8.2.12 OpenSSH Installation and Configuration
OpenSSH allows secure connection to a server via the SSH protocol, executing commands, transferring files, and managing the server. Proper OpenSSH configuration is a critical step in ensuring your server’s security.
System Requirements
Important: if you are configuring OpenSSH on a public server, make sure to set it up securely – https://thehost.ua/en/wiki/root/install-openssh#dopolnitelnye-nastroyki-open-ssh
Installing OpenSSH Server
By default, OpenSSH Server is available in Ubuntu 24.04 repositories.
Update the package index and install OpenSSH Server:
sudo apt update
sudo apt install -y openssh-server
Check the SSH service status:
sudo systemctl status ssh
Expected output:
● ssh.service - OpenBSD Secure Shell server
Active: active (running)
If the service is not running, enable it so it starts at boot and start it now (the --now option is only valid together with enable):
sudo systemctl enable --now ssh
To test the connection from your local machine:
ssh user@SERVER_IP
For more connection methods, refer to our guide.
Note: replace user and SERVER_IP with your actual login and IP address.
If you use SSH keys, connect using the -i flag:
ssh -i ~/.ssh/id_rsa user@SERVER_IP
Configuring Logging
Let’s enable verbose logging. Open the configuration file:
sudo nano /etc/ssh/sshd_config
Add or modify the following parameter:
LogLevel VERBOSE
Save and restart the service:
sudo systemctl restart ssh
To view logs:
sudo journalctl -u ssh
Or check system logs:
sudo tail -f /var/log/auth.log
Additional OpenSSH Settings
To improve server security, it is recommended to change default settings.
Disable Password Authentication
Password-based authentication is a common target for brute-force attacks. Disabling it significantly reduces the risk of compromise. After this, only SSH key-based connections will be allowed.
PermitRootLogin prohibit-password
PasswordAuthentication no
Note: prohibit-password is the current name of this value; the older alias without-password is still accepted and means the same thing.
Enable Key-Only Login
Make sure public-key authentication is enabled (it is the default). Together with PasswordAuthentication no, this leaves SSH keys as the only accepted login method.
PubkeyAuthentication yes
Change the Default Port (Default is 22)
Port 22 is frequently scanned by attackers. Changing it to a non-standard port helps reduce automated attacks.
Port 2222
Note: changing the port helps reduce the number of automated attacks.
Restrict Access by IP
To restrict access by IP address, use iptables or ufw.
UFW:
sudo ufw allow from <YOUR_IP> to any port 2222 proto tcp
sudo ufw enable
iptables:
# Keep already-established connections (including your current SSH session) working;
# without this rule the DROP below would also drop the follow-up packets of allowed connections
sudo iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow new connections to port 2222 only from your IP
sudo iptables -I INPUT -p tcp -s <YOUR_IP> --dport 2222 -m conntrack --ctstate NEW -j ACCEPT
# Block all other connections to port 2222
sudo iptables -A INPUT -p tcp --dport 2222 -j DROP
# These rules are lost on reboot unless you save them (e.g. with the iptables-persistent package)
Note: replace <YOUR_IP> with your actual IP address (e.g., 203.0.113.45). The -I (insert) option places the allow rule at the top of the chain so it is evaluated first.
Important: before testing, keep your current SSH session or open a VNC console to avoid locking yourself out.
Test connection:
ssh -p 2222 user@SERVER_IP
After making changes, be sure to restart SSH:
sudo systemctl restart ssh
Service Check
To check if the service is running:
sudo systemctl status ssh
To check login logs (if /var/log/auth.log does not exist because rsyslog is not installed, use sudo journalctl -u ssh instead):
sudo grep sshd /var/log/auth.log
Expected output:
Accepted publickey for user from IP port ...
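As an added check that is not part of the original guide: the following POSIX shell function compares the effective sshd configuration (the output of sshd -T, which resolves defaults and Include files) against the settings recommended above. It assumes the port 2222 used in this guide, and additionally checks KbdInteractiveAuthentication, because on Ubuntu that method can still prompt for a password through PAM even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Audit the effective sshd settings against the values recommended in this guide.
# Usage on the server:  sudo sshd -T | check_sshd_settings
# Exit status: 0 when every checked setting matches, 1 otherwise.
# Assumptions: SSH listens on port 2222 (as in this guide); adjust the "port" line if not.
check_sshd_settings() {
    rc=0
    # Read the sshd -T dump from stdin and lower-case it so that
    # "LogLevel VERBOSE" and "loglevel verbose" compare alike.
    dump=$(tr '[:upper:]' '[:lower:]')
    # One "keyword expected-value" pair per entry. permitrootlogin is handled
    # separately because sshd -T prints the older alias "without-password".
    for pair in "passwordauthentication no" \
                "kbdinteractiveauthentication no" \
                "pubkeyauthentication yes" \
                "loglevel verbose" \
                "port 2222"; do
        key=${pair%% *}
        want=${pair#* }
        # First value printed for the keyword; a missing keyword counts as unset.
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1==k {print $2; exit}')
        [ -n "$got" ] || got="(unset)"
        if [ "$got" = "$want" ]; then
            echo "ok    $key = $got"
        else
            echo "FAIL  $key = $got (expected $want)"
            rc=1
        fi
    done
    got=$(printf '%s\n' "$dump" | awk '$1=="permitrootlogin" {print $2; exit}')
    case "$got" in
        prohibit-password|without-password|no)
            echo "ok    permitrootlogin = $got" ;;
        *)
            echo "FAIL  permitrootlogin = ${got:-(unset)} (expected prohibit-password)"
            rc=1 ;;
    esac
    return $rc
}
```

Run it before restarting the service, together with sudo sshd -t, which reports syntax errors in /etc/ssh/sshd_config; a failed restart with an open session is recoverable, a bad config with no session is not.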
Common Errors
| Error/Symptom | Cause/Solution |
|---|---|
| Connection refused | SSH server not running, or the port is blocked by the firewall |
| Permission denied (publickey) | Key not accepted: check that your public key is in ~/.ssh/authorized_keys on the server and that PubkeyAuthentication yes is set |
| Port 22 not open | A non-standard port is used: specify -p <port> or set the port in your SSH client configuration |
| Cannot restart ssh: failed | SSH restart failed: check /etc/ssh/sshd_config for errors (sudo sshd -t reports them) |
Diagnostic Commands
To check the firewall status, use one of the following commands.
When using UFW:
sudo ufw status verbose
If using iptables:
sudo iptables -L -v -n
View recent logins (the last column shows the source host; the output of last contains no "ssh" text to filter on):
sudo last -a
View recent failed login attempts:
sudo lastb -a
Another helpful command to show active logins and IPs:
w
Official Documentation