Master Secure Remote Access: A Complete Linux SSH Configuration Guide

This step‑by‑step guide explains how to install, configure, and harden SSH on Linux, covering service setup, key generation, client configuration, file transfer, tunneling, ProxyJump, login banners, password‑less authentication, time/IP restrictions, fail2ban monitoring, multi‑factor authentication, ssh‑agent usage, and regular maintenance.

Liangxu Linux

Installation and Starting the SSH Service

Install the OpenSSH server package and start the service.

# Install OpenSSH server
sudo apt-get install openssh-server    # Ubuntu/Debian
sudo yum install openssh-server          # CentOS/RHEL
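# Start and enable the SSH service (the unit is named ssh on Ubuntu/Debian and sshd on CentOS/RHEL)
sudo systemctl start ssh     # CentOS/RHEL: sudo systemctl start sshd
sudo systemctl enable ssh    # CentOS/RHEL: sudo systemctl enable sshd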

Configuring the SSH Service

Edit /etc/ssh/sshd_config to adjust settings such as listening port, allowed users, and root login.

# Edit sshd_config
sudo nano /etc/ssh/sshd_config
# Change SSH port
Port 2222
# Disallow direct root login
PermitRootLogin no

Restarting the SSH Service

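# Apply configuration changes (check the file first with "sudo sshd -t" and keep
# the current session open until a new login succeeds)
sudo systemctl restart ssh    # sshd on CentOS/RHEL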

Generating an SSH Key Pair

# Create RSA key pair (4096‑bit)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_key

Using SSH Keys for Login

Copy the public key to the remote server.

# Copy public key automatically (-i selects the key generated above instead of the default identity)
ssh-copy-id -i ~/.ssh/my_key.pub user@remote_server

Or copy manually:

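# Manual copy of public key; sshd ignores authorized_keys if the directory or file is writable by others
cat ~/.ssh/my_key.pub | ssh user@remote_server 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'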

Configuring the SSH Client

# Edit client config file
nano ~/.ssh/config
# Define an alias for a remote host
Host my_server
    HostName remote_server
    User user
    Port 2222
    IdentityFile ~/.ssh/my_key

Transferring Files with SSH

# Use SCP to copy a local file to the remote host
scp /path/to/local/file user@remote_server:/path/to/remote/directory

Creating an SSH Tunnel

# Forward local port 8080 to remote host's port 80
ssh -L 8080:localhost:80 user@remote_server

Using ProxyJump for Jump Hosts

# Configure multiple hosts with ProxyJump
Host final_server
    HostName final_server
    User user
    Port 2222
    IdentityFile ~/.ssh/my_key

Host jump_server
    HostName jump_server
    User user
    Port 2222
    IdentityFile ~/.ssh/my_key

Host remote_server
    HostName remote_server
    User user
    Port 2222
    IdentityFile ~/.ssh/my_key
    ProxyJump jump_server

Hardening SSH Configuration

# Restrict config file permissions
chmod 600 ~/.ssh/config

Setting a Login Banner

# In /etc/ssh/sshd_config: display the contents of this file before login
Banner /etc/ssh/banner_message

Disabling Password Authentication

# In /etc/ssh/sshd_config: turn off password logins so that key-based authentication is required
PasswordAuthentication no
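
An added example, not part of the original guide: a shell function that audits sshd_config text for the two settings hardened above (PermitRootLogin and PasswordAuthentication). It assumes whitespace-separated keyword/value pairs and upstream OpenSSH defaults; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the guide's own code. sshd keeps the FIRST value it reads
# for a keyword, so a hardened line appended below an older one is ignored.

audit_sshd_config() {
    # stdin: sshd_config text. stdout: findings. Exit status 1 if any WEAK setting.
    awk '
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # audit the global section only
        {
            key = tolower($1); value = tolower($2)   # keywords are case-insensitive
            if (key != "passwordauthentication" && key != "permitrootlogin") next
            if (!(key in first)) { first[key] = value; next }
            if (first[key] != value)
                printf "SHADOWED %s %s (line %d ignored, %s wins)\n", key, value, NR, first[key]
        }
        END {
            # Upstream OpenSSH defaults for absent keywords (assumption: the
            # distribution package has not changed them).
            if (!("passwordauthentication" in first)) first["passwordauthentication"] = "yes"
            if (!("permitrootlogin" in first)) first["permitrootlogin"] = "prohibit-password"
            weak = 0
            n = split("passwordauthentication permitrootlogin", want, " ")
            for (i = 1; i <= n; i++)
                if (first[want[i]] != "no") { print "WEAK " want[i] " " first[want[i]]; weak = 1 }
            exit weak
        }
    '
}

# Constructed sample: the stock file enables passwords, the fix was appended.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not taken from a real host
Port 2222
PasswordAuthentication yes
PermitRootLogin no
Banner /etc/ssh/banner_message
# appended later by an administrator
PasswordAuthentication no
EOF
}

sample_sshd_config | audit_sshd_config || echo "fix the findings above, then run sshd -t"
```

The function does not follow Include directives, so on a live host compare its result with the effective configuration printed by `sudo sshd -T`.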

Limiting Login Times and IP Ranges

# Define time‑based login rules
sudo nano /etc/security/time.conf

Add rules such as:

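# Allow user ssh access from 08:00 to 17:00
# (takes effect only if /etc/pam.d/sshd loads pam_time, e.g. "account required pam_time.so")
sshd;*;user;Al0800-1700
# Restrict SSH access to a specific IP subnet
# (TCP Wrappers syntax: this line belongs in /etc/hosts.allow, not time.conf, and needs an sshd built with TCP Wrappers support)
sshd : 192.168.1.0/24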

Monitoring SSH Login Attempts

# Install fail2ban
sudo apt-get install fail2ban    # Ubuntu/Debian
sudo yum install fail2ban        # CentOS/RHEL
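# Configure fail2ban for SSH: put the [sshd] section below in jail.local
sudo nano /etc/fail2ban/jail.local
[sshd]
enabled = true
# If sshd listens on a non-default port (2222 earlier in this guide), set port to that number
port = ssh
filter = sshd
# On CentOS/RHEL the authentication log is /var/log/secure
logpath = /var/log/auth.log
maxretry = 5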
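
An added example, not fail2ban's own code and not part of the original guide: the decision the jail above makes, replayed over constructed auth.log lines. `FINDTIME`, the function names and the log lines are assumptions made for illustration; the addresses come from documentation ranges.

```sh
#!/bin/sh
# Added example, not fail2ban's own code: the decision the [sshd] jail makes,
# i.e. ban a source after MAXRETRY failed logins inside a FINDTIME window.

MAXRETRY=5     # maxretry from the jail above
FINDTIME=600   # assumption: fail2ban's stock findtime of 10 minutes, in seconds

ban_candidates() {
    # stdin: auth.log lines with syslog timestamps (one calendar day assumed).
    # stdout: source addresses, one per line, in the order they hit the threshold.
    awk -v max="$MAXRETRY" -v win="$FINDTIME" '
        /sshd\[[0-9]+\]: Failed password for / && $(NF - 4) == "from" {
            # The user name is client-supplied text, so read the address from the
            # fixed tail of the line: "... from ADDR port N ssh2".
            ip = $(NF - 3)
            if (ip in banned) next
            split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            count[ip]++; seen[ip, count[ip]] = now
            hits = 0   # failures from this source inside the sliding window
            for (j = count[ip]; j >= 1 && now - seen[ip, j] <= win; j--) hits++
            if (hits >= max) { banned[ip] = 1; print ip }
        }
    '
}

# Constructed log lines using documentation address ranges.
sample_auth_log() {
    cat <<'EOF'
Mar 10 08:00:00 host sshd[901]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 08:15:00 host sshd[902]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 08:30:00 host sshd[903]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar 10 08:45:00 host sshd[904]: Failed password for root from 198.51.100.7 port 40004 ssh2
Mar 10 09:00:00 host sshd[905]: Failed password for root from 198.51.100.7 port 40005 ssh2
Mar 10 09:05:00 host sshd[906]: Accepted password for user from 203.0.113.5 port 40100 ssh2
Mar 10 09:10:01 host sshd[907]: Failed password for root from 192.0.2.10 port 40021 ssh2
Mar 10 09:10:03 host sshd[908]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Mar 10 09:10:05 host sshd[909]: Failed password for root from 192.0.2.10 port 40023 ssh2
Mar 10 09:10:07 host sshd[910]: Failed password for root from 192.0.2.10 port 40024 ssh2
Mar 10 09:10:09 host sshd[911]: Failed password for root from 192.0.2.10 port 40025 ssh2
EOF
}

sample_auth_log | ban_candidates
```

Only 192.0.2.10 is reported: the five failures from 198.51.100.7 are spaced 15 minutes apart and never fall inside one window, which is why a slow guessing rate stays under a jail tuned only by maxretry.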

Enabling Multi‑Factor Authentication

# Install Google Authenticator PAM module
sudo apt-get install libpam-google-authenticator    # Ubuntu/Debian
sudo yum install google-authenticator                # CentOS/RHEL
# Enable PAM module for SSH by adding this line to the file: auth required pam_google_authenticator.so
sudo nano /etc/pam.d/sshd

Add to /etc/ssh/sshd_config:

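# Enable challenge-response authentication (newer OpenSSH releases name this option KbdInteractiveAuthentication)
# With key-based logins the one-time code is requested only if AuthenticationMethods
# requires both methods, e.g. publickey,keyboard-interactive
ChallengeResponseAuthentication yes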

Managing Keys with ssh‑agent

# Start ssh‑agent
eval $(ssh-agent)
# Add private key to the agent
ssh-add ~/.ssh/my_key

Optimizing the SSH Client Experience

# Edit client config to send a keepalive every 60 seconds, so idle sessions stay open and dead connections are detected
Host *
    ServerAliveInterval 60

Regular Updates and Maintenance

# Update SSH packages regularly
sudo apt-get update && sudo apt-get upgrade    # Ubuntu/Debian
sudo yum update                                 # CentOS/RHEL

Keeping the SSH software and key files up to date ensures continued security and reliability.

Conclusion

The guide walks administrators through every essential step—from installing and starting the SSH service to advanced hardening techniques such as login banners, password‑less authentication, time/IP restrictions, fail2ban monitoring, and multi‑factor authentication—empowering them to secure remote Linux access effectively.
