Master Secure Remote Access: A Complete Linux SSH Configuration Guide
This step‑by‑step guide explains how to install, configure, and harden SSH on Linux, covering service setup, key generation, client configuration, file transfer, tunneling, ProxyJump, login banners, password‑less authentication, time/IP restrictions, fail2ban monitoring, multi‑factor authentication, ssh‑agent usage, and regular maintenance.
Installation and Starting the SSH Service
Install the OpenSSH server package and start the service.
# Install OpenSSH server
sudo apt-get install openssh-server # Ubuntu/Debian
sudo yum install openssh-server # CentOS/RHEL # Start and enable SSH service
sudo systemctl start ssh
sudo systemctl enable sshConfiguring the SSH Service
Edit /etc/ssh/sshd_config to adjust settings such as listening port, allowed users, and root login.
# Edit sshd_config
sudo nano /etc/ssh/sshd_config # Change SSH port
Port 2222 # Disallow direct root login
PermitRootLogin noRestarting the SSH Service
# Apply configuration changes
sudo systemctl restart sshGenerating an SSH Key Pair
# Create RSA key pair (4096‑bit)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/my_keyUsing SSH Keys for Login
Copy the public key to the remote server.
# Copy public key automatically
ssh-copy-id user@remote_serverOr copy manually:
# Manual copy of public key
cat ~/.ssh/my_key.pub | ssh user@remote_server 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'Configuring the SSH Client
# Edit client config file
nano ~/.ssh/config # Define an alias for a remote host
Host my_server
HostName remote_server
User user
Port 2222
IdentityFile ~/.ssh/my_keyTransferring Files with SSH
# Use SCP to copy a local file to the remote host
scp /path/to/local/file user@remote_server:/path/to/remote/directoryCreating an SSH Tunnel
# Forward local port 8080 to remote host's port 80
ssh -L 8080:localhost:80 user@remote_serverUsing ProxyJump for Jump Hosts
# Configure multiple hosts with ProxyJump
Host final_server
HostName final_server
User user
Port 2222
IdentityFile ~/.ssh/my_key
Host jump_server
HostName jump_server
User user
Port 2222
IdentityFile ~/.ssh/my_key
Host remote_server
HostName remote_server
User user
Port 2222
IdentityFile ~/.ssh/my_key
ProxyJump jump_serverHardening SSH Configuration
# Restrict config file permissions
chmod 600 ~/.ssh/configSetting a Login Banner
# Add a banner to display before login
Banner /etc/ssh/banner_messageDisabling Password Authentication
# Ensure only public‑key authentication is allowed
PasswordAuthentication noLimiting Login Times and IP Ranges
# Define time‑based login rules
sudo nano /etc/security/time.confAdd rules such as:
# Allow user ssh access from 08:00 to 17:00
sshd;*;user;Al0800-1700 # Restrict SSH access to a specific IP subnet
sshd : 192.168.1.0/24Monitoring SSH Login Attempts
# Install fail2ban
sudo apt-get install fail2ban # Ubuntu/Debian
sudo yum install fail2ban # CentOS/RHEL # Configure fail2ban for SSH
sudo nano /etc/fail2ban/jail.local [sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5Enabling Multi‑Factor Authentication
# Install Google Authenticator PAM module
sudo apt-get install libpam-google-authenticator # Ubuntu/Debian
sudo yum install google-authenticator # CentOS/RHEL # Enable PAM module for SSH
sudo nano /etc/pam.d/sshdAdd to /etc/ssh/sshd_config:
# Enable challenge‑response authentication
ChallengeResponseAuthentication yesManaging Keys with ssh‑agent
# Start ssh‑agent
eval $(ssh-agent) # Add private key to the agent
ssh-add ~/.ssh/my_keyOptimizing the SSH Client Experience
# Edit client config to auto‑close idle connections
Host *
ServerAliveInterval 60Regular Updates and Maintenance
# Update SSH packages regularly
sudo apt-get update && sudo apt-get upgrade # Ubuntu/Debian
sudo yum update # CentOS/RHELKeeping the SSH software and key files up to date ensures continued security and reliability.
Conclusion
The guide walks administrators through every essential step—from installing and starting the SSH service to advanced hardening techniques such as login banners, password‑less authentication, time/IP restrictions, fail2ban monitoring, and multi‑factor authentication—empowering them to secure remote Linux access effectively.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
