Enabling SSH on Ubuntu is a straightforward process that unlocks secure remote administration for your server or desktop environment. This protocol allows you to manage your machine from anywhere, providing a encrypted command-line interface for executing commands and transferring files. For anyone running Ubuntu in a production setting or simply wanting to manage a home server, learning how to activate and secure this service is a fundamental skill. This guide walks through the necessary steps to get SSH operational and hardened for immediate use.
Understanding the SSH Service on Ubuntu
By default, Ubuntu Desktop does not start the SSH daemon, while Ubuntu Server editions often include it during the installation process. The service is managed by `systemd`, the init system used by modern Linux distributions, and the specific daemon is called `sshd`. Before you can enable remote connections, you need to ensure this package is installed and then configure the firewall to allow traffic on the correct port. The OpenSSH suite of tools is the standard implementation, and it is maintained with a focus on security and reliability.
Installing the OpenSSH Server
If you are working with a fresh installation of Ubuntu Desktop, the `openssh-server` package is likely not present. You can quickly verify this by checking if the `ssh` command exists locally. To install the server component, you will need to use the APT package manager with administrative privileges. This process downloads the necessary binaries and configures the service to start automatically on boot, preparing the system to accept incoming connections.
Command Line Installation
First, update the local package index with sudo apt update .
Then, install the server package using sudo apt install openssh-server .
The system will automatically start the service once the installation completes.
You can verify the installation by checking the status with sudo systemctl status ssh .
Configuring the Firewall
With the daemon running, Ubuntu's built-in firewall, `ufw`, might still block incoming connections on port 22. If you are connecting from the same local network, this might not be an issue, but for remote access, you must explicitly allow the traffic. Managing firewall rules correctly is a critical security practice that prevents unauthorized access attempts from reaching your SSH service.
Allowing SSH Traffic
Check the application profiles with sudo ufw app list .
Allow the OpenSSH profile using sudo ufw allow OpenSSH .
Alternatively, you can specify the port directly with sudo ufw allow 22/tcp .
Enable the firewall if it is not already active using sudo ufw enable .
Securing Your SSH Access
Leaving SSH configured with default settings, particularly password authentication, exposes your system to automated brute-force attacks. While passwords are convenient, public key authentication is significantly more secure and convenient for regular use. This method uses a cryptographic key pair, eliminating the need to send passwords over the network and providing a robust layer of defense.
Best Practices for Hardening
Disable root login directly via SSH to prevent direct attacks on the superuser account.
Change the default port from 22 to a higher number to reduce noise from automated bots.
Implement fail2ban to automatically ban IPs that show malicious signs, such as too many password failures.
Consider disabling password authentication entirely and relying solely on SSH keys.
