SSH Server Installation and Configuration
This article explains how to set up an SSH (Secure Shell) server on Ubuntu. Using SSH, you can securely connect to a server remotely and execute commands or transfer files.
1. Installing OpenSSH Server
First, install the OpenSSH server package.
sudo apt update
sudo apt install openssh-server
After installation, the SSH service starts automatically.
2. Editing the SSH Configuration File
SSH server configuration is done in the /etc/ssh/sshd_config file. It is recommended to always back up this file before editing.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sudo nano /etc/ssh/sshd_config
Consider checking and modifying the following settings to improve security:
- Disable Root Login: Setting PermitRootLogin to no prohibits direct login as the root user. This reduces the risk of brute force attacks.
PermitRootLogin no
- Disable Password Authentication (Recommended): When using public key authentication, setting PasswordAuthentication to no prohibits password-based login, significantly improving security.
PasswordAuthentication no
- Change Port Number: Changing from the default port 22 to a different port number can reduce attacks from common port scans.
# Example: change to port 2222
Port 2222
After saving changes, restart the SSH service to apply the settings.
sudo systemctl restart ssh
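sshd keeps the first value it reads for each keyword, and Ubuntu's default sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override an edit made further down. The script below is an added example, not part of the original article: it checks the effective settings printed by sudo sshd -T against the three changes above. The function name audit_sshd_effective and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd's effective settings (the text `sudo sshd -T` prints)
# against the three changes in this section. sshd -T emits lowercase
# "keyword value" lines, with one "port" line per listening port.

# Usage: sudo sshd -T | audit_sshd_effective 2222
# Prints one line per check; returns 0 only if every check passes.
audit_sshd_effective() {
    awk -v want_port="$1" '
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "port"                   { ports[$2] = 1 }
        END {
            fail = 0
            fail += check("permitrootlogin", root, "no")
            fail += check("passwordauthentication", pw, "no")
            if (want_port in ports) {
                print "OK   port " want_port
            } else {
                print "FAIL port " want_port " is not among the listening ports"
                fail++
            }
            # Port is cumulative: a leftover "Port 22" line keeps 22 open as well.
            if (want_port != 22 && (22 in ports)) {
                print "FAIL port 22 is still enabled alongside " want_port
                fail++
            }
            exit (fail > 0)
        }
        function check(key, got, want) {
            if (got == want) { print "OK   " key " " got; return 0 }
            print "FAIL " key " is \"" got "\", expected \"" want "\""
            return 1
        }'
}

# Constructed sample of `sshd -T` output in which a drop-in file
# re-enabled password logins despite the edit to sshd_config.
sample_overridden() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' 'passwordauthentication yes'
}

sample_overridden | audit_sshd_effective 2222 || echo "fix the config before restarting ssh"
```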
3. Firewall Configuration (UFW)
If you changed the SSH port or have a firewall enabled, you need to allow access to the new SSH port. Ubuntu commonly uses UFW (Uncomplicated Firewall).
# Allow the default SSH port (22)
sudo ufw allow ssh
# Or allow the changed port number (e.g., 2222)
sudo ufw allow 2222/tcp
# Enable the firewall (if first time)
# sudo ufw enable
# Check firewall status
sudo ufw status
About the “REMOTE HOST IDENTIFICATION HAS CHANGED!” Warning
You may see the warning REMOTE HOST IDENTIFICATION HAS CHANGED! when connecting via SSH. This occurs when the SSH host key of the server you are trying to connect to differs from the one recorded in the client’s known_hosts file.
This warning may indicate server reinstallation, IP address changes, or a potential man-in-the-middle attack. If you are certain that the server’s host key has changed for a legitimate reason, you can resolve this by removing the corresponding entry from the client’s known_hosts file using the following command:
ssh-keygen -R [server IP address or hostname]
Running this command removes the specified host’s entry from the ~/.ssh/known_hosts file, and the new host key will be added on the next connection.