Secure Shell (SSH) is a cryptographic network protocol that enables secure communication between a client and a remote server over an unsecured network. By setting up an SSH server, you can guarantee security, facilitate remote administration, and allow encrypted connections for safe data transfers. Whether you're a system administrator or a developer, having SSH configured correctly is crucial for efficient server management.
This guide will walk you through the step-by-step process of installing and setting up an SSH server to ensure a secure and reliable connection to your system.
Fig 1. How SSH works.
SSH is a security protocol that uses encryption and authentication mechanisms to provide secure remote access. It replaces older, less secure protocols like Telnet and FTP. A key feature of SSH is its encrypted communication between computers, which makes it suitable for use on unsecured networks.
SSH is widely used for managing remote servers, allowing administrators and developers to execute commands, configure systems, and automate tasks securely. It also plays a key role in secure file transfers through protocols like SCP (Secure Copy Protocol) and SFTP (Secure File Transfer Protocol).
When discussing SSH, it's important to mention SSH keys—a pair of cryptographic keys used for secure authentication between a client and a server in SSH connections. They provide a more secure and convenient alternative to password-based authentication by using public-key cryptography.
An SSH key pair consists of:
Fig 2. Understanding SSH keys mechanism.
Before installing SSH on a server, ensure the following prerequisites are met:
apt for Debian/Ubuntu, yum or dnf for CentOS/RHEL, pacman for Arch Linux).sudo or root access.Installing an SSH server on Linux allows secure remote access to the system. Most Linux distributions use OpenSSH, the most common SSH implementation. Follow these steps to install and enable SSH on your Linux server.
Fig 3. Setting up SSH server on Linux.
1. Update system packages.
Before installing, update your package lists to ensure you get the latest version.
For Debian/Ubuntu
sudo apt update sudo apt upgrade -y
For CentOS/RHEL
sudo yum update -y
For Fedora
sudo dnf update -y
For Arch Linux
sudo pacman -Syu
2. Install OpenSSH Server.
Depending on your Linux distribution, install the OpenSSH server package.
For Debian/Ubuntu
sudo apt install openssh-server -y
For CentOS/RHEL
sudo yum install openssh-server -y
For Fedora
sudo dnf install openssh-server -y
For Arch Linux
sudo pacman -S openssh
3. Start and enable SSH service.
Once installed, start and enable the SSH service to ensure it runs on system startup.
For Debian/Ubuntu
sudo systemctl start ssh sudo systemctl enable ssh
For CentOS/RHEL/Fedora/Arch Linux
sudo systemctl start sshd sudo systemctl enable sshd
4. Verify SSH installation.
To confirm SSH is running, check the service status.
For Debian/Ubuntu
sudo systemctl status ssh
For CentOS/RHEL/Fedora/Arch Linux
sudo systemctl status sshd
If SSH is active and running, you should see an output indicating that the service is operational.
Fig 4. SSH service status output on Ubuntu.
5. Allow SSH through Firewall (if needed).
If your server has a Firewall enabled, allow SSH traffic.
For Debian/Ubuntu
sudo ufw allow OpenSSH sudo ufw enable
For CentOS/RHEL/Fedora/Arch Linux
sudo firewall-cmd --permanent --add-service=ssh sudo firewall-cmd --reload
6. Test SSH connection.
From another machine, attempt to connect to the server via SSH.
ssh username@server-ip
Once SSH is installed on your Linux server, you can configure its security and functionality settings. The SSH configuration file is located at: /etc/ssh/sshd_config.
sudo nano /etc/ssh/sshd_config
By default, SSH listens on port 22, making it a common target for attacks. It is recommended to change the port number to something less obvious.
1. Locate the line: #Port 22.
2. Uncomment it (remove #), change the port number, for example: #Port 2222, and save the file.
3. Allow the new port in the firewall.
For Debian/Ubuntu
sudo ufw allow 2222/tcp sudo ufw reload
For CentOS/RHEL/Fedora
sudo firewall-cmd --permanent --add-port=2222/tcp sudo firewall-cmd --reload
For Arch Linux
If using iptables:
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT sudo iptables-save | sudo tee /etc/iptables/iptables.rules
If using Firewalld:
sudo firewall-cmd --permanent --add-port=2222/tcp sudo firewall-cmd --reload
4. Restart the SSH service to apply changes.
For Debian/Ubuntu
sudo systemctl restart ssh
For CentOS/RHEL/Fedora/Arch Linux
sudo systemctl restart sshd
5. Verify the SSH port.
Most modern Linux distributions, including Ubuntu, Debian, CentOS, RHEL, Fedora, and Arch Linux, support ss:
sudo ss -tulnp | grep ssh
Fig 5. SSH port output on Ubuntu.
Disabling root login improves security by preventing direct access to the system as the root user.
1. In the SSH configuration file, locate the following line: PermitRootLogin yes
2. Change it to: PermitRootLogin no
3. Restart SSH service for changes to take effect.
For Debian/Ubuntu
sudo systemctl restart ssh
For Fedora/CentOS/RHEL/Arch Linux
sudo systemctl restart sshd
4. Verify the changes
To confirm that root login is disabled, try logging in as root via SSH from another machine.
ssh root@server-ip
You should see a "Permission denied" message if the setting is applied correctly.
Using SSH key-based authentication improves security by replacing password-based logins with cryptographic keys. Follow these steps to enable SSH key authentication on your Linux server.
1. Generate an SSH key pair on the client machine.
On your local machine (not the server), generate a new SSH key pair.
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Where:
-t rsa - specifies RSA as the encryption algorithm.-b 4096 - uses a 4096-bit key for enhanced security.-C "[email protected]" - adds a label to the key.Press Enter to save the key in the default location (~/.ssh/id_rsa) or specify a custom path. Optionally, set a passphrase for additional security.
Fig 6. SSH key generation output on the client machine.
2. Copy the public key to the server.
Transfer the generated public key (id_rsa.pub) to the remote server.
ssh-copy-id username@server-ip
If ssh-copy-id is unavailable, manually copy the key.
cat ~/.ssh/id_rsa.pub | ssh username@server-ip "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
3. Configure the SSH server to allow key authentication.
3.1 On the server, open the SSH configuration file.
sudo nano /etc/ssh/sshd_config
3.2 Make sure the following lines are set (uncomment them if necessary).
PubkeyAuthentication yes PasswordAuthentication no
This enables key-based authentication and disables password logins for better security.
4. Restart SSH service to apply changes.
For Debian/Ubuntu
sudo systemctl restart ssh
For Fedora/CentOS/RHEL/Arch Linux
sudo systemctl restart sshd
5. Test SSH key authentication.
From your local machine, try logging in.
ssh username@server-ip
If successful, SSH will authenticate using the private key without prompting for a password.
Fig. 7. Successful SSH connection via SSH keys on Ubuntu.
Windows has built-in support for OpenSSH, allowing users to set up SSH without third-party software. Follow these steps to install, configure, and start an SSH server on Windows 10, Windows 11, or Windows Server.
Fig 8. Setting up SSH server on Windows.
1. Navigate Settings → Apps → Optional features.
2. Click Add a feature and search for OpenSSH Server.
3. Select OpenSSH Server, click Next, and then click Add.
Fig 9. Adding the OpenSSH Server on Windows via GUI.
ms-settings:optionalfeatures and press Enter.
1. Run PowerShell as Administrator and execute the following command for Windows Server.
Add-WindowsFeature -Name OpenSSH-Server
For Windows 10 and 11 use the following command.
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'
2. To install OpenSSH, execute the command below.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Fig 10. Installing OpenSSH on Windows via PowerShell.
3. Start the service.
Start-Service -Name "sshd"
4. Check the service status.
Get-Service -Name "sshd" | Select-Object *
Fig 11. Verifying OpenSSH status on Windows via PowerShell.
To allow SSH connections through Windows Defender Firewall, follow these steps.
Run the following command to create a Firewall rule for SSH.
New-NetFirewallRule -Name "OpenSSH" -DisplayName "OpenSSH Server" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
1. Open Windows Security and go to Firewall & network protection.
2. Select Allow an app through firewall.
3. In the window that opens, click Change settings and find OpenSSH Server in the Allowed apps and features list.
4. Select both Private and Public network options.
5. Click OK to apply the changes.
Fig 12. Configuring Windows Firewall to allow SSH connections using GUI.
SSH key authentication enhances security by replacing password-based logins with cryptographic keys. Follow these steps to generate and configure SSH keys on a Windows machine.
To generate an SSH key pair, use PowerShell.
1.1 Open PowerShell as Administrator.
1.2 Run the following command:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Where:
-t rsa - specifies RSA as the encryption algorithm.-b 4096 - uses a 4096-bit key for enhanced security.-C "[email protected]" - adds a label to the key.When prompted, press Enter to save the key in the default location: C:\Users\YourUsername\.ssh\id_rsa
1.3 Optional: Set a passphrase for additional security.
To enable key-based authentication, transfer the public key to the remote server.
ssh-copy-id username@server-ip
If ssh-copy-id is not installed, you can copy the key manually.
1. Display the public key in PowerShell using the following command.
Get-Content $env:USERPROFILE\.ssh\id_rsa.pub
2. Copy the output and manually add it to the ~/.ssh/authorized_keys file on the remote server.
Once the key is added, test the SSH connection.
ssh username@server-ip
If successful, you will log in without a password.
Fig 13. Successful SSH connection via SSH keys on Windows.
Secure and efficient database management is essential, and dbForge Edge—all-in-one database management solution designed for MySQL, PostgreSQL, SQL Server, and Oracle, simplifies it by offering secure SSH connections for remote database access. Whether using password authentication, public key authentication, or PuTTY via the command-line interface, dbForge Edge provides a flawless and user-friendly experience.
With password authentication, users can easily establish an SSH connection by specifying the host, port, user credentials, and security settings directly in the Database Connection Properties dialog. For those prioritizing security, SSH key authentication enables access using private keys and passphrases, ensuring a more secure connection method. Additionally, dbForge Edge supports PuTTY-based SSH connections, allowing integration with plink.exe for users who prefer command-line tools.
Once the SSH connection is established, dbForge Edge makes it effortless to manage MySQL and PostgreSQL databases securely. Users can configure connection properties, select authentication methods, and test connections—all within an intuitive interface. With its comprehensive SSH tunneling support, dbForge Edge eliminates complexity and ensures secure database access in any environment.
Fig 14. Configuring SSH connections in dbForge Studio for MySQL.
When setting up an SSH server, you may encounter various issues that prevent successful connections. Below are some solutions for resolving the Connection Refused error.
/etc/ssh/sshd_config) and ensure the port setting matches the
intended port. Then restart SSH. If you are using a non-default port, specify it when connecting:
ssh -p username@server-ip .
For Ubuntu/Debian
sudo ufw allow 22/tcp sudo ufw reload
For CentOS/RHEL/Fedora
sudo firewall-cmd --permanent --add-port=22/tcp sudo firewall-cmd --reload
chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
Then restart SSH and try connecting again.
systemctl status ssh.
sudo systemctl start sshd sudo systemctl enable sshd
sudo ufw allow 22/tcp.
Setting up an SSH server is essential for secure remote access and server management. In this guide, we covered the key steps to install, configure, and troubleshoot SSH to ensure a stable and secure connection. By using SSH, you improve server security, protect sensitive data, and enable encrypted communication between clients and servers.
To streamline server management and optimize your workflow, consider using dbForge Edge - a comprehensive database management tool that simplifies SSH configuration for quick and secure database connectivity.
1. Open CMD as Administrator: Press Win + R, type cmd, press Ctrl + Shift + Enter.
2. Install OpenSSH Server: dism /Online /Add-Capability /CapabilityName:OpenSSH.Server~~~~0.0.1.0
3. Start and enable SSH: sc start sshd
4. Allow SSH through the firewall:
netsh advfirewall firewall add rule name="OpenSSH Server" dir=in action=allow protocol=TCP localport=22
5. Find your IP (ipconfig) and connect from another device:ssh username@server-ip
Yes, dbForge Edge fully supports managing databases over an SSH connection. It allows you to:
Follow these steps to configure an SSH server to allow connections using key-based authentication.
1. Install the SSH server (if not installed).For example, on Ubuntu, run:
sudo apt install openssh-server -y
2. Start and enable SSH service. On Ubuntu, run:
sudo systemctl start sshd sudo systemctl enable sshd
3. Generate an SSH key pair on the client machine:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
4. Copy the public key to the server: ssh-copy-id username@server-ip
5. Configure SSH Server to allow key authentication.
5.1 On the server, open the SSH configuration file: sudo nano /etc/ssh/sshd_config
5.2 Ensure these lines are set:
PubkeyAuthentication yes PasswordAuthentication no
5.3 Save and exit (Ctrl + X, then Y, then Enter).
6. Restart SSH service: sudo systemctl restart sshd
7. On the client machine, connect using: ssh username@server-ip
1. Install OpenSSH Server:
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.02. Start and enable SSH service via PowerShell.
Start-Service sshd Set-Service -Name sshd -StartupType Automatic
3. Then allow SSH through Windows Firewall.
New-NetFirewallRule -Name sshd -DisplayName "OpenSSH Server" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
4. Test SSH connection from another machine.
ssh username@server-ip
1. Disable root login.
PermitRootLogin no
2. Use key-based authentication.
PasswordAuthentication no
3. Change the default SSH port.
Port 2222 # Choose a non-standard port
4. Restrict SSH access to specific users.
AllowUsers username1 username2
5. Enable Firewall rules for SSH. For example, on Ubuntu, run the following command.
sudo ufw allow 2222/tcp
6. Use Fail2Ban to block brute-force attacks. On Ubuntu, run the command below.
sudo apt install fail2ban -y
7. Keep SSH and system updated.
sudo apt update && sudo apt upgrade -y
8. Monitor SSH logs.
sudo cat /var/log/auth.log | grep "Failed password"
Follow these steps to set up an SSH server and configure passwordless authentication using SSH keys.
1. Install the SSH server (if not installed).
On Linux, use:
sudo apt update && sudo apt install openssh-server -y # Ubuntu/Debian sudo yum install -y openssh-server # RHEL/CentOS/Fedora sudo pacman -S openssh # Arch Linux
On Windows, run PowerShell as Administrator and execute the following commands.
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 Start-Service sshd Set-Service -Name sshd -StartupType Automatic
2. Enable and start SSH.
sudo systemctl enable sshd sudo systemctl start sshd
3. Generate a SSH key pair on the client machine.
ssh-keygen -t rsa -b 4096 -C "[email protected]"
4. Copy the public key to the server.
ssh-copy-id username@server-ip
5. Configure the SSH server for key authentication
5.1 Open the SSH configuration file on the server for editing.
sudo nano /etc/ssh/sshd_config
5.2 Ensure the following settings are enabled.
PubkeyAuthentication yes PasswordAuthentication no
5.3 Restart SSH to apply changes.
sudo systemctl restart sshd
Yes, dbForge Edge supports SSH tunneling, enabling secure remote access to databases without exposing them to the internet. It allows users to authenticate using SSH keys or passwords while encrypting data transmissions to prevent unauthorized access.
