How to Allow or Deny SSH Access In Linux 2026? – Complete Guide

ByAlam Updated on Reading Time: 7 minutes
How to Allow or Deny SSH Access In Linux

Ever worried someone might access your Linux server without permission?

SSH (Secure Shell) is the lifeline of system administrators. It gives you remote control over Linux servers — but with great power comes the need for strong control. Do you want to allow specific users to access your server, or block unauthorized logins? You’re in the right place.

In this comprehensive guide, we’ll walk you through everything about controlling SSH access in Linux — whether you want to allow it for select users or deny it entirely.

Let’s dive in. 👇

What is SSH Access?

Let’s first understand what SSH really means in simple terms.

SSH (Secure Shell) is a protocol used to securely log into a remote system over a network. It encrypts all traffic and allows administrators and developers to execute commands, transfer files, and manage services without needing physical access.

What is SSH Access

Whether you’re running a VPS, dedicated server, or local Linux machine — SSH is the most common remote administration method.

By default, most Linux distributions come with OpenSSH installed. Once SSH is enabled and running, it listens on port 22 (unless changed) and can be accessed using:

bash

ssh username@hostname

But to secure it properly, you need to control who can or cannot log in via SSH.

How to Allow SSH Access in Linux?

If you’re setting up a secure environment, granting SSH access only to trusted users is a smart move. This helps minimize security risks and protects critical system resources.

Let’s explore how you can do this step by step.

Add a User for SSH Access

Before allowing SSH access, make sure the user exists:

bash
sudo adduser username

Edit the SSH Configuration File

SSH settings are managed through the /etc/ssh/sshd_config file.

Open the file with your preferred text editor:

bash
sudo nano /etc/ssh/sshd_config

Now, look for the directive AllowUsers. If it doesn’t exist, add it at the bottom of the file:

bash
AllowUsers username1 username2

This line will allow only listed users to connect via SSH.

Restart the SSH Service

Once you’ve saved the config file, apply changes:

bash
sudo systemctl restart sshd

Your configuration is now active.

Allow SSH Through the Firewall

If you’re using a firewall (like ufw or firewalld), don’t forget to allow SSH traffic.

For UFW:

bash
sudo ufw allow ssh

Or for a custom port:

bash
sudo ufw allow 2222/tcp

For Firewalld:

bash
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Use SSH Keys for Better Security

Instead of passwords, it’s better to allow access using SSH key authentication.

  1. Generate an SSH key on the client: bashCopyEditssh-keygen
  2. Copy the key to the server: bashCopyEditssh-copy-id username@server_ip

This prevents brute-force password attacks.

How to Deny SSH Access in Linux?

Sometimes, you may want to block specific users or groups from accessing your server remotely — for example, to lock down a former employee or protect the root account.

Here’s how to do it efficiently and securely.

Deny Users via sshd_config

Edit the same SSH config file:

bash
sudo nano /etc/ssh/sshd_config

Add the following directive at the end:

bash
DenyUsers username1 username2

You can also block entire groups:

bash
DenyGroups groupname

Save and restart SSH:

bash
sudo systemctl restart sshd

Disable Root Login via SSH

It’s a security best practice to block root access:

Inside /etc/ssh/sshd_config, set:

bash
PermitRootLogin no

Restart the SSH service again.

Restrict SSH by IP Address

Want to deny SSH access from certain IPs? Use TCP wrappers or firewall rules.

Edit /etc/hosts.deny and add:

bash
sshd: 192.168.1.100

Then edit /etc/hosts.allow to whitelist trusted IPs:

bash
sshd: 192.168.1.50

Or with UFW:

bash
sudo ufw deny from 192.168.1.100 to any port 22

This method gives you IP-level control over SSH access.

By now, you’ve seen how easily you can control who gets SSH access and who doesn’t — whether you’re opening the gates for trusted users or locking down your server from unwanted logins. But remember, a secure configuration starts with a reliable hosting provider.

If you’re looking for a powerful, developer-friendly, and secure environment to manage your Linux servers, QloudHost is a name you can trust. With full root access, high-performance VPS and dedicated servers, and 100% DMCA ignored privacy — QloudHost gives you the freedom and control you need, backed by rock-solid infrastructure. Ready to manage your servers the right way?

Host smart. Host with QloudHost.

FAQs – How to Allow or Deny SSH Access In Linux

1. How do I know if SSH is enabled on my Linux server?

To check whether the SSH service is running on your Linux system, use the following command:

bash
sudo systemctl status sshd

If the service is active, you’ll see a status like “active (running)” in green. Alternatively, you can use:

bash
ss -tulpn | grep ssh

This checks if the SSH daemon is listening on the expected port (usually port 22). If it’s not running, you can enable it using:

bash
sudo systemctl start sshd
sudo systemctl enable sshd

2. Can I allow SSH access to a group instead of individual users?

Yes, Linux allows you to grant SSH access to specific user groups using the AllowGroups directive in the SSH configuration file.

To do this:

  1. Open the SSH config file: bashCopyEditsudo nano /etc/ssh/sshd_config
  2. Add the line: bashCopyEditAllowGroups sshusers

Make sure the users you want to grant access to are members of the sshusers group:

bash
sudo usermod -aG sshusers username

Then restart SSH to apply the changes:

bash
sudo systemctl restart sshd

3. What happens if I misconfigure sshd_config?

A misconfigured sshd_config file can lock you out of your server, especially if you’re connected remotely via SSH. To avoid this:

  • Always test the configuration before restarting SSH: bashCopyEditsshd -t This checks for syntax errors.
  • Keep an open SSH session when making changes so you don’t lose access.
  • Consider setting a short timeout when restarting the SSH service, like: bashCopyEditsudo systemctl restart sshd && sleep 5 && echo "Restarted"

Always double-check user and port configurations before applying changes.

4. Is it safe to use SSH with just a password?

Using SSH with passwords is functional, but not the most secure option. Password authentication is vulnerable to brute-force attacks, especially if the password is weak or reused.

The recommended best practice is to use SSH key-based authentication:

  • It eliminates the risk of password guessing.
  • You can disable password login entirely using: bashCopyEditPasswordAuthentication no

With key-based authentication, only clients with the correct private key can access your server — making it far more secure.

5. How to change the default SSH port?

Changing the default SSH port (22) can help reduce unauthorized login attempts and automated attacks.

Here’s how to do it:

  1. Open the SSH configuration file: bashCopyEditsudo nano /etc/ssh/sshd_config
  2. Locate or add the Port directive and set a new port (e.g., 2222): bashCopyEditPort 2222
  3. Save the file and restart SSH: bashCopyEditsudo systemctl restart sshd
  4. Update your firewall rules to allow the new port: bashCopyEditsudo ufw allow 2222/tcp
  5. Connect using: bashCopyEditssh -p 2222 user@your_server_ip

6. How can I check SSH login attempts?

To monitor SSH login attempts, you can view authentication logs. These logs provide detailed information about successful and failed logins.

On most systems:

bash
sudo cat /var/log/auth.log | grep sshd

Or for systems using journalctl:

bash
sudo journalctl -u sshd

To see failed login attempts specifically:

bash
sudo grep "Failed password" /var/log/auth.log

This helps you detect potential unauthorized access attempts or brute-force attacks.

7. What is the correct permission for SSH?

The correct permission for your SSH private key file (like id_rsa) should be 600 (chmod 600 filename) so only the owner can read and write it.
The .ssh directory itself should have permission 700 to restrict access to your user only.
For the authorized_keys file, the recommended permission is also 600 to maintain secure SSH access.

8. Can I block SSH access temporarily for maintenance?

Yes, you can temporarily disable SSH access for maintenance, but proceed with caution, especially if you rely on remote access.

Here’s how:

  • To stop the SSH service: bashCopyEditsudo systemctl stop sshd
  • To block SSH via firewall (temporarily): bashCopyEditsudo ufw deny ssh

Be sure to have local console access or another way to reconnect in case you need to reverse the changes. Once maintenance is complete, re-enable SSH:

bash
sudo systemctl start sshd

or

bash
sudo ufw allow ssh

Conclusion – How to Allow or Deny SSH Access In Linux

SSH is a powerful and essential tool — but without proper access control, it can also be a security risk. In this article, we walked you through how to allow or deny SSH access in Linux, from editing configuration files to setting user permissions and managing firewall rules.

Whether you’re an admin hardening your server or a dev setting up secure access — these best practices will help keep your Linux system safe, stable, and accessible only to the right people.

Stay secure. Stay in control.

FacebookXRedditPinterest
Alam

Hi, I'm Alam! I have been working in the web hosting industry for 4+ years, specializing in server configurations and privacy-focused hosting solutions. My goal is to help you navigate the world of offshore hosting with confidence. I publish new guides and articles here on QloudHost to keep you updated.
Note: Due to the privacy-focused nature of our work, 'Alam' is a professional pseudonym used by our technical lead. Want to learn more? Check out the QloudHost YouTube Channel @qloudhost

More to Explore

Leave a Reply

Your email address will not be published. Required fields are marked *