Ever worried someone might access your Linux server without permission?
SSH (Secure Shell) is the lifeline of system administrators. It gives you remote control over Linux servers — but with great power comes the need for strong control. Do you want to allow specific users to access your server, or block unauthorized logins? You’re in the right place.
In this comprehensive guide, we’ll walk you through everything about controlling SSH access in Linux — whether you want to allow it for select users or deny it entirely.
Let’s dive in. 
What is SSH Access?
Let’s first understand what SSH really means in simple terms.
SSH (Secure Shell) is a protocol used to securely log into a remote system over a network. It encrypts all traffic and allows administrators and developers to execute commands, transfer files, and manage services without needing physical access.
Whether you’re running a VPS, dedicated server, or local Linux machine — SSH is the most common remote administration method.
By default, most Linux distributions come with OpenSSH installed. Once SSH is enabled and running, it listens on port 22 (unless changed) and can be accessed using:
bashssh username@hostname
But to secure it properly, you need to control who can or cannot log in via SSH.
How to Allow SSH Access in Linux?
If you’re setting up a secure environment, granting SSH access only to trusted users is a smart move. This helps minimize security risks and protects critical system resources.
Let’s explore how you can do this step by step.
Add a User for SSH Access
Before allowing SSH access, make sure the user exists:
bashsudo adduser username
Edit the SSH Configuration File
SSH settings are managed through the /etc/ssh/sshd_config file.
Open the file with your preferred text editor:
bashsudo nano /etc/ssh/sshd_config
Now, look for the directive AllowUsers. If it doesn’t exist, add it at the bottom of the file:
bashAllowUsers username1 username2
This line will allow only listed users to connect via SSH.
Restart the SSH Service
Once you’ve saved the config file, apply changes:
bashsudo systemctl restart sshd
Your configuration is now active.
Allow SSH Through the Firewall
If you’re using a firewall (like ufw or firewalld), don’t forget to allow SSH traffic.
For UFW:
bashsudo ufw allow ssh
Or for a custom port:
bashsudo ufw allow 2222/tcp
For Firewalld:
bashsudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Use SSH Keys for Better Security
Instead of passwords, it’s better to allow access using SSH key authentication.
- Generate an SSH key on the client: bashCopyEdit
ssh-keygen - Copy the key to the server: bashCopyEdit
ssh-copy-id username@server_ip
This prevents brute-force password attacks.
How to Deny SSH Access in Linux?
Sometimes, you may want to block specific users or groups from accessing your server remotely — for example, to lock down a former employee or protect the root account.
Here’s how to do it efficiently and securely.
Deny Users via sshd_config
Edit the same SSH config file:
bashsudo nano /etc/ssh/sshd_config
Add the following directive at the end:
bashDenyUsers username1 username2
You can also block entire groups:
bashDenyGroups groupname
Save and restart SSH:
bashsudo systemctl restart sshd
Disable Root Login via SSH
It’s a security best practice to block root access:
Inside /etc/ssh/sshd_config, set:
bashPermitRootLogin no
Restart the SSH service again.
Restrict SSH by IP Address
Want to deny SSH access from certain IPs? Use TCP wrappers or firewall rules.
Edit /etc/hosts.deny and add:
bashsshd: 192.168.1.100
Then edit /etc/hosts.allow to whitelist trusted IPs:
bashsshd: 192.168.1.50
Or with UFW:
bashsudo ufw deny from 192.168.1.100 to any port 22
This method gives you IP-level control over SSH access.
By now, you’ve seen how easily you can control who gets SSH access and who doesn’t — whether you’re opening the gates for trusted users or locking down your server from unwanted logins. But remember, a secure configuration starts with a reliable hosting provider.
If you’re looking for a powerful, developer-friendly, and secure environment to manage your Linux servers, QloudHost is a name you can trust. With full root access, high-performance VPS and dedicated servers, and 100% DMCA ignored privacy — QloudHost gives you the freedom and control you need, backed by rock-solid infrastructure. Ready to manage your servers the right way?
Host smart. Host with QloudHost.
While securing SSH access is a key part of server management, optimizing your server’s performance is just as important. If you’re using Linux for web hosting or application deployment, you should definitely check out our guide on What is NGINX? — it explains how this powerful web server works and why it’s a favorite among high-performance hosting setups.
If you’re experiencing slow load times or performance issues on your website, don’t miss our detailed guide on How to Improve Website Performance. It walks you through practical, beginner-to-advanced strategies to boost your site speed, enhance user experience, and rank higher on search engines. Whether you’re using WordPress, VPS hosting, or running a media-rich platform, this guide has everything you need to make your website lightning fast and fully optimized.
FAQs – How to Allow or Deny SSH Access In Linux
1. How do I know if SSH is enabled on my Linux server?
To check whether the SSH service is running on your Linux system, use the following command:
bashsudo systemctl status sshd
If the service is active, you’ll see a status like “active (running)” in green. Alternatively, you can use:
bashss -tulpn | grep ssh
This checks if the SSH daemon is listening on the expected port (usually port 22). If it’s not running, you can enable it using:
bashsudo systemctl start sshd
sudo systemctl enable sshd
2. Can I allow SSH access to a group instead of individual users?
Yes, Linux allows you to grant SSH access to specific user groups using the AllowGroups directive in the SSH configuration file.
To do this:
- Open the SSH config file: bashCopyEdit
sudo nano /etc/ssh/sshd_config - Add the line: bashCopyEdit
AllowGroups sshusers
Make sure the users you want to grant access to are members of the sshusers group:
bashsudo usermod -aG sshusers username
Then restart SSH to apply the changes:
bashsudo systemctl restart sshd
3. What happens if I misconfigure sshd_config?
A misconfigured sshd_config file can lock you out of your server, especially if you’re connected remotely via SSH. To avoid this:
- Always test the configuration before restarting SSH: bashCopyEdit
sshd -tThis checks for syntax errors. - Keep an open SSH session when making changes so you don’t lose access.
- Consider setting a short timeout when restarting the SSH service, like: bashCopyEdit
sudo systemctl restart sshd && sleep 5 && echo "Restarted"
Always double-check user and port configurations before applying changes.
4. Is it safe to use SSH with just a password?
Using SSH with passwords is functional, but not the most secure option. Password authentication is vulnerable to brute-force attacks, especially if the password is weak or reused.
The recommended best practice is to use SSH key-based authentication:
- It eliminates the risk of password guessing.
- You can disable password login entirely using: bashCopyEdit
PasswordAuthentication no
With key-based authentication, only clients with the correct private key can access your server — making it far more secure.
5. How to change the default SSH port?
Changing the default SSH port (22) can help reduce unauthorized login attempts and automated attacks.
Here’s how to do it:
- Open the SSH configuration file: bashCopyEdit
sudo nano /etc/ssh/sshd_config - Locate or add the
Portdirective and set a new port (e.g., 2222): bashCopyEditPort 2222 - Save the file and restart SSH: bashCopyEdit
sudo systemctl restart sshd - Update your firewall rules to allow the new port: bashCopyEdit
sudo ufw allow 2222/tcp - Connect using: bashCopyEdit
ssh -p 2222 user@your_server_ip
6. How can I check SSH login attempts?
To monitor SSH login attempts, you can view authentication logs. These logs provide detailed information about successful and failed logins.
On most systems:
bashsudo cat /var/log/auth.log | grep sshd
Or for systems using journalctl:
bashsudo journalctl -u sshd
To see failed login attempts specifically:
bashsudo grep "Failed password" /var/log/auth.log
This helps you detect potential unauthorized access attempts or brute-force attacks.
7. Can I block SSH access temporarily for maintenance?
Yes, you can temporarily disable SSH access for maintenance, but proceed with caution, especially if you rely on remote access.
Here’s how:
- To stop the SSH service: bashCopyEdit
sudo systemctl stop sshd - To block SSH via firewall (temporarily): bashCopyEdit
sudo ufw deny ssh
Be sure to have local console access or another way to reconnect in case you need to reverse the changes. Once maintenance is complete, re-enable SSH:
bashsudo systemctl start sshd
or
bashsudo ufw allow ssh
Conclusion – How to Allow or Deny SSH Access In Linux
SSH is a powerful and essential tool — but without proper access control, it can also be a security risk. In this article, we walked you through how to allow or deny SSH access in Linux, from editing configuration files to setting user permissions and managing firewall rules.
Whether you’re an admin hardening your server or a dev setting up secure access — these best practices will help keep your Linux system safe, stable, and accessible only to the right people.
Stay secure. Stay in control.
Leave a Comment