{"id":5253,"date":"2026-03-27T12:02:47","date_gmt":"2026-03-27T06:32:47","guid":{"rendered":"https:\/\/qloudhost.com\/blog\/?p=5253"},"modified":"2026-03-27T12:02:50","modified_gmt":"2026-03-27T06:32:50","slug":"how-to-allow-deny-ssh-access-linux","status":"publish","type":"post","link":"https:\/\/qloudhost.com\/blog\/how-to-allow-deny-ssh-access-linux","title":{"rendered":"How to Allow or Deny SSH Access In Linux 2026? – Complete Guide"},"content":{"rendered":"\n

Ever worried someone might access your Linux server without permission?<\/p>\n\n\n\n

SSH (Secure Shell) is the lifeline of system administrators. It gives you remote control over Linux servers \u2014 but with great power comes the need for strong control. Do you want to allow specific users<\/strong> to access your server, or block unauthorized logins<\/strong>? You\u2019re in the right place.<\/p>\n\n\n\n

In this comprehensive guide, we\u2019ll walk you through everything about controlling SSH access in Linux \u2014 whether you want to allow it for select users or deny it entirely. <\/p>\n\n\n\n

Let\u2019s dive in.<\/strong> \ud83d\udc47<\/p>\n\n\n\n

\n\n\n\n

What is SSH Access?<\/h2>\n\n\n\n

Let\u2019s first understand what SSH really means in simple terms.<\/p>\n\n\n\n

\n

SSH (Secure Shell)<\/strong> is a protocol used to securely log into a remote system over a network. It encrypts all traffic and allows administrators and developers to execute commands, transfer files, and manage services without needing physical access.<\/p>\n<\/div>

\"What<\/figure><\/div>\n\n\n\n

Whether you\u2019re running a VPS, dedicated server<\/a>, or local Linux machine \u2014 SSH is the most common remote administration method.<\/strong><\/p>\n\n\n\n

By default, most Linux distributions come with OpenSSH installed. Once SSH is enabled and running, it listens on port 22<\/code> (unless changed) and can be accessed using:<\/p>\n\n\n\n

bash

ssh username@hostname
<\/code><\/pre>\n\n\n\n
But to secure it properly, you need to control who can or cannot log in via SSH.<\/strong><\/p>\n\n\n\n
\n\n\n\n
How to Allow SSH Access in Linux?<\/h2>\n\n\n\n
If you’re setting up a secure environment, granting SSH access only to trusted users is a smart move. This helps minimize security risks and protects critical system resources.<\/p>\n\n\n\n
Let\u2019s explore how you can do this step by step.<\/p>\n\n\n\n
Add a User for SSH Access<\/h3>\n\n\n\n
Before allowing SSH access, make sure the user exists:<\/p>\n\n\n\n
bash
sudo adduser username<\/code><\/pre>\n\n\n\n
Edit the SSH Configuration File<\/h3>\n\n\n\n
SSH settings are managed through the \/etc\/ssh\/sshd_config<\/code> file.<\/p>\n\n\n\n
Open the file with your preferred text editor:<\/p>\n\n\n\n
bash
sudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
Now, look for the directive AllowUsers<\/code>. If it doesn\u2019t exist, add it at the bottom of the file:<\/p>\n\n\n\n
bash
AllowUsers username1 username2<\/code><\/pre>\n\n\n\n
This line will allow only listed users<\/strong> to connect via SSH.<\/p>\n\n\n\n
Restart the SSH Service<\/h4>\n\n\n\n
Once you\u2019ve saved the config file, apply changes:<\/p>\n\n\n\n
bash
sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
Your configuration is now active.<\/p>\n\n\n\n
Allow SSH Through the Firewall<\/h4>\n\n\n\n
If you’re using a firewall (like ufw<\/code> or firewalld<\/code>), don\u2019t forget to allow SSH traffic.<\/p>\n\n\n\n
For UFW:<\/p>\n\n\n\n
bash
sudo ufw allow ssh<\/code><\/pre>\n\n\n\n
Or for a custom port:<\/p>\n\n\n\n
bash
sudo ufw allow 2222\/tcp<\/code><\/pre>\n\n\n\n
For Firewalld:<\/p>\n\n\n\n
bash
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload<\/code><\/pre>\n\n\n\n
Use SSH Keys for Better Security<\/h4>\n\n\n\n
Instead of passwords, it\u2019s better to allow access using SSH key authentication<\/strong>.<\/p>\n\n\n\n
    \n
  1. Generate an SSH key on the client: bashCopyEditssh-keygen<\/code><\/li>\n\n\n\n
  2. Copy the key to the server: bashCopyEditssh-copy-id username@server_ip<\/code><\/li>\n<\/ol>\n\n\n\n
    This prevents brute-force password attacks.<\/p>\n\n\n\n
    \n\n\n\n
    How to Deny SSH Access in Linux?<\/h2>\n\n\n\n
    Sometimes, you may want to block specific users or groups<\/strong> from accessing your server remotely \u2014 for example, to lock down a former employee or protect the root<\/code> account.<\/p>\n\n\n\n
    Here\u2019s how to do it efficiently and securely.<\/p>\n\n\n\n
    Deny Users via sshd_config<\/h3>\n\n\n\n
    Edit the same SSH config file:<\/p>\n\n\n\n
    bash
    sudo nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
    Add the following directive at the end:<\/p>\n\n\n\n
    bash
    DenyUsers username1 username2<\/code><\/pre>\n\n\n\n
    You can also block entire groups:<\/p>\n\n\n\n
    bash
    DenyGroups groupname<\/code><\/pre>\n\n\n\n
    Save and restart SSH:<\/p>\n\n\n\n
    bash
    sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
    Disable Root Login via SSH<\/h4>\n\n\n\n
    It’s a security best practice<\/strong> to block root access:<\/p>\n\n\n\n
    Inside \/etc\/ssh\/sshd_config<\/code>, set:<\/p>\n\n\n\n
    bash
    PermitRootLogin no<\/code><\/pre>\n\n\n\n
    Restart the SSH service again.<\/p>\n\n\n\n
    Restrict SSH by IP Address<\/h4>\n\n\n\n
    Want to deny SSH access from certain IPs? Use TCP wrappers or firewall rules.<\/p>\n\n\n\n
    Edit \/etc\/hosts.deny<\/code> and add:<\/p>\n\n\n\n
    bash
    sshd: 192.168.1.100<\/code><\/pre>\n\n\n\n
    Then edit \/etc\/hosts.allow<\/code> to whitelist trusted IPs:<\/p>\n\n\n\n
    bash
    sshd: 192.168.1.50<\/code><\/pre>\n\n\n\n
    Or with UFW:<\/p>\n\n\n\n
    bash
    sudo ufw deny from 192.168.1.100 to any port 22<\/code><\/pre>\n\n\n\n
    This method gives you IP-level control over SSH access.<\/p>\n\n\n\n
    By now, you\u2019ve seen how easily you can control who gets SSH access<\/a> and who doesn\u2019t \u2014 whether you\u2019re opening the gates for trusted users or locking down your server from unwanted logins. But remember, a secure configuration starts with a reliable hosting provider<\/strong>.<\/p>\n\n\n\n
    If you\u2019re looking for a powerful, developer-friendly, and secure environment to manage your Linux servers, QloudHost<\/a><\/strong> is a name you can trust. With full root access, high-performance VPS<\/a><\/strong> and dedicated servers<\/strong>, and 100% DMCA ignored<\/strong> privacy \u2014 QloudHost gives you the freedom and control you need, backed by rock-solid infrastructure. Ready to manage your servers the right way?<\/p>\n\n\n\n
    Host smart. Host with QloudHost.<\/p>\n\n\n\n
    \n\n\n\n
    FAQs – How to Allow or Deny SSH Access In Linux<\/h2>\n\n\n\n
    1. How do I know if SSH is enabled on my Linux server?<\/strong><\/h4>\n\n\n\n
    To check whether the SSH service is running on your Linux system, use the following command:<\/p>\n\n\n\n
    bash
    sudo systemctl status sshd<\/code><\/pre>\n\n\n\n
    If the service is active, you\u2019ll see a status like \u201cactive (running)\u201d<\/strong> in green. Alternatively, you can use:<\/p>\n\n\n\n
    bash
    ss -tulpn | grep ssh<\/code><\/pre>\n\n\n\n
    This checks if the SSH daemon is listening on the expected port (usually port 22). If it\u2019s not running, you can enable it using:<\/p>\n\n\n\n
    bash
    sudo systemctl start sshd
    sudo systemctl enable sshd<\/code><\/pre>\n\n\n\n
    \n\n\n\n
    2. Can I allow SSH access to a group instead of individual users?<\/strong><\/h4>\n\n\n\n
    Yes, Linux allows you to grant SSH access to specific user groups using the AllowGroups<\/code> directive in the SSH configuration file.<\/p>\n\n\n\n
    To do this:<\/p>\n\n\n\n
      \n
    1. Open the SSH config file: bashCopyEditsudo nano \/etc\/ssh\/sshd_config<\/code><\/li>\n\n\n\n
    2. Add the line: bashCopyEditAllowGroups sshusers<\/code><\/li>\n<\/ol>\n\n\n\n
      Make sure the users you want to grant access to are members of the sshusers<\/code> group:<\/p>\n\n\n\n
      bash
      sudo usermod -aG sshusers username<\/code><\/pre>\n\n\n\n
      Then restart SSH to apply the changes:<\/p>\n\n\n\n
      bash
      sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
      \n\n\n\n
      3. What happens if I misconfigure sshd_config?<\/strong><\/h4>\n\n\n\n
      A misconfigured sshd_config<\/code> file can lock you out of your server<\/strong>, especially if you\u2019re connected remotely via SSH. To avoid this:<\/p>\n\n\n\n
        \n
      • Always test the configuration<\/strong> before restarting SSH: bashCopyEditsshd -t<\/code> This checks for syntax errors.<\/li>\n\n\n\n
      • Keep an open SSH session<\/strong> when making changes so you don\u2019t lose access.<\/li>\n\n\n\n
      • Consider setting a short timeout<\/strong> when restarting the SSH service, like: bashCopyEditsudo systemctl restart sshd && sleep 5 && echo \"Restarted\"<\/code><\/li>\n<\/ul>\n\n\n\n
        Always double-check user and port configurations before applying changes.<\/p>\n\n\n\n
        \n\n\n\n
        4. Is it safe to use SSH with just a password?<\/strong><\/h4>\n\n\n\n
        Using SSH with passwords is functional, but not the most secure option. Password authentication is vulnerable to brute-force attacks<\/strong>, especially if the password is weak or reused.<\/p>\n\n\n\n
        The recommended best practice is to use SSH key-based authentication<\/strong>:<\/p>\n\n\n\n
          \n
        • It eliminates the risk of password guessing.<\/li>\n\n\n\n
        • You can disable password login entirely using: bashCopyEditPasswordAuthentication no<\/code><\/li>\n<\/ul>\n\n\n\n
          With key-based authentication, only clients with the correct private key can access your server \u2014 making it far more secure.<\/p>\n\n\n\n
          \n\n\n\n
          5. How to change the default SSH port?<\/strong><\/h4>\n\n\n\n
          Changing the default SSH port (22) can help reduce unauthorized login attempts and automated attacks.<\/p>\n\n\n\n
          Here\u2019s how to do it:<\/p>\n\n\n\n
            \n
          1. Open the SSH configuration file: bashCopyEditsudo nano \/etc\/ssh\/sshd_config<\/code><\/li>\n\n\n\n
          2. Locate or add the Port<\/code> directive and set a new port (e.g., 2222): bashCopyEditPort 2222<\/code><\/li>\n\n\n\n
          3. Save the file and restart SSH: bashCopyEditsudo systemctl restart sshd<\/code><\/li>\n\n\n\n
          4. Update your firewall rules to allow the new port: bashCopyEditsudo ufw allow 2222\/tcp<\/code><\/li>\n\n\n\n
          5. Connect using: bashCopyEditssh -p 2222 user@your_server_ip<\/code><\/li>\n<\/ol>\n\n\n\n
            \n\n\n\n
            6. How can I check SSH login attempts?<\/strong><\/h4>\n\n\n\n
            To monitor SSH login attempts, you can view authentication logs. These logs provide detailed information about successful and failed logins.<\/p>\n\n\n\n
            On most systems:<\/p>\n\n\n\n
            bash
            sudo cat \/var\/log\/auth.log | grep sshd<\/code><\/pre>\n\n\n\n
            Or for systems using journalctl<\/code>:<\/p>\n\n\n\n
            bash
            sudo journalctl -u sshd<\/code><\/pre>\n\n\n\n
            To see failed login attempts specifically:<\/p>\n\n\n\n
            bash
            sudo grep \"Failed password\" \/var\/log\/auth.log<\/code><\/pre>\n\n\n\n
            This helps you detect potential unauthorized access attempts or brute-force attacks.<\/p>\n\n\n\n
            \n\n\n\n
            7. What is the correct permission for SSH?<\/h4>\n\n\n\n
            The correct permission for your SSH private key file (like id_rsa<\/code>) should be 600<\/strong> (chmod 600 filename<\/code>) so only the owner can read and write it.
            The .ssh<\/code> directory itself should have permission 700<\/strong> to restrict access to your user only.
            For the authorized_keys<\/code> file, the recommended permission is also 600<\/strong> to maintain secure SSH access.<\/p>\n\n\n\n
            \n\n\n\n
            8. Can I block SSH access temporarily for maintenance?<\/strong><\/h4>\n\n\n\n
            Yes, you can temporarily disable SSH access for maintenance, but proceed with caution<\/strong>, especially if you rely on remote access.<\/p>\n\n\n\n
            Here\u2019s how:<\/p>\n\n\n\n
              \n
            • To stop the SSH service<\/strong>: bashCopyEditsudo systemctl stop sshd<\/code><\/li>\n\n\n\n
            • To block SSH via firewall<\/strong> (temporarily): bashCopyEditsudo ufw deny ssh<\/code><\/li>\n<\/ul>\n\n\n\n
              Be sure to have local console access<\/strong> or another way to reconnect in case you need to reverse the changes. Once maintenance is complete, re-enable SSH:<\/p>\n\n\n\n
              bash
              sudo systemctl start sshd<\/code><\/pre>\n\n\n\n
              or<\/p>\n\n\n\n
              bash
              sudo ufw allow ssh<\/code><\/pre>\n\n\n\n
              \n\n\n\n
              Conclusion – How to Allow or Deny SSH Access In Linux<\/h2>\n\n\n\n
              SSH is a powerful and essential tool \u2014 but without proper access control, it can also be a security risk. In this article, we walked you through how to allow or deny SSH access in Linux<\/strong>, from editing configuration files to setting user permissions and managing firewall rules.<\/p>\n\n\n\n
              Whether you\u2019re an admin hardening your server or a dev setting up secure access \u2014 these best practices will help keep your Linux system safe, stable, and accessible only to the right people.<\/p>\n\n\n\n
              Stay secure. Stay in control.<\/p>\n","protected":false},"excerpt":{"rendered":"
              Ever worried someone might access your Linux server without permission? SSH (Secure Shell) is the lifeline…<\/p>\n","protected":false},"author":3,"featured_media":5256,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[47],"tags":[690,689],"class_list":["post-5253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase","tag-allow-or-deny-ssh-access-in-linux","tag-how-to-allow-or-deny-ssh-access-in-linux"],"acf":[],"_links":{"self":[{"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/posts\/5253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/comments?post=5253"}],"version-history":[{"count":7,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/posts\/5253\/revisions"}],"predecessor-version":[{"id":10049,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/posts\/5253\/revisions\/10049"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/media\/5256"}],"wp:attachment":[{"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/media?parent=5253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/categories?post=5253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qloudhost.com\/blog\/wp-json\/wp\/v2\/tags?post=5253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}