Sign In
Sign In

How to Install and Configure SSH on an Ubuntu Server

How to Install and Configure SSH on an Ubuntu Server
Hostman Team
Technical writer
Ubuntu
24.11.2023
Reading time: 10 min

Secure Shell (SSH) is a network protocol for secure client-server communication. Each interaction is encrypted. It allows you to securely manage the server, transfer files, and perform other tasks. 

For example, you have ordered a cloud server on Hostman and want to manage it from your laptop. To do this, you only need to set up SSH access. Through a secure connection, you will be able to perform all necessary administration actions.

For successful configuration, you need to: 

  1. Install the SSH server components on your server. The openssh-server package will cover that.

  2. Have the SSH client on your local machine from which you will connect to the remote host. 

    For this purpose, the openssh-client package is usually used. It's pre-installed in most Linux and BSD distributions and also in the latest Windows versions. On older versions of Windows, you'll need to install additional utilities. One of the most popular solutions is PuTTY.

Enabling SSH

By default, remote access via a secure network protocol is forbidden. However, installing SSH in Ubuntu is very easy.

Start the console of the server where you need to configure SSH. 

Update the package manager:

sudo apt update

Install the software:

sudo apt install openssh-server

Both operations require superuser rights, which you get with sudo.

On Ubuntu, the OpenSSH starts automatically after installation but you can check its status using the command:

sudo systemctl status ssh

The output should indicate that the service is running and allowed to start on system boot: 

ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-03-21 12:34:00 CEST; 1m ago

This means that the installation was successful. To return to the command prompt, press the q key.

If the service is not active, start it manually with the command:

sudo systemctl enable --now ssh

Ubuntu comes with a firewall configuration tool called UFW. If you have a firewall enabled on your system, be sure to open the SSH port:

sudo ufw allow ssh

Now you can connect to your Ubuntu system via SSH from any remote computer.

-

Creating an SSH key pair

To make the connection even more secure and authentication more convenient, use an SSH key pair: a public and a private SSH keys. The public key is stored on the host, and the private key is stored on the user's computer.

Let's see how to create keys in different operating systems. Let's start with Ubuntu.

To generate a new 2048-bit RSA key pair, open a terminal and run the command below:

ssh-keygen -t rsa

A prompt will appear asking you where to save the keys. If you press Enter, the system will save the key pair in the default .ssh subdirectory of the home folder. You can also specify an alternate path where you want to save the key pair. However, it is recommended to use the default directory. It makes further management much easier.

If you have already created a key pair on the client computer, the system will prompt you to overwrite it. The choice is entirely up to you, but be careful. If you choose to overwrite it, you will not be able to use the previous key pair to log in to the server. It will be deleted. Fixing the conflict is easy; just specify a unique name for each new pair. The storage folder can remain the same.

You will also be prompted to enter a passphrase to add an extra layer of security that prevents unauthorized users from accessing the host. Press Enter if you do not want to use it.

To verify that the keys have been created, run the command:

ls -l ~/.ssh/id_*.pub. 

The terminal will display a list of keys.

Similarly, you can generate a pair on macOS or newer Windows versions.

If you're using an older Windows OS, you'll need to download the PuTTY utility suite. It contains the PuTTYgen application. To create an SSH key pair, all you need to do is run the PuTTYgen and swipe with your mouse. You can also select a folder to store the keys and add a passphrase for maximum protection.

Adding the SSH key to the server

The private key is stored on the computer. You should never transfer it to anyone. But you need to transmit the public part to the server.

If you have password access to the host, you can transfer the public key using ssh-copy-id. Example command:

ssh-copy-id hostman@123.456.78.99 

Instead of hostman enter your username, instead of 123.456.78.99 enter the server IP address. Enter the password when prompted, and after which the public key will be transferred to the host.

To connect to the server using the SSH keys, run the command:

ssh hostman@123.456.78.99

Instead of hostman enter your username, instead of 123.456.78.99 enter the server IP address. If you have not set a passphrase, you will log in without further authentication. The security system will check the public and private parts of the key and establish a connection if they match. 

Configuring SSH

You can configure your Ubuntu Server through the /etc/ssh/sshd_config file. Before making changes to it, make a backup copy. It will keep you from wasting time on reinstallation if you suddenly make a mistake.

To make a copy, run the command:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults

The /etc/ssh/sshd_config.factory-defaults will store the default settings. You will be editing the /etc/ssh/sshd_config file.

Disabling password authentication

SSH password authentication on the Ubuntu Server isn't bad. But if you create long, complex passwords, you can be tempted to store them insecurely. Using encryption keys to authenticate the connection is a more secure alternative. In this case, the password may be unnecessary and you can disable it.

Before proceeding, keep the following in mind:

Disabling password authentication increases the likelihood of being locked out of your server. You can be locked out if you lose your private key or break the ~/.authorized_keys file .

If you are locked out, you can no longer access any application files.

You should only disable password authentication if you are very familiar with the key authentication mechanism and understand the potential consequences of losing access to your server.

To disable password authentication, connect to the server as root and edit the sshd_config file. Change the PasswordAuthentication parameter value to No instead of Yes

Then restart the SSH service by running the following command:

sudo systemctl restart sshd

After that, you will no longer be able to use passwords for authentication. You will only be able to connect using Linux SSH keys.

Disabling root access

To improve security on your remote Ubuntu system, consider disabling root user login via SSH.

To do this, edit the configuration file:

sudo vi /etc/ssh/sshd_config

Change the PermitRootLogin value to No.

Another option is allowing the root user to log in using any authentication mechanism other than a password. To do this, set the PermitRootLogin parameter to prohibit-password.

This configuration lets you log in as the root user with a private key. The main thing is to ensure that you have copied the public key to the system before restarting the SSH service.

To apply the updated configuration, restart the service:

sudo systemctl restart sshd

Changing the default port

By default, the SSH server uses port 22. To increase security, you can set it to any other value. We recommend using ports from the upper range, from 50000 to 65000. It is also preferable to pick numbers in which all digits are different, for example, 56713.

Open the configuration file:

sudo vi /etc/ssh/sshd_config

Uncomment the line Port 22. Instead of 22, specify another number, for example, Port 56713. Save the changes and close the file.

To apply the configuration, restart the service:

sudo systemctl restart sshd

After a successful restart, verify that the connection is now on a different port:

ssh -p 56713 user@server_ip

Remember to restart the service after each change. Otherwise, SSH connections will follow the old rules.

Configuring tunneling

Tunneling is a method of transmitting unencrypted traffic or data over an encrypted channel. In addition to file transfers, tunneling can also be used to access internal network services through firewalls and to create a VPN.

There are three types of tunneling (forwarding):

  • Local,

  • remote,

  • dynamic.

To configure some of them, you will need to edit the SSH configuration file.

Local forwarding

It is a port forwarding from a client computer to a remote computer. The connection is then redirected to another port on the target computer.

The SSH client checks for a connection on the given port. When it receives a connection request, it tunnels it with the specified port on the remote host. The host then connects to another target computer through the configured port.

Mostly, local forwarding is used to connect externally to a service from an internal network. For example, this is how you can configure access to a database. It is also used for remote file sharing.

The -L argument is used for local forwarding. For example:

ssh hostman@server.example -L 8080:server1.example:3000 

Now open a browser on the local computer. You can use localhost:8080 to access the remote application instead of accessing it using the address server.example:3000.

Remote redirection

Remote redirection allows you to connect to a local computer from a remote computer. SSH does not support remote port forwarding by default. Therefore, you need to enable it in the SSH configuration file. It will require some additional configuration of the Ubuntu server. 

Open the configuration file:

sudo vi /etc/ssh/sshd_config 

Set the GatewayPorts parameter to Yes.

Save the changes and restart the service:

sudo systemctl restart sshd

Use the -R argument to configure forwarding. Example command:

ssh -R 8080:127.0.0.0.1:3000 -N -f user@remote.host 

After running this command, the host will listen on port 8080 and redirect all traffic to port 3000, which is open on the local computer.

Remote redirection is mainly used to give someone from outside access to an internal service.

Dynamic forwarding

Local and remote forwarding methods allow you to tunnel and communicate with a single port. With dynamic forwarding, you can tunnel and communicate with multiple ports.

Dynamic tunneling creates a socket on the local computer. It works like a SOCKS proxy server. Basically, your local computer is used as a SOCKS proxy server and listens on port 1080 by default. When the host connects to this port, it is redirected to the remote machine and then to the dynamic machine through the dynamic port.

The -D argument is used to configure dynamic tunneling. Example command:

ssh -D 9090 -N -f user@remote.host

Once you have set up tunneling, you can configure your application to use it. For example, to add a proxy to the browser. You'll need to configure redirection separately for each application you want to tunnel traffic for.

Disabling SSH

To disable the Open SSH server, stop the SSH service by running the command:

sudo systemctl disable --now ssh

To start the service back up, run the command:

sudo systemctl enable --now ssh

The enable command in Ubuntu does not reinstall the software, so you don't have to reconfigure anything. It simply starts up the previously installed and configured service.

Conclusion

In this article, we have covered the basics of using SSH on an Ubuntu machine. Now you know how to install the necessary software to set up a secure connection, configure it, route the tunnel, and even disable the service when it is not in use.

Connecting via SSH in Ubuntu is a common task, so you'll definitely need this knowledge. If not in development and administration, then for personal purposes, such as establishing a secure connection between devices in a local network.

Ubuntu
24.11.2023
Reading time: 10 min

Similar

Wordpress

How to Install WordPress with Nginx and Let’s Encrypt SSL on Ubuntu

WordPress is a simple, popular, open-source, and free CMS (content management system) for creating modern websites. Today, WordPress powers nearly half of the websites worldwide. Hostman offers Wordpress cloud hosting with quick load times, robust security, and simplified management.  However, having just a content management system is not enough. Modern websites require an SSL certificate, which provides encryption and allows using a secure HTTPS connection. This short guide will show how to install WordPress on a cloud server, perform initial CMS configuration, and add an SSL certificate to the completed site, enabling users to access the website via HTTPS. The Nginx web server will receive user requests and then proxied to WordPress for processing and generating response content. A few additional components are also needed: a MySQL database, which serves as the primary data storage in WordPress, and PHP, which WordPress is written in. This technology stack is known as LEMP: Linux, Nginx, MySQL, PHP. Step 1. Creating the Server First, you will need a cloud server with Ubuntu 22.04 installed. Go to the Hostman control panel. Select the Cloud servers tab on the left side of the control panel. Click the Create button. You’ll need to configure a range of parameters that ultimately determine the server rental cost. The most important of these parameters are: The operating system distribution and its version (in our case, Ubuntu 22.04). Data center location. Physical configuration. Server information. Once all the data is filled in, click the Order button. Upon completion of the server setup, you can view the IP address of the cloud server in the Dashboard tab, and also copy the command for connecting to the server via SSH along with the root password: Next, open a terminal in your local operating system and connect via SSH with password authentication: ssh root@server_ip Replace server_ip with the IP address of your cloud server. You will then be prompted to enter the password, which you can either type manually or paste from the clipboard. After connecting, the terminal will display information about the operating system. Now you can create a user with sudo priviliges or keep using root. Step 2. Updating the System Before beginning the WordPress installation, it’s important to update the list of repositories available through the APT package manager: sudo apt update -y It’s also a good idea to upgrade already installed packages to their latest versions: sudo apt upgrade -y Now, we can move on to downloading and installing the technology stack components required for running WordPress. Step 3. Installing PHP Let's download and install the PHP interpreter. First, add a specialized repository that provides up-to-date versions of PHP: sudo add-apt-repository ppa:ondrej/php In this guide, we are using PHP version 8.3 in FPM mode (FastCGI Process Manager), along with an additional module to enable PHP’s interaction with MySQL: sudo apt install php8.3-fpm php-mysql -y The -y flag automatically answers “yes” to any prompts during the installation process. To verify that PHP is now installed on the system, you can check its version: php -v The console output should look like this: PHP 8.3.13 (cli) (built: Oct 30 2024 11:27:41) (NTS)Copyright (c) The PHP GroupZend Engine v4.3.13, Copyright (c) Zend Technologies    with Zend OPcache v8.3.13, Copyright (c), by Zend Technologies You can also check the status of the FPM service: sudo systemctl status php8.3-fpm In the console output, you should see a green status indicator: Active: active (running) Step 4. Installing MySQL The MySQL database is an essential component of WordPress, as it stores all site and user information for the CMS. Installation We’ll install the MySQL server package: sudo apt install mysql-server -y To verify the installation, check the database version: mysql --version If successful, the console output will look something like this: mysql  Ver 8.0.39-0ubuntu0.22.04.1 for Linux on x86_64 ((Ubuntu)) Also, ensure that the MySQL server is currently running by checking the database service status: sudo systemctl status mysql The console output should display a green status indicator: Active: active (running) MySQL Security This step is optional in this guide, but it’s worth mentioning. After installing MySQL, you can configure the database’s security settings: mysql_secure_installation This command will prompt a series of questions in the terminal to help you configure the appropriate level of MySQL security. Creating a Database Next, prepare a dedicated database specifically for WordPress. First, log in to MySQL: mysql Then, execute the following SQL command to create a database: CREATE DATABASE wordpress_database; You’ll also need a dedicated user for accessing this database: CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'wordpress_password'; Grant this user the necessary access permissions: GRANT ALL PRIVILEGES ON wordpress_database.* TO 'wordpress_user'@'localhost'; Finally, exit MySQL: quit Step 5. Downloading and Configuring Nginx The Nginx web server will handle incoming HTTP requests from users and proxy them to PHP via the FastCGI interface. Download and Installation We’ll download and install the Nginx web server using APT: sudo apt install nginx -y Next, verify that Nginx is indeed running as a service: systemctl status nginx In the console output, you should see a green status indicator: Active: active (running) You can also check if the web server is functioning correctly by making an HTTP request through a browser. Enter the IP address of the remote server in the address bar, where you are installing Nginx. For example: http://166.1.227.189 If everything is set up correctly, Nginx will display its default welcome page. For good measure, let’s add Nginx to the system’s startup list (though this is typically done automatically during installation): sudo systemctl enable nginx Now, you can proceed to make adjustments to the web server configuration. Configuration In this example, we’ll slightly modify the default Nginx configuration. For this, we need a text editor. We will use nano. sudo apt install nano Now open the configuration file: sudo nano /etc/nginx/sites-enabled/default If you remove all the comments, the basic configuration will look like this: server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { try_files $uri $uri/ =404; } } To this configuration, we’ll add the ability to proxy requests to PHP through FastCGI: server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; # added index.php to index files index index.html index.htm index.nginx-debian.html index.php; # specify the domain name to obtain an SSL certificate later server_name mydomain.com www.mydomain.com; location / { # try_files $uri $uri/ =404; # direct root requests to /index.php try_files $uri $uri/ /index.php?$args; } # forward all .php requests to PHP via FastCGI location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.3-fpm.sock; } } Note that the server_name parameter should contain the domain name, with DNS settings including an A record that directs to the configured server with Nginx. Now, let’s check the configuration syntax for errors: sudo nginx -t If everything is correct, you’ll see a confirmation message in the console: nginx: the configuration file /etc/nginx/nginx.conf syntax is oknginx: configuration file /etc/nginx/nginx.conf test is successful Then, reload the Nginx service to apply the new configuration: sudo systemctl reload nginx Step 6. Installing an SSL Certificate To obtain an SSL certificate from Let’s Encrypt, we’ll use a special utility called Certbot. In this guide, Certbot will automate several tasks: Request the SSL certificate. Create an additional Nginx configuration file. Edit the existing Nginx configuration file (which currently describes the HTTP server setup). Restart Nginx to apply the changes. Obtaining the Certificate Like other packages, install Certbot via APT: sudo apt install certbotsudo apt install python3-certbot-nginx The first command installs Certbot, and the second adds a Python module for Certbot’s integration with Nginx. Alternatively, you can install python3-certbot-nginx directly, which will automatically include Certbot as a dependency: sudo apt install python3-certbot-nginx -y Now, let’s initiate the process to obtain and install the SSL certificate: sudo certbot --nginx First, Certbot will prompt you to register with Let’s Encrypt. You’ll need to provide an email address, agree to the Terms of Service, and optionally opt-in for email updates (you may decline this if desired). Then, enter the list of domain names, separated by commas or spaces, for which the certificate should be issued. Specify the exact domain names that are listed in the Nginx configuration file under the server_name directive: mydomain.com www.mydomain.com After the certificate is issued, Certbot will automatically configure it by adding the necessary SSL settings to the Nginx configuration file: listen 443 ssl; # managed by Certbot # RSA certificate ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot # Redirect non-https traffic to https if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot So, the complete Nginx configuration file will look as follows: server { listen 80 default_server; listen [::]:80 default_server; listen 443 ssl; # managed by Certbot # RSA certificate ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot root /var/www/html; index index.html index.htm index.nginx-debian.html index.php; server_name domain.com www.domain.com; # Redirect non-https traffic to https if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot location / { # try_files $uri $uri/ =404; # direct root requests to /index.php try_files $uri $uri/ /index.php?$args; } # forward all .php requests to PHP via FastCGI location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.3-fpm.sock; } } Automatic Certificate Renewal Let’s Encrypt certificates expire every 90 days, so they need to be renewed regularly. Instead of manually renewing them, you can set up an automated task. For this purpose, we’ll use Crontab, a scheduling tool in Unix-based systems that uses a specific syntax to define when commands should run. Install Crontab: sudo apt install cron And enable it: sudo systemctl enable cron Now open the Crontab file: crontab -e Add the following line to schedule the Certbot renewal command: 0 12 * * * /usr/bin/certbot renew --quiet In this configuration: The command runs at noon (12:00) every day. Certbot will check the certificate’s expiration status and renew it if necessary. The --quiet flag ensures that Certbot runs silently without generating output. Step 7. Downloading WordPress In this guide, we’ll use WordPress version 6.5.3, which can be downloaded from the official website: wget https://wordpress.org/wordpress-6.5.3.tar.gz Once downloaded, unpack the WordPress archive: tar -xvf wordpress-*.tar.gz After unpacking, you can delete the archive file: rm wordpress-*.tar.gz This will create a wordpress folder containing the WordPress files. Most core files are organized in the wp-content, wp-includes, and wp-admin directories. The main entry point for WordPress is index.php. Moving WordPress Files to the Web Server Directory You need to copy all files from the wordpress folder to the web server’s root directory (/var/www/html/) so that Nginx can serve the PHP-generated content based on user HTTP requests. Clear the existing web server directory (as it currently contains only the default Nginx welcome page, which we no longer need): rm /var/www/html/* Copy WordPress files to the web server directory: cp -R wordpress/* /var/www/html/ The -R flag enables recursive copying of files and folders. Set ownership and permissions. Ensure that Nginx can access and modify these files by setting the www-data user and group ownership, as well as appropriate permissions, for the WordPress directory: sudo chown -R www-data:www-data /var/www/html/sudo chmod -R 755 /var/www/html/ This allows Nginx to read, write, and modify WordPress files as needed, avoiding permission errors during the WordPress installation process. Step 8. Configuring WordPress WordPress configuration is managed through an intuitive web-based admin panel. No programming knowledge is necessary, though familiarity with languages like JavaScript, PHP, HTML, and CSS can be helpful for creating or customizing themes and plugins. Accessing the Admin Panel Open a web browser and go to the website using the domain specified in the Nginx configuration, such as: https://mydomain.com If all components were correctly set up, you should be redirected to WordPress’s initial configuration page: https://mydomain.com/wp-admin/setup-config.php Select Language: Choose your preferred language and click Continue. Database Configuration: WordPress will prompt you to enter database details. Click Let’s go! and provide the following information: Database Name: wordpress_database (from the previous setup) Database Username: wordpress_user Database Password: wordpress_password Database Host: localhost Table Prefix: wp_ (or leave as default) Click Submit. If the credentials are correct, WordPress will confirm access to the database. Run Installation: Click Run the installation. WordPress will then guide you to enter site and admin details: Site Title Admin Username Admin Password Admin Email Option to discourage search engine indexing (recommended for development/testing sites) Install WordPress: Click Install WordPress. After installation, you’ll be prompted to log in with the admin username and password you created. Accessing the Dashboard Once logged in, you'll see the WordPress Dashboard, which contains customizable widgets. The main menu on the left allows access to core WordPress functions, including: Posts and Pages for content creation Comments for moderating discussions Media for managing images and files Themes and Plugins for design and functionality Users for managing site members and roles Your WordPress site is now fully configured, and you can begin customizing and adding content as needed. Conclusion This guide showed how to install WordPress along with all its dependencies and how to connect a domain and add a SSL certificate from Let’s Encrypt to an already functioning website, enabling secure HTTPS connections with the remote server. The key dependencies required for WordPress to function include: PHP: The scripting language WordPress is written in. MySQL: The database system used by WordPress to store content and user data. Nginx (or Apache in other implementations): The web server that processes user requests initially. For more detailed information on managing site content through the WordPress admin panel, as well as creating custom themes and plugins, refer to the official WordPress documentation. Frequently Asked Questions How do I install WordPress on Ubuntu? First set up Nginx, PHP, and MySQL. Then either download WordPress manually or use a deployment script. How do I enable HTTPS with Let’s Encrypt? Use Certbot to generate a certificate, then automate renewal with a simple cron job. Is Nginx better than Apache for WordPress? For performance and memory efficiency, yes. Nginx handles high traffic with fewer resources.
16 June 2025 · 13 min to read
Ubuntu

How to Install and Configure SSH on Ubuntu 22.04

SSH is a network protocol that provides a secure connection between a client and a server. All communication is encrypted, preventing theft of data transmitted over the network and other remote network attacks. Let’s say you have ordered a cloud server from Hostman. You will need SSH installed and configured to connect to and administer the server. The guide below will describe how to install SSH on Ubuntu 22.04 and configure it. Prerequisites Before proceeding with the installation and configuration of the Secure Shell service, ensure the following requirements are met: Linux Command Line Skills for Configuration Having a solid grasp of basic Linux commands like sudo, apt, nano, and systemctl is essential when setting up the service. These commands will be frequently used during the installation and configuration process. It's crucial to be comfortable working within the command line environment to manage the service effectively. Root or Sudo Access for Setup To install and configure the server, administrative (root) privileges are required. Users must either have sudo access or be logged in as root. Without these privileges, the setup process cannot proceed. Internet Connection for Package Download A stable internet connection is necessary to install the OpenSSH server and any additional related packages. Without a functional connection, the system cannot retrieve the required software components. Configuring Firewall for Access If a firewall, like ufw, is enabled on the system, it may block remote access by default. It is essential to configure your firewall to allow incoming connections. Use ufw or another firewall tool to ensure port 22 is open and accessible. Access to the System (Local or Remote) You need physical access to your machine to configure the service locally, or it must be remotely accessible via its IP address. Ensure the system is properly connected to the network to establish a connection. Don't forget, that you can deploy your cloud server fast and cheap by choosing our VPS Server Hosting Step 1: Prepare Ubuntu The first thing you need to do before you start installing SSH on Ubuntu is to update all apt packages to the latest versions. To do this, use the following command: sudo apt update && sudo apt upgrade Step 2: Install SSH on Ubuntu OpenSSH is not pre-installed on the system, so let's install it manually. To do this, type in the terminal: sudo apt install openssh-server The installation of all the necessary components will begin. Answer "Yes" to all the system prompts.  After the installation is complete, go to the next step to start the service. Step 3: Start SSH Now you need to enable the service you just installed using the command below: sudo systemctl enable --now ssh On successful startup, you will see the following system message. The --now key helps you launch the service and simultaneously set it to start when the system boots. To verify that the service is enabled and running successfully, type: sudo systemctl status ssh The output should contain the Active: active (running) line, which indicates that the service is successfully running. If you want to disable the service, execute:  sudo systemctl disable ssh It disables the service and prevents it from starting at boot. Step 4: Configure the firewall Before connecting to the server via SSH, check the firewall to ensure it is configured correctly. In our case, we have the UFW installed, so we will use the following command: sudo ufw status In the output, you should see that SSH traffic is allowed. If you don't have it listed, you need to allow incoming SSH connections. This command will help with this: sudo ufw allow ssh Step 5: Connect to the server Once you complete all the previous steps, you can log into the server using the SSH protocol. To do this, you will need the server's IP address or domain name and the name of a user created on the server. In the terminal line, enter the command: ssh username@IP_address Or:  ssh username@domain Important: To successfully connect to a remote server, SSH must be installed and configured on the remote server and the user's computer from which you make the connection.  - Step 6 (optional): Create Key Pair for Secure Authentication For enhanced security, consider configuring a key pair instead of relying on password authentication. To generate one, use the following command: ssh-keygen Step 7: Configure SSH Having completed the previous five steps, you can already connect to the server remotely. However, you can further increase the connection's security by changing the default connection port to another or changing the password authentication to key authentication. These and other changes require editing the SSH configuration file. The main OpenSSH server settings are stored in the main configuration file sshd_config (location: /etc/ssh). Before you start editing, you should create a backup of this file:  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.initial If you get any errors after editing the configuration file, you can restore the original file without problems. After creating the backup, you can proceed to edit the configuration file. To do this, open it using the nano editor: sudo nano /etc/ssh/sshd_config In the file, change the port to a more secure one. It is best to set values from the dynamic range of ports (49152 - 65535) and use different numbers for additional security. For example, let's change the port value to 49532. To do this, we uncomment the corresponding line in the file and change the port as shown in the screenshot below. In addition to this setting, we recommend changing the password authentication mode to a more secure key authentication mode. To do this, uncomment the corresponding line and make sure the value is "Yes", as shown in the screenshot. Now, let's prohibit logging on to the server as a superuser by changing the corresponding line as shown in the picture below. There are other settings you can configure to increase the server security:  UseDNS checks if the hostname matches its IP address. The value "Yes" enables this parameter. PermitEmptyPasswords prohibits using empty passwords for authentication if the value is "No." MaxAuthTries limits the number of unsuccessful attempts to connect to the server within one communication session.  AllowUsers and AllowGroups are responsible for the list of users and groups allowed to access the server: # AllowUsers User1, User2, User3# AllowGroups Group1, Group2, Group3 Login GraceTime sets the time provided for successful authorization. We recommend reducing the value of this parameter by four times. ClientAliveInterval limits the time of user inactivity. After exceeding the specified limit, the user is disconnected. After making all the changes in the main configuration file, save them and close the editor.  Restart the service to make the changes take effect: sudo systemctl restart ssh If you have changed the port in the configuration file, you should connect using the new port:  ssh -p port_number username@IP_address Or: ssh -p port_number_port_username@domain Troubleshooting Connection Issues Ensure the service is running with: sudo systemctl status ssh Restart it if necessary: sudo systemctl restart ssh Check firewall settings to allow traffic on port 22: sudo ufw allow 22 Confirm the system is reachable by running: ping <server-ip-address> Disabling the Service If you need to disable remote access for any reason, follow these steps: Stop the Service To temporarily stop accepting connections: sudo systemctl stop ssh Prevent Automatic Startup To disable it from starting on reboot: sudo systemctl disable ssh Confirm Inactive Status Verify that the service is no longer running: sudo systemctl status ssh Uninstall the Server If the service is no longer needed, remove it and its associated configuration files: sudo apt remove openssh-server Conclusion This article presents a step-by-step guide on installing and configuring SSH in Ubuntu 22.04 and describes how to edit the main configuration file to improve security. We hope this guide helps you to set up a secure remote connection to your Ubuntu server.To see more about SSH keys click here.
05 June 2025 · 7 min to read
Ubuntu

How to Install VNC on Ubuntu

If you need to interact with a remote server through a graphical interface, you can use VNC technology.VNC (Virtual Network Computing) allows users to establish a remote connection to a server over a network. It operates on a client-server architecture and uses the RFB protocol to transmit screen images and input data from various devices (such as keyboards or mice). VNC supports multiple operating systems, including Ubuntu, Windows, macOS, and others. Another advantage of VNC is that it allows multiple users to connect simultaneously, which can be useful for collaborative work on projects or training sessions. In this guide, we will describe how to install VNC on Ubuntu, using a Hostman cloud server with Ubuntu 22.04 as an example. Step 1: Preparing to Install VNC Before starting the installation process on both the server and the local machine, there are a few prerequisites to review.  Here is a list of what you’ll need to complete the installation: A Server Running Ubuntu 22.04. In this guide, we will use a cloud server from Hostman with minimal hardware configuration. A User with sudo Privileges. You should perform the installation as a regular user with administrative privileges. Select a Graphical Interface. You’ll need to choose a desktop environment that you will use to interact with the remote server after installing the system on both the server and the local machine. A Computer with a VNC Client Installed.  Currently, the only way to communicate with a rented server running Ubuntu 22.04 is through the console. To enable remote management via a graphical interface, you’ll need to install a desktop environment along with VNC on the server. Below are lists of available VNC servers and desktop environments that can be installed on an Ubuntu server. VNC Servers: TightVNC Server. One of the most popular VNC servers for Ubuntu. It is easy to set up and offers good performance. RealVNC Server. RealVNC provides a commercial solution for remote access to servers across various Linux distributions, including Ubuntu, Debian, Fedora, Arch Linux, and others. Desktop Environments: Xfce. A lightweight and fast desktop environment, ideal for remote sessions over VNC. It uses fewer resources than heavier desktop environments, making it an excellent choice for servers and virtual machines. GNOME. The default Ubuntu desktop environment, offering a modern and user-friendly interface. It can be used with VNC but will consume more resources than Xfce. KDE Plasma. Another popular desktop environment that provides a wide range of features and a beautiful design. The choice of VNC server and desktop environment depends on the user’s specific needs and available resources. TightVNC and Xfce are excellent options for stable remote sessions on Ubuntu, as they do not require high resources. In the next step, we will describe how to install them on the server in detail. Step 2: Installing the Desktop Environment and VNC Server To install the VNC server on Ubuntu along with the desktop environment, connect to the server and log in as a regular user with administrative rights. Update the Package List  After logging into the server, run the following command to update the packages from the connected repositories: sudo apt update Install the Desktop Environment  Next, install the previously selected desktop environment. To install Xfce, enter: sudo apt install xfce4 xfce4-goodies Here, the first package provides the basic Xfce desktop environment, while the second includes additional applications and plugins for Xfce, which are optional. Install the TightVNC Server  To install TightVNC, enter: sudo apt install tightvncserver Start the VNC Server  Once the installation is complete, initialize the VNC server by typing: vncserver This command creates a new VNC session with a specific session number, such as :1 for the first session, :2 for the second, and so on. This session number corresponds to a display port (for example, port 5901 corresponds to :1). This allows multiple VNC sessions to run on the same machine, each using a different display port. During the first-time setup, this command will prompt you to set a password, which will be required for users to connect to the server’s graphical interface. Set the View-Only Password (Optional)  After setting the main password, you’ll be prompted to set a password for view-only mode. View-only mode allows users to view the remote desktop without making any changes, which is helpful for demonstrations or when limited access is needed. If you need to change the passwords set above, use the following command: vncpasswd Now you have a VNC session. In the next step, we will set up VNC to launch the Ubuntu server with the installed desktop environment. Step 3: Configuring the VNC Server The VNC server needs to know which desktop environment it should connect to. To set this up, we’ll need to edit a specific configuration file. Stop Active VNC Instances  Before making any configurations, stop any active VNC server instances. In this guide, we’ll stop the instance running on display port 5901. To do this, enter: vncserver -kill :1 Here, :1 is the session number associated with display port 5901, which we want to stop. Create a Backup of the Configuration File  Before editing, it’s a good idea to back up the original configuration file. Run: mv ~/.vnc/xstartup ~/.vnc/xstartup.bak Edit the Configuration File  Now, open the configuration file in a text editor: nano ~/.vnc/xstartup Replace the contents with the following: #!/bin/bashxrdb $HOME/.Xresourcesstartxfce4 & #!/bin/bash – This line is called a "shebang," and it specifies that the script should be executed using the Bash shell. xrdb $HOME/.Xresources – This line reads settings from the .Xresources file, where desktop preferences like colors, fonts, cursors, and keyboard options are stored. startxfce4 & – This line starts the Xfce desktop environment on the server. Make the Configuration File Executable To allow the configuration file to be executed, use: chmod +x ~/.vnc/xstartup Start the VNC Server with Localhost Restriction Now that the configuration is updated, start the VNC server with the following command: vncserver -localhost The -localhost option restricts connections to the VNC server to the local host (the server itself), preventing remote connections from other machines. You will still be able to connect from your computer, as we’ll set up an SSH tunnel between it and the server. These connections will also be treated as local by the VNC server. The VNC server configuration is now complete. Step 4: Installing the VNC Client and Connecting to the Server Now, let’s proceed with installing a VNC client. In this example, we’ll install the client on a Windows 11 computer. Several VNC clients support different operating systems. Here are a few options:  RealVNC Viewer. The official client from RealVNC, compatible with Windows, macOS, and Linux. TightVNC Viewer. A free and straightforward VNC client that supports Windows and Linux. UltraVNC. Another free VNC client for Windows with advanced remote management features. For this guide, we’ll use the free TightVNC Viewer. Download and Install TightVNC Viewer Visit the official TightVNC website, download the installer, and run it. In the installation window, click Next and accept the license agreement. Then, select the custom installation mode and disable the VNC server installation, as shown in the image below. Click Next twice and complete the installation of the VNC client on your local machine. Set Up an SSH Tunnel for Secure Connection To encrypt your remote access to the VNC server, use SSH to create a secure tunnel. On your Windows 11 computer, open PowerShell and enter the following command: ssh -L 56789:localhost:5901 -C -N -l username server_IP_address Make sure that OpenSSH is installed on your local machine; if not, refer to Microsoft’s documentation to install it. This command configures an SSH tunnel that forwards the connection from your local computer to the remote server over a secure connection, making VNC believe the connection originates from the server itself. Here’s a breakdown of the flags used: -L sets up SSH port forwarding, redirecting the local computer’s port to the specified host and server port. Here, we choose port 56789 because it is not bound to any service. -C enables compression of data before transmitting over SSH. -N tells SSH not to execute any commands after establishing the connection. -l specifies the username for connecting to the server. Connect with TightVNC Viewer After creating the SSH tunnel, open the TightVNC Viewer and enter the following in the connection field: localhost:56789 You’ll be prompted to enter the password created during the initial setup of the VNC server. Once you enter the password, you’ll be connected to the VNC server, and the Xfce desktop environment should appear. Stop the SSH Tunnel To close the SSH tunnel, return to the PowerShell or command line on your local computer and press CTRL+C. Conclusion This guide has walked you through the step-by-step process of setting up VNC on Ubuntu 22.04. We used TightVNC Server as the VNC server, TightVNC Viewer as the client, and Xfce as the desktop environment for user interaction with the server. We hope that using VNC technology helps streamline your server administration, making the process easier and more efficient. We're prepared more detailed instruction on how to create server on Ubuntu if you have some trouble deploying it.
30 May 2025 · 8 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support