Secure Shell(SSH) - Tips and Tricks

Published on
10,945 Points
3 Endorsements
Last Modified:
Linux Server Admin with 9+ years experience in Linux Server Administration

SSH (Secure Shell) - Tips and Tricks

As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sends information as plain text through the network. While using SSH, the entire session, including password transmission, is encrypted. Using SSH, we can access other systems remotely, execute commands, transfer/move files etc. SSH uses two major protocols. They are SSH1 or SSH-1 and SSH2 or SSH-2. Comparing both protocols, SSH-2 is more secure. SSH is available for Windows, Unix, Macintosh etc. In short SSH, is a powerful tool, and there are lots of possibilities. Here are some awesome tips and tricks on how to use SSH for daily administration duties.

Before we start let me brief some basic things regarding SSH.

To access a remote system using SSH, we need the following details.

1.A SSH client
2.Remote servername/IP
3.SSH Port number (By default SSH use port number as 22)
4.Username in remote server
5.Password of the user

If you are using a Unix/Linux machine, you can use Terminal as SSH client. Execute the following command in terminal section to access the remote machine using SSH.

ssh username@remoteservername/ip

ssh root@

Open in new window

This will prompt for password. Enter the password and you are in. For remote servers having custom ssh port, you need to mention the port number in the command line.

ssh username@remoteservername/ip -p portnumber

ssh root@ -p 1032 

Open in new window

If you are using some other Operating system, you can use a SSH client like putty. Putty can be downloaded from the following url.

Putty Download

Now moving to SSH Server side:

Default Configuration file of SSH = /etc/ssh/sshd_config

Default Port Number = 22

SSH Start/Stop/Restart = /etc/rc.d/init.d/sshd or /etc/init.d/ssh (start/stop/restart)

If we are making any changes to sshd_config, we need to restart the ssh service for changes to take effect.

Moving to the configuration part, there are a lots of directives in the sshd_config which is the main SSH configuration file. Lets discuss one by one.

1. Change SSH port number (Port)

As mentioned above, SSH runs on default port number 22. You will be able to find the following entry in your SSH configuration file for the SSH port number.

Port 22 

Open in new window

To change port number just replace 22 with the required port number. Its always good to use a number higher than 1024 because by default port scanners will not scan for high port numbers.

Port 1033

Open in new window

Restart sshd using

/etc/rc.d/init.d/sshd restart

Open in new window

Also make sure to open the port in the firewall. If you are using iptables you can use the following command to open a port number.

iptables -I INPUT -p tcp --dport 1033 -j ACCEPT

Open in new window

/etc/rc.d/init.d/iptables save

Open in new window

Check if its open using the following command.

iptables -nL | grep 1033

Open in new window

2. SSH protocol (Protocol)

You can see the SSH protocol mentioned as below in your configuration file.

Protocol 2,1

Open in new window

Its good to set the protocol to 2. As discussed above, SSH-2 protocol is more secure. Change the above line to

Protocol 2

Open in new window

Restart sshd.

3. Permit Root Login (PermitRootLogin)

Using this directive you can enable/disable root login to server. Allowing direct root login through SSH is a security risk. So I would recommend you to disable root logins. Just find the following line to disable root login.


PermitRootLogin yes

Open in new window


PermitRootLogin no

Open in new window

Restart sshd.

4. Login Time Limit (LoginGraceTime)

This option sets a time limit for the user to authenticate. If this time exceeds and the user has not yet authenticated, the server closes the connection from that user. Its better to leave the option to the default value. You can change it if required.

LoginGraceTime 2m

Open in new window

5. Maximum login attempts (MaxAuthTries)

This directive will set the maximum login attempts allowed per connection.

MaxAuthTries 6

Open in new window

Reduce the number for security reasons.

6. Key authentication (PubkeyAuthentication)

Enabling key based authentication means, you can access the server only using your private key. You need to generate a key pair and add the private key to your remote machine and add the public key to the server so that the server can be accessed using the keys. Un-comment the following lines if you wish to activate key based authentication.

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes
PasswordAuthentication no

Open in new window

Restart sshd.

When we are using "PasswordAuthentication no", any person who tries to connect to your SSH service and doesn't have a public key on the server, will be rejected without even seeing the login prompt.

Refer the following article for details regarding key based authentication.

SSH Access Using Public Key

Now we can check some SSH security tips & tricks

Creating custom Banner for SSH:

If you wish to display some message/warning/announcements for the users while logging into the server via ssh, just edit the following file and include your message.

vi /etc/motd

Open in new window

You can add a message like this.

* This is a my Private Server. You are not supposed to be here.*

Open in new window

You can also place the banner in some location like /home/user/bannet.txt and mention the path in your ssh configuration file.

Find the following directive and mention the path.

Banner /home/user/bannet.txt

Open in new window

Restart sshd.

You can edit the file named /etc/issue and include any message which will be displayed before the login prompt.

SSH Tunneling:

SSH tunneling is an awesome method where you can tunnel all the traffic from your local machine to a remote machine. SSH tunneling consists of an encrypted tunnel created through SSH protocol. This method is helpful when you are behind some firewalls. You can easily overcome any restrictions due to firewall using tunneling.

Refer the following article for more details regarding tunneling.

SSH Tunneling

Creating a X(Graphical) session over a ssh tunnel:

With this option you can run application/software in GUI mode through SSH. You need to enable the following line in your ssh configuration file to accomplish this.

X11Forwarding yes

Open in new window

Restart sshd.

Now on client end, run the following command to access the server.

ssh -X root@

Open in new window

You can run a sample program like firefox or kate using following commands.


Just wait for some time and you will see firefox browser on client screen. Sometimes it will throw a error like "Error: no display specified". You need to set display using the following command.

export DISPLAY=IPaddressofmachine:0.0

export DISPLAY=

Open in new window

Now run firefox and it will work.

TCP wrappers:

You can mention which hosts on a network to be able to connect to SSH service by utilizing two simple files.

1. /etc/hosts.allow
2. /etc/hosts.deny

To block all from SSH service add the following entry in /etc/hosts.deny

sshd: ALL 

Open in new window

No need to do anything else. Just adding the above line will reject everyone from accessing the server via SSH.

If you wish to allow only some person, you can add them to the /etc/hosts.allow


Open in new window

Now all except is blocked from using SSH.

You can also mention the ip ranges.

SCP (Secure Copy)

SCP is a file copying/transferring tool  through SSH that’s included with Openssh package.  You should use the following command if you wish to copy/transfer files between machines running SSH.

scp source destination (General Syntax)

scp /home/user/myfile  root@

Open in new window

Above command will copy the myfile from your machine to the /home/user2 of remote machine.

To copy a folder you can use the following command.

scp –r /home/user/myfolder roor@

Open in new window

This will copy the myfolder directory from your machine to the /home/user2 of remote machine.

Editing files on a Remote machine using SCP.

You can edit files in remote machine using the simple vi command and scp. Here you go.

vi scp://location to file in remote machine

vi scp://root@ 

Open in new window

Search Files on remote Machine

You can easily search files on a remote machine and see the output on your machine using the following command.

ssh root@ “find locationtosearch –name ‘*.extension’”

eg: If you wish to search jpg files you may use the following command.

ssh root@ “find /home/user –name ‘*.jpg’”

Open in new window

This will output all the files in remote machine with that extension.

SSHFS (Secure Shell File System)

This tool is used to mount remote SSH file systems. Sometimes SSHFS may not be there with your default SSH package. Just install it through yum.

yum install sshfs

Open in new window

Now you can use the following command to mount the remote directory.

sshfs root@ /mnt/remotedirectory

Open in new window

Now if you want to play some media files on remote machine you can try the following commands.

ssh root@ “cat locationtomediafile” | player –

eg: If you wish to play a .avi file, just use the following command.

ssh root@ “cat /home/user/test.avi” | vlc –

Open in new window

Above will open the avi file in your vlc player.

Compare a Remote File with Local File.

You can use the following command to check the differences between local files and remote file.

ssh root@ “cat pathtoremotefile” | diff “pathtolocalfile”

ssh root@ cat /home/user2/myfile | diff /home/user/myorginalfile

Open in new window

Copying between two remote machines through your machine.

You should use the following command to copy between two remote machines. Please make sure that you have access to both remote machines. Just use the following command.

ssh root@remotemachine1 “cd /path/to/directory/to/copy && tar –cf - .” | ssh root@remotemachine2 “cd /directorytocopyto/ && tar –xf –“

Open in new window

SSH security locks.

You can limit connections to SSH for particular time by using iptables.

iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -m limit --limit 120/second --limit-burst 1 -j ACCEPT

Open in new window

Here we assume the default ssh port as 22. Change it accordingly.

iptables -A INPUT -p tcp -m state --syn --state NEW --dport 22 -j DROP

Open in new window

In the above example, if a user try to access using the,wrong password, his access is blocked for 120 seconds. After that he can try login only once / 120 seconds. You may use /second, /minute, /hour, or /day in the above example.

Allowing SSH for particular IP only.

iptables -A INPUT -p tcp -m state --state NEW –source --dport 22 -j ACCEPT

Open in new window

Make sure to save iptables after entering each rule.

Also if you are allowing only one ip to access SSH make sure to block the port 22.

iptables -I INPUT -p tcp --dport 22 -j DROP

Open in new window

How to Attach a screen over SSH.

There is no need to login to server. You can attach it directly using the following command.

ssh -t root@ screen –r

Open in new window

Live SSH Transfer Speed check.

yes | pv | ssh $root@ “cat > /dev/null”

Open in new window

This will show the live transfer speed. You need to install the Pipe Viewer package before executing this command.

yum install pv

Open in new window

SSH connection over compression.

SSH has a built in feature called compression. You can use the following command to enable it.

ssh -C root@

Open in new window

Another important feature of SSH is SFTP (Secure file transfer protocol)

Openssh offers SFTP. With SFTP you can securely transfer files. To enable SFTP, add  the following line in your SSH configuration file.

Subsystem sftp /usr/lib/openssh/sftp-server

Open in new window

Restart ssh service and you should be able to use the sftp server:


I was not able to cover all topics. This is just a overview of important commands.
Hope you found this article helpful! Feel free to drop your suggestion’s.
Thanks for reading.

Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free