Learn how to secure SSH access on your home servers, so you can set it and forget it.
I have a confession. For the longest time, I was caught in a tedious cycle with my home servers. Whenever I needed to run a command or check on a service, I’d enable SSH. As soon as I was done, I’d manually disable it. It felt like a basic security step, but it was a nagging annoyance. My biggest fear? What if the web interface I used to toggle SSH ever went down? I’d be completely locked out. If this sounds familiar, I want you to know there’s a much smarter way to handle things. You don’t need to choose between convenience and security. The key is to secure SSH access by telling your servers to only listen to devices you already trust.
It’s a simple change that completely removes the need to flip that switch back and forth, giving you peace of mind and robust security without the hassle.
Why Toggling SSH Manually is a Bad Habit
Let’s be honest, the main reason for manually disabling SSH is a lack of trust in our own security measures. Maybe it’s just a password holding the line, and the thought of leaving that port open to the world feels reckless. But this manual toggle creates two bigger problems:
- It’s a Pain: It adds an extra, unnecessary step to every quick task. What should be a 30-second job turns into a two-minute process of logging into a UI, enabling the service, doing the work, and then disabling it again. It just doesn’t scale, especially as you add more devices like a Raspberry Pi, a NAS, or a mini-PC running Proxmox to your network.
- It’s Brittle: Your system becomes fragile. If the web UI or front-end controlling that SSH toggle breaks, you’ve lost your only way in. You’re left hoping you can physically access the machine to fix it, which isn’t always easy or possible.
How to Properly Secure SSH Access on Your Network
The best way to solve this is to stop thinking of SSH as an on/off switch and start thinking of it as a locked door with a specific key. Instead of leaving the door wide open (or constantly locking and unlocking it), you can just tell the door to only open for a few trusted friends.
In networking terms, this means configuring your server’s firewall to only allow SSH connections (typically on port 22) from the specific IP addresses of your trusted devices—like your main desktop or laptop. Any connection attempt from an unknown IP address is simply ignored. It’s like they’re knocking on a soundproof wall.
This method is far superior because the SSH service can remain active 24/7, ready for when you need it, but it’s completely invisible and inaccessible to anyone else.
A Simple Guide to Restrict SSH Access with UFW
For most Linux-based servers (including those running on a Proxmox host or Raspberry Pi), the easiest way to do this is with Uncomplicated Firewall (UFW). It’s designed to be user-friendly, and it’s perfect for this task.
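Let’s say your main computer has the IP address 192.168.1.100 and you want to allow it to SSH into your server. (This works best when that address is fixed, for example through a DHCP reservation on your router, so the rule keeps matching the same machine.)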
1. Install UFW: If it’s not already installed on your server, you can add it with a simple command:
sudo apt-get install ufw
2. Allow Your Specific IP: This is the magic command. You’re telling the firewall to allow connections from your trusted IP address to the server, and the "to any port 22" part limits the rule to the SSH port, so nothing else is opened.
sudo ufw allow from 192.168.1.100 to any port 22
3. Enable the Firewall: Once your rule is in place, you can turn the firewall on.
sudo ufw enable
That’s it! Now, your server will only accept SSH connections from the device at 192.168.1.100. All other connection attempts will be blocked. You can repeat step 2 for any other trusted machines on your network. For more detailed information, the official Ubuntu UFW documentation is an excellent resource.
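Repeating step 2 for several trusted machines, as an added example that is not part of the original article: the script validates each source address, then prints the UFW commands in an order that keeps a live SSH session working (allow rules first, enable last). The function names, the DRY_RUN switch and the second address 192.168.1.101 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: SSH allowlist for several trusted hosts (names are assumptions).
SSH_PORT=22

# Succeed if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
is_ipv4() {
    _addr=${1%/*} _prefix=32
    case $1 in */*) _prefix=${1##*/} ;; esac
    case $_prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    case $_addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    _old_ifs=$IFS; IFS=.; set -- $_addr; IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Print the UFW commands, in order, that limit SSH to the given sources.
# Allow rules come before "enable" so a live SSH session is not cut off.
ssh_allowlist_plan() {
    [ $# -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for _src in "$@"; do    # validate everything before emitting anything
        is_ipv4 "$_src" || { echo "invalid source: $_src" >&2; return 1; }
    done
    _seen=" "
    for _src in "$@"; do
        case $_seen in *" $_src "*) continue ;; esac    # skip duplicates
        _seen="$_seen$_src "
        echo "ufw allow from $_src to any port $SSH_PORT proto tcp"  # SSH is TCP only
    done
    echo "ufw default deny incoming"   # everything not allowed above is dropped
    echo "ufw --force enable"          # --force skips the interactive prompt
    echo "ufw status numbered"         # show the resulting rule set
}

# Print the plan (DRY_RUN=1, the default) or run it; running needs root.
apply_ssh_allowlist() {
    _plan=$(ssh_allowlist_plan "$@") || return 1
    printf '%s\n' "$_plan" | while IFS= read -r _cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $_cmd"; else $_cmd || exit 1; fi
    done
}

# 192.168.1.100 is the article's host; 192.168.1.101 is a constructed second one.
apply_ssh_allowlist 192.168.1.100 192.168.1.101
```

Review the printed plan first, then run the script as root with DRY_RUN=0 to apply it.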
Take Your SSH Security Even Further
While IP whitelisting is a fantastic step, you can make your setup even more bulletproof. If you’re ready to level up, here are two more best practices for how to secure SSH access:
- Use SSH Keys Instead of Passwords: Passwords can be guessed or cracked. SSH keys are a pair of cryptographic keys that are used to authenticate you. They are significantly more secure than passwords. Setting them up is a one-time process and provides incredible security. Websites like DigitalOcean have fantastic guides on how to generate and use them.
- Install Fail2Ban: This is a brilliant little tool that scans log files for malicious activity, like repeated failed login attempts. If it detects a brute-force attack from a specific IP, it will automatically update the firewall to block that IP for a set amount of time. You can learn more at the official Fail2Ban website.
By combining a firewall rule with SSH keys, you create a layered defense that is both incredibly secure and wonderfully convenient. You can finally leave SSH running with confidence, knowing that your home lab is protected. So go ahead, break the cycle, and give yourself one less thing to worry about.