Pareto Security

CIS Essentials

Remote login is off

Time to fix

< 1m

What

Remote login on Linux typically refers to SSH (Secure Shell) access, which allows you to control your computer from other devices over the network. This should only be enabled when needed and properly secured when in use.

Why you should disable remote login when not needed

While SSH is generally secure, it's a common target for attackers. Following the principle of least exposure, SSH should be disabled when not actively needed to reduce your attack surface and prevent potential brute force attacks.

When to keep SSH enabled

SSH should remain enabled on servers and systems that require remote administration. However, it should be properly configured with key-based authentication and other security measures.

Check SSH service status

Check if SSH is currently running:

sudo systemctl status ssh # Ubuntu/Debian
sudo systemctl status sshd # Fedora/CentOS/RHEL/Arch

How to disable SSH service

Stop and disable SSH

For desktop systems that don't need remote access:

# Ubuntu/Debian
sudo systemctl stop ssh
sudo systemctl disable ssh

# Fedora/CentOS/RHEL/Arch
sudo systemctl stop sshd
sudo systemctl disable sshd

Secure SSH if you need it enabled

If you must keep SSH enabled, secure it properly:

Edit SSH configuration:

sudo nano /etc/ssh/sshd_config

Recommended security settings:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes

# Change default port (optional but recommended)
Port 2222

# Limit login attempts
MaxAuthTries 3

# Set idle timeout
ClientAliveInterval 300
ClientAliveCountMax 2

Restart SSH service after changes:

sudo systemctl restart ssh # Ubuntu/Debian
sudo systemctl restart sshd # Fedora/CentOS/RHEL/Arch
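
To confirm the settings above took effect, check the effective configuration that `sshd -T` prints rather than the file you edited: sshd uses the first value it finds for each keyword, so a file pulled in by an `Include` line can override the main file. The script below is an added example, not part of the original page; the function names `audit_sshd` and `sample_effective_config` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare effective sshd settings
# with the values recommended above. Input is `sshd -T` style output on stdin
# ("keyword value", one per line). Prints deviations; returns 1 if any exist.
audit_sshd() {
    awk '
    BEGIN {
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"]   = "yes"
        want["maxauthtries"]           = "3"
        want["clientaliveinterval"]    = "300"
        want["clientalivecountmax"]    = "2"
    }
    {
        key = tolower($1)
        if (key in want) {
            seen[key] = 1
            if ($2 != want[key]) {
                printf "FAIL %s: got %s, want %s\n", key, $2, want[key]
                bad = 1
            }
        }
    }
    END {
        # A keyword that never appears means the input was not full sshd -T output.
        for (k in want) if (!(k in seen)) { printf "FAIL %s: not reported\n", k; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a drop-in has re-enabled password logins.
sample_effective_config() {
    cat <<'EOF'
port 2222
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 3
clientaliveinterval 300
clientalivecountmax 2
EOF
}

# Real use: sudo sshd -T | audit_sshd
sample_effective_config | audit_sshd || echo "effective config deviates"
```

Running `sudo sshd -t` before the restart catches syntax errors in the edited file; the `Port` setting is not checked here because the page treats it as optional.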

Additional protection

Install and configure fail2ban to protect against brute force attacks:

# Ubuntu/Debian
sudo apt install fail2ban

# Fedora
sudo dnf install fail2ban

# Enable and start
sudo systemctl enable --now fail2ban

Verify SSH is disabled

Confirm SSH is not listening on network ports:

sudo netstat -tlnp | grep :22
# or
sudo ss -tlnp | grep :22

No output means SSH is not listening (disabled). If you changed the Port setting, search for that port number instead.

Warning for Remote Systems

Never disable SSH on a remote server unless you have alternative access methods (console access, VNC, etc.). Disabling SSH on a remote system will lock you out permanently.

Desktop vs Server

Desktop systems typically don't need SSH enabled. Servers and headless systems should keep SSH enabled but properly secured with key-based authentication and fail2ban protection.