CIS Essentials

Remote login is off

Check SSH service status

Check if SSH is currently running:

sudo systemctl status ssh # Ubuntu/Debian
sudo systemctl status sshd # Fedora/CentOS/RHEL/Arch

How to disable SSH service

Stop and disable SSH

For desktop systems that don't need remote access:

# Ubuntu/Debian
sudo systemctl stop ssh
sudo systemctl disable ssh

# Fedora/CentOS/RHEL/Arch
sudo systemctl stop sshd
sudo systemctl disable sshd

Secure SSH if you need it enabled

If you must keep SSH enabled, secure it properly:

Edit SSH configuration:

sudo nano /etc/ssh/sshd_config

Recommended security settings:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no
PubkeyAuthentication yes

# Change default port (optional but recommended)
Port 2222

# Limit login attempts
MaxAuthTries 3

# Set idle timeout
ClientAliveInterval 300
ClientAliveCountMax 2

Restart SSH service after changes:

sudo systemctl restart ssh # Ubuntu/Debian
sudo systemctl restart sshd # Fedora/CentOS/RHEL/Arch

Additional protection

Install and configure fail2ban to protect against brute force attacks:

# Ubuntu/Debian
sudo apt install fail2ban

# Fedora
sudo dnf install fail2ban

# Enable and start
sudo systemctl enable --now fail2ban

Verify SSH is disabled

Confirm SSH is not listening on network ports:

sudo netstat -tlnp | grep :22
# or
sudo ss -tlnp | grep :22

No output means SSH is not listening (disabled).

Warning for Remote Systems

Never disable SSH on a remote server unless you have alternative access methods (console access, VNC, etc.). Disabling SSH on a remote system will lock you out permanently.

Desktop vs Server

Desktop systems typically don't need SSH enabled. Servers and headless systems should keep SSH enabled but properly secured with key-based authentication and fail2ban protection.