How to configure SSH to listen to a specific IP address

Binding SSH to a specific IP address restricts remote access to selected network interfaces and addresses. Limiting where sshd accepts connections reduces exposure on multi-homed hosts and helps enforce network segmentation or management-plane isolation on servers reachable from different networks.

The OpenSSH daemon reads its configuration from /etc/ssh/sshd_config and uses the ListenAddress directive to decide which local addresses and ports to bind. When no explicit ListenAddress is set, sshd typically listens on all available IPv4 and IPv6 interfaces, which may include addresses that are not intended for administrative access.

Changing ListenAddress modifies how sshd binds sockets at startup, so a syntax error or incorrect address can prevent the daemon from accepting new connections. Configuration changes require root or sudo access and a restart of the SSH service, and a recovery path such as console, IPMI, or a second working SSH session is important before committing changes on remote systems.

Related: How to change the SSH server port
Related: How to configure SSH Server to listen on multiple ports
Related: How to allow or deny SSH access by IP address

Steps to bind SSH server to a specific IP address:

  1. Open a terminal session on the SSH server with an account that has sudo privileges. 
    $ whoami
user
  2. Display the current IPv4 addresses for all interfaces to identify the target address. 
    $ ip -4 addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.0.2.40/24 brd 192.0.2.255 scope global eth0
       valid_lft forever preferred_lft forever
##### snipped #####

    ip shows the active addresses and interfaces so the correct management IP can be chosen.

  3. Open the /etc/ssh/sshd_config file in a text editor. 
    $ sudo vi /etc/ssh/sshd_config
  4. Locate any existing ListenAddress directives in the configuration. 
    #Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
Port 22
Port 2222

    Commented ListenAddress lines reflect the default of listening on all interfaces until an explicit value is set.

  5. Set ListenAddress to the specific IP address that must accept SSH connections. 
    ListenAddress 192.0.2.40

    Multiple ListenAddress lines can be added if the daemon should listen on more than one explicit address.

  6. Save the changes in the text editor.
  7. Exit the text editor.
  8. Validate the sshd configuration syntax before restarting the service. 
    $ sudo sshd -t

    No output from sshd -t indicates that the configuration syntax is valid.

    An invalid configuration prevents sshd from starting, which blocks new SSH logins until the error is corrected.

    Related: How to test SSH server configuration

  9. Restart the SSH service to apply the new listening address. 
    $ sudo systemctl restart ssh

    Some distributions use the unit name sshd instead of ssh, for example sudo systemctl restart sshd. Related: How to manage the SSH server service with systemctl in Linux

  10. Confirm that the SSH daemon is listening only on the specified IP address and port(s). 
    $ sudo netstat -tulnp | grep ssh
tcp        0      0 192.0.2.40:2222       0.0.0.0:*               LISTEN      14091/sshd
tcp        0      0 192.0.2.40:22         0.0.0.0:*               LISTEN      14091/sshd

    If the output still shows 0.0.0.0:22 or additional addresses, SSH remains reachable on interfaces that were not intended for administration.

  11. Test an SSH connection to the configured IP address from another machine. 
    $ ssh user@192.0.2.40
user@host:~$

    A successful login over the chosen IP address confirms that sshd is bound correctly and accepting connections as expected.