SSH servers on multi-homed Linux hosts can accidentally accept logins on every interface when the daemon keeps its default wildcard listener. Binding sshd to one local address confines new SSH sockets to a management IP while leaving firewall rules and user access policy to separate controls.
OpenSSH uses the ListenAddress directive in /etc/ssh/sshd_config to choose the local addresses and optional ports that sshd binds at startup. When no ListenAddress directive is active, the daemon listens on all local addresses for the configured Port values.
The address must already exist on the server before the service restarts, and it is not a client allowlist. Keep a second SSH session, console, or out-of-band path available, validate the configuration before restarting, and test both the listening socket and a new login after the change.
Steps to bind SSH server to a specific IP address:
- Open a terminal on the SSH server with an account that can use sudo.
- List the server addresses and choose the local address for SSH.
$ ip -brief address show scope global eth0 UP 192.0.2.40/24
ListenAddress must use an address assigned to the server, not the remote client address that is allowed to connect.
- Edit the SSH daemon configuration file.
$ sudoedit /etc/ssh/sshd_config
- Add the ListenAddress directive for the chosen address.
ListenAddress 192.0.2.40
Add multiple ListenAddress lines only when sshd should bind more than one local address. If SSH uses multiple Port values, an unqualified ListenAddress applies to those port values.
- Test the SSH daemon configuration.
$ sudo sshd -t
No output means sshd parsed the active configuration successfully.
Related: How to test SSH server configurationDo not restart the service until syntax errors are fixed, because a bad server configuration can block new SSH logins.
- Restart the SSH service.
$ sudo systemctl restart ssh
Use sudo systemctl restart sshd on systems where the service unit is named sshd.
Related: How to manage the SSH server service with systemctl - Check the listening socket for the SSH port.
$ sudo ss -tlnp 'sport = :22' State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 192.0.2.40:22 0.0.0.0:* users:(("sshd",pid=1246,fd=3))If the local address still shows 0.0.0.0:22, [::]:22, or an unintended interface address, sshd is still reachable outside the intended management address.
- Test a new SSH login through the selected address.
$ ssh user@192.0.2.40 'echo SSH listener reached' SSH listener reached
Run the login test from a separate client or terminal so the existing administrative session remains available for rollback.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.