How to configure SSH to listen to a specific IP address

Binding SSH to a specific IP address restricts remote access to selected network interfaces and addresses. Limiting where sshd accepts connections reduces exposure on multi-homed hosts and helps enforce network segmentation or management-plane isolation on servers reachable from different networks.

The OpenSSH daemon reads its configuration from /etc/ssh/sshd_config and uses the ListenAddress directive to decide which local addresses and ports to bind. When no explicit ListenAddress is set, sshd typically listens on all available IPv4 and IPv6 interfaces, which may include addresses that are not intended for administrative access.

Changing ListenAddress modifies how sshd binds sockets at startup, so a syntax error or incorrect address can prevent the daemon from accepting new connections. Configuration changes require root or sudo access and a restart of the SSH service, and a recovery path such as console, IPMI, or a second working SSH session is important before committing changes on remote systems.

Steps to bind SSH server to a specific IP address:

Open a terminal session on the SSH server with an account that has sudo privileges.
```
$ whoami
admin
```

Display the current IPv4 addresses for all interfaces to identify the target address.

$ ip -4 addr
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
##### snipped #####

ip shows the active addresses and interfaces so the correct management IP can be chosen.

Open the /etc/ssh/sshd_config file in a text editor.
```
$ sudo vi /etc/ssh/sshd_config
```
Locate any existing ListenAddress directives in the configuration.
```
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
```
Commented ListenAddress lines reflect the default of listening on all interfaces until an explicit value is set.
Set ListenAddress to the specific IP address that must accept SSH connections.
```
ListenAddress 192.168.1.100
```
Multiple ListenAddress lines can be added if the daemon should listen on more than one explicit address.
Save the changes in the text editor.
Exit the text editor.
Validate the sshd configuration syntax before restarting the service.
```
$ sudo sshd -t
```
No output from sshd -t indicates that the configuration syntax is valid.

An invalid configuration prevents sshd from starting, which blocks new SSH logins until the error is corrected.

Related: How to check and validate SSH server's configuration
Restart the SSH service to apply the new listening address.
```
$ sudo systemctl restart ssh
```
Some distributions use the unit name sshd instead of ssh, for example sudo systemctl restart sshd. Related: [DRAFT] How to manage the SSH server service with systemctl in Linux
Confirm that the SSH daemon is listening only on the specified IP address and port.
```
$ sudo netstat -tulnp | grep ssh
tcp        0      0 192.168.1.100:22      0.0.0.0:*               LISTEN      1234/sshd
```
If the output still shows 0.0.0.0:22 or additional addresses, SSH remains reachable on interfaces that were not intended for administration.
Test an SSH connection to the configured IP address from another machine.
```
$ ssh admin@192.168.1.100
Welcome to Ubuntu 22.04 LTS
##### snipped #####
```
A successful login over the chosen IP address confirms that sshd is bound correctly and accepting connections as expected.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.