Is it safe to expose SSH on port 22 to the internet?

It is acceptable if you have key-only authentication enabled and password login disabled. Port 22 receives heavy automated scanning, so you will see failed login attempts immediately, but with key auth those attempts go nowhere. Changing to a non-standard port like 2222 reduces scan noise. Fail2Ban adds an extra layer by auto-banning IPs after repeated failures.

How do I access my home SSH server from outside my network?

Two options: port forwarding or Tailscale. Port forwarding requires configuring your router to send inbound port 22 traffic to your server's local IP, plus a DDNS service if your ISP assigns a dynamic public IP. Tailscale is simpler: install it on both devices and they get stable private IPs that work from anywhere without any router configuration.

Why does my SSH port forwarding not work?

The most common causes are your ISP blocking port 22 (try port 2222 instead), double NAT where both an ISP modem and your router need forwarding rules, or your server's local IP changed after a DHCP reassignment. Assign a static local IP via DHCP reservation on your router to fix the last issue permanently.

What port should I use for SSH instead of 22?

2222 and 22222 are common alternatives. Changing the port does not meaningfully improve security but reduces automated scan traffic, which makes your logs cleaner. Update both the sshd_config on the server and your router's port forwarding rule to use the same port.

How do I set up SSH key authentication on my home server?

Generate a key pair on your client with ssh-keygen -t ed25519, then copy the public key to the server with ssh-copy-id username@serverip. After confirming key login works, set PasswordAuthentication no in sshd_config and restart SSH. On Linux, verify that ~/.ssh is 700 and authorized_keys is 600. On Windows, admin accounts require the key in C:\ProgramData\ssh\administrators_authorized_keys.

How do I fix SSH connection refused on my home server?

Check three things in order: is the SSH service running (sudo systemctl status ssh), is the firewall allowing the port (sudo ufw status on Linux or Windows Defender Firewall rules on Windows), and are you using the correct IP and port. Connection refused means the server is reachable but actively rejecting the connection, which is different from connection timed out, which points to a firewall or port forwarding issue.

Can you SSH into a Windows PC from Linux?

Yes. Windows 10 version 1709 and later and Windows 11 include a native OpenSSH server. Install it via PowerShell or through Settings > Optional Features. Once running, you connect from any Linux machine with the standard ssh username@windowsip command. The main difference from Linux is that admin accounts use a different authorized_keys path.

What is the difference between SSH and a VPN for home remote access?

SSH gives you terminal access and file transfer to a specific machine. A VPN like Tailscale or WireGuard connects you to your entire home network as if you were physically there. For most developers, Tailscale is the better home setup because it handles NAT traversal automatically, requires no router config, and SSH connections work over the same tunnel without any extra steps.

SSH Server on Home Computer: Linux and Windows Setup

The Connection refused error on port 22 usually happens because your ISP placed you behind a Carrier-Grade NAT, making traditional port forwarding completely useless. Bypassing this restriction requires a strict diagnosis of your home network to decide whether you need a dynamic DNS setup or a zero-configuration mesh VPN.

Default Port: 22 (Requires an immediate change to a custom port like 2222)
Windows Requirement: Windows 10 (version 1709) or newer
Linux Requirement: openssh-server package
Key Algorithm: Ed25519 (Faster and more secure than RSA)
Remote Access Methods: Port Forwarding (Static IP/DDNS) or Mesh VPN (Tailscale)

SSH Server Decision Tree: Port Forwarding vs. Tailscale

If your ISP provides a real public IP, standard port forwarding with a Dynamic DNS works perfectly. You control the entire traffic flow. If your router status page shows a WAN IP starting with 10.x.x.x or 100.x.x.x, you are behind a CGNAT. Tailscale bypasses this entirely without touching a single router setting.

Step 1: Installing OpenSSH on Your Local Machine

Ubuntu/Debian Setup (Linux)

Open your terminal and run sudo apt update && sudo apt install openssh-server. The background service starts automatically right after the installation. Check its current status with sudo systemctl status ssh. The terminal output shows active (running) if everything went well.

Windows Native OpenSSH Setup (And the administrators_authorized_keys Trap)

Windows 10 and 11 include a native OpenSSH server directly in the system. Open PowerShell as Administrator and run Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0. Start the service with Start-Service sshd and make it persistent across reboots using Set-Service -Name sshd -StartupType 'Automatic'.

Here is the biggest trap for Windows users: If your Windows account is an Administrator, the SSH server completely ignores the standard ~/.ssh/authorized_keys file. You must place your public key in C:\ProgramData\ssh\administrators_authorized_keys. You also need to set the strict NTFS permissions exactly to SYSTEM and Administrators, manually removing all other users from the properties tab.

Running Windows VMs alongside your SSH server? If you use Hyper-V on Windows 11, each VM gets its own SSH config and authorized_keys file; the CGNAT and administrators_authorized_keys rules apply inside VMs too.

How to Fix docs.google.com refused to connect Error (Fast)

Step 2: Hardening Security and Key-Based Authentication

Generating and Copying SSH Keys

Never rely on passwords for remote access. Run ssh-keygen -t ed25519 -C "your_email@example.com" on your client machine. The Ed25519 algorithm provides better performance and stronger security against modern brute-force attempts. Use ssh-copy-id username@target_ip to push the newly generated key directly to your Linux server.

Disabling Root Login and Password Authentication

Open /etc/ssh/sshd_config on Linux or C:\ProgramData\ssh\sshd_config on Windows using your preferred text editor. Find the line #PasswordAuthentication yes and change it to PasswordAuthentication no. Do the exact same thing for PermitRootLogin no. Restart the SSH service immediately to apply these critical security rules.

Step 3: Beating Dynamic IPs and Carrier-Grade NAT

Setting up DDNS (DuckDNS / ddclient)

Home IPs change frequently after modem reboots. Register a free domain on DuckDNS and install ddclient on your Linux machine. This small background service pings DuckDNS every five minutes, keeping your custom domain seamlessly tied to your current home IP address.

Port Forwarding Basics on a Home Router

Log into your home router interface, typically located at 192.168.1.1 or 192.168.0.1. Navigate to the NAT or Port Forwarding section. Create a new rule pointing external port 2222 to internal port 22 of your server's local IP address. Exposing the default port 22 directly to the internet invites thousands of automated bot attacks every single day.

The Tailscale Alternative (Zero Router Config)

Install Tailscale on both your client laptop and your home server. It automatically assigns a static 100.x.x.x IP address to your server machine. You connect using ssh username@100.x.x.x from anywhere in the world. The connection feels instantaneous, and your router ports remain completely closed to the outside world.

How to Open 7z Files on Windows, Mac, and Linux

Step 4: Adding Fail2Ban for Brute Force Protection

If you expose a port, malicious bots will scan it. Install Fail2Ban with sudo apt install fail2ban on your Linux server. It actively monitors your authentication logs and automatically drops IP addresses at the firewall level after five failed login attempts. The default ban time is 10 minutes, but you can easily increase it to 24 hours in the /etc/fail2ban/jail.local configuration file.

SSH Troubleshooting: Decoding Connection Errors

Connection refused vs Connection timed out vs Permission denied

Connection refused: The server is reachable, but the SSH service is down or a local firewall (like UFW on Linux or Windows Defender) is actively blocking the specific port. If the service is running but you still get refused, check what process is holding port 22 with ss -tlnp | grep :22.

Connection timed out: Your packets are dropping somewhere before they reach the target machine. This almost always means your router port forwarding rule is incorrect or your ISP is actively blocking the port at their network level.

Permission denied (publickey): The server sees you, but explicitly rejects your cryptographic credentials. Double-check your administrators_authorized_keys permissions on Windows or ensure your private key matches the target user on the remote machine.

Bonus: Using \~/.ssh/config for Quick Access Aliases

Stop typing long connection strings every time you want to log in. Create a simple text file at ~/.ssh/config on your client machine. Add a block specifying the HostName, User, and Port under a short alias like Host home-pc. Next time, just type ssh home-pc and hit enter.

How to Set Up an SSH Server on Your Home Computer (Linux & Windows)

SSH Server Decision Tree: Port Forwarding vs. Tailscale