How to limit SSH (TCP port 22) connections with ufw on Ubuntu Linux

How do I limit ssh connection attempts using UFW (Uncomplicated Firewall) on Ubuntu or Debian Linux server?

UFW means Uncomplicated Firewall. It is a default firewall on Ubuntu. However, one can install ufw on other Linux distros. For example Arch Linux, Debian, CentOS and more. In other words, ufw is nothing but a front-end for managing a Netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use for developers and new Linux users. Let us see how to limit SSH connection with ufw on Ubuntu or Debian Linux.
Limiting SSH Connections with ufw


Rate limiting with ufw

You can add limit rule. Currently only IPv4 (Internet Protocol version 4) is supported. With this syntax you can deny connections from an IP address that has attempted to initiate 6 or more connections in the last 30 seconds. This option is very useful for services such as sshd as those are attacks by bots and other bad actors. Hence, we use firewall to protect our server from brute force attacks.

Syntax to limit SSH (TCP port 22) connections with ufw

The syntax is pretty simple:

## ufw limit ssh various usage ##
ufw limit ssh
ufw limit ssh/tcp
ufw limit ssh comment 'Rate limit for openssh server'
### if sshd is running on tcp port 2022 add ####
ufw limit 2022/tcp comment 'SSH port rate limit'

The above rules are useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate six or more connections within thirty seconds. Once setup you can verify it with the following command:
$ sudo ufw limit ssh/tcp comment 'Rate limit for openssh serer'
$ sudo ufw status

Sample outputs:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                   # Rate limit for openssh serer
22/tcp (v6)                LIMIT       Anywhere (v6)              # Rate limit for openssh serer

The actual rules are as follows in iptables:

-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask --rsource
-A ufw-user-input -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 --name DEFAULT --mask --rsource -j ufw-user-limit
-A ufw-user-input -p tcp -m tcp --dport 22 -j ufw-user-limit-accept

Please note that the new ssh rule will then replace the previous ssh rule. You can limit other services too:
ufw limit {service}
## be careful with http/https limits as many users might be behind a large proxy server ##
ufw limit 25/tcp
ufw limit http
ufw limit https


OpenSSH server running on Ubuntu Linux with TCP port 22 open invites lots of trouble. It is scanned and attacked by hackers and bots everyday. Hence, we learned how to use limit ssh connection rate with ufw command to protect your Ubuntu or Debian Linux server from attacks. Make sure you use the strong password and set up ssh keys. Please see my “OpenSSH server best practices” page for more information and all other ufw related tutorials below. See ufw man page here or by typing the following ufw command:
man ufw

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

3 comments… add one
  • Jouni "rautamiekka" Jrvinen Jan 25, 2017 @ 10:48

    It’s harder but directly commanding iptables is better since you can make precise rules while UFW only in the general direction.

  • PGF Jan 30, 2017 @ 13:54

    It is simpler, but it gives you far less fine control than iptables.

  • Stephan Jan 31, 2017 @ 16:31

    But what if the IP changes then the attacker can still attempt to connect to the server. Why not just not use the default port, configure SSH on another port.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.