How to Disconnect Inactive or Idle SSH Connections in Linux

In our previous article, we explained how to use the TMOUT shell variable to auto logout a Linux shell when there isn’t any activity. In this article, we will explain how to auto disconnect inactive or idle SSH sessions or connections in Linux.

Read Also: 5 Ways to Keep Remote SSH Sessions and Processes Running After Disconnection

This is just one of several practices for protecting and securing the SSH service from possible attacks; you can also block SSH and FTP access to specific IP and network ranges in Linux to add more security.

Auto Disconnect Inactive SSH Sessions in Linux

To auto disconnect idle SSH sessions, you can use these sshd configuration options.

  • ClientAliveCountMax – defines the number of client alive messages that may be sent to the ssh client without sshd receiving any message back from the client. If this limit is reached without the client responding, sshd will terminate the connection. The default value is 3.
  • ClientAliveInterval – defines a timeout interval (in seconds) after which, if no message has been received from the client, sshd will send a message to the client requesting it to respond. The default is 0, meaning that these messages will not be sent to the client.

To configure it, open the main SSH configuration file /etc/ssh/sshd_config with your editor of choice.

# vi /etc/ssh/sshd_config

Add the following two lines, which disconnect a client that stops responding after approximately 3 minutes. A client alive message is sent every 60 seconds, and once 3 of them have gone unanswered, 3*60=180 seconds (3 minutes), sshd terminates the connection.

ClientAliveInterval 60
ClientAliveCountMax 3

After making the changes, restart the SSH service so that they take effect.

# systemctl restart sshd   [On Systemd]
# service sshd restart     [On SysVinit]
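The arithmetic above can be checked against a config file before the service is restarted. The following is an added example, not part of the original article: the function name clientalive_timeout is hypothetical, and it assumes whitespace-separated keywords with plain values in seconds, reads only the global section (it stops at the first Match block) and does not follow Include directives.

```shell
#!/bin/sh
# Added example: report how long sshd waits before dropping an
# unresponsive client, based on the ClientAlive* settings in a config file.

# clientalive_timeout FILE
# Prints ClientAliveInterval * ClientAliveCountMax in seconds, or
# "disabled" when either value is 0 (no probes sent / no termination).
clientalive_timeout() {
    awk '
        BEGIN { interval = 0; count = 3 }      # sshd defaults
        /^[ \t]*#/ || NF == 0 { next }         # skip comments and blank lines
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # global section only
        # sshd uses the first value it finds for each keyword
        key == "clientaliveinterval" && !si { interval = $2; si = 1 }
        key == "clientalivecountmax" && !sc { count = $2; sc = 1 }
        END {
            if (interval + 0 == 0 || count + 0 == 0) print "disabled"
            else print interval * count
        }
    ' "$1"
}

# Constructed sample config (not from a real host). The second
# ClientAliveInterval line and the Match block are both ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Port 22
ClientAliveInterval 60
ClientAliveCountMax 3
ClientAliveInterval 300
Match User backup
    ClientAliveInterval 0
EOF
clientalive_timeout "$sample"
rm -f "$sample"
```

On a live host, `sshd -t` checks the configuration file for errors before you restart, and `sshd -T` prints the effective values sshd will use.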

That’s all! Below is a list of useful SSH guides, that you can read:

  1. How to Configure Custom SSH Connections to Simplify Remote Access
  2. ssh_scan – Verifies Your SSH Server Configuration and Policy in Linux
  3. Restrict SSH User Access to Certain Directory Using Chrooted Jail

It is absolutely necessary to auto disconnect inactive SSH sessions for several security reasons. To share any thoughts or ask a question, use the comment form below.

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.


4 Comments

  1. This article addresses a common misconception regarding SSH configuration parameters for unresponsive sessions.

    The `ClientAliveInterval` does not monitor inactivity but rather checks if the client is still responsive. It sets a timeout interval in seconds; if no data is received from the client during this time, `sshd(8)` will send a message through the encrypted channel to request a response from the client. The default value is 0, which means these messages will not be sent.

    For further clarification, the documentation for `ClientAliveCountMax` is helpful:

    If `ClientAliveInterval` is set to 15 seconds and `ClientAliveCountMax` is left at its default value, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting `ClientAliveCountMax` to 0 disables connection termination.

    For more details, visit: [ServerFault](https://serverfault.com/a/1162840/274176)

    • @Esa,

      Thanks for clarifying! Your explanation about `ClientAliveInterval` and `ClientAliveCountMax` is spot on. It’s important to understand that these settings help check if the client is responsive rather than just tracking inactivity.
