How to Disconnect Inactive or Idle SSH Connections in Linux

In our previous article, where we’ve explained how to TMOUT shell variable to auto logout Linux shell when there isn’t any activity. In this article, we will explain how to auto disconnect inactive or idle SSH sessions or connections in Linux.

Read Also: 5 Ways to Keep Remote SSH Sessions and Processes Running After Disconnection

This is a just one of the several practices to protect and secure SSH service from possible attacks; you can also block SSH and FTP access to specific IP and network range in Linux, just to add more security.

Auto Disconnect Inactive SSH Sessions in Linux

To auto disconnect idle SSH sessions, you can use these sshd configuration options.

  • ClientAliveCountMax – defines the number of messages (client alive messages) sent to the ssh client without sshd receiving back messages from the client. Once this limit is reached, without the client responding, sshd will terminate the connection. The default value is 3.
  • ClientAliveInterval – defines a timeout interval (in seconds) after which if no message has been received from the client, sshd will send a message to the client requesting it to response. The default is 0, meaning that these messages will not be sent to the client.

To configure it, open main SSH configuration file /etc/ssh/sshd_config with your choice of editor.

# vi /etc/ssh/sshd_config

Add these two following lines, which means it will disconnect the client after approximately 3 minutes. It means that after every 60 seconds, a client alive message is sent (total 3 client alive messages will be sent), which results to 3*60=180 seconds (3 minutes).

ClientAliveInterval 60
ClientAliveCountMax 3

After making changes, make sure to restart the SSH service to take new changes into effect.

# systemctl restart sshd   [On Systemd]
# service sshd restart     [On SysVinit]

That’s all! Below is a list of useful SSH guides, that you can read:

  1. How to Configure Custom SSH Connections to Simplify Remote Access
  2. ssh_scan – Verifies Your SSH Server Configuration and Policy in Linux
  3. Restrict SSH User Access to Certain Directory Using Chrooted Jail

It is absolutely necessary to auto disconnect inactive SSH sessions due to sever security reasons. To share any thoughts or ask a question, use the comment form below.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

4 Comments

Leave a Reply
  1. This article addresses a common misconception regarding SSH configuration parameters for unresponsive sessions.

    The `ClientAliveInterval` does not monitor inactivity but rather checks if the client is still responsive. It sets a timeout interval in seconds; if no data is received from the client during this time, `sshd(8)` will send a message through the encrypted channel to request a response from the client. The default value is 0, which means these messages will not be sent.

    For further clarification, the documentation for `ClientAliveCountMax` is helpful:

    If `ClientAliveInterval` is set to 15 seconds and `ClientAliveCountMax` is left at its default value, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting `ClientAliveCountMax` to 0 disables connection termination.

    For more details, visit: [ServerFault](https://serverfault.com/a/1162840/274176)

    Reply
    • @Esa,

      Thanks for clarifying! Your explanation about `ClientAliveInterval` and `ClientAliveCountMax` is spot on. It’s important to understand that these settings help check if the client is responsive rather than just tracking inactivity.

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.