How to set an SSH timeout
Setting a distinct timeout period for SSH connections on your server is an important and simple step to maintaining both server stability and security. The common SSH daemon tool found on most Linux distributions makes this process easy to handle and additional shell settings even offer the ability to disconnect idle users if necessary.
|DIFFICULTY||Basic - 1 | Medium - 2 | Advanced - 3|
|TIME REQUIRED||10 min|
|RELATED PRODUCTS||Linux-based VPS or dedicated servers
Linux-based shared hosting
Managing Server-side SSH Timeouts
To easily handle disconnected or even idle clients connected via SSH to your server, you'll want to look at the problem from two angles: ClientAlive and shell TMOUT.
Configuring SSH ClientAlive Settings
When a client remotely connects via SSH to your (properly configured) Linux-based server, the server will execute a series of KeepAlive requests to connected clients at designated intervals. Upon each execution, the server sends a packet to the client to verify that the client connection is still valid and functional. Should this KeepAlive packet exchange ever fail the server can automatically sever that connection.
To ensure your server terminates any SSH clients that do not respond properly you must edit your
sshd_config file. For most distributions the
sshd_config is located in the
/etc/ssh directory, but if necessary you can always locate it with a quick find:
To begin, open the
sshd_config file in your favorite text editor (such as vim or nano - we're using nano here):
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
# Use these options to restrict which interfaces/protocols sshd will bind to
There are three settings you should locate — or add if necessary — in your
Below are the default settings for most SSH daemon installations:
ClientAliveInterval determines how frequently an encrypted (and therefore difficult-to-spoof).
TCPKeepAlive packet is transmitted to the client (in seconds). This setting works in tandem with
ClientAliveCountMax, which determines how many
KeepAlive packets will be transmitted to the client with no response before the connection is terminated.
With a default setting of zero seconds for the
ClientAliveInterval, most SSH daemon installations will not transmit these
You can easily enable
ClientAlive packet transmission by altering or changing these settings in your
sshd_config file. For example, to send a maximum of 4 packets at an interval of 15 seconds apart, add these lines to the
The third setting of
TCPKeepAlive behaves similarly to the
ClientAliveInterval duo, except
TCPKeepAliveuses unencrypted packets (sent over the TCP protocol) to verify that clients are still connected.
TCPKeepAlive ensures that there will not be any "ghost" client connections to your server that may consume resources. On the other hand, if there are any temporary internet hiccups that may sever the connection between an SSH-connected client and your server, the
TCPKeepAlive protocol may disconnect that user.
To enable (or disable)
TCPKeepAlive, set the value in the
sshd_config file to either yes or no:
As usual after making any changes to your
sshd_config file, be certain to save the file then restart your SSH daemon:
Disconnecting Idle SSH Clients
While the use of the ClientAlive and
TCPKeepAlive settings in your
sshd_config will handle any connections that were improperly severed, that has no impact on SSH client connections that are simply idle for a lengthy period of time. If security is paramount, you may wish to sever idle SSH connections to your server.
For most Linux distributions, disconnecting an idle client can be easily handled using the TMOUT bash setting within your bashrc file. Since you'll likely want to specify settings that apply to all users, you should edit the
/etc/bash.bashrc file (for user-specific settings open
# System-wide .bashrc file for interactive bash(1) shells.
# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.
To add an idle client disconnection, simply add the following to the end of the
The TMOUT setting is the number of seconds a client can be connected and idle before a timeout is detected and the connection is dropped by the server. You can use a fairly small value at first to test your settings, but a reasonable value should be used in production.
Once the settings are changed and
bash.bashrc has been saved, you may now open a new SSH connection with your server and wait. After your set TMOUT period has elapsed your connection will be severed:
Wed Oct 15 03:09:41 EDT 2014
account@ubuntu:~# ssh firstname.lastname@example.org
Wed Oct 15 03:09:47 EDT 2014
root@Main:~# timed out waiting for input: auto-logout
Connection to 123.123.456.78 closed
Wed Oct 15 03:14:53 EDT 2014
Following these basic practices will ensure increased security and stability for all SSH connections to your server.