The safe way to run ufw allow ssh on Ubuntu is to add the SSH rule before enabling the firewall, keep your current SSH session open, and test a second login before closing anything. That order protects you from the most common remote-server mistake: turning on a firewall that blocks your only management connection.
UFW is designed to make firewall rules easier to manage, but it can still lock you out if the wrong port is allowed. This tutorial covers the standard OpenSSH profile, custom SSH ports, rule verification, and a practical VPS checklist.
Key takeaways
- Add the SSH rule before enabling UFW on a remote VPS.
- Use sudo ufw allow OpenSSH when the OpenSSH application profile matches your server.
- Use a port-specific rule such as sudo ufw allow 2222/tcp if SSH listens on a custom port.
- Keep the current SSH session open while testing a second session.
- Confirm sudo ufw status verbose before and after enabling the firewall.
- For related access tasks, read the Virtarix guides to generating SSH keys, securing a VPS, VPS security, and systemctl basics.
Before you enable UFW
Do these checks first:
- Confirm you are logged in over SSH and the session is stable.
- Confirm which port SSH actually listens on.
- Decide whether you will use the OpenSSH application profile or a port rule.
- Add the rule.
- Enable UFW only after the rule exists.
- Test a new SSH login before closing the original session.
If you are working through a hosting console, keep that console available too. It gives you a recovery path if you make a firewall mistake.
Step 1: Check UFW status
Run:
sudo ufw status verbose
If UFW is inactive, that is normal on many fresh Ubuntu servers. You can still add rules before enabling it. If UFW is already active, be more careful: changing rules can affect live traffic immediately.
The status output shows current rules, default policies, and whether the firewall is active. Save the output in your maintenance notes when you are changing a production VPS.
Step 2: Check available application profiles
Ubuntu packages can provide UFW application profiles. Check whether OpenSSH is listed:
sudo ufw app list
If OpenSSH appears and your SSH daemon uses the standard profile settings, you can allow it by name. This is the simplest path for a default Ubuntu OpenSSH setup.
Step 3: Allow SSH with the OpenSSH profile
Run:
sudo ufw allow OpenSSH
This adds a rule for the OpenSSH application profile. It is clearer than a bare service name because it matches the profile name shown by ufw app list.
Then verify the rule:
sudo ufw status verbose
Look for an allow rule for OpenSSH. Do not enable or reload the firewall until the rule is visible.
Step 4: Allow a custom SSH port instead
If you changed SSH to a custom port, allow that port explicitly. For example:
sudo ufw allow 2222/tcp
Replace 2222 with your real SSH port. Do not copy a custom-port example unless it matches the active SSH server configuration. If SSH listens on a different port, UFW will faithfully allow the wrong port and block the real one when the firewall becomes active.
After adding the rule, verify it:
sudo ufw status verbose
You should see the custom TCP port listed as allowed.
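An added pre-flight check, not part of the original tutorial: it compares the ports reported by sshd -T with the rules listed by ufw show added, which lists pending rules even while UFW is inactive (ufw status verbose prints only "Status: inactive" at that point). The function names and sample inputs are constructed for illustration, and the OpenSSH profile is assumed to map to 22/tcp as in the packaged Ubuntu profile.

```shell
#!/bin/sh
# Real use (not run here): missing_ports "$(sudo sshd -T)" "$(sudo ufw show added)"

# Ports sshd will listen on, taken from the "port N" lines of `sshd -T` output.
sshd_ports() {
  printf '%s\n' "$1" | awk '$1 == "port" && $2 ~ /^[0-9]+$/ { print $2 }' | sort -un
}

# TCP ports opened by "ufw allow|limit ..." lines in `ufw show added` output.
# Assumption: the OpenSSH application profile means 22/tcp.
# Source-restricted rules ("allow from ...") are deliberately not counted.
ufw_tcp_ports() {
  printf '%s\n' "$1" | awk '
    $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
      if ($3 == "OpenSSH") { print 22 }
      else if ($3 ~ /^[0-9]+(\/tcp)?$/) { sub(/\/tcp$/, "", $3); print $3 }
    }' | sort -un
}

# Print sshd ports that have no matching rule; return 1 if any are missing.
missing_ports() {
  allowed=$(ufw_tcp_ports "$2")
  missing=""
  for p in $(sshd_ports "$1"); do
    printf '%s\n' "$allowed" | grep -qx "$p" || missing="$missing $p"
  done
  missing=${missing# }
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD='port 2222
addressfamily any
listenaddress 0.0.0.0:2222'
SAMPLE_UFW_WRONG="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH"
SAMPLE_UFW_RIGHT="Added user rules (see 'ufw status' for running firewall):
ufw allow OpenSSH
ufw allow 2222/tcp"

# Demo: sshd listens on 2222 but only the OpenSSH profile (22/tcp) is allowed.
if missing_ports "$SAMPLE_SSHD" "$SAMPLE_UFW_WRONG" >/dev/null; then
  echo "every sshd port has a rule"
else
  echo "an sshd port has no UFW rule: add it before 'ufw enable'"
fi
```

A non-zero return from missing_ports is the signal to stop before Step 5 and add the rule for the printed port.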
Step 5: Enable UFW safely
When the SSH rule is present, enable UFW:
sudo ufw enable
Read the warning carefully. On a remote VPS, enabling the firewall can disrupt existing connections if rules are wrong. Because you added the SSH rule first, the risk is lower, but you still need to test.
After enabling, check status again:
sudo ufw status verbose
Confirm that UFW is active and the SSH rule remains allowed.
Step 6: Test a second SSH session
Do not close the original terminal yet. Open a new terminal and connect again using the expected port. If you use the default port, connect normally. If you use a custom port, specify that port in your SSH client.
If the second login works, your firewall rule is probably correct. If it fails, keep the first session open and fix the rule before disconnecting.
Lockout recovery checklist
If you accidentally block SSH, use the safest available recovery channel:
- Use the provider console if available.
- Check UFW status from the console.
- Add the correct SSH rule.
- Disable UFW temporarily only if you need emergency access.
- Re-enable it after the rule set is correct.
Do not repeatedly guess from a disconnected client. You need a console or an existing session to repair the firewall safely.
Common mistakes
Enabling UFW before allowing SSH
This is the classic lockout pattern. Add the SSH rule first, then enable UFW.
Allowing the wrong port
If the SSH daemon uses a custom port, ufw allow OpenSSH may not match your actual configuration. Confirm the SSH server port before choosing the rule.
Closing the only working session too early
Always test a second login before closing your original session. This one habit prevents most remote firewall lockouts.
Forgetting IPv6
If IPv6 is enabled on the server, confirm your firewall policy matches your access requirements. UFW can manage IPv4 and IPv6 rules when configured for both.
When to use the service name instead of a port
Use the OpenSSH profile when the server follows the packaged Ubuntu OpenSSH setup and you have not moved SSH to a custom listener. Use the explicit TCP port rule when the SSH daemon has been changed, when you inherited an older server, or when documentation says remote access uses a non-standard port. The rule should describe the real listener, not the habit you use on other servers.
VPS-safe UFW checklist
Before you finish, confirm:
- UFW status was checked before changes.
- The OpenSSH profile or correct custom TCP port was allowed.
- UFW was enabled only after the SSH rule existed.
- A second SSH login succeeded.
- The original session stayed open during testing.
- The final rule list was saved in your notes.
This makes the change auditable and gives the next administrator enough context to understand why the rule exists.
If you want a disposable server for practicing ufw allow ssh safely, Virtarix Cloud VPS plans give you an isolated environment for testing firewall rules, SSH ports, and recovery habits before changing production access.
FAQ
What is the command to allow SSH through UFW?
Use sudo ufw allow OpenSSH for the OpenSSH application profile, or use sudo ufw allow 2222/tcp if SSH listens on a custom TCP port.
Should I enable UFW before allowing SSH?
No. Add the SSH allow rule first, then enable UFW, then test a second SSH login before closing your original session.
How do I check if UFW allows SSH?
Run sudo ufw status verbose and look for an allow rule for OpenSSH or the custom SSH TCP port.
What if I changed the SSH port?
Allow the actual SSH port with a TCP rule. Do not rely on the default profile unless it matches your server configuration.
Summary
The safe ufw allow ssh workflow is simple: verify the current state, allow the correct SSH rule, enable UFW, and test a second login while your original session is still open. The exact rule depends on whether your server uses the OpenSSH profile or a custom SSH port.
On a VPS, firewall work is access-control work. Treat it like a change window, not a casual command. Check the rule, test the login, and leave notes so future administrators understand the setup.
Byline: Peter French — Updated 2026-05-18.