Ttdfjt

What causes a rotating object to rotate forever without external force—inertia, or something else?

How would you say "Sorry, that was a mistake on my part"?

Round command argument before using

What is this green alien supposed to be on the American covers of the "Hitchhiker's Guide to the Galaxy"?

Why are flying carpets banned while flying brooms are not?

Zhora asks Deckard: "Are you for real?" Was this meant to be significant?

How fast does a character need to move to be effectively invisible?

Why is the Intel 8086 CPU called a 16-bit CPU?

Arithmetics in LuaLaTeX

How can electric field be defined as force per charge, if the charge makes its own, singular electric field?

Why are there few or no black super GMs?

Is encryption still applied if you ignore the SSL certificate warning for self signed?

Why do the digits of a number squared follow a similar quotient?

Term “console” in game consoles

Could a US citizen born through "birth tourism" become President?

How do you give a date interval with diffuse dates?

How to belay quickly ascending top-rope climbers?

What makes MOVEQ quicker than a normal MOVE in 68000 assembly?

How to interpret a promising preprint that was never published?

The most secure way to handle someone forgetting to verify their account?

How do you send money when you're not sure it's not a scam?

Locked-up DOS computer beeped on keypress. What mechanism caused that?

Is it possible to have a career in SciComp without contributing to arms research?

We get more abuse than anyone else

How can I truly shut down ssh server?

ssh daemon error: sshd must be ownMigrate socat init script to systemdWhy is my Systemd unit loaded, but inactive (dead)?systemd: How to unmask a service whose unit file is empty?Linux ssh (bug/broken) still working even when the service is stopped on linux ubuntu?Why x0vncserver is not starting at boot?What is the difference between Process: and Main PID: in the output of systemctl status?Why is systemd stopping service immediately after it is started?Daemon not started by systemdCan't find SSHD/systemd socket-activated logs

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

15

1

I disable the ssh server with systemctl disable ssh then reboot. After reboot, I still can log into the remote server through ssh. I use systemctl status ssh to check the server status and it is inactive.

$ systemctl -a | grep ssh
ssh.service loaded inactive dead OpenBSD Secure Shell server
ssh@3-192.168.0.120:22-192.168.0.104:31079.service loaded active running OpenBSD Secure Shell server per-connection daemon (192.168.0.104:31079)
system-ssh.slice loaded active active system-ssh.slice
ssh.socket loaded active listening OpenBSD Secure Shell server socket

systemd sshd

share|improve this question

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Could you add the output of systemctl status ssh to your question?
  
  – Fiximan
  Jul 9 at 15:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  It is much like:● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: inactive (dead) since Tue 2019-07-09 23:25:16 CST; 1s ago
  
  – codexplorer
  Jul 9 at 15:26
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Additionally you should block port 22 on the firewall, so that even if the SSH server is running somehow, it won't be accessible from remote.
  
  – dr01
  Jul 10 at 10:51
  
  

  
  
  
  

add a comment | 

15

1

I disable the ssh server with systemctl disable ssh then reboot. After reboot, I still can log into the remote server through ssh. I use systemctl status ssh to check the server status and it is inactive.

$ systemctl -a | grep ssh
ssh.service loaded inactive dead OpenBSD Secure Shell server
ssh@3-192.168.0.120:22-192.168.0.104:31079.service loaded active running OpenBSD Secure Shell server per-connection daemon (192.168.0.104:31079)
system-ssh.slice loaded active active system-ssh.slice
ssh.socket loaded active listening OpenBSD Secure Shell server socket

systemd sshd

share|improve this question

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Could you add the output of systemctl status ssh to your question?
  
  – Fiximan
  Jul 9 at 15:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  It is much like:● ssh.service - OpenBSD Secure Shell server Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: inactive (dead) since Tue 2019-07-09 23:25:16 CST; 1s ago
  
  – codexplorer
  Jul 9 at 15:26
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Additionally you should block port 22 on the firewall, so that even if the SSH server is running somehow, it won't be accessible from remote.
  
  – dr01
  Jul 10 at 10:51
  
  

  
  
  
  

add a comment | 

I disable the ssh server with systemctl disable ssh then reboot. After reboot, I still can log into the remote server through ssh. I use systemctl status ssh to check the server status and it is inactive.

$ systemctl -a | grep ssh
ssh.service loaded inactive dead OpenBSD Secure Shell server
ssh@3-192.168.0.120:22-192.168.0.104:31079.service loaded active running OpenBSD Secure Shell server per-connection daemon (192.168.0.104:31079)
system-ssh.slice loaded active active system-ssh.slice
ssh.socket loaded active listening OpenBSD Secure Shell server socket

systemd sshd

share|improve this question

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

$ systemctl -a | grep ssh
ssh.service loaded inactive dead OpenBSD Secure Shell server
ssh@3-192.168.0.120:22-192.168.0.104:31079.service loaded active running OpenBSD Secure Shell server per-connection daemon (192.168.0.104:31079)
system-ssh.slice loaded active active system-ssh.slice
ssh.socket loaded active listening OpenBSD Secure Shell server socket

share|improve this question

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

share|improve this question

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

edited Jul 9 at 15:47

Gilles

564k134134 gold badges11611161 silver badges16691669 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

asked Jul 9 at 15:11

codexplorercodexplorer

17888 bronze badges

1 Answer
1

active

oldest

votes

26

The systemd SSH socket is active, and the SSH service is socket-activated. You need to disable the socket as well:

systemctl disable --now ssh.socket

In fact, on my Arch system, the sshd daemon runs only when a new connection comes in. At other times, the only instances of sshd are the child processes forked off to handle those connections.

Also see:

• systemd and socket activation

share|improve this answer

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @spender that's Lennart Poettering's official blog, so it's hard to get a 'better' source than that. Not sure why you're getting a warning from Firefox, but I'm not
  
  – Michael Snook
  Jul 10 at 13:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Ah, you're probably getting a warning about his self-signed certificate.
  
  – muru
  Jul 10 at 13:54
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @spender: Indeed the error message is utterly awful. It should be telling you not to submit private data to the site, not that "hackers can steal your [implied: at-rest] data if you visit the site". It reads like a scareware/fake-AV message which users should be trained to ignore.
  
  – R..
  Jul 10 at 14:01
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Now that Lets Encrypt is so easy to use, Poettering should use it instead of self-signed certificates. :/
  
  – muru
  Jul 10 at 14:06
  

  
  
  
  


• 
  
  
  

  
  5
  

  
  
  
  
  
  

  
  
  @muru give Poettering a tad bit of time - it takes time to integrate a CA into an init manager....
  
  – ivanivan
  Jul 10 at 17:41
  

  
  
  
  

 | 
show 4 more comments

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f529203%2fhow-can-i-truly-shut-down-ssh-server%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

26

The systemd SSH socket is active, and the SSH service is socket-activated. You need to disable the socket as well:

systemctl disable --now ssh.socket

In fact, on my Arch system, the sshd daemon runs only when a new connection comes in. At other times, the only instances of sshd are the child processes forked off to handle those connections.

Also see:

• systemd and socket activation

share|improve this answer

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @spender that's Lennart Poettering's official blog, so it's hard to get a 'better' source than that. Not sure why you're getting a warning from Firefox, but I'm not
  
  – Michael Snook
  Jul 10 at 13:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Ah, you're probably getting a warning about his self-signed certificate.
  
  – muru
  Jul 10 at 13:54
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @spender: Indeed the error message is utterly awful. It should be telling you not to submit private data to the site, not that "hackers can steal your [implied: at-rest] data if you visit the site". It reads like a scareware/fake-AV message which users should be trained to ignore.
  
  – R..
  Jul 10 at 14:01
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Now that Lets Encrypt is so easy to use, Poettering should use it instead of self-signed certificates. :/
  
  – muru
  Jul 10 at 14:06
  

  
  
  
  


• 
  
  
  

  
  5
  

  
  
  
  
  
  

  
  
  @muru give Poettering a tad bit of time - it takes time to integrate a CA into an init manager....
  
  – ivanivan
  Jul 10 at 17:41
  

  
  
  
  

 | 
show 4 more comments

26

The systemd SSH socket is active, and the SSH service is socket-activated. You need to disable the socket as well:

systemctl disable --now ssh.socket

In fact, on my Arch system, the sshd daemon runs only when a new connection comes in. At other times, the only instances of sshd are the child processes forked off to handle those connections.

Also see:

• systemd and socket activation

share|improve this answer

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @spender that's Lennart Poettering's official blog, so it's hard to get a 'better' source than that. Not sure why you're getting a warning from Firefox, but I'm not
  
  – Michael Snook
  Jul 10 at 13:50
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Ah, you're probably getting a warning about his self-signed certificate.
  
  – muru
  Jul 10 at 13:54
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @spender: Indeed the error message is utterly awful. It should be telling you not to submit private data to the site, not that "hackers can steal your [implied: at-rest] data if you visit the site". It reads like a scareware/fake-AV message which users should be trained to ignore.
  
  – R..
  Jul 10 at 14:01
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Now that Lets Encrypt is so easy to use, Poettering should use it instead of self-signed certificates. :/
  
  – muru
  Jul 10 at 14:06
  

  
  
  
  


• 
  
  
  

  
  5
  

  
  
  
  
  
  

  
  
  @muru give Poettering a tad bit of time - it takes time to integrate a CA into an init manager....
  
  – ivanivan
  Jul 10 at 17:41
  

  
  
  
  

 | 
show 4 more comments

The systemd SSH socket is active, and the SSH service is socket-activated. You need to disable the socket as well:

systemctl disable --now ssh.socket

In fact, on my Arch system, the sshd daemon runs only when a new connection comes in. At other times, the only instances of sshd are the child processes forked off to handle those connections.

Also see:

• systemd and socket activation

share|improve this answer

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

systemctl disable --now ssh.socket

share|improve this answer

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges

answered Jul 9 at 15:21

murumuru

42k55 gold badges102102 silver badges177177 bronze badges