How to Change the Default SSH Port in Linux [Properly and Safely]
Changing the default SSH port is one of the several ways to enhance SSH server security. Learn how to do it properly and safely.
If you are aware of the SSH basics, you already know that SSH uses port 22 by default.
When you connect to a server via SSH, most of the time you don't provide any port information. And in such cases, your connection goes to the port 22 of the SSH server.
You can change the default port from 22 a port number of your choice using the following steps:
- Open the
/etc/ssh/sshd_configfile for editing.
- Locate the line that has
Port 22(if it is commented out with #, remove the # as well).
- Change the line to Port 2522 (or any number of your choice between 1024 and 65535).
- Make sure that the new port is allowed by the firewalls (if you have any).
- Restart ssh daemon with
sudo systemctl restart sshd.
- From now onwards, you'll have to specify the port to make the ssh connection
ssh user@ip_address_of_server -p 2522.
Let me show you the steps in details and also tell you why you may consider changing the
Why change the default SSH port?
One of the most elementary tricks for securing SSH server is to change the default SSH port number 22.
Why? Because a number of bot scripts try the brute force attacks on the default port 22. Most of these scripts don't always scan for open ports, and they target the default ports for various known services like SSH.
Changing the default SSH port reduces number of such attacks. There are other ways to improve the security of your SSH server. If interested, please follow these actionable tips for improving SSH server security.
Now that you know why you would change the default SSH port, let's see how to do it.
Allow traffic on the new port by changing the firewall settings
Now this part depends upon what kind of firewall or routing you are using.
If you are using UFW, you can use the following command to allow port 2522:
sudo ufw allow 2522/tcp
If you are using iptables, you should use this command:
sudo iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2522 -j ACCEPT
sudo firewall-cmd --permanent --zone=public --add-port=2522/tcp
sudo firewall-cmd --reload
On CentOS and Red Hat, you may also have to change the SELinux rules:
sudo semanage port -a -t ssh_port_t -p tcp 2522
Now that you have put the correct firewall settings, let's move on to changing the SSH port.
Changing the default SSH port
Usually, the ssh configuration file is located at
/etc/ssh/sshd_config. You'll have to use a terminal-based editor like Vim or Nano or Emacs to edit the file.
Distributions like Ubuntu have Nano installed by default so you can use it for opening the file in edit mode like this:
sudo nano /etc/ssh/sshd_config
As you can see, you'll have to be a sudo user or root to edit the ssh configuration.
Scroll down a bit and you'll see a line with
Port 22. If it starts with
#, it means the line is commented out. The commented out lines gives you the default settings.
So if you see
# Port 22, it means that default port is 22.
Change this line with a port number of your choice. In Linux, port number 0-1023 are usually reserved for various services. It will be good to avoid using anything between 0 and 1023 to avoid conflicts.
You can use any other port number between 1024 and 65535. I am using 2522 in the example. Make sure to remove the
# before the Port line.
Save your changes and exit the editor. If you are using Nano, use Ctrl+X to save and exit.
The next step is to restart the ssh service. Most modern system use systemd services so you can use the following command:
sudo systemctl restart sshd
Now if you want to access the SSH server, you'll have to specify the port number:
ssh user@ip_address_of_server -p 2522
Was it helpful?
I hope you find this tutorial helpful in changing the SSH port. Now that you have changed the port, you'll have to use it all the time you want to connect to the server via SSH and that could be annoying.
This is why I recommend using SSH config file to save the settings for easy and quick access.