Hostwinds Tutorials
Tags: VPS
Secure Shell (SSH) is a trusted and widely used method for securely connecting to remote servers. By default, it listens on port 22—a well-known port that's frequently targeted by automated bots and malicious login attempts. Switching to a different port won't make your server invincible, but it can significantly cut down on unwanted traffic and help improve your overall security posture.
In this tutorial, we'll walk you through the steps to change your server's SSH port safely. Along the way, we'll cover how to pick a new port, update your firewall rules, test the connection, and apply a few additional best practices for a stronger, more secure SSH setup.
Let's get started.
Before changing your SSH port, let's make sure you have the following:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
SSH defaults to port 22, but you can change it to any unused port between 1024 and 65535. Avoid ports under 1024—they're reserved for well-known services and could lead to conflicts. Below is a list of commonly used ports so you know which ones to steer clear of:
Tip: Choose a port that's not commonly scanned by attackers, such as 2222, 2525, or 50022.
Once you've decided the port number you want to use, let's go through the steps on how to make the switch.
1. Connect to your server using the current SSH port (default is 22):
ssh user@your-server-ip
2. Open the SSH daemon configuration file with a text editor such as nano:
sudo nano /etc/ssh/sshd_config
3. Find the line that specifies the default SSH port:
#Port 22
4. Uncomment it (remove the # symbol) and change the number to your new port:
Port 2222
(Replace 2222 with your preferred port number.)
5. Save and exit the file.
If your server has a firewall enabled, you'll need to open the new SSH port in your firewall and close the old one.
On Ubuntu/Debian:
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo ufw reload
On CentOS/RHEL with firewalld:
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
Tip: Make sure the port change is reflected in any other firewall management tools or external security groups (like those in AWS or other cloud providers).
After making the changes, apply the new settings by restarting the SSH service:
sudo systemctl restart sshd
Before closing your current SSH session, open a new terminal window and test the new port:
ssh -p 2222 user@your-server-ip
If the connection works, you're all set.
If not, go back and double-check the SSH config file and firewall rules or check out our more detailed post on troubleshooting SSH connection issues.
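A way to double-check the config file between the edit and the restart, written as an added example that is not part of the original tutorial. The function names and the sample config are constructed for illustration, and the parser reads a single file only, so the sshd -T check in the comments remains the authoritative one.

```shell
#!/bin/sh
# Added example: checks between editing sshd_config and restarting sshd.
# Function names and the sample config below are constructed for illustration.

# Print the port of every active Port directive in one config file.
# "#Port 22" is a comment, keywords are case-insensitive, and several Port
# lines may coexist (sshd then listens on all of them).
config_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# Succeed only for a port in the range the tutorial recommends (1024-65535).
port_in_range() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Succeed if the file makes sshd listen on exactly the wanted port: the new
# line is uncommented and no leftover "Port 22" line keeps the old port open.
only_listens_on() {   # usage: only_listens_on FILE PORT
    port_in_range "$2" || return 1
    [ "$(config_ports "$1")" = "$2" ]
}

# On the real server (needs root, so not run here):
#   sudo sshd -t                      # syntax check, non-zero exit on a bad config
#   sudo sshd -T | grep -i '^port '   # effective ports after includes and defaults
# CentOS/RHEL with SELinux enforcing also needs the port labelled for sshd:
#   sudo semanage port -a -t ssh_port_t -p tcp 2222

# Demo on a constructed config where the edit was left incomplete.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22' 'Port 2222' > "$demo"
if only_listens_on "$demo" 2222; then
    echo "ok: sshd will listen only on 2222"
else
    echo "not ready, active ports: $(config_ports "$demo" | tr '\n' ' ')"
fi
rm -f "$demo"
```
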
To avoid typing the port number every time, you can add it to your local SSH configuration:
1. Open or create this file:
nano ~/.ssh/config
2. Add the following using your credentials (server name, server IP, port #, and username):
Host your-server
    HostName your-server-ip
    Port 2222
    User your-username
Changing your SSH port is a good first step, but here are a few more ways to strengthen your server's security:
Edit /etc/ssh/sshd_config and set:
PermitRootLogin no
This forces users to authenticate as a regular user and then escalate privileges with sudo.
Password-based logins are easier to brute-force. Switching to SSH keys makes unauthorized access significantly harder. Generate a key pair with ssh-keygen and upload your public key to the server.
Tools like Fail2Ban monitor login attempts and temporarily ban IPs that fail repeatedly. This helps prevent brute-force attacks.
Regularly install updates to patch any known vulnerabilities.
Check logs like /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/RHEL) to keep an eye on login attempts and potential threats.
If only specific IPs need SSH access, restrict your firewall rules to allow just those addresses.
Written by Michael Brower / June 23, 2017