Hostwinds Tutorials

Table of Contents


Prerequisites
Choosing a New SSH Port
How to Change Your Default SSH Port
Step 1: Update the SSH Configuration File
Step 2: Update Firewall Rules
Step 3: Restart the SSH Service
Step 4: Test the New SSH Port
Step 5: Make SSH Connections Easier (Optional)
Locking Down SSH Access
Disable Root Login
Use SSH Key Authentication
Set Up Fail2Ban or Similar Tools
Keep SSH and Your OS Updated
Monitor Login Activity
Limit SSH Access with IP Whitelisting

How To Change Your SSH Port

Tags: VPS 

Secure Shell (SSH) is a trusted and widely used method for securely connecting to remote servers. By default, it listens on port 22—a well-known port that's frequently targeted by automated bots and malicious login attempts. Switching to a different port won't make your server invincible, but it can significantly cut down on unwanted traffic and help improve your overall security posture.

In this tutorial, we'll walk you through the steps to change your server's SSH port safely. Along the way, we'll cover how to pick a new port, update your firewall rules, test the connection, and apply a few additional best practices for a stronger, more secure SSH setup.

Let's get started.

Prerequisites

Before changing your SSH port, let's make sure you have the following:

  • Root or sudo access to the server: In order to modify system settings, you'll need admin privileges. If you're not sure how to access your server via SSH, please refer to our guide on Connecting to Your Server via SSH.
  • An active SSH connection using the default port (usually 22): Keeping an active SSH session open is a good idea in case of misconfiguration.
  • Firewall access: In order to allow traffic on the new port, you'll need to modify your operating system's firewall rules.
  • Command line knowledge: A basic understanding should be fine. If you need help, our beginner's guide to the command-line interface is a good place to start.
  • A new SSH port number: Select a port between 1024 and 65535 that is not already in use.
  • A backup of your SSH configuration file: Before making changes, it's important to back up your SSH configuration to prevent lockouts:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Choosing a New SSH Port

SSH defaults to port 22, but you can change it to any unused port between 1024 and 65535. Avoid ports under 1024—they're reserved for well-known services and could lead to conflicts. Below is a list of commonly used ports so you know which ones to steer clear of:

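| Port Number | Service          | Protocol |
|-------------|------------------|----------|
| 22          | SSH              | TCP      |
| 21          | FTP              | TCP      |
| 23          | Telnet           | TCP      |
| 25          | SMTP             | TCP      |
| 53          | DNS              | UDP/TCP  |
| 80          | HTTP             | TCP      |
| 443         | HTTPS            | TCP      |
| 3306        | MySQL Database   | TCP      |
| 5432        | PostgreSQL       | TCP      |
| 8080        | Alternative HTTP | TCP      |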

Tip: Choose a port that's not commonly scanned by attackers, such as 2222, 2525, or 50022.

How to Change Your Default SSH Port

Once you've decided on the port number you want to use, let's go through the steps to make the switch.

Step 1: Update the SSH Configuration File

1. Connect to your server using the current SSH port (default is 22):

ssh user@your-server-ip

2. Open the SSH daemon configuration file with a text editor such as nano:

sudo nano /etc/ssh/sshd_config

3. Find the line that specifies the default SSH port:

#Port 22

4. Uncomment it (remove the # symbol) and change the number to your new port:

Port 2222

(Replace 2222 with your preferred port number.)

5. Save and exit the file.

Step 2: Update Firewall Rules

If your server has a firewall enabled, you'll need to open the new SSH port in your firewall and close the old one.

On Ubuntu/Debian:

sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp
sudo ufw reload

On CentOS/RHEL with firewalld:

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Tip: Make sure the port change is reflected in any other firewall management tools or external security groups (like those in AWS or other cloud providers).

Step 3: Restart the SSH Service

After making the changes, apply the new settings by restarting the SSH service:

sudo systemctl restart sshd

Step 4: Test the New SSH Port

Before closing your current SSH session, open a new terminal window and test the new port:

ssh -p 2222 user@your-server-ip

If the connection works, you're all set.

If not, go back and double-check the SSH config file and firewall rules or check out our more detailed post on troubleshooting SSH connection issues.
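
The config edit from Step 1, scripted so the port is validated and the file is backed up before anything changes. This is an added example, not Hostwinds code: the function names are hypothetical, and the demo runs on a constructed config in a temporary directory rather than /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not Hostwinds code). Function names are hypothetical helpers.

# Accept only whole numbers in the tutorial's range, 1024-65535.
valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Back up FILE to FILE.bak, then set its first Port directive to PORT.
# Handles "#Port 22", an active "Port N", and a file with no Port line.
set_sshd_port() {
    file=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    awk -v port="$port" '
        { l = tolower($0) }              # sshd keywords are case-insensitive
        # Port is a global option: if none was seen, add it before any Match block.
        l ~ /^[ \t]*match[ \t]/ && !done { print "Port " port; done = 1 }
        l ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ && !done {
            print "Port " port; done = 1; next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file.bak" > "$file"
}

# List the ports the file actually enables (uncommented Port lines).
active_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# Demo on a constructed config in a temp directory; /etc/ssh is never touched.
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' 'PermitRootLogin no' 'Match User backup' \
    '    PasswordAuthentication no' > "$demo_dir/sshd_config"
set_sshd_port "$demo_dir/sshd_config" 2222 && active_ports "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

On the real file, run `sudo sshd -t` after the edit and before restarting the service, since it reports syntax errors without dropping your session. On CentOS/RHEL with SELinux enforcing, the new port also needs the `ssh_port_t` label (`sudo semanage port -a -t ssh_port_t -p tcp 2222`), or sshd will fail to bind it.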

Step 5: Make SSH Connections Easier (Optional)

To avoid typing the port number every time, you can add it to your local SSH configuration:

1. Open or create this file:

nano ~/.ssh/config

2. Add the following using your credentials (server name, server IP, port #, and username):

Host your-server
    HostName your-server-ip
    Port 2222
    User your-username

Locking Down SSH Access

Changing your SSH port is a good first step, but here are a few more ways to strengthen your server's security:

Disable Root Login

Edit /etc/ssh/sshd_config and set:

PermitRootLogin no

This forces users to authenticate as a regular user and then escalate privileges with sudo.

Use SSH Key Authentication

Password-based logins are easier to brute-force. Switching to SSH keys makes unauthorized access significantly harder. Generate a key pair with ssh-keygen and upload your public key to the server.

Set Up Fail2Ban or Similar Tools

Tools like Fail2Ban monitor login attempts and temporarily ban IPs that fail repeatedly. This helps prevent brute-force attacks.

Keep SSH and Your OS Updated

Regularly install updates to patch any known vulnerabilities.

Monitor Login Activity

Check logs like /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/RHEL) to keep an eye on login attempts and potential threats.
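
One way to turn those logs into something reviewable is to count failed password attempts per source address. This is an added example, not part of the original tutorial: `failed_by_ip` and `sample_auth_log` are hypothetical names, and the log lines are constructed samples in the format sshd writes.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP.
# failed_by_ip and sample_auth_log are hypothetical names, not system tools.

# Read sshd log lines on stdin; print "COUNT IP" for every source with at
# least MIN failures (default 3), busiest first.
failed_by_ip() {
    awk -v min="${1:-3}" '
        /sshd.*: Failed password for / {
            # Usernames are attacker-controlled and may contain " from ",
            # so trust only the LAST "from" on the line.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation-range addresses, made-up PIDs).
sample_auth_log() {
    cat <<'EOF'
Jun 23 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jun 23 10:01:04 host sshd[1201]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jun 23 10:01:09 host sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 41030 ssh2
Jun 23 10:02:11 host sshd[1215]: Failed password for invalid user from from 198.51.100.7 port 50211 ssh2
Jun 23 10:03:40 host sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 50514 ssh2
Jun 23 10:04:02 host sshd[1244]: Failed password for deploy from 198.51.100.7 port 50230 ssh2
EOF
}

# On a server (needs read access to the log):
#   failed_by_ip 5 < /var/log/auth.log
sample_auth_log | failed_by_ip 2
```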

Limit SSH Access with IP Whitelisting

If only specific IPs need SSH access, restrict your firewall rules to allow just those addresses.

Written by Michael Brower  /  June 23, 2017