How to Change SSH Port in Linux?

Secure Shell (SSH) is a network protocol that provides encrypted communication over an insecure network. By default, SSH listens on port 22, which is well-known and frequently targeted by attackers. Changing the SSH port to a non-standard number adds an extra layer of security through obscurity.

Checking Current SSH Port

Before changing the SSH port, verify which port your SSH service is currently using. Use the following command to check the current configuration:

sudo sshd -T | grep -E '^(port|addressfamily|listenaddress) '

This command will display output similar to:

port 22
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22

The output shows that SSH is listening on port 22 for both IPv4 (0.0.0.0:22) and IPv6 ([::]:22) connections. If your system administrator has already changed the port, you'll see the custom port number instead of 22.

Choosing a New Port Number

Guidelines for Port Selection

When selecting a new SSH port, follow these best practices:

  • Use ports in the range 49152-65535 (the dynamic/private, or ephemeral, port range designated by IANA)

  • Avoid well-known ports (0-1023) used by system services

  • Check that your chosen port isn't already in use by another service

  • Choose a memorable number to avoid lockouts

Commonly Used Alternative Ports

Port        | Pros                            | Cons
2222        | Easy to remember                | Commonly scanned by attackers
443         | Often allowed through firewalls | May conflict with HTTPS services
49152-65535 | Less likely to be scanned       | Harder to remember

You can check if a port is already in use with:

netstat -tuln | grep :2222
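
The selection guidelines above can be checked mechanically before editing sshd_config; the script below is an added example, not part of the original article, and its function names and the SAMPLE_SS listing (constructed `ss -tuln` output) are assumptions. It compares the port field exactly, so a listener on 22222 does not make 2222 look busy the way a plain grep for :2222 would.

```shell
#!/bin/sh
# Added example: validate a candidate SSH port against the guidelines above.
# Function names are hypothetical; SAMPLE_SS is constructed `ss -tuln` output.

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:22222       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      511    *:443               *:*'

# port_in_use PORT LISTING: exit 0 if a TCP socket in LISTING is bound to
# exactly PORT. Comparing the field after the last ":" avoids the false
# positive that `grep :2222` gives for port 22222.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "tcp" && $2 == "LISTEN" {
            n = split($5, part, ":")
            if (part[n] == p) found = 1
        }
        END { exit !found }'
}

# check_candidate_port PORT LISTING: print a verdict, exit 0 only if usable.
check_candidate_port() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid: not a number"; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "invalid: out of range 1-65535"; return 1
    fi
    if [ "$1" -le 1023 ]; then
        echo "rejected: well-known port"; return 1
    fi
    if port_in_use "$1" "$2"; then
        echo "rejected: already in use"; return 1
    fi
    echo "ok"
}

# On a real host, pass live data: check_candidate_port 2222 "$(ss -tuln)"
for p in 22 443 2222 22222 50022; do
    printf '%s: %s\n' "$p" "$(check_candidate_port "$p" "$SAMPLE_SS")"
done
```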

Editing SSH Configuration File

The SSH daemon configuration is stored in /etc/ssh/sshd_config. Open this file with a text editor:

sudo vim /etc/ssh/sshd_config

Modifying the Port Setting

Find the line containing #Port 22 and modify it as follows:

# Before (commented out)
#Port 22

# After (uncommented with new port)
Port 2222

Save the file and exit the editor. In vim, use :wq to write and quit.

Additional Security Recommendations

While editing the configuration file, consider implementing these additional security measures:

# Disable root login
PermitRootLogin no

# Use key-based authentication only
PasswordAuthentication no

# Limit user access
AllowUsers username1 username2

Restarting SSH Service

After modifying the configuration, restart the SSH service to apply changes:

sudo systemctl restart sshd

Check the service status to ensure it started successfully:

sudo systemctl status sshd

Verifying the Port Change

Confirm that SSH is now listening on the new port:

ss -tuln | grep :2222

You should see output similar to:

tcp   LISTEN 0      128          0.0.0.0:2222       0.0.0.0:*
tcp   LISTEN 0      128             [::]:2222          [::]:*

Testing the New Connection

Test the SSH connection using the new port. Important: Keep your current SSH session open while testing to avoid being locked out.

ssh -p 2222 username@your_server_ip

If the connection succeeds, your port change is working correctly. If you encounter connection issues, check:

  • Firewall rules allow the new port

  • SELinux policies (if enabled) permit the new port

  • Cloud provider security groups include the new port

Updating Firewall Rules

Don't forget to update your firewall to allow the new SSH port:

# For UFW (Ubuntu/Debian)
sudo ufw allow 2222/tcp
sudo ufw delete allow 22/tcp

# For firewalld (CentOS/RHEL/Fedora)
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Conclusion

Changing the SSH port from the default 22 to a non-standard port reduces automated attacks and improves security through obscurity. While not a complete security solution, it's an effective first step when combined with other hardening measures like key-based authentication and proper firewall configuration.

Updated on: 2026-03-17T09:01:39+05:30
