How to Change SSH Port in Linux?


Introduction

Secure Shell (SSH) is a protocol that provides a secure channel over an unsecured network in Linux systems. It is commonly used for remote logins, file transfers, and executing commands on a remote machine securely. SSH is an essential tool for Linux system administrators, developers, and users who access their machines remotely.

Checking Current SSH Port

Before we can proceed to changing the SSH port, it is important to know the current port number being used. By default, the SSH service listens on port 22.

However, this is a well-known port and is often targeted by attackers. Therefore, it is recommended to change this default port number to a non-standard one.

Using the Command "sshd -T | grep port" to Check the Current Port

To check which port number your SSH service is currently listening on, you can use the following command in your Linux terminal −

sudo sshd -T | grep port

This command will show you output that looks like −

port 22
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22

Explanation of What the Output Means

The output above shows that the SSH service is currently listening on port 22 for both IPv4 and IPv6 connections (indicated by "listenaddress 0.0.0.0:22" and "listenaddress [::]:22"). The "grep" command filters out all lines of text except for those containing the word "port". The first line ("port 22") shows that the server's SSH listening port is 22.

If your system administrator has already changed the SSH port from its default value of "22", you will see the new value instead of "22" in this output. Take note of it: it will be helpful when choosing a new, non-standard port number for your Linux system.

Choosing a New Port Number

Guidelines for Choosing a New Port Number

After checking the current SSH port, the next step is to choose a new port number. It is important to choose a random port number that is not commonly used by other services on your Linux system. This will help prevent an attacker from easily finding and exploiting your SSH service.

The Internet Assigned Numbers Authority (IANA) recommends using port numbers between 49152 and 65535 for private or ephemeral ports. This range of ports is reserved for dynamic or private use and should not be used by any registered service.

The chosen new port number should also be easy to remember so that you do not forget it later on. Ensure that the selected port number complies with any security policies in place within your organization.

Commonly Used Alternative Ports

While there are numerous available ports to choose from, some have become more popular as alternatives to the default SSH port (22). One such alternative is port 2222, which has gained popularity over time due to its ease of remembering and registering with ISPs and firewalls. Another commonly used alternative is port 443, which is used by HTTPS traffic.

Since most firewalls allow HTTPS traffic through without inspection, using this alternate SSH port can help avoid detection by network administrators who might otherwise block the use of non-standard ports. Other commonly used alternative ports include 992, 2020, and 8080.

However, it's important to note that while these are common choices when changing the SSH port on Linux systems, they are still widely known among attackers, who may scan them in their attempts to locate vulnerable systems. Therefore, it's recommended that you select a unique, unused port in the high range mentioned earlier (49152 to 65535) for maximum security benefit.

Editing SSH Configuration File

Once you have chosen a new port number, the next step is to edit the sshd_config file. This configuration file determines how your SSH server behaves and allows you to customize its settings.

To access the file, open any text editor on your Linux machine and navigate to /etc/ssh/sshd_config. You can use any text editor you like, but nano and vim are commonly used editors in command-line environments.

$ sudo vim /etc/ssh/sshd_config

Using a Text Editor to Modify the sshd_config File

Open the sshd_config file in your text editor of choice and find the line that says "#Port 22". The "#" symbol is used to comment out lines, so remove it from this line and change "22" to your chosen port number.

#Port 22

Port [new_port_number]

Save the changes to the sshd_config file. In nano, press Ctrl + O to save and Ctrl + X to exit; in vim, type :wq and press Enter. In any other editor, use its "Save" function.

Explanation of What Changes Need To Be Made

The only change that needs to be made in the configuration file is modifying the "Port" setting as mentioned earlier. It's important not to make any other changes unless you know what you're doing because they could potentially affect SSH functionality.

It's worth noting that if you're changing your SSH port number for security reasons, it's also recommended that you disable root login through SSH by setting "PermitRootLogin no" in this same configuration file. By setting a new port number and the other recommended security settings in this file, you can significantly reduce your exposure to attacks aimed at the default port while still allowing authorized access.

Restarting SSH Service

Once you have edited the sshd_config file, it's time to restart the SSH service to apply the changes. You can do this by using the following command on your terminal −

sudo systemctl restart sshd

This command will stop and then restart the SSH service with the new configuration. If you encounter any errors at this stage, it could be due to an issue with your configuration file.

Using the Command Line to Check if New Port is Working

To check if your new port is working, you can use the following command −

ssh -p [new_port_number] [username]@[ip_address]

Replace `[new_port_number]` with your chosen port number, `[username]` with your username, and `[ip_address]` with your server's IP address. If everything is configured correctly, you should be able to connect to your server using SSH on the new port.

It's important to note that changing the default SSH port does not make your system completely secure. However, it does add an extra layer of security by making it more difficult for attackers to target your system through a commonly known port. It's always a good practice to implement multiple layers of security measures in order to protect sensitive information stored on servers.
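The edit and restart steps above, collected into one script as an added example (not part of the original article). The function names and the port 50022 are illustrative, and the script assumes an sshd_config-style file with one directive per line; it backs the file up, handles a file that already has several Port lines or a Match block, and checks the configuration before restarting.

```shell
#!/bin/sh
# Added example: function names and the port 50022 are illustrative.

# valid_port PORT: succeeds only for an integer in 49152-65535,
# the dynamic/private range recommended above.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or 6+ digits
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# set_ssh_port FILE PORT: leave exactly one active "Port PORT" line in FILE.
# The untouched original is kept as FILE.bak.
set_ssh_port() {
    cfg=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    awk -v p="$port" '
        # First Port line (commented or active) becomes the new setting;
        # later active Port lines are dropped so the old port is not kept open.
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " p; done = 1 }
            else if ($0 ~ /^[ \t]*#/) print
            next
        }
        # Port is not allowed inside a Match block, so if none was seen yet,
        # insert it before the first Match line instead of appending.
        /^[ \t]*[Mm]atch[ \t]/ && !done { print "Port " p; done = 1 }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg.bak" > "$cfg"
}

# active_ports FILE: print the port numbers of uncommented Port lines.
active_ports() {
    awk '/^[ \t]*[Pp]ort[ \t]+[0-9]+/ { print $2 }' "$1"
}

# apply_change: syntax-check the live configuration, restart only if it passes.
# Needs root and a real sshd, so it is defined here but not called.
apply_change() {
    sshd -t -f /etc/ssh/sshd_config && systemctl restart sshd
}
```

Run as root, `set_ssh_port /etc/ssh/sshd_config 50022` followed by `apply_change` performs the change. Allow the new port in your firewall first, and keep the current session open until a login with `ssh -p` on the new port succeeds.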

Conclusion

Changing the default SSH port is an important step that you can take to secure your Linux system. By using a non-standard port, you can make it more difficult for attackers to find your server and launch attacks against it. While this is not a foolproof solution and should not be the only security measure taken, it is an important step in securing your system.

It's also important to remember that changing the SSH port alone will not make your system completely secure. You should also enable other security measures such as configuring firewalls, disabling root login, and using key-based authentication.

By following the steps outlined in this article, you can easily change the default SSH port on your Linux system and improve its overall security. Stay safe!

Updated on: 24-Aug-2023
