In this tutorial, we will show you how to change the SSH default port in Linux, and go over why changing this default port is a good idea. IMPORTANT: Before we go any further, you should understand that this is not a solution that will prevent or deter a determined hacker to attack your SSH service. It is merely a measure to help you avoid the thousands of automated bots running all the time scanning vast ranges of IP space searching for standard SSH ports being open. Preventing a determined hacker from brute-forcing your SSH service is beyond the scope of this article.
SSH, also known as Secure Shell, is the most widely-used protocol for connecting to and managing Linux systems remotely. SSH offers strong encryption and authentication along with excellent customizability, and using SSH gives you the freedom of accessing a remote machine. You can run services and software as if you were physically using the machine, no matter where you are.
By default, SSH runs on port 22. Since this is common knowledge, this port often becomes a target for brute force attacks. Because this provides full access to your server’s OS, people with malicious intent will often target port 22 more than any other port. Changing the default SSH port will prevent automated attacks that don’t spend the time to rotate ports when targeting a Linux Server. To protect your server from a brute force attack, you should change the default SSH port to something else.
Table of Contents
Prerequisites
- A Linux VPS with root access enabled, or a user with sudo privileges. Our VPSes all come with root access, so you should have no issues if you use one of our Managed Linux VPSes.
Step 1. Connect via SSH
Log in to your server using SSH as the root user (or as a user with sudo privileges). You can do that by entering this command:
ssh root@Server_IP_Address -p Port_Number
Remember to replace ‘root’ with your username if you are not using the root user. Also, replace Server_IP_Address and Port_Number with your actual IP address and SSH port number. If you have never changed the port number before, this should be 22.
Once you are logged in, you can proceed to the next step.
Step 2. Select a New Port Number
Before changing the default SSH port, you will need to select a new port for SSH to listen on. You can select any unused port. In Linux, port numbers below 1024 are reserved for well-known services and could be more easily discovered. So it is recommended to select a port above 1024.
As an example, we will change the default SSH port to 5437.
Step 3. Configure the Firewall
Before changing the default SSH port, you will need to configure the firewall on your server to allow traffic on the new SSH port.
On Ubuntu/Debian-based operating systems, you can open the new SSH port 5437 using the UFW
command:
ufw allow 5437/tcp ufw reload
On CentOS/RHEL/Fedora-based operating systems, you can open the new SSH port 5437 using the firewall-cmd
command:
firewall-cmd --permanent --zone=public --add-port=5437/tcp firewall-cmd --reload
At this point, your server is configured to allow traffic on the new SSH port.
Step 4. Change the Default SSH Port
You can change the SSH default port by editing the file /etc/ssh/sshd_config
.
nano /etc/ssh/sshd_config
Find the following line:
# Port 22
Uncomment the line by removing the pound symbol “#” , then replace it with the following line:
Port 5437
Save and close the file when you are finished. Then, restart the SSH service to apply the changes.
systemctl restart ssh
Next, verify the SSH listening port with the following command:
netstat -plntu | grep 5437
You should see the following output:
tcp 0 0 0.0.0.0:5437 0.0.0.0:* LISTEN 5134/sshd tcp6 0 0 :::5437 :::* LISTEN 5134/sshd
Step 5. Connect to SSH using the new Port
Now, log out from your current SSH session and connect your server again using the new port.
ssh -p 5437 root@Server_IP_Address
If everything is fine, you should connect to the server and see a password prompt with no problems.
Congratulations! You have successfully changed the default SSH port on your Linux machine.
You don’t have to change the default SSH port in your Linux VPS on your own if you use one of our fully managed Linux VPS hosting solutions. Our technical support team will gladly help you change your SSH port to a custom one without you having to do a thing. They are available 24/7 and will help you with any aspect of managing your server.
If you found this tutorial helpful, we would appreciate you sharing it with your friends through social media by using our share shortcuts, or by leaving a comment in our comments section. Thank you.
Why are people still peddling this type of “advice” in 2020?
Its more than easy enough to discover SSH that has been moved to another port. Sure it might help with a bulk attack, but tbh the attacks you should worried about is targeted ones which would most likely have the attacker doing the minimal of discoveries.
Firewall -> Only allow access to specific IP addresses if possible
Port Knocking -> Even better than an ACL use fwknop to send an encrypted packet to open the firewall to a specific IP address which also bypasses the issue of dynamic client IP addresses.