Introduction
SSH (Secure Shell) is a network protocol that provides a secure way to remotely access a computer or server. Since SSH offers strong password and public key authentication, as well as encrypted data communication between two machines, it is one of the most secure protocols.
However, leaving the default port 22 for SSH creates a security issue that makes the server vulnerable to cyber threats such as brute-force attacks. Therefore, changing the default SSH port is a great way to add extra protection to the server.
In this tutorial, you will learn to change the default SSH port.
Prerequisites
- A system running Linux.
- An account with root privileges.
- Access to the terminal.
Changing the Default SSH Port
Port numbers range from 0 to 65536, but port numbers 0-1023 are reserved for common TCP/IP applications and are called well-known ports. Well-known ports allow client applications to quickly locate the corresponding server application processes when connecting to hosts.
The following table contains the most common privileged services and their associated ports and functions:
| Port Number | Service | Description |
|---|---|---|
| 7 | TCP/UDP | Echoes data back to the sender. |
| 13 | TCP/UDP | Reports time in a user-friendly format. |
| 19 | UDP | Character generator. |
| 20 | TCP | FTP's default data transfer port. |
| 21 | TCP | FTP server control channel. |
| 22 | TCP | Secure Shell (SSH) communication. |
| 23 | TCP | Used by the Telnet protocol. |
| 25 | TCP | The default port for relaying emails via SMTP. |
| 53 | DNS | Port for transferring Domain Name System (DNS) queries. |
| 67 | UDP | DHCP server port used to send configuration information. |
| 68 | UDP | DHCP client port used to receive configuration information. |
| 69 | UDP | Trivial file transfer (TFTP). |
| 80 | TCP | Hypertext Transfer Protocol (HTTP). |
| 110 | TCP | Post Office Protocol 3 (POP3). |
| 123 | UDP | Network Time Protocol (NTP). |
| 143 | TCP | Internet Message Access Protocol (IMAP). |
| 161/162 | TCP/UDP | SNMP ports used to receive network management queries and network problem reports. |
| 443 | TCP | HTTP over SSL/TLS (HTTPS). |
| 636 | TCP/UDP | LDAP over SSL/TLS (LDAPS). |
| 1011-1023 | Reserved | Reserved for future use. |
Although it is possible to use well-known ports, they might cause a network conflict. Thus, it is safer to choose a port number from 1024-65535 as they are not reserved for any other service.
Follow the steps below to change the default SSH port:
Step 1: Connect to Remote Server
Connect to the remote server via ssh. Open a terminal (Ctrl+Alt+T) and use the following syntax:
ssh username@[ip_address]For example:
Step 2: Change SSH Configurations
On the remote server, edit the SSH configuration file located in /etc/ssh/sshd_config. Use a text editor of your choice. The default editor on Ubuntu is nano. Run:
sudo nano /etc/ssh/sshd_configWarning: Only modify the settings outlined below. Providing an incorrect SSH configuration may render the server inaccessible via SSH. Read our tutorial to learn more about the SSH config file.
Find the line that reads #Port 22. Either uncomment the line and replace 22 with the desired port number or enter a new line below with the new default SSH port:
Adding a new line allows you to revert to the default settings later by deleting the line.
Save the changes and exit the file.
Alternatively, open the port using iptables. The syntax is:
sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport [port_number] -j ACCEPTReplace [port_number] with the port you want to open.
Step 3: Update Firewall Rules
Ensure the firewall is not blocking the port you want to use for SSH. Depending on which firewall you are using, update the firewall settings to allow incoming connections to the specified port. The syntax for configuring the ufw firewall is:
sudo ufw allow [port_number]/tcpFor example, we will allow connections to port 1222:
The output states that rules have been updated. Verify that the port is in a listening state by running the ss or netstat command:
ss -tulpn | grep [port_number]netstat -tulpn | grep [port_number]For example:
The output shows that the specified port is open.
Note: If you are opening a port on an SELinux system, use the following syntax:
semanage port -a -t ssh_port_t -p tcp [port_number]Step 4: Restart SSH
For the configuration changes to take effect, restart the SSH service. Run the following command:
sudo service ssh restartStep 5: Test the New Port
Test if the new port allows you to connect by establishing a new SSH connection to the server.
Important: Test the SSH connection in a new terminal window. Only close the previous root session after you make sure the new setup is working.
The syntax is:
ssh -p [port] username@[ip_address]For example:
In the example above, the connection was established using the specified port.
Conclusion
This tutorial showed how to change the default SSH port to additionally secure remote connections to your server. A secure connection is important, especially when dealing with sensitive data, so using a port other than the default one is recommended.
For more information, see how SSH works, read the difference between SSH and Telnet, or see the five SSH best practices for securing your system.
