How to Change the SSH Port?

February 13, 2023

Introduction

SSH (Secure Shell) is a network protocol that provides a secure way to remotely access a computer or server. Since SSH offers strong password and public key authentication, as well as encrypted data communication between two machines, it is one of the most secure protocols.

However, leaving the default port 22 for SSH creates a security issue that makes the server vulnerable to cyber threats such as brute-force attacks. Therefore, changing the default SSH port is a great way to add extra protection to the server.

In this tutorial, you will learn to change the default SSH port.


Prerequisites

  • A system running Linux.
  • An account with root privileges.
  • Access to the terminal.

Changing the Default SSH Port

Port numbers range from 0 to 65536, but port numbers 0-1023 are reserved for common TCP/IP applications and are called well-known ports. Well-known ports allow client applications to quickly locate the corresponding server application processes when connecting to hosts.

The following table contains the most common privileged services and their associated ports and functions:

Port Number   Service    Description
7             TCP/UDP    Echoes data back to the sender.
13            TCP/UDP    Reports time in a user-friendly format.
19            UDP        Character generator.
20            TCP        FTP's default data transfer port.
21            TCP        FTP server control channel.
22            TCP        Secure Shell (SSH) communication.
23            TCP        Used by the Telnet protocol.
25            TCP        The default port for relaying emails via SMTP.
53            DNS        Port for transferring Domain Name System (DNS) queries.
67            UDP        DHCP server port used to send configuration information.
68            UDP        DHCP client port used to receive configuration information.
69            UDP        Trivial file transfer (TFTP).
80            TCP        Hypertext Transfer Protocol (HTTP).
110           TCP        Post Office Protocol 3 (POP3).
123           UDP        Network Time Protocol (NTP).
143           TCP        Internet Message Access Protocol (IMAP).
161/162       TCP/UDP    SNMP ports used to receive network management queries and network problem reports.
443           TCP        HTTP over SSL/TLS (HTTPS).
636           TCP/UDP    LDAP over SSL/TLS (LDAPS).
1011-1023     Reserved   Reserved for future use.

Although it is possible to use well-known ports, they might cause a network conflict. Thus, it is safer to choose a port number from 1024-65535 as they are not reserved for any other service.

Follow the steps below to change the default SSH port:

Step 1: Connect to Remote Server

Connect to the remote server via ssh. Open a terminal (Ctrl+Alt+T) and use the following syntax:

ssh username@[ip_address]

For example:

[Image: Connecting to a remote server using SSH.]

Step 2: Change SSH Configurations

On the remote server, edit the SSH configuration file located at /etc/ssh/sshd_config. Use a text editor of your choice. The default editor on Ubuntu is nano. Run:

sudo nano /etc/ssh/sshd_config

Warning: Only modify the settings outlined below. Providing an incorrect SSH configuration may render the server inaccessible via SSH. Read our tutorial to learn more about the SSH config file.

Find the line that reads #Port 22. Either uncomment the line and replace 22 with the desired port number or enter a new line below with the new default SSH port:

[Image: Editing the SSH configuration file in Linux.]

Adding a new line allows you to revert to the default settings later by deleting the line.

Save the changes and exit the file.

Alternatively, open the port using iptables. The syntax is:

sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport [port_number] -j ACCEPT

Replace [port_number] with the port you want to open.

Step 3: Update Firewall Rules

Ensure the firewall is not blocking the port you want to use for SSH. Depending on which firewall you are using, update the firewall settings to allow incoming connections to the specified port. The syntax for configuring the ufw firewall is:

sudo ufw allow [port_number]/tcp

For example, we will allow connections to port 1222:

[Image: Opening a port in ufw firewall.]

The output states that rules have been updated. Verify that the port is in a listening state by running the ss or netstat command:

ss -tulpn | grep [port_number]
netstat -tulpn | grep [port_number]

For example:

[Image: Check if the specified port is open.]

The output shows that the specified port is open.

Note: If you are opening a port on an SELinux system, use the following syntax:

semanage port -a -t ssh_port_t -p tcp [port_number]

Step 4: Restart SSH

For the configuration changes to take effect, restart the SSH service. Run the following command:

sudo service ssh restart

Step 5: Test the New Port

Test if the new port allows you to connect by establishing a new SSH connection to the server.

Important: Test the SSH connection in a new terminal window. Only close the previous root session after you make sure the new setup is working.

The syntax is:

ssh -p [port] username@[ip_address]

For example:

[Image: Establish SSH connection using a custom port.]

In the example above, the connection was established using the specified port.
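The Step 2 edit as a script, added here as an example and not part of the original tutorial. It goes slightly beyond the steps above: sshd accepts more than one Port line and listens on all of them, so the script also comments out any Port line that is already active and reports which ports remain. The function names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: works on a COPY of sshd_config passed as FILE, not the live file.

# Succeeds only for an integer in 1024-65535, the range the tutorial recommends.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Prints the ports named by active (uncommented) Port lines in FILE.
# sshd keywords are case-insensitive and Port may be repeated; with no
# active Port line sshd uses 22. Include and ListenAddress are not followed.
active_ports() {
    awk 'tolower($1) == "port" { p = (p == "" ? "" : p " ") $2 }
         END { print (p == "" ? "22" : p) }' "$1"
}

# Makes NEW the only active port in FILE: every active Port line is commented
# out and "Port NEW" is added below the stock "#Port 22" line, or at the top
# when that line is missing. FILE.bak keeps the previous content for rollback.
set_ssh_port() {
    file=$1 new=$2
    valid_port "$new" || { echo "refusing port '$new'" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    awk -v new="$new" '
        NR == FNR { if ($0 ~ /^#[ \t]*Port[ \t]+22[ \t]*$/) marker = 1; next }
        !marker && !added { print "Port " new; added = 1 }
        tolower($1) == "port" { print "#" $0; next }
        { print }
        !added && /^#[ \t]*Port[ \t]+22[ \t]*$/ { print "Port " new; added = 1 }
        END { if (!added) print "Port " new }
    ' "$file.bak" "$file.bak" > "$file"
}

# Constructed sample standing in for /etc/ssh/sshd_config: the stock comment
# plus a stray active "Port 22" that would keep the old port open.
demo=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin no' > "$demo/sshd_config"
set_ssh_port "$demo/sshd_config" 1222
echo "before: $(active_ports "$demo/sshd_config.bak")  after: $(active_ports "$demo/sshd_config")"
# On a real server, validate with "sudo sshd -t" before restarting the service.
```

If active_ports still lists 22 after the edit, the old port stays reachable alongside the new one.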

Conclusion

This tutorial showed how to change the default SSH port to additionally secure remote connections to your server. A secure connection is important, especially when dealing with sensitive data, so using a port other than the default one is recommended.

For more information, see how SSH works, read the difference between SSH and Telnet, or see the five SSH best practices for securing your system.

Bosko Marijan
Having worked as an educator and content writer, combined with his lifelong passion for all things high-tech, Bosko strives to simplify intricate concepts and make them user-friendly. That has led him to technical writing at PhoenixNAP, where he continues his mission of spreading knowledge.