
Change SSH server port number

Why change your SSH port?

Systems that are reachable from the internet and cannot be fully shielded by a firewall may benefit from running SSH on a TCP port other than the default 22. Automated scanners that only probe port 22 will then miss the service, as they do not know which port you use for SSH. Keep in mind that a full port scan still finds it: sshd announces itself with its version banner on whatever port it listens.

Changing the port does not make the SSH service itself more secure, which is why it is often dismissed as security through obscurity. It is a complement to, not a replacement for, key-based authentication and disabling password logins. At the same time, it cuts down the noise in your logs, which makes monitoring easier. That in itself slightly improves security, as system administrators tend to ignore log files once they are flooded with authentication failures.

Change SSH port number

The server configuration is typically stored in /etc/ssh/sshd_config. If you have a /etc/ssh/sshd_config.d directory, it is typically a good idea to make your changes there. The main file pulls these files in with an Include directive near its top, and because sshd uses the first value it sees for most options, the drop-ins take precedence over settings further down in the main file. Port behaves differently: every Port directive adds a listening port, so make sure no uncommented Port 22 remains in the main file, or sshd will keep listening on both ports. Drop-ins are read in alphabetical order; a 99- prefix sorts after any files shipped by your distribution. Create a new file, such as 99-custom.conf, with the new port.

Port 2222

Test configuration

After making changes, test the configuration with sshd -t. It prints nothing and exits with status 0 when the files parse cleanly. If there is an issue, the output names the file and line of the bad option and might look like this.

# sshd -t
/etc/ssh/sshd_config.d/99-custom.conf: line 3: Bad configuration option: Portt
/etc/ssh/sshd_config.d/99-custom.conf: terminating, 1 bad configuration options

Update your firewall

If you are running a firewall, then this is the time to add the new port, before sshd is restarted.

Firewall    Command
FirewallD   firewall-cmd --permanent --zone=public --add-port=2222/tcp && firewall-cmd --reload
iptables    /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
UFW         ufw allow 2222/tcp

Two caveats for plain iptables: -A appends the rule at the end of the INPUT chain, so if the chain ends in a DROP or REJECT rule, insert it earlier with -I instead, and the rule is not persistent across reboots unless you save it (iptables-save or your distribution's persistence package).

Don’t remove the existing port 22 yet, as we are currently connected to it.

Update SELinux

If SELinux is enabled, then sshd is only allowed to bind ports labelled ssh_port_t. Add the new port to that type (semanage is part of policycoreutils-python-utils on RHEL and Fedora).

semanage port -a -t ssh_port_t -p tcp 2222

If the port is already assigned to another type, semanage refuses with an "already defined" error; use -m (modify) instead of -a in that case. The -l option lists the current assignments so you can verify the result.

Not sure if SELinux is enabled?

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Restart SSH daemon

Next step is restarting the SSH daemon. Each session runs in its own process, so under normal conditions you stay connected on the active connection. The unit is called ssh.service on Debian and Ubuntu, and sshd.service on RHEL, Fedora and most other distributions.

systemctl restart ssh.service

One caveat: Ubuntu 22.10 and newer start sshd through systemd socket activation (ssh.socket). The listening port then comes from the socket unit, not from sshd_config. Override it with systemctl edit ssh.socket, setting an empty ListenStream= followed by ListenStream=2222 in the [Socket] section, then run systemctl daemon-reload and restart ssh.socket.

Confirm that the running configuration contains the new port. sshd -T prints the effective configuration with lowercased keywords and one line per listening port, so anything other than a single "port 2222" line means an old Port directive is still in effect.

sshd -T | grep port

If sshd -T shows the new port, connect to the system in a second session using the newly defined port. Keep the existing session open until the new one works.

ssh -p 2222 192.168.1.250
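The steps above as one script. This is an added example, not code from the article or from the OpenSSH project. It assumes the configuration lives under /etc/ssh with a drop-in directory /etc/ssh/sshd_config.d, that the file is saved as change_ssh_port.sh and run as root, and it uses the same firewall and SELinux commands listed above. The collect_ports and effective_ports functions are a small offline emulation of how sshd gathers Port directives (following Include in order, every Port adding a listening port), which lets you spot a leftover Port 22 before restarting; on a live host, sshd -T remains the authoritative answer.

```shell
#!/bin/sh
# Added example (not from the article): move sshd to a new port with the
# checks from the article. Assumed: /etc/ssh layout, file name
# change_ssh_port.sh, root privileges when apply_port_change runs.

# Print every Port value sshd would pick up from the file in $1, following
# Include directives in order and expanding their globs as sshd does.
# Port accumulates instead of "first value wins", so a forgotten "Port 22"
# in the main file silently keeps port 22 open next to the new one.
collect_ports() {
    local cfg line key pat inc
    cfg=$1
    [ -f "$cfg" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | tr '=' ' ')   # sshd also accepts Port=2222
        set -f; set -- $line; set +f                # split on whitespace, no globbing
        [ $# -ge 2 ] || continue                    # blank line or lone keyword
        case $1 in '#'*) continue ;; esac           # comment
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')    # keywords are case-insensitive
        case $key in
            port) printf '%s\n' "$2" ;;
            include)
                shift
                for pat in "$@"; do
                    # Relative Include paths are taken relative to /etc/ssh.
                    case $pat in /*) ;; *) pat="/etc/ssh/$pat" ;; esac
                    for inc in $pat; do collect_ports "$inc"; done
                done ;;
        esac
    done < "$cfg"
}

# Unique ports in order of appearance; 22 (sshd's default) when none is set.
effective_ports() {
    local ports
    ports=$(collect_ports "$1" | awk '!seen[$0]++')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Write the drop-in. $1 = sshd_config.d directory, $2 = port.
write_dropin() {
    printf 'Port %s\n' "$2" > "$1/99-custom.conf"
}

# Open the port in whichever firewall front end is installed.
open_firewall_port() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --zone=public --add-port="$1/tcp" && firewall-cmd --reload
    elif command -v ufw >/dev/null 2>&1; then
        ufw allow "$1/tcp"
    elif command -v iptables >/dev/null 2>&1; then
        # -I lands before a trailing DROP/REJECT; save the ruleset yourself.
        iptables -I INPUT -m conntrack --ctstate NEW -p tcp --dport "$1" -j ACCEPT
    fi
}

# The full procedure. Port 22 is deliberately left open in the firewall;
# close it only after a login on the new port succeeds.
apply_port_change() {
    local port cfg unit
    port=$1; cfg=/etc/ssh/sshd_config
    write_dropin /etc/ssh/sshd_config.d "$port"
    sshd -t || { echo "sshd rejected the configuration, not restarting" >&2; return 1; }
    if [ "$(effective_ports "$cfg" | awk 'END { print NR }')" != 1 ]; then
        echo "warning: more than one Port directive is in effect:" >&2
        effective_ports "$cfg" >&2
    fi
    open_firewall_port "$port"
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # Debian/Ubuntu name the unit ssh.service, RHEL/Fedora sshd.service.
    if systemctl cat sshd.service >/dev/null 2>&1; then unit=sshd.service; else unit=ssh.service; fi
    systemctl restart "$unit"
    sshd -T | grep '^port '     # what the running daemon actually uses
}

# Act only when run as the script itself with one argument, not when sourced.
case $0 in
    *change_ssh_port.sh) [ $# -eq 1 ] && apply_port_change "$1" ;;
esac
```

Run it as ./change_ssh_port.sh 2222 from an existing session, then open a second session on the new port before touching the firewall rule for port 22. The script does not handle the Ubuntu ssh.socket case; edit the socket unit as described above when systemctl shows ssh.socket active.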

Once the login on the new port works, remove the firewall rule for port 22 (the counterpart of the rule you added: --remove-port=22/tcp for FirewallD, delete allow 22/tcp for UFW, or -D with the same match for iptables) and, if you like, the ssh_port_t assignment for port 22. That’s it!

Want to learn about more SSH configuration options? See the article SSH server configuration.



This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
