Change SSH server port number
Why change your SSH port?
Systems that are available via the internet and can’t be fully protected with a firewall, they might benefit from running on a different TCP port than the default 22. This way automated scanners will less likely probe your system(s), as they don’t know what port you use for SSH.
Changing your SSH port won’t make a system more secure in itself, and therefore is often called security through obscurity. At the same, it may help in reducing noise in your logs, making it easier to monitor. This in itself slightly improves security, as system administrators typically start to ignore log files if they are flooded with authentication failures.
Change SSH port number
The server configuration is typically stored in /etc/ssh/sshd_config . If you have a /etc/ssh/sshd_config.d directory, then typically it a good idea to make your changes there. Settings will then override the main configuration file. Create a new file, such as 99-custom.conf.
Port 2222
Test configuration
After making changes, test if all is good. If there is an issue, then the output might look like this.
# sshd -t
/etc/ssh/sshd_config.d/99-custom.conf: line 3: Bad configuration option: Portt
/etc/ssh/sshd_config.d/99-custom.conf: terminating, 1 bad configuration options
Update your firewall
If you are running a firewall, then this is the time to add the new port.
Firewall | Command |
---|---|
FirewallD | firewall-cmd –permanent –zone=public –add-port=2222/tcp && firewall-cmd –reload |
iptables | /sbin/iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 2222 -j ACCEPT |
UFW | ufw allow 2222/tcp |
Don’t remove the existing port 22 yet, as we are currently connected to it.
Update SELinux
If SELinux is enabled, then update the configuration.
semanage port -a -t ssh_port_t -p tcp 2222
Not sure if SELinux is enabled?
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Restart SSH daemon
Next step is restarting the SSH daemon. Under normal conditions you should stay connected on the active connection.
systemctl restart ssh.service
Confirm that the port is active in the new configuration.
sshd -T | grep port
If the configuration setting is correct, then connect to the system via another session using the newly defined port.
ssh -p 2222 192.168.1.250
That’s it!
Want to learn about more SSH configuration options? SSH server configuration