SSH (Secure Shell) is the standard protocol for secure remote administration of Linux servers. It is provided by OpenSSH and allows encrypted remote login, command execution, file transfers (SCP/SFTP), and secure tunneling. By default, SSH listens on TCP port 22. Changing the default SSH port is a common Linux server hardening technique used to reduce automated brute-force attacks and lower exposure to mass scanning bots.

Why Change the Default SSH Port?

Port 22 is globally known as the default SSH port. Attackers routinely scan for open port 22 and attempt password-based logins. While changing the SSH port is not a replacement for proper security practices such as key-based authentication and firewalls, it significantly reduces log noise and automated attack attempts.

  • Reduces automated brute-force login attempts
  • Lowers exposure to automated vulnerability scanners
  • Improves overall server security posture
  • Adds an additional security hardening layer

Step 1: Edit the OpenSSH Configuration File

The SSH daemon configuration file is located at /etc/ssh/sshd_config.

sudo nano /etc/ssh/sshd_config
  • sudo → Executes the command with administrative privileges.
  • nano → Opens the file in a text editor (you can also use vi or vim).
  • /etc/ssh/sshd_config → Main OpenSSH server configuration file.

Locate the following line:

#Port 22
  • # → Indicates the line is commented out.
  • Port 22 → Default SSH listening port.

Uncomment and change it to a custom port number above 1024, for example:

Port 2222
  • Port 2222 → Configures SSH to listen on TCP port 2222.

Save and exit the file after making changes.

Step 2: Allow the New SSH Port in the Firewall

If Using FirewallD (RHEL, AlmaLinux, Rocky Linux, CentOS)

sudo firewall-cmd --permanent --add-port=2222/tcp
  • --permanent → Makes the rule persistent across reboots.
  • --add-port=2222/tcp → Opens TCP port 2222.
sudo firewall-cmd --reload
  • --reload → Applies the firewall configuration changes.

If Using UFW (Ubuntu, Debian)

sudo ufw allow 2222/tcp
  • allow → Permits traffic through the firewall.
  • 2222/tcp → Specifies TCP port 2222.

Step 3: Configure SELinux (If Enabled)

If SELinux is in enforcing mode, you must allow the new SSH port.

sudo semanage port -a -t ssh_port_t -p tcp 2222
  • semanage → Manages SELinux policy settings.
  • -a → Adds a new port rule.
  • -t ssh_port_t → Assigns SSH port type context.
  • -p tcp → Specifies TCP protocol.
  • 2222 → Defines the new SSH port.

If the port already exists, use:

sudo semanage port -m -t ssh_port_t -p tcp 2222
  • -m → Modifies an existing SELinux port rule.

Step 4: Restart the SSH Service

sudo systemctl restart sshd
  • systemctl → Controls systemd services.
  • restart → Restarts the SSH daemon.
  • sshd → OpenSSH server service.

Step 5: Test the New SSH Port

Before closing your current SSH session, open a new terminal and test connectivity:

ssh -p 2222 username@server_ip
  • ssh → SSH client command.
  • -p 2222 → Specifies the custom SSH port.
  • username@server_ip → Remote login credentials.

Only log out of your original session after confirming successful login on the new port.

Optional SSH Hardening Best Practices

Disable Root Login

PermitRootLogin no
  • PermitRootLogin no → Prevents direct root login via SSH.

Disable Password Authentication

PasswordAuthentication no
  • PasswordAuthentication no → Forces SSH key-based authentication only.

Restart SSH After Security Changes

sudo systemctl restart sshd
  • restart → Applies configuration changes.

Common Troubleshooting

  • If SSH fails after changing the port, verify firewall rules.
  • Ensure SELinux policy allows the new port.
  • Confirm the SSH service restarted without errors.
  • Check listening ports using ss -tulnp | grep ssh.

Security Considerations

Changing the SSH port is considered security through obscurity and should be combined with:

  • SSH key authentication
  • Strong user passwords
  • Fail2ban intrusion prevention
  • Proper firewall configuration
  • Regular system updates

Final thoughts

Changing the SSH port in Linux is a simple yet effective security hardening step for VPS hosting, cloud servers, and enterprise Linux systems. While it does not replace proper authentication and firewall policies, it significantly reduces automated attack attempts and improves overall server security. By combining a custom SSH port with key-based authentication, firewall configuration, and SELinux policy adjustments, you can build a more secure and resilient Linux server environment.

هل كانت المقالة مفيدة ؟ 259 أعضاء وجدوا هذه المقالة مفيدة (492 التصويتات)

الأكثر زيارة

IPTABLES examples

#1: Displaying the Status of Your Firewall Type the following command as root: # iptables -L -n...
lsof Linux Command Examples

About lsof Command If you want to quickly see the name of files that have been opened by a...
13 Linux commands for beginners

About 90% of the Internet is powered by Linux servers. And if you want to manage or deploy...
The TAR command in Linux

The tar command is used to put a collection of files and folders into a highly compressed...
Monitor your server with VMStat and IOstat

If vmstat and iostat commands are not available on your box, please install sysstat package....