Changing your SSH port from the default port 22 can significantly reduce the automated attacks that reach your Linux server. It hides the service from scanners that only probe port 22; it does not replace the authentication hardening covered at the end of this guide. The steps below walk you through changing the port safely, without locking yourself out.

Why Change Your SSH Port?

The default SSH port (22) is constantly targeted by automated bots scanning for vulnerable servers. By changing to a non-standard port, you can:

  • Reduce automated brute-force attacks by up to 99%
  • Decrease server log clutter from failed login attempts
  • Add an extra layer of security through obscurity
  • Improve overall server security posture

Prerequisites

Before you begin, ensure you have:

  • Root or sudo access to your Linux server
  • An active SSH connection to your server
  • A backup of your SSH configuration file
  • Knowledge of your firewall configuration (iptables, UFW, or firewalld)

⚠️ Warning: Never close your current SSH session until you’ve verified the new port works correctly, or you may lock yourself out of your server.

Step 1: Choose Your New SSH Port

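Select a port number between 1024 and 65535 to avoid conflicts with well-known ports. Ports in this range are unprivileged, so by default any local user can bind one when sshd is not listening on it; keep that in mind on multi-user hosts. Popular choices include: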

  • 2222
  • 2200
  • 22000
  • Any random high port number

Avoid using ports already assigned to other services. You can check which ports are currently in use with:

sudo netstat -tulpn | grep LISTEN

Or alternatively:

sudo ss -tulpn | grep LISTEN
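
Grepping that output for a port number also matches longer numbers (22 matches 2222 and 22000), so an exact comparison on the port field is more reliable. The script below is an added example, not part of the original guide; the function names and the sample ss output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*          users:(("avahi-daemon",pid=640,fd=12))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*          users:(("nginx",pid=955,fd=6))
tcp   LISTEN 0      128    [::]:22            [::]:*             users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      80     127.0.0.1:22000    0.0.0.0:*          users:(("mariadbd",pid=1020,fd=21))'

# Read `ss -tulpn` output on stdin and print each TCP listening port once.
# sshd only needs a free TCP port, so UDP sockets are ignored.
tcp_listen_ports() {
    awk '$1 == "tcp" && $2 == "LISTEN" {
        n = split($5, part, ":")   # the port is the text after the last colon
        print part[n]
    }' | sort -un
}

# check_candidate PORT  (reads `ss -tulpn` output on stdin)
# Returns 0 if PORT is usable, 1 if it is not a number in 1024-65535,
# 2 if a TCP listener already holds it.
check_candidate() {
    port=$1
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    if tcp_listen_ports | grep -qx "$port"; then
        return 2
    fi
    return 0
}

# Demo on the constructed sample; on a live host use:
#   sudo ss -tulpn | check_candidate 2222
for p in 22 2200 22000; do
    rc=0
    printf '%s\n' "$SAMPLE_SS" | check_candidate "$p" || rc=$?
    echo "port $p -> status $rc"
done
```

In the sample, 2200 is reported free even though a plain grep for 2200 would match the listener on 22000.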

Step 2: Backup Your SSH Configuration

Always create a backup before making changes:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

If something goes wrong, you can restore the original configuration:

sudo cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config

Step 3: Edit the SSH Configuration File

Open the SSH daemon configuration file with your preferred text editor:

sudo nano /etc/ssh/sshd_config

Or if you prefer vim:

sudo vim /etc/ssh/sshd_config

Find the line that says:

#Port 22

Or simply:

Port 22

Change it to your chosen port number. For example, to use port 2222:

Port 2222

💡 Important: Remove the # symbol if present, as it comments out the line.

Optional: Run SSH on Multiple Ports Temporarily

For added safety during the transition, you can temporarily run SSH on both the old and new ports:

Port 22
Port 2222

This allows you to test the new port while keeping the old one active. Once you’ve confirmed the new port works, remove the Port 22 line.

Save and exit the file (in nano: Ctrl+X, then Y, then Enter).
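
The script below is an added example (not from the original guide) that reports which ports a single sshd_config file leaves active, so you can tell a still-commented line from a dual-port transition. The function names and sample files are hypothetical, and it reads one file only without following Include directives.

```shell
#!/bin/sh
# Print the Port values set in sshd_config file $1, one per line. Commented
# lines are skipped, keywords are case-insensitive, and when no Port line is
# active the built-in default 22 is printed.
config_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Classify file $2 for a move to port $1:
#   not-applied  new port absent (for example the line is still "#Port 2222")
#   dual         new port plus at least one other port (old port kept for testing)
#   new-only     new port is the only one sshd will listen on
transition_state() {
    new=$1
    ports=$(config_ports "$2")
    if ! printf '%s\n' "$ports" | grep -qx "$new"; then
        echo not-applied
    elif printf '%s\n' "$ports" | grep -vqx "$new"; then
        echo dual
    else
        echo new-only
    fi
}

# Constructed sshd_config fragments (hypothetical, not from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' '#Port 2222' 'PermitRootLogin no' > "$demo_dir/commented"
printf '%s\n' 'Port 22' 'port 2222' > "$demo_dir/dual"
printf '%s\n' '  Port 2222' '#Port 22' > "$demo_dir/new_only"
for f in commented dual new_only; do
    echo "$f: $(transition_state 2222 "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On the server, `sudo sshd -t` checks the file for syntax errors before you restart, and `sudo sshd -T | grep -i '^port'` prints the ports sshd will actually use, including any set in files pulled in by Include.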

Step 4: Configure SELinux (If Applicable)

If your system uses SELinux (common on RHEL, CentOS, Rocky Linux, AlmaLinux), you must tell SELinux about the new port:

First, check if SELinux is enabled:

sestatus

If SELinux is enabled, add the new port:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Replace 2222 with your chosen port number.

If the port is already defined, modify it instead:

sudo semanage port -m -t ssh_port_t -p tcp 2222

Verify the port was added:

sudo semanage port -l | grep ssh

Step 5: Update Your Firewall Rules

Your firewall must allow traffic on the new SSH port. The commands depend on which firewall you’re using.

For UFW (Ubuntu/Debian):

sudo ufw allow 2222/tcp
sudo ufw status

Once you’ve confirmed the new port works, remove the old rule:

sudo ufw delete allow 22/tcp

For firewalld (RHEL/CentOS/Fedora):

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports

After testing, remove the old port:

sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

For iptables:

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables -L -n | grep 2222

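Because -A appends to the end of the chain, the new rule has no effect if an earlier rule already drops or rejects the traffic, so check the rule order in the listing.

Save the rules (method varies by distribution):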

# Debian/Ubuntu
sudo iptables-save | sudo tee /etc/iptables/rules.v4

# RHEL/CentOS
sudo service iptables save

For Cloud Providers

If you’re using a cloud provider (AWS, Google Cloud, Azure, DigitalOcean, etc.), you must also update the security group or firewall rules in your cloud console:

  • AWS: Update Security Group inbound rules
  • Google Cloud: Update Firewall rules
  • Azure: Update Network Security Group
  • DigitalOcean: Update Cloud Firewall rules

Step 6: Restart SSH Service

Restart the SSH daemon to apply changes:

For systemd-based systems (most modern distributions):

sudo systemctl restart sshd

Check the status to ensure it started successfully:

sudo systemctl status sshd

For older init-based systems:

sudo service ssh restart

Or:

sudo service sshd restart

Step 7: Test the New SSH Port

⚠️ Do not close your current SSH session yet! Open a new terminal window and test the connection:

ssh -p 2222 username@your_server_ip

Replace:

  • 2222 with your chosen port
  • username with your actual username
  • your_server_ip with your server’s IP address or domain

If the connection succeeds, congratulations! Your new SSH port is working correctly.

Troubleshooting Connection Issues

If you cannot connect, check the following:

1. Verify SSH is listening on the new port:

sudo ss -tlnp | grep sshd

2. Check SSH service logs:

sudo journalctl -u sshd -n 50

Or, on Debian/Ubuntu (RHEL-family systems log to /var/log/secure instead):

sudo tail -f /var/log/auth.log

3. Verify firewall rules:

sudo ufw status verbose  # For UFW
sudo firewall-cmd --list-all  # For firewalld
sudo iptables -L -n  # For iptables

4. Check for recent SELinux denials:

sudo ausearch -m avc -ts recent

Step 8: Update SSH Client Configuration

To avoid typing the port number every time, update your local SSH config file on your client machine (not the server):

nano ~/.ssh/config

Add the following:

Host your_server_name
    HostName your_server_ip
    Port 2222
    User your_username

Now you can connect simply with:

ssh your_server_name

Step 9: Update Any Automated Scripts

Don’t forget to update any scripts or tools that connect to your server via SSH:

  • Backup scripts
  • Deployment tools (Ansible, Capistrano, etc.)
  • Git remote repositories
  • FTP/SFTP clients
  • Monitoring tools
  • Cron jobs

For Git repositories using SSH, update the remote URL:

git remote set-url origin ssh://git@your_server_ip:2222/path/to/repo.git

Step 10: Remove the Old Port (Optional)

Once you’ve thoroughly tested the new port and updated all your tools, you can remove SSH access on port 22:

  1. Edit /etc/ssh/sshd_config and remove Port 22 if you added multiple ports
  2. Remove firewall rules for port 22 (shown in Step 5)
  3. Restart SSH service

Additional Security Recommendations

While changing the SSH port improves security, consider implementing these additional measures:

Disable Password Authentication

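Use SSH keys instead. Set up and test key-based login first (see Use SSH Key Authentication below), or disabling passwords will lock you out: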

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no
PubkeyAuthentication yes

Disable Root Login

PermitRootLogin no

Use SSH Key Authentication

Generate an SSH key pair on your local machine:

ssh-keygen -t ed25519 -C "your_email@example.com"

Copy it to your server:

ssh-copy-id -p 2222 username@your_server_ip

Install Fail2Ban

Fail2Ban automatically blocks IP addresses after multiple failed login attempts:

sudo apt install fail2ban  # Debian/Ubuntu
sudo yum install fail2ban  # RHEL/CentOS (requires the EPEL repository)

Configure it to monitor your new SSH port by editing /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222

Enable Two-Factor Authentication

Add an extra layer of security with Google Authenticator or similar:

sudo apt install libpam-google-authenticator  # Debian/Ubuntu
sudo yum install google-authenticator  # RHEL/CentOS

Common Issues and Solutions

Issue: Cannot connect after changing port

Solution: Check if SSH is running on the new port using sudo ss -tlnp | grep sshd. Verify your firewall allows the new port. If using a cloud provider, check security group rules.

Issue: SELinux is blocking connections

Solution: Run sudo ausearch -m avc -ts recent to check for denials. Ensure you’ve added the port to SELinux using semanage port -a.

Issue: Locked out of the server

Solution: If you have console access (like through a cloud provider’s web console), log in and revert the SSH configuration using the backup. If not, you may need to contact your hosting provider.

Conclusion

Changing your SSH port is a simple yet effective security measure that significantly reduces automated attacks on your Linux server. By following this guide, you’ve successfully moved SSH to a custom port, updated your firewall, and tested the configuration.

Remember to keep your SSH client configurations and automated tools updated with the new port number. For maximum security, combine this change with SSH key authentication, Fail2Ban, and regular security updates.

Quick Reference Commands

# Backup SSH config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Edit SSH config
sudo nano /etc/ssh/sshd_config

# Add SELinux port (if applicable)
sudo semanage port -a -t ssh_port_t -p tcp 2222

# Allow firewall port
sudo ufw allow 2222/tcp  # UFW
sudo firewall-cmd --permanent --add-port=2222/tcp && sudo firewall-cmd --reload  # firewalld

# Restart SSH
sudo systemctl restart sshd

# Test connection (from another terminal)
ssh -p 2222 username@server_ip

# Check if SSH is listening
sudo ss -tlnp | grep sshd

About VM6 Networks: This guide is brought to you by VM6 Networks, your trusted resource for WordPress hosting security and Linux server management tips. Stay secure and keep your servers protected!