A Step-by-Step Guide to Changing the SSH Port on Linux VPS

Secure Shell (SSH) is a widely used protocol to access Linux servers remotely. By default, SSH uses port 22 for connection. Using the default ssh port poses some security risks.

As SSH is widely used, and SSH port 22 is known to everybody often attacker target servers to conduct brute-force attacks using default port 22. If attackers gain access to your server, they may access sensitive information and cause a broken system. So, instead of leaving the default ssh port to the internet, you can change it to a custom port which increases security significantly.

In this blog post, I’ll show step-by-step how to change the default SSH port and secure your server.

Change Default SSH Port

Throughout history, many cyber attacks have been launched. For example, In 2017, a group of hackers exploited a vulnerability in Microsoft Windows with wannacry virus. The ransomware spread around the world very rapidly. They spread the malware with the help of the server by scanning the server with default port 22.

Using a non-standard SSH port enhances your server security. You can choose your non-standard port freely, but there are some limitations. For various services and applications, some ports are reserved, and selecting a reserved port results broken system or lost access to the server.

You should avoid this list of reserved ports when choosing a custom port for your SSH server.

Port NumberProtocolService/Application
20TCPFTP Data
21TCPFTP Control
22TCP/UDPSSH
23TCPTelnet
25TCPSMTP
53TCP/UDPDNS
80TCPHTTP
110TCPPOP3
119TCPNNTP
123UDPNTP
143TCPIMAP
161UDPSNMP
194TCPIRC
443TCPHTTPS
465TCPSMTPS
587TCPSMTP (Message Submission)
993TCPIMAPS
995TCPPOP3S
1433TCPMicrosoft SQL Server
3306TCPMySQL
3389TCPRemote Desktop Protocol
5432TCPPostgreSQL

Please note that this is not a complete list. Other ports may be open depending on the application or service you use. Please check the ports associated with your application and don’t use them as SSH ports.

Step 1: Connect to your Server

To change your default SSH port, you need to connect to your server first. If you use macOS or Linux, you can connect your server using the following command.

ssh user@host_ip_address

If you use the Windows Operating system, you can use PuTTY to connect to your server. You can also use Powershell to connect to the server. After establishing the connection, log in to a user account with root privilege.

Step 2: Edit the SSH Configuration File

You need to edit your server’s SSH configuration file to specify a new port number. Server SSH configuration is located /etc/ssh/sshd_config on most Linux servers. You can open the configuration file with your favorite text editor. To open the configuration file in the nano editor, enter the following command in the terminal.

sudo nano /etc/ssh/sshd_config

Step 3: Change the SSH Port Number

In the configuration file location of the line where the port number is specified.

Locate SSH port on SSH configuration file

Once you find the line, uncomment the line by removing the ‘#’ symbol and changing the port number to a non-standard SSH port.

change SSH port on Linux VPS

After changing the port, save the file and exit the editor. If you use nano editor, use CTRL + O to write the file and CTRL + X to exit the editor.

Don’t close the connection before adding firewall rule otherwise you can’t access to the server

Step 4: Configure Your Firewall to accept new port

The newly added port is inactive and will be blocked by the server firewall. To use the new SSH port, you must create a firewall rule specifying the new port as an SSH port.

1. For Debian/Ubuntu System

Before adding a firewall rule, check whether your firewall is active. To check the firewall status, use the following command.

sudo ufw status

If your firewall is inactive, you need to activate it before adding a new rule. To activate the firewall, use the following command.

sudo ufw enable

Once your firewall is enabled, add a new rule to open the newly created port for connection. To create new firewall rules, use the following command.

sudo ufw allow 2222/tcp

After setting the rule to the firewall, you need to reload the firewall to take effect. To reload the firewall use

sudo ufw reload

2. For RHEL/CentOS System

To check whether the firewall is running or not, use the following command

sudo firewall-cmd --state

If the system uses iptables, use this command

sudo iptables -L

If the firewall is not running, you can enable the firewall by using the following command.

sudo systemctl enable firewalld

For iptables, use the following command.

sudo systemctl enable iptables

If the system uses firewall, you can use this command to add firewall rule to accept a new SSH port for SSH connection.

sudo firewall-cmd --add-port=2222/tcp --permanent

Or, if the system is using iptables, you can use this command to add a firewall rule for SSH connection with the newly added port.

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

Once you add the firewall rule, you need to reload the firewall to take effect. If You use firewall, you can reload the firewall using the following command.

sudo firewall-cmd --reload

Or if your system use iptables, you can use the following command

sudo service iptables reload

Step 5: Restart the SSH Service

Now that you have configured ssh and added the firewall rule, you need to restart the SSH service to start using the new port for SSH connection. To restart the SSH service, use the following command.

sudo systemctl restart ssh

Step 6: Testing with SSH Client:

It is a good idea to test a new SSH connection before terminating your SSH connection to the service. Because if you did not do any of the previous steps correctly, there may be a possibility that you will lose your access to the server. I face this problem once. So, before terminating your existing connection, I recommend you test the new port to see if it is working correctly.

One way to test your connection is by using telnet. With telnet, you can check your newly added port. To check your connection with telnet with this command

telnet your-server-ip your-port
Test SSH port with telnet

You can also open another window in your terminal and connect to your server with a new port. You can use this command to use a custom port with an SSH connection.

ssh -p port user@host-ip-address

If you can connect successfully, you have changed your default SSH port to a non-standard one.

Conclusion

Following this step-by-step tutorial, you can change your default SSH port to any custom port. This tutorial applies to most Linux servers such as Debian, Ubuntu, Red Hat Linux Enterprise, CentOS, and other distro with the same architecture as Debian or RHEL.

Share your love

Newsletter Updates

Stay updated with our latest guides and tutorials about Linux.

Leave a Reply

Your email address will not be published. Required fields are marked *