How to Change the Default SSH Port on Linux for Enhanced Security

Prerequisites

Root or sudo privileges
Basic knowledge of Linux command line
SSH service running on the system
Open firewall ports
Access to the server

Introduction

SSH (Secure Shell) is a widely used protocol for securely accessing and managing remote systems, but the default port 22 is a common target for attackers. By changing the default SSH port, you can add an extra layer of security to your Linux server, making it harder for potential intruders to find and exploit. In this guide, we'll walk you through the simple steps to change the SSH port on your Linux system, helping to secure your server and reduce the risk of unauthorized access. Whether you're a system administrator or just looking to improve your server's security, this quick tutorial will guide you every step of the way.

Log into Your Server

ssh user@your_server_ip

Backup SSH Configuration

It’s always a good idea to back up configuration files before making any changes. This way, if something goes wrong, you can restore the original settings.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Open the SSH Configuration File

The configuration file for SSH is located at /etc/ssh/sshd_config. Use your preferred text editor (like nano or vi) to open the file.

For nano:

sudo nano /etc/ssh/sshd_config

For vim:

sudo vim /etc/ssh/sshd_config

Change the SSH Port

Port numbers range from 0 to 65535, with ports 0-1023 reserved for well-known TCP/IP services (such as HTTP, HTTPS, and SSH). When selecting a custom SSH port, it's crucial to choose a number that isn't already in use by other services. For enhanced security, it's recommended to select a port within the private port range (49152-65535), as these ports are typically unassigned and less likely to conflict with other applications. Ports that are not in use by any service and are not explicitly allowed by a firewall remain closed to external connections.

Once inside the configuration file, search for the line that specifies the default SSH port. It will look like this:

#Port 22

  • Remove the # (comment symbol) if it's present.
  • Change the port number to a custom one (for example, Port 49152).

Port 49152

Adjust Firewall Rules

If you have a firewall enabled on your server (e.g., UFW, firewalld), you need to allow traffic on the new SSH port.

For firewalld

sudo firewall-cmd --zone=public --add-port=49152/tcp --permanent
sudo firewall-cmd --reload

Once you have confirmed that logins on the new port work (see "Test the New SSH Port" below), close the old port (port 22) if it's no longer needed:

sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent
sudo firewall-cmd --reload

If you want to see all open ports along with other details (like services allowed), you can use:

firewall-cmd --list-all

Display Network Connections and Listening Ports

The command netstat -tunlp is used to display network connections and listening ports on a Linux system; on distributions that no longer ship net-tools, ss -tunlp accepts the same options. Here’s a breakdown of the options:

  • -t: Show TCP connections
  • -u: Show UDP connections
  • -n: Show numerical addresses instead of resolving hostnames (for faster output).
  • -l: Show only listening ports (ports that are waiting for incoming connections).
  • -p: Show the process ID (PID) and the name of the program that is using the connection/port (run as root to see processes owned by other users).

Restart SSH Service

After saving the changes and configuring your firewall, restart the SSH service to apply the new configuration. This is the command for restarting the SSH daemon (sshd), which is responsible for handling incoming SSH connections.

CentOS, RHEL, Fedora (and other distributions that use systemd and follow the Red Hat naming conventions): The SSH daemon is typically named sshd, so the command to restart the SSH service is:

sudo systemctl restart sshd

To check the exact service name on your system, you can run:

systemctl list-units --type=service | grep ssh

Test the New SSH Port

Before closing your current SSH session, make sure the new port is working correctly by opening a new SSH session with the new port.

ssh -p 49152 user@your_server_ip
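The steps above (backup, edit the Port line, open the firewall, restart, verify) collected into one script, as an added example that is not part of the original article. It assumes firewalld, a systemd unit named sshd and the ss tool are present, validates the config with sshd -t before restarting so a typo cannot lock you out, and deliberately leaves port 22 open until you have tested a new session.

```shell
#!/bin/sh
# Added example, not from the original article: runs the guide's steps (backup,
# set Port, validate, SELinux label, firewall, restart, verify) as one script.
# Assumes firewalld, a systemd unit named sshd and ss(8); usage: apply <port>.
set -eu

# Accept only a numeric port in 1024-65535 that the services file (default
# /etc/services) does not already assign to a TCP service.
valid_custom_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] || return 1
  services=${2:-/etc/services}
  if [ -r "$services" ] && grep -Eq "[[:space:]]$1/tcp" "$services"; then
    return 1
  fi
  return 0
}

# Back up the file, then rewrite the (possibly commented-out) Port line;
# append one if the file has none.
set_port() {
  cfg=$1; port=$2
  cp -p "$cfg" "$cfg.backup"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg.backup" > "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Print the first active Port directive of a config file.
get_port() { awk '$1 == "Port" { print $2; exit }' "$1"; }
# Live steps (root required); only run when invoked as "apply <port>".
apply_port() {
  port=$1; cfg=/etc/ssh/sshd_config
  valid_custom_port "$port" || { echo "refusing port $port" >&2; return 1; }
  set_port "$cfg" "$port"
  # Parse the config before restarting so a typo cannot lock you out.
  sshd -t || { cp -p "$cfg.backup" "$cfg"; echo "invalid config, backup restored" >&2; return 1; }
  # Label the port for SELinux when it is enforcing (see the SELinux section).
  if command -v getenforce >/dev/null && [ "$(getenforce)" = Enforcing ]; then
    semanage port -a -t ssh_port_t -p tcp "$port"
  fi
  firewall-cmd --zone=public --add-port="$port/tcp" --permanent && firewall-cmd --reload
  systemctl restart sshd
  # Confirm sshd is bound to the new port; keep 22/tcp open until a new session works.
  ss -tlnp | grep -Eq ":$port[[:space:]]" || { echo "sshd not listening on $port" >&2; return 1; }
}
case "${1:-}" in apply) apply_port "${2:?usage: $0 apply <port>}" ;; esac
```

Run it as root with `sh change_ssh_port.sh apply 49152`; the firewall removal of 22/tcp is intentionally left to you after the new-port login has been verified.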

Security Auditing

Reviewing the authentication logs is critical for tracking unauthorized access attempts, identifying brute-force login attempts, and auditing administrative actions (e.g., when users use sudo).

  • /var/log/auth.log
    • This is the main log file for authentication-related events on Ubuntu.
  • /var/log/secure
    • This is the main log file for authentication-related events on Red Hat-based Linux distributions (like CentOS or RHEL).

SELinux (Security-Enhanced Linux)

If SELinux (Security-Enhanced Linux) is enforcing on your system, sshd is only permitted to bind to ports labeled ssh_port_t, so you cannot just change the SSH port without informing SELinux; otherwise sshd will fail to start on the new port.

Update SELinux to allow the new port

To allow SELinux to recognize your new SSH port (let’s say you changed it to port 49152), run the following command:

sudo semanage port -a -t ssh_port_t -p tcp 49152

If semanage isn't available, you might need to install the policycoreutils-python package:

sudo yum install policycoreutils-python # older versions of RHEL/CentOS/Fedora
sudo dnf install policycoreutils-python-utils # newer version of RHEL/CentOS/Fedora
sudo apt install policycoreutils-python-utils # Ubuntu/Debian

List all the ports that are currently labeled for SSH traffic by SELinux.

semanage port -l | grep ssh

Delete a previously added port from SELinux's allowed list for SSH traffic

semanage port -d -t ssh_port_t -p tcp 49152

What is /etc/services?

  • /etc/services is a configuration file that contains a list of network services and their corresponding port numbers and protocols. It's used to map human-readable service names (like http, ssh, etc.) to the actual ports and protocols (e.g., 80/tcp for HTTP, 22/tcp for SSH).

Configure sshd_config for IP-based Access Control

  • Edit the sshd_config file
    • Open it with a text editor (e.g., nano, vim, etc.) with root privileges
    • sudo vim /etc/ssh/sshd_config
  • Use AllowUsers to Restrict Access by IP
    • Syntax: AllowUsers user1@192.168.1.100 user2@192.168.1.101
    • user1 is allowed to SSH only from 192.168.1.100
    • user2 is allowed to SSH only from 192.168.1.101
    • Once AllowUsers is present, every user not listed is denied, so include your own account and source address before restarting sshd.

Final Thoughts

By changing the default SSH port from 22 to a custom port, you add an additional layer of defense against automated attacks and port scanning attempts. While this is not a silver bullet solution, it helps reduce the likelihood of brute-force and other malicious activities targeting your server. However, it's important to remember that this change should be part of a broader security strategy that includes strong passwords, the use of key-based authentication, firewalls, and regular updates. Ultimately, a multi-faceted approach is key to securing your server and maintaining a safe network environment.
