SSH (Secure Shell) is a widely used network protocol in Linux that allows you to access and manage remote servers securely. By default, SSH, or SSH server, uses port 22 as the primary port for SSH in Linux to establish and accept connections.
However, since this is common knowledge, hackers can use it to target your systems. As a precaution, you can change the default port for SSH to a different port number.
In this comprehensive guide, we will walk you through the steps to change the SSH port on a Linux server. Once you’re done, your Linux servers and machines will be less vulnerable to potential cyber threats.
But before that, let’s briefly overview the system ports.
Table Of Contents
- A Short Discussion on Linux System Ports
- Change The Default Port for SSH Protocol
A Short Discussion on Linux System Ports
In a Linux environment, port numbers are from 0 to 65536.
More specifically, the port number 0-1023 is reserved for TCP/IP applications. This range is well-recognized by users and applications. Applications generally listen on assigned ports for incoming connections. Similarly, applications and users use these port numbers to check if the mapped services are available on a system.
Here is a list of some standard, well-known default port numbers and the associated services and functions.
Change The Default Port for SSH Protocol
Let’s go through the process of changing the default SSH port. But first, let’s take a look at the prerequisites.
Before we dive into the process of changing the port for SSH, here are some prerequisites to consider:
- A Linux server and a user account with root access. You can use Ubuntu or CentOS for your server, as they are among the most popular Linux distributions for servers.
- Ensure you have a backup of your SSH server or the ability to access it via an alternative method (for instance, a physical console or remote console).
- Ensure a text editor such as Nano or Vim is installed on your SSH server.
Let’s begin the process of changing the SSH port.
Step #1: Log into the Linux Server
Start by accessing the SSH service with the ssh command. You’ll need to provide your server’s IP address or domain name, username, and password.
# ssh username@server_ip
Step #2: Backup SSH Configuration
Before proceeding forward, you should know that incorrect SSH configuration will render your server inaccessible via SSH. That’s why creating a backup of sshd_config, the SSH configuration file, is crucial before making any changes. This backup enables admins to restore the default settings in case things go wrong.
Back up the file with the following command:
# sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup
Step #3: Add a New SSh Port
Use the following command to open and edit sshd_config, the SSH daemon configuration file.
For this demonstration, we’ll edit the file with Nano. However, you can use any text editor.
# sudo nano /etc/ssh/sshd_config
Look for the line that specifies the SSH port (usually port number 22):
You can uncomment the line, replacing 22 with your preferred port number. Alternatively, you can leave the line as is and add a new line below, specifying the desired port number.
Step #4: Save and Exit
Save the changes and exit the text editor. In Nano, you can press Ctrl + O to save and Ctrl + X to exit.
Step #5: Restart the SSH Service
While you have made changes to the SSH configurations, they are not in effect. You need to restart the SSH service (the sshd daemon) so that the new changes can take effect.
# sudo systemctl restart sshd
Step #6: Update Your Firewall Settings
It’s crucial to ensure that your firewall settings don’t obstruct SSH access because of the changes in port numbers. Depending on the firewall you’re using, you’ll need to update its settings to permit incoming connections on your specified port.
Allow Traffic on the New SSH Port Using iptables
Start by adding the rule to allow incoming traffic to the port.
#/sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport [new_ssh_port] -j ACCEPT
Allow Traffic on the New SSH Port Using ufw Firewall
If you have the Universal Firewall (ufw), use this syntax:
# ufw allow [new_ssh_port]/tcp
Open a Port on a System with SELinux Enabled
On a system with SELinux, use the following command to allow the open port on the system:
# semanage port -a -t ssh_port_t -p tcp [new_ssh_port]
Once you execute this command, you’ll see a message confirming that the rules have been updated. To verify that the port is now open, you can use the ss command or the netstat utility:
# ss -tulpn | grep [new_ssh_port]
# netstat -tulpn | grep [new_ssh_port]
You can pipe the output to the grep utility to find out the exact output:
Step #7: Connect to the SSH Service on the New Port
To confirm if the new port allows connections, connect to the server via ssh. It’s essential to conduct this test in a new terminal window. Alternatively, you can close your previous root session after you’ve verified that the new configuration is functioning correctly.
Run the following command to initiate an SSH connection using your custom port:
ssh -p [port] username@[ip_address]
Changing the port for SSH is a simple yet effective way to enhance your server’s security. Implementing the steps detailed in this guide can enhance security measures and decrease the risk of unauthorized access and potential threats.
RedSwitches offers the best dedicated server pricing and delivers instant dedicated servers, usually on the same day the order gets approved. Whether you need a dedicated server, a traffic-friendly 10Gbps dedicated server, or a powerful bare metal server, we are your trusted hosting partner.
Q. Why should I change the port number of the ssh service?
Modifying the SSH port enhances the security of your server with an additional layer of protection. It increases potential attackers’ difficulty in identifying and focusing on your SSH service.
Q. Can I choose any port number when changing the SSH port?
We recommend choosing a port above 1024 (any number you choose between 1024 and 65535). You can choose any available port number, but it should not conflict with other services running on your server. Standard alternative ports include 2222 or 8022.
Q. What if I need to remember my custom SSH port?
Make it a point to keep a record of the SSH port you’ve customized. If you forget it, you may need to access your server through an out-of-band method or contact your hosting provider for assistance.
Q. Is changing the SSH default port 22 enough for server security?
No, changing the SSH port is just one security measure. You should also use strong passwords or key-based authentication, keep your server and software up to date, and implement a firewall.