How to Change the SSH Port on Linux

Introduction

Before we begin talking about how to change the SSH port on Linux, let's briefly understand what the SSH port is.

SSH stands for Secure Shell, a secure communication protocol for remote access to Linux. It allows users to securely connect to a remote server or device over an encrypted connection. The SSH port is the TCP port on which the SSH server listens for these connections.

By default, SSH uses port 22 for communication. However, it is recommended to change the default SSH port for enhanced security. This can be done by modifying the SSH configuration file and updating the firewall settings accordingly. Changing the SSH port helps in minimizing exposure to potential attacks and adds an extra layer of protection to your system.

It is advisable to choose a port number above 1024 to avoid conflicting with already assigned ports. By configuring your firewall to allow access to the new SSH port, you can ensure secure remote access to your Linux system.

In this tutorial, you will change the SSH Port on Linux. We will also address a few FAQs on how to change the SSH Port on Linux.

Tip: Configure your firewall to enable access to port 22 only from trusted hosts and set up SSH key-based authentication to secure your server from threats.

Advantages of SSH Port

  1. Enhanced Security: SSH uses encryption to protect data transmitted over the network.
  2. Remote Access: SSH enables access to a Linux system from anywhere, facilitating remote administration.
  3. Encryption: All communication through SSH is encrypted, ensuring confidentiality.
  4. Port Forwarding: SSH allows for secure tunneling of network connections.
  5. Authentication: SSH supports various authentication methods, such as public key authentication, for secure access control.

Changing the SSH Port

Changing the SSH port is a simple process: edit the SSH configuration file and restart the service.

The following sections show how to change the SSH port on a Linux machine.

1) Choosing a New Port Number

Port numbers lower than 1024 on Linux are reserved for well-known services and can only be bound by root. Although you can use a port between 1 and 1024 for the SSH service, it is suggested that you use a port greater than 1024 to avoid future port allocation concerns.

In this example, the SSH port will be changed to 5522. You can use whatever port you like.

2) Adjusting the Firewall

Before changing the SSH port, adjust your firewall to allow traffic on the new port.

If you're using UFW, Ubuntu's default firewall configuration tool, run the following command to open the new SSH port:

sudo ufw allow 5522/tcp

FirewallD is the default firewall administration tool in CentOS. Run the following commands to open the new port:

sudo firewall-cmd --permanent --zone=public --add-port=5522/tcp
sudo firewall-cmd --reload

SELinux rules must also be adjusted for CentOS users:

sudo semanage port -a -t ssh_port_t -p tcp 5522

To open the new port if you're using iptables as your firewall, type:

sudo iptables -A INPUT -p tcp --dport 5522 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

3) Configuring SSH

With your text editor, open the SSH configuration file /etc/ssh/sshd_config:

sudo vim /etc/ssh/sshd_config

Now, search for the line containing Port 22. This line is generally commented out with a leading # character. Remove the hash # and enter the new SSH port:

Port 5522

Exercise extreme caution when editing the SSH configuration file. A wrong configuration may prevent the SSH service from starting.

To apply the modifications, save the file and restart the SSH service:

sudo systemctl restart ssh

On CentOS, the SSH service is named sshd:

sudo systemctl restart sshd

Run the following command to verify that the SSH daemon is listening on port 5522:

ss -an | grep 5522

You will get output like the following:

Output

tcp   LISTEN      0        128            0.0.0.0:5522           0.0.0.0:*
tcp   ESTAB       0        0      192.168.121.108:5522     192.168.121.1:57638
tcp   LISTEN      0        128               [::]:5522              [::]:*
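The edit in step 3 can be staged and checked before it is installed, so that a typo never reaches the running configuration. The script below is an added example, not part of the original tutorial: the function names are hypothetical, the sample configuration is constructed, and it assumes sshd is on the PATH and the script runs as root.

```shell
#!/bin/sh
# Added example: stage, validate and install a new sshd Port setting.

# valid_port PORT: succeed only for an integer in 1025..65535
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# set_port FILE PORT: write FILE.new containing one active "Port PORT" line.
# Any existing "Port N" / "#Port N" lines collapse into that single line.
set_port() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    awk -v port="$2" '
        tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        # Port is not allowed inside a Match block, so insert before the first
        tolower($0) ~ /^[ \t]*match[ \t]/ && !done { print "Port " port; done = 1 }
        { print }
        END { if (!done) print "Port " port }
    ' "$1" > "$1.new"
}

# active_ports FILE: print every uncommented Port value, one per line
active_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# apply_port FILE PORT: stage the edit, test it with sshd -t, then install it
apply_port() {
    set_port "$1" "$2" || return 1
    sshd_bin=$(command -v sshd) || { echo "sshd not found" >&2; return 1; }
    # -t parses the config and checks host keys without starting the daemon
    "$sshd_bin" -t -f "$1.new" || { rm -f "$1.new"; return 1; }
    # cat keeps the original file's owner, mode and SELinux label
    cp -p "$1" "$1.bak" && cat "$1.new" > "$1" && rm -f "$1.new"
}

# Constructed sample: a stock-style file with "#Port 22" and a Match block
sample_config() {
    printf '%s\n' '#Port 22' 'PermitRootLogin no' \
        'Match User backup' '    PasswordAuthentication no'
}

# Usage: sudo sh change-port.sh /etc/ssh/sshd_config 5522
if [ "$#" -eq 2 ]; then apply_port "$1" "$2"; fi
```

Restart the service after the script succeeds, and keep the current session open until a second login on the new port works.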

Using the New SSH Port

Use the ssh command with the -p <port number> argument to specify the port:

ssh -p 5522 username@remote_host_or_ip

If you connect to several servers frequently, you can simplify the process by defining all of your connections in the SSH config file.

FAQs to Change the SSH Port on Linux

Why should I change the default SSH port? 

Changing the default SSH port adds an extra layer of security by making it harder for potential attackers to discover and target your SSH service.

Can I choose any port number for SSH?

Yes, you can choose any available port number above 1024. Ensure the chosen port is not used by other services to avoid conflicts.

Do I need to update my firewall after changing the SSH port? 

Yes, you need to update your firewall settings to allow incoming connections to the newly assigned SSH port. Ensure your firewall permits SSH traffic on the updated port.

How can I verify if the new SSH port is functioning correctly? 

After changing the port, attempt to connect to your Linux system on the specified port using an SSH client. If the connection succeeds, the port is functioning correctly.

What if I forget the new SSH port?

If you forget the new SSH port, you may lose remote access to your Linux system. It is important to keep a record of the changed port for future reference.

Is changing the SSH port enough to secure my system? 

Changing the SSH port is one step towards securing your system, but it is recommended to implement other security measures such as strong authentication, firewall rules, and regular system updates.

What should I do if I experience issues after changing the SSH port?

If you face connectivity issues after changing the SSH port, ensure the port is correctly configured in the SSH configuration file and that the firewall allows incoming connections to the new port.

Conclusion

In this lesson, you learned how to modify the SSH port on a Linux server. Set up SSH key-based authentication so that you can log in to your Linux servers without having to enter a password.
