Secure Shell listens on TCP port 22 by default, and there is nothing insecure about that on its own. It is nevertheless common practice to move it to a nonstandard port. The reasoning is simple: changing the port does not remove any attack vector against the service, but it does cut the noise generated by automated attacks, the exploit attempts and the very common brute-force password guessing that bots direct at default service ports when sweeping wide network ranges. For stronger access control, SkylineServers recommends permitting SSH through the firewall only from a set of trusted IP addresses, whatever port it runs on.
Warning: Do not lock yourself out
Before changing the SSH port you need to take a couple of precautionary steps so that you do not lose SSH access to the server in the process. Keep your current session open until the new port has been tested from a second connection.
SELinux
Check whether the server has SELinux, AppArmor or a similar mandatory access control system enabled, because it will prevent sshd from binding any port other than the ones its policy allows. If sshd cannot bind the new port it fails to start after the restart, which is exactly the lockout we are trying to avoid. You can check this with:
If the server does enforce an SELinux policy, you will need to adjust that policy as well, like so:
where 22222 is our new port.
Firewall
Double and triple check the server's firewall rules and adjust them to permit SSH connections on the new port as well as the old one; your firewall configuration may vary. If the server is running firewalld you can add the new port like so, assuming public is the configured default zone:
Later, after testing that SSH works on the new port, you can remove the old/default port rule with:
Because we are using the --permanent switch, firewalld has to reload its rules (or be restarted) before the new rules take effect:
With the above precautions in place we can go on to actually change the sshd port. On a Linux server this is a very straightforward process: open the SSH server configuration file, /etc/ssh/sshd_config, in your preferred editor, much like so:
Change the default Port 22 to Port 22222 and save the file. On most distributions the stock file carries this line commented out as #Port 22, so uncomment it as well; sshd listens on every uncommented Port line, so leave exactly one. sshd needs to be restarted to reload the configuration:
Before closing your existing session, open a second one against the new port to confirm it works. Don't forget to use the new port on the client side when making new connections.
If you are using fail2ban or another automated brute-force protection mechanism, its configuration may need to reflect the new SSH port as well, otherwise failed logins on the new port will no longer be noticed and banned.
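The steps above, gathered into one script as an added example (this is not code from the SkylineServers page): it validates the port number, rewrites the Port directive in a given sshd_config (handling the commented #Port 22 that the stock file ships with), and prints the SELinux and firewalld commands that must accompany the change. It assumes an RHEL/CentOS-style host with SELinux, firewalld with the public zone and systemd; the config path is passed as an argument so the rewrite can be tried against a scratch copy, and the privileged commands are printed rather than executed. The port 22222 and the script name change-ssh-port.sh are placeholders.

```shell
#!/bin/sh
# Added example, not from the SkylineServers page. Assumes an RHEL/CentOS-style
# host with SELinux, firewalld (zone "public") and systemd. The root-only
# commands are only printed so this can be tried on a scratch copy of
# sshd_config without touching the live server.

set -eu

# Accept only a numeric port in 1024-65535. Refusing anything else before the
# config is touched is what keeps a typo from locking you out at restart.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the configured Port, or sshd's default of 22 when none is set.
# sshd listens on every uncommented Port line, so we want exactly one.
get_ssh_port() {
  awk '$1 == "Port" { p = $2 } END { print (p == "" ? "22" : p) }' "$1"
}

# Replace the Port directive (including a commented "#Port 22"), or append
# one if the file has none. Writing back through cat keeps the file's inode
# and its 0600 mode, which sshd_config is expected to have.
set_ssh_port() {
  cfg="$1"; port="$2"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  pat='^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$'
  if grep -Eq "$pat" "$cfg"; then
    sed -E "s/$pat/Port $port/" "$cfg" > "$cfg.tmp"
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Print the SELinux and firewalld steps from the sections above, plus a syntax
# check (sshd -t) before the restart. Run these as root while the current SSH
# session stays open. If semanage says the port is already labelled for another
# type, use "semanage port -m" (modify) instead of "-a". The old rule is removed
# only after the new port has been tested from a second session.
print_followup() {
  port="$1"
  cat <<EOF
semanage port -a -t ssh_port_t -p tcp $port
firewall-cmd --permanent --zone=public --add-port=$port/tcp
firewall-cmd --reload
sshd -t
systemctl restart sshd
# after confirming the new port works from a second session:
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload
EOF
}

# Stand-alone use: ./change-ssh-port.sh /path/to/sshd_config 22222
if [ "$#" -eq 2 ]; then
  set_ssh_port "$1" "$2"
  echo "Port now set to $(get_ssh_port "$1"); next steps:"
  print_followup "$2"
fi
```

Run it first against a copy of /etc/ssh/sshd_config to see the rewrite and the printed follow-up commands; only then run it against the real file, execute the printed commands as root, and test the new port from a second terminal before removing the old rule.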