Skyline Servers

Official Blog

How to change default SSH port

By default, Secure Shell communication takes place over TCP port 22, and that alone does not make it insecure. Even so, it is common practice to move the service to a nonstandard port. The reasoning is simple: changing the port does not remove any attack vector against the service itself, but it does cut down the noise generated by automated attacks, such as exploit attempts and the very common brute-force password guessing by bots that scan wide network ranges for default service ports. For stronger access control, SkylineServers recommends permitting access to the SSH port through the firewall only from a set of trusted IP addresses.

Warning: Do not lock yourself out

Before changing the SSH port, take a couple of precautionary steps so you don't lose SSH access to the server in the process.

SELinux

Check whether the server has SELinux, AppArmor or a similar mandatory access control system enabled, as it will prevent sshd from opening any network port other than the ones its policy allows. You can check this with

getenforce
apparmor_status

If the server does in fact enforce SELinux policies, you will need to adjust its policy as well, like so:

semanage port -a -t ssh_port_t -p tcp 22222

where 22222 is our new port.

Firewall

Double and triple check the server firewall rules and adjust them as needed to permit SSH connections to the new port as well. Your firewall configuration may vary. If your server is running firewalld, you can make the adjustment like so, assuming public is the default zone configured in it.

firewall-cmd --permanent --zone=public --add-port=22222/tcp

and later, after testing that ssh works on the new port, you can remove the old/default port rule with

firewall-cmd --permanent --zone=public --remove-service=ssh

Because we are using the --permanent switch, firewalld needs to be restarted to apply the new rules with

service firewalld restart

After taking the above precautions we can go on to actually change the sshd port. On a Linux server, changing the SSH service port is a very straightforward process: simply edit the SSH server configuration file located at /etc/ssh/sshd_config with your preferred editor, much like so

vi /etc/ssh/sshd_config

change the default Port 22 to Port 22222 and save the changes. You will need to restart sshd for it to reload the configuration with

service sshd restart

Don't forget to reflect the new port on the client end when making a new connection.

ssh user@server.domain.com -p 22222
scp -P 22222 file user@server.domain.com:file
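The steps above come together in the following script. It is an added example, not Skyline Servers' own tooling: it rewrites the Port directive(s) in an sshd_config file, can keep the old port active alongside the new one during the transition, and runs sshd's own syntax check before you restart anything. It assumes POSIX sh and awk, the new port 22222 used in the article, and that sshd is only invoked if it is installed; the sample configuration it works on is a constructed excerpt, not a real server's file.

```shell
#!/bin/sh
# Added example, not Skyline Servers' own tooling: move sshd to a new port
# by rewriting the Port directive(s) in an sshd_config file, then run sshd's
# own syntax check before anything is restarted.
# Assumptions: POSIX sh and awk; new port 22222 as in the article; sshd is
# only invoked if it is installed. "demo" below works on a constructed copy.
set -u

# validate_port PORT -> 0 if PORT is a number in 1..65535, 1 otherwise
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# active_ports CONFIG -> prints the ports sshd would listen on, space-separated.
# sshd listens on every active "Port" directive; with none, its built-in
# default of 22 applies. Commented-out lines such as "#Port 22" do not count,
# which is the classic mistake when editing the stock file.
active_ports() {
    found=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { printf "%s%s", s, $2; s = " " }' "$1")
    printf '%s\n' "${found:-22}"
}

# set_sshd_port CONFIG PORT [KEEP_OLD]
# Rewrites CONFIG in place so sshd listens on PORT. With KEEP_OLD=1 the ports
# currently in effect are kept too, so the new port can be verified from a
# second session before the old one is dropped (mirrors the article's advice
# of removing the old firewall rule only after testing).
set_sshd_port() {
    cfg=$1; port=$2; keep=${3:-0}
    validate_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    ports=$port
    if [ "$keep" = 1 ]; then
        for p in $(active_ports "$cfg"); do
            [ "$p" = "$port" ] || ports="$ports $p"
        done
    fi
    tmp=$(mktemp)
    awk -v ports="$ports" '
        # Emit one "Port N" line per wanted port, exactly once.
        function emit(   n, i, a) {
            if (done) return
            n = split(ports, a, " ")
            for (i = 1; i <= n; i++) print "Port " a[i]
            done = 1
        }
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ { next }  # drop old active directives
        tolower($1) == "match" { emit() }   # Port is not allowed inside a Match block
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# check_config CONFIG -> sshd's own syntax check. A restart with a broken file
# leaves no sshd listening on any port, so run this before "service sshd restart".
check_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# sample_config PATH -> writes a constructed sshd_config excerpt (not a real
# server's file) with the stock commented-out "#Port 22" and a Match block.
sample_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config excerpt for the example
#Port 22
#AddressFamily any
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

demo() {
    cfg=$(mktemp)
    sample_config "$cfg"
    echo "before:     $(active_ports "$cfg")"
    set_sshd_port "$cfg" 22222 1      # transition: 22 and 22222 both active
    echo "transition: $(active_ports "$cfg")"
    set_sshd_port "$cfg" 22222        # final state: 22222 only
    echo "after:      $(active_ports "$cfg")"
    check_config "$cfg" || echo "fix the config before restarting sshd" >&2
    rm -f "$cfg"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh sshport.sh demo` to watch a copy go from the implicit default 22, to 22 and 22222 together, to 22222 only. On a real server the sequence is: run set_sshd_port against /etc/ssh/sshd_config as root with KEEP_OLD=1, run check_config, restart sshd, log in on 22222 from a second terminal while the first session stays open, and only then drop port 22 from the config and from the firewall. Two caveats worth knowing: a port above 1023 can be bound by any local user, so if sshd is ever stopped on such a port an unprivileged local process could bind it and receive connections meant for sshd, which ports below 1024 avoid at the cost of being root-only; and on the client side a `Host` entry with `Port 22222` in ~/.ssh/config saves you from forgetting the -p / -P switches.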

If you're using fail2ban or another form of automated brute-force protection, its configuration might need to reflect the new SSH port as well.
