Open In App
Related Articles

How to change the default SSH port in Linux

Improve
Improve
Improve
Like Article
Like
Save Article
Save
Report issue
Report

SSH (Secure Shell) is a network protocol used to securely connect to the remote server where the data between the server and client is transferred in an encrypted format.

In the world of Linux system administration and security, one essential practice is changing the default SSH port. This article will guide you through the process of enhancing your server’s security by altering the default SSH port, providing you with valuable skills to protect your system from potential threats and unauthorized access. Join us in this informative exploration of “How to Change the Default SSH Port in Linux.” 

Why Change the Default Port?

The SSH port is typically changed to enhance server security and mitigate potential threats from malicious users, such as Brute Force attacks. These attacks involve systematic trial-and-error methods aimed at breaking into a user’s account by guessing login details, credentials, and encryption keys using various alphanumeric combinations.

By default, SSH services listen on port 22, a widely known default port, making it relatively easy for hackers to target and attempt unauthorized access to encrypted data on this port. Changing the default SSH port makes it significantly more challenging for hackers, as they must now identify the correct port through a more extensive search, increasing the security of the server.

Prerequisites

How to Change the Default SSH Port?

In this article, we will see how to change the default SSH port in simple and easy steps. The steps are mentioned below.

1. Connect to The Remote Server

The user should connect to a remote server via SSH using a terminal or any SSH client tool like Putty, Mobaxterm, etc. 

ssh username@server_ip

For example:

let’s connect to server.example.com from the terminal using the below command.

ssh root@server.example.com

In the next step, the user would be prompted to enter a password, post which the secure connection is established.

Access the remote server through SSH

2. Select a new port

There are a total of 65,536 communication ports which are categorized into three ranges.

Port Category

Range

Usage

Well known/System Ports                    0 -1023These are reserved ports for running system-specific services like SSH which usually runs on 22, HTTPS listens on 443, etc and the process must execute with superuser privileges to be able to bind a network socket to an IP address using one of the well-known ports.
Registered Ports1024 – 49151                                These ports are assigned by IANA for specific services upon application by a requesting entity and they can also be used by ordinary users.
Dynamic/Private ports49152 -65535                              These ports cannot be registered with IANA, it is used for private or customized services or for temporary purposes.

In this example, we will take port 5444 and have to make sure that the port is open meaning it should not be used by any other application. There are numerous Linux commands available to list the open ports and we will check for open ports using lsof command,

sudo lsof -i -P -n | grep LISTEN

Let’s try port 5432 and see if it’s open or not,

5432 used by postgres

5432 is used by Postgres, so let’s check for another port 5444,

5444 is open

5444 port is not used by any service, so it can be taken as a default port for sshd.

3. Unblock port

Once the port is selected, the user should make sure that the port is not blocked and have to open the port in order to allow traffic on it.

Run the following command to update iptables rule to allow incoming connection on the new port. 

sudo iptables -I INPUT -p tcp --dport 5444 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
update iptables rule to allow incoming connection on the new port

update iptables rule to allow incoming connection on the new port

Verify if the rule is listed in iptables,

Verifying if the rule is listed in iptables

Verifying if the rule is listed in iptables

4. Configure SSH

Next, the new port needs to be updated in the sshd server config file named sshd_config usually located under /etc/ssh/. 

config files always present in the /etc/ directory

Open the file and look for a Port option which is usually commented out (#).

#Port 22
Checking the port number

Checking the port number with #

Remove the # symbol, change the default port from 22 to 5444 and save it,

Port 5444

Checking the port number

Users should be careful while doing changes in the server config file as incorrect configuration might lead to the service not getting started up. As a proactive measure users can take a backup of the file before doing any changes.

5. Restart SSH Service

After changing the port number, restart sshd service for the changes to take effect.

For Debian/Ubuntu,

service sshd restart
restart ssh server in Ubuntu

restart ssh server in Ubuntu

For CentOS/Fedora,

systemctl restart sshd
restart ssh server in Fedora

restart ssh server in Fedora

After the service restart, the user would not be able to connect to the server through the old port,

Connection refused with old port

6. Connect with the new port

Now let’s try to connect to the remote server through new port 5444,

ssh username@server_ip -p port_number

Connection established

Frequelty Asked Question to Change the Default SSH Port in Linux

1. How can I change the default SSH port in Linux?

To change the default SSH port in Linux, you can modify the SSH daemon configuration file located at `/etc/ssh/sshd_config`. Look for the line containing “Port” and change the port number to your desired value. After making the change, restart the SSH service using `sudo service ssh restart`.

2. What are the security implications of changing the SSH port?

Changing the default SSH port adds a layer of security by making it less predictable for potential attackers. However, it’s not a foolproof security measure, and it’s crucial to implement other security practices like using key-based authentication, disabling root login, and keeping the system and SSH software up to date.

3. How do I access a Linux server with a custom SSH port?

To access a Linux server with a custom SSH port, include the port number in the SSH command. For example, if you changed the port to 2222, use the command: `ssh user@your_server_ip -p 2222`. Ensure that the firewall on both the client and server allows traffic on the custom port.

4. Can I use any port number for SSH?

In theory, you can use any available port for SSH. However, it’s recommended to choose a port number between 1024 and 49151 that is not commonly used by other services. Ports below 1024 are considered well-known ports, and using them for SSH may require additional permissions.

5. What should I do if I’m locked out after changing the SSH port?

If you’re unable to access your server after changing the SSH port, check if the port is open in the firewall and if the SSH service is running. If you have physical or console access to the server, you can revert the changes in the SSH configuration file. Alternatively, if you have a backup of the configuration file, restore it to regain access.

Conclusion

In this article we discussed How to Changing the default SSH port in Linux which is crucial for enhancing server security and thwarting potential threats like brute force attacks. This article guides users through the process in simple steps. It covers connecting to the server, selecting a new port (like 5444), unblocking and configuring the port, and restarting the SSH service. Frequently asked questions include how to change the SSH port, security implications, accessing a server with a custom port, suitable port numbers, and what to do if locked out after changes. By following these steps, users can bolster their server’s security effectively.



Last Updated : 13 Dec, 2023
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads