How to change the SSH port

SSH, or Secure Shell, is an essential protocol for securely accessing and managing remote servers. It encrypts all communication, ensuring that data remains protected from unauthorized interception.

By default, SSH runs on port 22, which is often targeted by brute force attacks. Changing the default SSH port can significantly enhance security by reducing the likelihood of automated attacks.

This article will guide you through all the steps to changing the SSH port on a Linux virtual private server (VPS), from selecting the appropriate new port to ensuring your server remains accessible after the change.

Choosing a new SSH port

It’s important to select a port that is not already in use by other services to avoid potential conflicts and reduce security risks on your VPS. Here are some of the most commonly used port numbers with their associated services and protocols:

Port number    Service                       Protocol
20             FTP (data transfer)           TCP
21             FTP (control)                 TCP
22             SSH                           TCP
23             Telnet                        TCP
25             SMTP                          TCP
53             DNS                           TCP/UDP
67/68          DHCP                          UDP
69             TFTP                          UDP
80             HTTP                          TCP
110            POP3                          TCP
123            NTP                           UDP
137/138/139    NetBIOS                       TCP/UDP
143            IMAP                          TCP
161/162        SNMP                          TCP/UDP
179            BGP                           TCP
389            LDAP                          TCP/UDP
443            HTTPS                         TCP
636            LDAPS                         TCP/UDP
989/990        FTPS                          TCP
3306           MySQL                         TCP
8080           Alternative to HTTP (web)     TCP
8443           Alternative to HTTPS (web)    TCP

Additionally, consider selecting a port outside the well-known range (0-1023) and the registered ports range (1024-49151). It’s advisable to opt for a custom port within the dynamic or private ports range (49152-65535).

How to change the default SSH port

Now that you have chosen a new port, let’s proceed with the steps to implement the change.

1. Access your server via SSH

Before you can make any changes, you need to access your server securely. Follow these steps to connect to your server via SSH:

  1. Whether you’re using Windows, macOS, or Linux, start by opening a new terminal window. On Windows, you may need an SSH client like PuTTY.
  2. Use the following command to connect to your server. Replace username with your actual server username and server_ip with your server’s IP address:
ssh username@server_ip
  3. Enter the password associated with the username you provided. For enhanced security, it is recommended to use SSH keys instead of passwords.

2. Edit the SSH configuration file

Once you’ve successfully accessed your server, the next step is modifying the SSH configuration to use a new port. This involves editing the sshd_config file, which controls various parameters of your SSH daemon.

  1. Use the following command to open the SSH daemon configuration file in the nano text editor:
sudo nano /etc/ssh/sshd_config
  2. Scroll down until you find the line that includes #Port 22. This line is commented out by default, and the number 22 represents the default port.
  3. Remove the # to uncomment this line and change 22 to your desired port number, such as 61189.
  4. Once done, press Ctrl + X → Y → Enter to save the changes and exit nano.

3. Adjust firewall settings

After updating your SSH port, it’s essential to adjust your firewall settings to allow traffic on the new port. However, if you’ve never configured any firewall rules, you can skip this step and proceed to the next section.

Here’s how to update firewall settings using Uncomplicated Firewall (UFW):

  1. Execute the following command to allow incoming connections on your new port over TCP, replacing 61189 with your specific port:
sudo ufw allow 61189/tcp
  2. Reload UFW to apply the changes:
sudo ufw reload

For Hostinger’s VPS hosting customers, you can easily configure firewall settings on hPanel. Follow these steps:

  1. Access your VPS dashboard and navigate to Security → Firewall.
  2. Click Create firewall configuration, name your new configuration, and click Create.
  3. Click the three-dot horizontal button and choose Edit.
  4. In the Add firewall rule section, configure the rules you prefer and click Add Rule.
  5. Return to the Firewall page and click Activate.

After setting up your firewall rules using either method, verify the current UFW status with this command:

sudo ufw status

4. Restart the SSH service

Once you’ve updated the SSH configurations and firewall rules, it’s time to restart the SSH service to apply the new settings.

For systems using systemd, which is common in newer distributions like Ubuntu, Debian, and CentOS, restart the SSH service by running the following command:

sudo systemctl restart sshd

For older systems that use SysVinit, use this command instead:

sudo service ssh restart

After restarting, verify the SSH service status to make sure everything is running smoothly:

sudo systemctl status sshd

5. Verify the new port

Now that you’ve restarted the SSH service, the final step is verifying that SSH is indeed operating on the new port. This ensures that your changes have been successfully implemented and the server is accessible.

Check the SSH port with ss or netstat

If you have ss installed, use the following command to list listening sockets, filtering for your new SSH port. Replace new_port_number with the port you chose:

ss -tuln | grep new_port_number

The output should include a line in the LISTEN state for the new port.

If you prefer using the netstat command, you can check with:

netstat -tuln | grep new_port_number

The output should show the same LISTEN entry for the new port.

Log in using the new port

Open a new terminal window to test connecting to the server with the new SSH port number by executing this command:

ssh -p new_port_number username@server_ip

Replace new_port_number, username, and server_ip with your specific details.

A successful SSH connection using the new port confirms that your server is functioning correctly with the changes.

Important! Do not log out of your previous root session until you’ve confirmed that the new setup is working correctly.
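
The checks behind steps 2 and 5, written as shell functions. This is an added example, not part of the original article; the function names and sample data are constructed, and it goes slightly beyond the manual edit by also handling configs with several Port lines or a Match block.

```shell
#!/bin/sh
# Added example; function names and the sample data are constructed.

# Accept only a numeric port in the dynamic/private range 49152-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Exact-match check against `ss -tuln` output ($2). A plain `grep 6118`
# would also match 61189, so compare the number after the last colon
# of the local-address column.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($5, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Leave exactly one active Port directive in the config ($1), set to $2.
# sshd listens on every Port line it finds, so old lines are dropped, and
# Port is not valid inside a Match block, so a new line goes before it.
set_port() {
    valid_port "$2" || return 1
    cp -p "$1" "$1.bak" || return 1
    awk -v p="$2" '
        tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " p; done = 1 }
            next
        }
        tolower($1) == "match" && !done { print "Port " p; done = 1 }
        { print }
        END { if (!done) print "Port " p }
    ' "$1.bak" > "$1"
}

# Print every active (uncommented) Port value, one per line.
active_ports() { awk 'tolower($1) == "port" { print $2 }' "$1"; }

# Demo on a constructed config file, not a real /etc/ssh/sshd_config.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' '#Port 22' 'PermitRootLogin no' \
        'Match User backup' '    X11Forwarding no' > "$f"
    set_port "$f" 61189 && active_ports "$f"
    rm -f "$f" "$f.bak"
}
demo
# On the server itself, run `sudo sshd -t` after editing: it checks the
# configuration for errors before you restart the service.
```

A config that fails `sshd -t` should be fixed, or restored from the .bak copy, before the service is restarted.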

Conclusion

Changing the default SSH port is an effective security measure that can reduce your server’s vulnerability to attacks.

By implementing this change along with other best practices, such as using firewalls, regularly updating server packages, and setting up multi-factor authentication, you create a more secure environment for your SSH server.

Remember, security is an ongoing process that benefits from regular attention and adaptation.

How to change the SSH port FAQ

This section will answer the most common questions on how to change the SSH port.

Why should I change the default SSH port?

Changing the default port for SSH reduces your server’s visibility to automated attacks and port scans, enhancing security for sensitive data and root access.

What is the best port to choose when changing the default SSH port?

Choose a port above 1024 that isn’t used by the most common privileged services to minimize conflicts and reduce exposure to attacks.

Will changing the SSH port affect my server’s performance?

Changing the SSH port does not affect Linux server performance. It merely alters the entry point for SSH connections to improve security.

Author

Ariffud Muhammad

Ariffud is a Technical Content Writer with an educational background in Informatics. He has extensive expertise in Linux and VPS, authoring over 200 articles on server management and web development.

Co-author

Edgaras G.

Edgaras is a veteran server administrator at Hostinger. He makes sure that every server runs at full throttle and has all the latest technological advancements. When he's not working, Edgaras enjoys skiing and exploring the world.