How to change the SSH port
Introduction
One of the most common server administration tasks is to change your server's SSH port. While this is often seen as good practice, beginners need to understand that this configuration change doesn't increase your server's security whatsoever. The port can still be discovered using a port scanner. The only thing you'll achieve in terms of security is that you'll reduce the amount of standardized brute force attacks or network scans and thus declutter your authentication log.
We have an extensive SSH security tutorial available where we cover extended topics of SSH security, and we highly recommend that you follow along.
This tutorial requires you to know how to edit a file. If you're unfamiliar with this, please read our tutorial on how to edit a file in Linux first.
Adjust Configuration
To change your SSH port, you need to edit your SSH server's configuration file, which in the majority of Linux distributions is located at /etc/ssh/sshd_config.
You then need to open that file in your favorite text editor, e.g., by typing:
sudo nano /etc/ssh/sshd_config
The file can only be edited by root, so we recommend running the text editor with sudo in order to avoid permission issues.
The exact contents or default settings may differ from distribution to distribution, but somewhere near the top of your sshd_config file you should find the following line:
#Port 22
In some distributions, the # symbol in front of the Port instruction may be missing. If the # symbol is present, you need to remove it, because it identifies the line as a comment. As long as the # symbol is the first character of the line, the configuration instruction will be ignored.
You can then change the value of 22 to any other free port you want to use for your SSH server. The available port numbers are from 1 to 65535, but it's not recommended to use a port below 1024. Also, you need to ensure that no other service is already listening on the port you're choosing, because only one application can listen on a given port at a time.
After you're done editing, the line may look like this:
Port 20222
You can see that we
- removed the # in front of Port (which may not be necessary on your server if the symbol wasn't there in the first place) and
- adjusted the port number from 22 to 20222, which is a high port number within the valid TCP port range.
Afterward, you can save your changes to the file and quit the editor.
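The same edit as a script, added here as an example and not part of the original tutorial: it validates the port, keeps a backup, and handles both the commented and the uncommented form of the Port line. The function names set_ssh_port, active_ports and demo are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.

# set_ssh_port FILE PORT: point the Port directive in FILE at PORT.
set_ssh_port() {
    # Accept 1-5 digits without a leading zero, then apply the tutorial's range.
    case $2 in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $2" >&2; return 1 ;;
    esac
    if [ "$2" -lt 1024 ] || [ "$2" -gt 65535 ]; then
        echo "port $2 is outside 1024-65535" >&2; return 1
    fi
    cp -p "$1" "$1.bak" || return 1    # copy to revert to if the new port fails
    # Rewrite the first active Port line; if there is none, uncomment the first
    # "#Port" line; if that is missing too, add the directive as the first line
    # so it cannot end up inside a Match block. Keywords are case-insensitive.
    awk -v p="$2" '
        { line[NR] = $0; l = tolower($0) }
        l ~ /^[ \t]*port[ \t]+[0-9]+/ && !active { active = NR }
        l ~ /^[ \t]*#[ \t]*port[ \t]+[0-9]+/ && !commented { commented = NR }
        END {
            target = active ? active : commented
            if (!target) print "Port " p
            for (i = 1; i <= NR; i++) print (i == target ? "Port " p : line[i])
        }' "$1.bak" > "$1"
}

# active_ports FILE: print the port of every uncommented Port line.
active_ports() {
    awk 'tolower($0) ~ /^[ \t]*port[ \t]+[0-9]+/ { print $2 }' "$1"
}

# Run against a constructed sample; a real run targets /etc/ssh/sshd_config as root.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' '#Port 22' 'PermitRootLogin no' > "$cfg"
    set_ssh_port "$cfg" 20222 && active_ports "$cfg"
    rm -f "$cfg" "$cfg.bak"
}
demo
```

On a real server, running sshd -t after the edit makes sshd parse the configuration and report errors without affecting the running daemon, which catches a typo before the service is restarted.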
Restart Service
In order to activate the changes, you need to restart the SSH server service.
After you have restarted your SSH server, do not disconnect the SSH session you used to perform the changes described above. Even after you have restarted your SSH server, that session will stay active and act as a lifeline in case you misconfigured your SSH server.
To validate that your changes were successful, open a second SSH session and verify that your connection works properly with the newly selected port. If not, you can revert your changes and restart the service again in order to make your server accessible again.
If you should lose access to your server via SSH, you can still utilize our VNC Console to locally sign in to your server and fix your SSH server's configuration.
The restart process may differ from distribution to distribution, but the following commands are the most common ones. Please note that those commands need to be executed with elevated rights as well. If you are a non-privileged user, you will be asked to type your password to re-authenticate.
Ubuntu & Debian
systemctl restart ssh
CentOS
In CentOS 7 or greater you can use the same systemctl command as for Ubuntu and Debian, but the service is named sshd:
systemctl restart sshd
For older CentOS versions, you can use the following command:
service sshd restart