How to Change the Default SSH Port in Linux for Security Reasons?
By default, SSH listens on port 22. Changing the default SSH port adds an additional layer of security to your Linux system.
It can spare you the unnecessary attack traffic that bots and port scanners direct at port 22.
This tutorial explains how to change the default SSH port in Linux.
We will also show you how to configure your firewall to allow access to the new SSH port.
We have written many articles about SSH in the past; you can find them by navigating to the following link.
What’s a port scan attack?
Cyberattacks often begin with a port scan attack, which attackers use to find exploitable vulnerabilities on targeted systems.
SSH (Secure Shell) is a cryptographic network protocol that provides secure, encrypted communication between two untrusted hosts over an insecure network.
What’s TCP and How Are Port Numbers Assigned?
TCP (Transmission Control Protocol) is one of the main Internet protocols; it keeps a connection alive until the application programs at each end have finished exchanging messages.
TCP/UDP ports are divided into three ranges.
- Well-known or System Ports – 0 to 1023
- Registered Ports – 1024 to 49151
- Dynamic, Private or Ephemeral Ports – 49152 to 65535
How to Change the Default SSH Port in Linux?
Changing the SSH port on a Linux system is not a big deal; it is done by editing the /etc/ssh/sshd_config file.
I would advise users to take extra care when making any change to a config file. That is, make a copy of the config file before you change it.
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
To do so, run the following command.
# sed -i 's/#Port 22/Port 2200/g' /etc/ssh/sshd_config
We can check the changes by running the following command.
# grep -w Port /etc/ssh/sshd_config
Port 2200
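As an added example (not code from the original article), the same edit wrapped in small shell functions: one rewrites the Port directive whether it is still the commented default `#Port 22` or an already-set `Port NNN` (the single sed expression above only handles the former), one reads back the effective port so the change can be checked, and one hands the edited file to `sshd -t` before the restart. It assumes GNU sed on Linux; the demonstration at the end works on a constructed temp file, not the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original article: change the sshd listen port in a
# backup-first, repeatable way and read back the effective value before restarting.
# Assumes GNU sed (Linux); sshd is only needed for the optional syntax check.

# Rewrite the Port directive in the sshd_config file given as $1 to the port in $2.
# Unlike the article's one-shot sed, this also handles a line that is already
# "Port NNN" (re-running the change) and a file with no Port line at all.
set_ssh_port() {
    cfg="$1"; port="$2"
    cp "$cfg" "$cfg.bk"   # keep a backup, as the article advises
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"   # no directive present: append one
    fi
}

# Print the port sshd will use: the last uncommented Port line, or 22 when there is none.
effective_ssh_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# Optional: have sshd parse the edited file before the restart (run as root so the
# host keys are readable); a typo here would otherwise take the daemon down on restart.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping check"; return 0; }
    sshd -t -f "$1"
}

# Demonstration on a constructed copy of the default directive in a temp file,
# so nothing below touches the real /etc/ssh/sshd_config.
demo_cfg=$(mktemp)
printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$demo_cfg"
set_ssh_port "$demo_cfg" 2200
effective_ssh_port "$demo_cfg"   # prints 2200
rm -f "$demo_cfg" "$demo_cfg.bk"
```

On a live system the sequence is `set_ssh_port /etc/ssh/sshd_config 2200`, then `check_sshd_config /etc/ssh/sshd_config` as root, and only after that the firewall changes and the service restart described in the following sections.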
How to Adjust the Firewall to Allow the Newly Configured SSH Port?
Don’t forget to change your firewall before you exit your session. If you don’t, you will not be able to log back in.
That is, you have to allow the new port in the firewall for SSH access.
UFW is the default firewall for Ubuntu-based systems. To adjust the UFW firewall, run the following command.
$ sudo ufw allow 2200/tcp
FirewallD is the default firewall tool for RHEL 7/8 and CentOS 7 systems, and it is enabled by default, so make the necessary changes by running the following commands.
$ sudo firewall-cmd --permanent --zone=public --add-port=2200/tcp
$ sudo firewall-cmd --reload
On these systems we also need to update the SELinux port labels so that sshd is allowed to bind to the new port.
$ sudo semanage port -a -t ssh_port_t -p tcp 2200
Note that you must insert the new INPUT rule before the REJECT rule; check the rule numbers of your INPUT chain first with the following command.
# iptables -nvL --line-n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2162  205K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2      990 32304 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4       51  2988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5      215 15302 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
In my case the “reject” input rule sits on the fifth line, so I’m going to add a new rule in the fifth line.
For RHEL 6/CentOS 6 systems, run the following commands to adjust the iptables rules.
$ sudo iptables -I INPUT 5 -p tcp --dport 2200 -m state --state NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 2200 -m state --state ESTABLISHED -j ACCEPT
$ sudo service iptables save
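The rule number 5 above is specific to this host. As an added example (not code from the original article), here is a small shell helper that reads the `iptables -nvL --line-numbers` listing and finds the position of the first REJECT or DROP rule in the INPUT chain, then builds the matching insert command, so the position is derived rather than typed from memory. The sample listing is the article's own chain, re-typed one rule per line; the command is printed, not executed, so the script can be run without root.

```shell
#!/bin/sh
# Added example, not code from the original article: locate the blocking rule in the
# INPUT chain from `iptables -nvL --line-numbers` output and build the ACCEPT rule
# for the new SSH port in front of it. Assumes the listing format shown above.

# Read an iptables listing on stdin; print the number of the first REJECT/DROP rule
# in the INPUT chain (prints nothing if the chain has no such rule).
reject_rule_number() {
    awk '
        /^Chain /  { in_input = ($2 == "INPUT"); next }
        in_input && $1 ~ /^[0-9]+$/ && ($4 == "REJECT" || $4 == "DROP") { print $1; exit }
    '
}

# Build the insert command for port $2 at position $1. With no blocking rule the
# rule is appended with -A instead (iptables rejects an insert at position 0).
ssh_accept_rule() {
    pos="$1"; port="$2"
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$pos" "$port"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$port"
    fi
}

# Constructed sample: the article's chain, one rule per line, plus a FORWARD chain
# whose own REJECT rule must be ignored.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2162  205K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2      990 32304 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4       51  2988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5      215 15302 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

pos=$(printf '%s\n' "$SAMPLE_LISTING" | reject_rule_number)   # 5 for the sample
ssh_accept_rule "$pos" 2200
# Live use (as root): ssh_accept_rule "$(iptables -nvL --line-numbers | reject_rule_number)" 2200 | sh
```

Once the printed command has been checked it can be run as root, followed by `service iptables save` as in the article.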
Once you have made all the above changes, it’s time to restart the SSH service.
For SysVinit systems:
$ sudo service sshd restart
For RHEL-based systemd systems:
$ sudo systemctl restart sshd
For Debian-based systemd systems:
$ sudo systemctl restart ssh
Now, check whether the SSH daemon is listening on the new port 2200.
$ sudo netstat -tplugn | grep ssh
tcp        0      0 0.0.0.0:2200            0.0.0.0:*               LISTEN      1968/sshd
tcp        0      0 :::2200                 :::*                    LISTEN      1968/sshd
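Eyeballing that output works for one host; as an added example (not code from the original article), the same check done in a shell function that reads the socket listing as text and reports whether sshd is bound to the new port and no longer to the old one. It keys on the fourth column, which holds the local address in both the `netstat -tplugn` output above and in `ss -ltnp` output, so it runs unchanged on distributions that no longer ship netstat. The listings below are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original article: confirm from a socket listing
# that sshd now listens on the new port and the old port is closed. Reads the
# listing as text; assumes the local address is in column 4 (netstat and ss agree).

# Exit 0 if some LISTEN socket in the listing on stdin is bound to port $1, else 1.
listening_on() {
    awk -v p="$1" '
        /LISTEN/ && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Check listing $1 for the expected move from port $2 to port $3.
# Returns 0 on success, 1 if nothing listens on the new port (daemon not restarted
# or failed to start), 2 if the old port is still open (e.g. two Port lines).
verify_port_switch() {
    listing="$1"; old="$2"; new="$3"
    if ! printf '%s\n' "$listing" | listening_on "$new"; then
        echo "FAIL: nothing is listening on port $new"; return 1
    fi
    if printf '%s\n' "$listing" | listening_on "$old"; then
        echo "WARN: port $old is still open"; return 2
    fi
    echo "OK: sshd moved from port $old to port $new"
}

# Constructed samples: the article's netstat output after the restart, and the
# same host before it.
SAMPLE_AFTER='tcp        0      0 0.0.0.0:2200            0.0.0.0:*               LISTEN      1968/sshd
tcp        0      0 :::2200                 :::*                    LISTEN      1968/sshd'
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1968/sshd
tcp        0      0 :::22                   :::*                    LISTEN      1968/sshd'

verify_port_switch "$SAMPLE_AFTER" 22 2200   # prints "OK: sshd moved from port 22 to port 2200"
# Live use: verify_port_switch "$(ss -ltnp)" 22 2200
```

Run the live form from the still-open session before disconnecting; a non-zero return means the firewall and restart steps should be revisited while you can still log in.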
Finally, try to access the remote Linux system with the standard port and with the new SSH port, and see the difference.
It throws an error when I use the standard SSH port.
$ ssh 192.168.1.4 -l daygeek
ssh: connect to host 192.168.1.4 port 22: Connection refused
But at the same time, it allows me to log in with the new SSH port.
$ ssh 192.168.1.4 -l daygeek -p 2200
Password:
Last login: Sun Jun 23 23:39:36 2019 from 192.168.1.6
Have a lot of fun...
I hope this tutorial helped you change the default SSH port on your Linux system. As always, if you found this article useful, subscribe to our free newsletter to get the latest Linux tips and tricks.