How to Change the Default SSH Port in Linux for Security Reasons?

By default, SSH binds to port 22. Changing the default SSH port adds an additional layer of security to your Linux system.

It can save you from unnecessary attacks, specifically from bots and port scans.

This tutorial explains how to change the default SSH port in Linux.

We will also show you how to configure your firewall to allow access to the new SSH port.

We have written many articles about SSH in the past; you can find them at the following link.

What’s a port scan attack?

Cyberattacks often begin with a port scan, which attackers use to find exploitable vulnerabilities on the targeted systems.

What’s SSH?

SSH (Secure Shell) is a cryptographic network protocol that provides secure, encrypted communication between two untrusted hosts over an insecure network.

What’s TCP and How the Port Numbers are Assigned?

TCP (Transmission Control Protocol) is one of the main transport protocols; it keeps a connection alive until the application programs at each end have finished exchanging messages.

TCP/UDP port numbers are divided into three ranges.

  • Well-known or System Ports – 0 to 1023
  • Registered Ports – 1024 to 49151
  • Dynamic, Private or Ephemeral Ports – 49152 to 65535

How to Change the Default SSH Port in Linux?

Changing the SSH port on a Linux system is not a big deal; it is done by editing the sshd_config file.

I would advise you to take extra care when making any change to a config file. I mean to say, make a copy of the config file before changing anything in it.

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

To change the port (here to 2200), run the following command.

# sed -i 's/#Port 22/Port 2200/g' /etc/ssh/sshd_config

We can verify the change by running the following command.

# grep -w Port /etc/ssh/sshd_config
Port 2200
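The sed command above only matches a commented-out "#Port 22" line; if the directive is already uncommented (or missing), nothing changes and sshd keeps listening on 22. The helper below is an added example, not from the original post: it backs up the file, rewrites the Port directive in all three cases, validates the port number, and reports the port sshd would actually use. It runs here on a constructed temporary copy; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): set the Port directive in an
# sshd_config-style file, handling "#Port 22", an already-uncommented "Port 22",
# and a file with no Port line at all.  Usage: set_ssh_port CONFIG_FILE NEW_PORT
set_ssh_port() {
    cfg="$1"
    port="$2"
    # Accept only a numeric port in 1..65535 (0 is not a usable listening port).
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is out of range" >&2
        return 1
    fi
    # Keep a backup copy before touching the file, as the post recommends.
    cp "$cfg" "$cfg.bk" || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        # Rewrite every Port line, commented or not (the post's sed only matches "#Port 22").
        sed -E -i "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*$/Port $port/" "$cfg"
    else
        # No Port directive anywhere: append one.
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Print the port(s) sshd would actually use: uncommented Port directives only.
effective_ssh_port() {
    grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}'
}

# Let sshd itself check the edited file before you restart it (run as root on the real host).
validate_sshd_config() {
    sshd -t -f "$1"
}

# Demo on a constructed temporary copy, never on the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo"
set_ssh_port "$demo" 2200 && echo "effective port: $(effective_ssh_port "$demo")"
rm -f "$demo" "$demo.bk"
```

Run validate_sshd_config on the real file before restarting sshd: a directive sshd refuses to parse would otherwise stop the daemon and lock you out.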

How to Adjust Firewall to Allow the newly configured port for SSH?

Don’t forget to adjust your firewall before you exit your session. Otherwise, you will not be able to log back in.

In other words, you have to allow the new port through the firewall for SSH access.

UFW is the default firewall on Ubuntu-based systems. To adjust the UFW firewall, run the following command.

$ sudo ufw allow 2200/tcp

FirewallD is the default firewall tool on RHEL 7/8 and CentOS 7 systems, and it is enabled by default, so make the necessary change by running the following commands.

$ sudo firewall-cmd --permanent --zone=public --add-port=2200/tcp
$ sudo firewall-cmd --reload

Also, we need to adjust the SELinux rules to allow the new SSH port.

$ sudo semanage port -a -t ssh_port_t -p tcp 2200

Note that you must insert the new “INPUT” rule before the reject line; first list the rules with line numbers to find where that is.

# iptables -nvL --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     2162  205K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2      990 32304 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4       51  2988 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5      215 15302 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

In my case the “reject” INPUT rule sits on the fifth line, so I’m going to insert the new rule at line five.

For RHEL 6/CentOS 6 systems, run the following commands to adjust the iptables rules.

$ sudo iptables -I INPUT 5 -p tcp --dport 2200 -m state --state NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 2200 -m state --state ESTABLISHED -j ACCEPT
$ sudo service iptables save

Once you have made all the above changes, it’s time to restart the SSH service.

For SysVinit systems.

$ sudo service sshd restart

For RHEL-based systemd systems.

$ sudo systemctl restart sshd

For Debian-based systemd systems.

$ sudo systemctl restart ssh

Now, check whether the SSH daemon is listening on the new port 2200.

$ sudo netstat -tlnp | grep ssh

tcp        0      0 0.0.0.0:2200            0.0.0.0:*               LISTEN      1968/sshd           
tcp        0      0 :::2200                 :::*                    LISTEN      1968/sshd

Finally, try to access the remote Linux system with the standard port and with the new SSH port and see the difference.

It throws an error when I use the standard SSH port.

$ ssh 192.168.1.4 -l daygeek
ssh: connect to host 192.168.1.4 port 22: Connection refused

But at the same time, it allows me to log in with the new SSH port.

$ ssh 192.168.1.4 -l daygeek -p 2200
Password: 
Last login: Sun Jun 23 23:39:36 2019 from 192.168.1.6
Have a lot of fun...

I hope this tutorial helped you change the default SSH port on your Linux system. As always, if you found this article useful, subscribe to our free newsletter to get the latest tips and tricks about Linux.

About Magesh Maruthamuthu

Love to play with all Linux distribution
