- Understanding the Risk of Default SSH Configuration
- Important Considerations Before You Begin
- Step 1: Choose a Secure and Unused Port
- Step 2: Modify the SSH Configuration File
- Step 3: Configure the Firewall
- Step 4: Update SELinux (If Enabled)
- Step 5: Restart the SSH Service
- Step 6: Test the New Port
- Step 7: Disable Default Port 22
- Verifying the Change
- Additional Security Best Practices
- Managing Infrastructure the Smart Way
- Common Mistakes to Avoid
- Conclusion
Because this port is universally known, it is constantly targeted by automated bots attempting brute-force attacks. While changing the SSH port is not a complete security solution, it is a highly effective first step in reducing attack surface and noise.
In this detailed guide, we’ll cover not only how to change the SSH port, but also why it matters, potential pitfalls, and best practices for maintaining a secure server environment.
Understanding the Risk of Default SSH Configuration
Most attackers don’t manually target servers. They use automated scripts that scan IP ranges looking for open port 22. Once found, they attempt:
- Credential stuffing (trying leaked username/password combinations)
- Brute-force login attempts
- Exploiting weak configurations
Even a small virtual server can receive hundreds or thousands of login attempts per day.
Changing the SSH port helps by:
- Making your server less visible to automated scans
- Reducing log spam and system load
- Acting as a basic but effective deterrent
Important Considerations Before You Begin
Before making any changes, keep the following in mind:
- Always keep an active SSH session open during configuration
- Ensure you have console access (via hosting panel) in case something goes wrong
- Use SSH keys if possible, to avoid being locked out
- Double-check firewall rules before restarting SSH
Managing a Linux server often comes with questions, especially when it comes to security configurations like SSH. If you ever feel stuck or want real-world insights, you can always ask your questions directly in the community spaces of PlusClouds and connect with other developers and system administrators.
Community
Further questions? Ask our team
Step 1: Choose a Secure and Unused Port
SSH can run on any port between 1024–65535 (non-privileged ports).
To verify a port is unused:
sudo ss -tuln | grep
If no output appears, the port is likely available.
Step 2: Modify the SSH Configuration File
The SSH daemon configuration file is located at: /etc/ssh/sshd_config
Open it with a text editor: sudo nano /etc/ssh/sshd_config
- Uncomment it (remove #)
- Replace 22 with your chosen port
Example: Port 2222
Optional: Bind SSH to Specific IP (Advanced)
You can further secure SSH by binding it to a specific IP: ListenAddress 192.168.1.10
This is useful in private or internal networks.
Step 3: Configure the Firewall
This is the most critical step. If you forget it, you may lose access to your server. For UFW (Ubuntu / Debian)
Allow the new port: sudo ufw allow 2222/tcp
Check rules: sudo ufw status
Step 4: Update SELinux (If Enabled)
On systems with SELinux (e.g., CentOS, RHEL), SSH is restricted to predefined ports. To allow a new port: sudo semanage port -a -t ssh_port_t -p tcp 2222
If semanage is not installed: sudo yum install policycoreutils-python-utils
Step 5: Restart the SSH Service
Apply your changes: sudo systemctl restart sshd
Or on some systems: sudo service ssh restart
Step 6: Test the New Port (CRITICAL STEP)
Before closing your current session, open a new terminal and test: ssh -p 2222 username@your_server_ip
If the connection fails:
- Re-check firewall rules
- Verify SSH config syntax
- Use server console access to fix issues
Step 7: Disable Default Port 22 (Optional but Recommended)
Once the new port works:
UFW: sudo ufw delete allow 22/tcp
Verifying the Change
You can confirm SSH is listening on the new port: sudo ss -tuln | grep ssh
Or: sudo netstat -tulnp | grep ssh
Additional Security Best Practices
Changing the port is just one layer. For stronger security:
1. Disable Root Login
PermitRootLogin no
2. Use SSH Key Authentication
Disable passwords entirely: PasswordAuthentication no
3. Install Fail2Ban
Automatically blocks repeated login attempts: sudo apt install fail2ban
4. Limit User Access
AllowUsers yourusername
5. Enable Two-Factor Authentication (2FA)
Adds an extra layer of login protection.
Managing Infrastructure the Smart Way
While manually configuring SSH and firewall rules is essential knowledge, managing multiple servers this way can become complex and time-consuming—especially as your projects grow.
This is where platforms like Plusclouds come in. With scalable cloud infrastructure, automated deployments, and centralized management tools, Plusclouds allows you to:
- Quickly deploy secure virtual servers
- Manage firewall and network settings from a single panel
- Scale your infrastructure without manual overhead
- Focus on development instead of repetitive server configuration
By combining hands-on security practices like SSH hardening with modern cloud management platforms, you can achieve both efficiency and security at scale.
Common Mistakes to Avoid
- Forgetting to open the new port in the firewall
- Restarting SSH before verifying configuration
- Closing the active session too early
- Choosing a port already in use
- Ignoring SELinux restrictions
Conclusion
Changing the SSH port is a simple yet impactful step toward improving your server’s security. While it doesn’t eliminate threats entirely, it significantly reduces automated attacks and unnecessary noise.
When combined with:
- SSH key authentication
- Proper firewall configuration
- Intrusion prevention tools
…it forms part of a strong, layered security strategy.
Whether you’re managing a single VPS or scaling across multiple environments, understanding and applying these practices will help you maintain a secure and reliable infrastructure.
