Learn how to improve server security by changing the default SSH port from 22 to a custom value using best practices and secure configuration.
Key points to consider:
- By default, SSH listens on port 22, which is frequently scanned by automated bots and targeted for brute-force login attempts.
- Changing the default SSH port is a simple but effective hardening measure that helps reduce exposure to common threats.
- This change should be paired with proper firewall rules to allow traffic on the new port and limit access from untrusted IP addresses if a firewall is in use.
- Always test the new port in a second terminal session before closing the original one to avoid accidental lockouts.
- SSH port settings are configured in the /etc/ssh/sshd_config file and require a restart of the SSH service to take effect.
- Once you change your port number, you must use the -p flag with the new port number or define it in the SSH client configuration file (~/.ssh/config).
- Root or sudo privileges are required to modify SSH settings and restart services.
- Rebooting the server is not required, but restarting the SSH daemon is essential for the new configuration to apply.
Introduction
Secure Shell (SSH) is the most common method to remotely access and administer Linux servers. By default, SSH listens for incoming connections on TCP port 22. While this default configuration works out of the box, it also makes the service a visible and easy target for automated scanning tools and brute-force login attempts that probe port 22 across the Internet.
Changing the default SSH port to a non-standard value is a widely recommended security practice that can reduce exposure to malicious traffic. Although this change does not replace the need for strong authentication or other hardening techniques, it helps minimize noise in system logs and avoid low-effort intrusion attempts.
In this tutorial, you will learn how to change the default SSH port on a Linux server by editing the SSH daemon configuration file. You will also verify and apply the new port without disrupting your current connection. The guide is designed to be safe and practical, even if you are new to Linux server administration.
Important: Before proceeding, ensure that you have root or sudo access to the server. Changing the SSH port requires administrative privileges and restarting the SSH service. You should also test the new port in a separate session to prevent accidental lockout.
Step-by-Step Instructions
Step 1: Choose a new SSH port
Before modifying the SSH configuration, you must choose a new port number that SSH will listen on. While almost any unused port in the range 1024–65535 can be selected, it is best to avoid ports commonly used by other services to prevent conflicts and confusion.
Guidelines for choosing a port:
- Avoid well-known ports (0–1023) as they are reserved for standard services (e.g., 80 for HTTP, 443 for HTTPS, 25 for SMTP).
- Avoid ports used by other critical applications, such as 3306 (MySQL) or 5432 (PostgreSQL).
- Pick a high, uncommon number, such as 2222, 49152, or 58765 to reduce the chance of automated scans.
To check which ports are currently in use, run the following command:
$ sudo ss -tuln
This will list all active listening ports and services (see Fig. 1). Make sure your selected port is not already in use.
Fig. 1. Output of sudo ss -tuln showing active listening ports. Use this command to ensure another service does not already use your chosen SSH port.
Once you have chosen your new SSH port (for example, 2222), keep it noted. You will use it in the next step to update the SSH configuration.
Note: Although changing the port does not make SSH immune to attacks, it reduces visibility in large-scale port scans and helps you identify intentional access attempts more easily.
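The Step 1 guidelines can be checked mechanically. The following is an added example, not part of the original tutorial: check_candidate_port, listening_ports and SAMPLE_SS are names made up here, and the ss output is a constructed sample.

```sh
#!/bin/sh
# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:22222    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*'

# Print each local port found in `ss -tuln` output read from stdin.
listening_ports() {
    # Field 5 is "Local Address:Port"; the port follows the last colon,
    # which also covers IPv6 ([::]:22) and interface-scoped addresses.
    awk '$5 ~ /:[0-9]+$/ { n = split($5, a, ":"); print a[n] }' | sort -un
}

# check_candidate_port PORT  (reads `ss -tuln` output on stdin)
# Returns 0 only if PORT passes every Step 1 guideline.
check_candidate_port() {
    port=$1
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "reject: not a valid port number"; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "reject: outside 1024-65535"; return 1
    fi
    case $port in
        3306|5432) echo "reject: used by MySQL/PostgreSQL"; return 1 ;;
    esac
    # -x matches the whole line, so 2222 is not confused with 22222.
    if listening_ports | grep -qx "$port"; then
        echo "reject: already in use"; return 1
    fi
    echo "ok: $port"
}

# Demo on the constructed sample; on a server, pipe in `sudo ss -tuln`.
for p in 80 3306 22222 2222; do
    printf '%s -> ' "$p"
    printf '%s\n' "$SAMPLE_SS" | check_candidate_port "$p" || true
done
```

The exact-match comparison also matters when verifying the listener after the restart in Step 3, where a plain grep 2222 would also match a service listening on 22222.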
Step 2: Edit the SSH Configuration File
You need to edit the SSH daemon configuration file to change the default SSH port. This file controls the SSH service's behavior, including which port it listens on for incoming connections.
- Open the SSH configuration file:
  Use a text editor such as nano to edit /etc/ssh/sshd_config. You must have root or sudo privileges.
  $ sudo nano /etc/ssh/sshd_config
- Find the existing port directive:
  Inside the file, locate the line that begins with Port. It may be commented out with a #, indicating the service uses the default port 22 (see Fig. 2).
  #Port 22
  Fig. 2. The sshd_config file with the default SSH port 22 setting commented out.
- Uncomment and change the port:
  Remove the # symbol if present, and change the port number to your desired value. For example, to use port 2222 (see Fig. 3):
  Port 2222
  Fig. 3. SSH configuration file after changing the port. The Port directive has been uncommented and set to 2222. This will instruct the SSH service to listen on the new port after a restart.
  Make sure your chosen port lies within the range of 1024–65535 and is not already in use to avoid conflicts with well-known services.
- Save and close the file:
  - If you’re using nano, press Ctrl+O to write changes, then Enter to confirm.
  - Press Ctrl+X to exit the editor.
- Important considerations:
  - Do not close your current SSH session yet. If the new port is misconfigured, you may lock yourself out.
  - You can keep your current session open while starting a new one to test the new port before applying changes permanently.
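A scripted form of Step 2 that edits a copy of the file and validates it before it replaces the live configuration, so a typo cannot stop the daemon at the next restart. This is an added example, not part of the original tutorial: set_sshd_port and the SSHD_CHECK variable are names made up here, and the default check relies on OpenSSH's test mode (sshd -t -f FILE), which must run as root.

```sh
#!/bin/sh
# Usage (as root): set_sshd_port /etc/ssh/sshd_config 2222
# SSHD_CHECK (hypothetical, this example only) overrides the validator;
# by default the candidate file is checked with "sshd -t -f".
set_sshd_port() {
    cfg=$1 port=$2
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] ||
        { echo "port outside 1024-65535" >&2; return 1; }

    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    # The first Port line (commented or not) becomes the new setting; any
    # later active Port line is commented out so only one port remains.
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " p; done = 1 }
            else if ($0 ~ /^[ \t]*#/) print
            else print "#" $0
            next
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Validate the candidate before it goes live; on failure nothing changes.
    if ! ${SSHD_CHECK:-sshd -t -f} "$tmp"; then
        echo "validation failed; $cfg left unchanged" >&2
        rm -f "$tmp"; return 1
    fi
    # Keep a backup, then overwrite in place to preserve owner and mode.
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}
```

If the file had no Port line and ends in a Match block, the appended directive is rejected by the validation step, and the original file stays in place.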
Step 3: Restart the SSH service to apply the new port
Once you have updated the sshd_config file and specified a new SSH port (e.g., 2222), you must restart the SSH daemon for the changes to take effect.
- Restart the SSH service:
  To reload the configuration and apply the new port setting, use the following command:
  $ sudo systemctl restart sshd
  This command instructs the SSH server to reread its configuration file and begin listening on the new port.
  Note for Ubuntu 24.04 and systems using socket activation:
  If you are running Ubuntu 24.04 or a system that uses ssh.socket, you should use:
  $ sudo systemctl daemon-reload
  $ sudo systemctl restart ssh.socket
- Check if the new port is active:
  After restarting the SSH service or socket, verify that your server is listening on the new port (see Fig. 4):
  $ sudo ss -tuln | grep 2222
  Fig. 4. Verifying that SSH is now listening on port 2222 using ss -tuln. The LISTEN state confirms that the new port is active and ready to accept connections.
  Replace 2222 with your chosen port. You should see a LISTEN entry indicating that the SSH daemon is active on the specified port. If not, review your configuration file for typos or syntax issues.
- Edit firewall (If enabled):
  Before testing the new SSH connection, make sure your firewall allows traffic on the new port. If you're using ufw (Uncomplicated Firewall), add the new SSH port and remove the old one (if desired):
  $ sudo ufw allow 2222/tcp
  $ sudo ufw delete allow 22/tcp
  Then reload the firewall to apply changes:
  $ sudo ufw reload
  Note: if ufw is inactive, these changes are unnecessary. To check if it's enabled, run:
  $ sudo ufw status
- Keep the current session open:
  Do not close your existing SSH session at this point. Instead, open a second terminal to test the new port (see Fig. 5):
  $ ssh -p 2222 user@your_server_ip
  Replace user and your_server_ip with your actual SSH username and server IP address. Only after confirming a successful connection should you close the original session.
  Fig. 5. Connection attempt to default SSH port 22 is refused, while a successful connection is established using the new custom port 2222.
Summary
In this tutorial, you learned how to change the default SSH port on a Linux server to enhance security and reduce exposure to automated attacks.
We started by selecting a new, unused port in the 1024–65535 range and verified that it was not already in use.
Then, we edited the sshd_config file to replace the default port 22 with our new custom port, then safely restarted the SSH service or socket using the appropriate method depending on the operating system version.
We also verified that the new port was listening and ensured existing sessions remained active during testing.
If a firewall was in use, we explained how to open the new port and remove the old one using ufw. Finally, we confirmed connectivity via SSH on the new port before closing the original session.
By following these steps, you can reduce unwanted SSH login attempts and better protect your server from unauthorized access. Although changing the port alone does not secure a system, it is a valuable layer in a defense-in-depth strategy alongside firewalls, public key authentication, and intrusion detection.