How to Change OpenSSH Port on Linux Systems for Enhanced Security
Changing the default SSH port from 22 is a common practice among system administrators who want to cut down on the background noise their servers attract. It is not a security control in itself: any attacker who port-scans the host will find the new port within seconds, and the daemon behind it is exactly as strong or weak as before. What it does reduce is the volume of automated brute-force and credential-stuffing attempts from scripts that only try port 22, and with it the size of your auth logs.
This guide walks you through the process of changing the SSH port on a Linux system, covering essential steps to ensure your server remains accessible and secure.
Why Change the Default SSH Port?
The standard SSH port (22) is well known and is probed constantly by automated scanners. Moving sshd to a non-standard port does not make the server harder to break into, but it does drop most of the opportunistic login attempts that never look beyond port 22. Treat it as a convenience, not a defence: for real protection use SSH key-based authentication (and disable password logins), and restrict which source IP addresses may reach the SSH port at all via your firewall.
Steps to Change the SSH Port on Linux
The steps below apply to most Linux distributions like Ubuntu, CentOS, and Debian. Ensure you have root privileges or sudo access before making these changes.
Step 1: Back Up the Current SSH Configuration
Before modifying your SSH configuration, create a backup to easily revert if something goes wrong:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
This creates a backup named sshd_config.bak with the current settings.
Step 2: Modify the SSH Configuration File
Open the SSH configuration file using your preferred text editor (vi, nano, etc.):
sudo vi /etc/ssh/sshd_config
Locate the line that reads:
#Port 22
Uncomment the line (remove the #), then change 22 to your desired port number, for example:
Port 2244
Ensure the new port number is not already in use by another service (ss -tnl lists everything currently listening). sshd accepts more than one Port directive, so a safer way to migrate is to keep Port 22 and add a second line with Port 2244; sshd will then listen on both until you remove the old line in Step 8. On Debian and Ubuntu, sshd_config also contains an Include /etc/ssh/sshd_config.d/*.conf directive, so check the files in that directory for any additional Port setting, since every Port line that sshd reads is honoured.
Save and exit the file.
Step 3: Update SELinux (CentOS and RHEL Systems Only)
If you're using CentOS, RHEL, Fedora, or another distribution with SELinux in enforcing mode, you must tell SELinux that sshd is allowed to bind the new port; otherwise sshd will refuse to start and the denial will show up in the audit log. Add the new SSH port to the ssh_port_t type:
sudo semanage port -a -t ssh_port_t -p tcp 2244
If you get an error saying semanage: command not found, install the package that provides it. On CentOS/RHEL 7 that is policycoreutils-python:
sudo yum -y install policycoreutils-python
On RHEL 8 and later and on Fedora the package is named policycoreutils-python-utils (install it with dnf). Then rerun the semanage command above. If semanage complains that the port is already defined (because the number you chose belongs to some other SELinux type), use -m (modify) in place of -a; semanage port -l will show the current mapping.
Step 4: Allow the New SSH Port Through the Firewall
If you’re using a firewall, such as firewalld or UFW, add the new port to the firewall rules:
For firewalld:
sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp
sudo firewall-cmd --reload
For UFW (Uncomplicated Firewall):
sudo ufw allow 2244/tcp
These commands open the new SSH port in the firewall and apply the changes.
Step 5: Restart the SSH Service
Before restarting, validate the edited file with sshd's test mode (sudo sshd -t): it reports syntax errors without starting the daemon, and a broken sshd_config is the most common way to lock yourself out at this step. Once the configuration passes, restart the SSH service for the change to take effect. The unit is called sshd.service on CentOS, RHEL and Fedora, and ssh.service on Debian and Ubuntu (Ubuntu also accepts sshd.service as an alias):
sudo systemctl restart sshd.service
For older systems or distributions using init.d:
sudo service ssh restart
On Ubuntu 22.10 and later sshd is socket-activated: systemd's ssh.socket owns the listening port, and the Port directive in sshd_config is ignored. There you must override the socket's ListenStream setting (systemctl edit ssh.socket) and restart ssh.socket instead of the service.
Step 6: Verify the New SSH Port is Active
Confirm that SSH is now listening on the new port by running:
ss -tnlp | grep ssh
You should see output similar to this (the exact columns vary with your iproute2 version):
LISTEN 0 128 0.0.0.0:2244 0.0.0.0:* users:(("sshd",pid=10783,fd=3))
LISTEN 0 128 [::]:2244 [::]:* users:(("sshd",pid=10783,fd=4))
If the new port is not displayed, sshd either did not restart or is still reading the old port: check systemctl status sshd (or ssh) and the journal for the error, and re-check sshd_config and any included files. The firewall plays no part here; it only affects whether remote clients can reach the port, not whether sshd is listening on it.
Step 7: Test the New SSH Port
Finally, test your SSH connection using the new port:
ssh username@your_server_ip -p 2244
If you can connect successfully, you've configured SSH to use the new port. Don't close your existing SSH session until you've confirmed the new connection works; open the test connection from a second terminal so the first one remains available to revert. If the attempt is refused immediately, sshd is not listening on the port (see Step 6); if it hangs until it times out, the firewall (or a cloud security group in front of the server) is still blocking the port.
Step 8: Remove Access to the Old SSH Port (Optional)
Once you confirm the new port is working, close the old SSH port (22). If you kept a second Port 22 line in sshd_config during the transition, delete it and restart sshd first, then remove the firewall rule:
For firewalld:
sudo firewall-cmd --permanent --remove-port=22/tcp
sudo firewall-cmd --reload
On most firewalld installations port 22 is not opened by a port rule at all but by the predefined ssh service in the zone, in which case the command above removes nothing and you need --remove-service=ssh instead; firewall-cmd --list-all shows which form applies.
For UFW:
sudo ufw delete allow 22/tcp
The delete command must match the rule exactly as it was added; if the rule was created with ufw allow ssh or ufw allow OpenSSH, delete it in that same form (ufw status numbered lists the rules with their numbers).
This step is optional but recommended: with port 22 closed, scanners that only try the default port get no response at all and your logs stay quiet.
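The steps above, collected into one script as an added example (this is not code from the original article). It performs the same sequence: back up sshd_config, rewrite the Port line, register the port with SELinux and the active firewall where those are present, refuse to restart if sshd rejects the configuration, restart the right unit (including the socket-activated case), and confirm that something is now listening on the new port. Assumptions: GNU userland (awk, sed, coreutils), iproute2's ss, systemd, and root privileges; the backup file suffix, the override file name /etc/systemd/system/ssh.socket.d/port.conf, and the SSHD_CONFIG variable are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example: change the sshd listen port with pre-flight checks.
# Usage (as root):  ./change-ssh-port.sh 2244
# Running it with no argument only defines the functions.
set -euo pipefail

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"   # assumed default path

# True if PORT is an integer in 1..65535.
valid_port() {
    case "${1:-}" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the active (uncommented) Port values in FILE, space separated,
# or 22 if the file sets none. Keywords are case-insensitive like sshd's.
configured_ports() {
    local ports
    ports=$(awk 'tolower($1) == "port" { printf "%s%s", sep, $2; sep = " " }' "$1")
    printf '%s\n' "${ports:-22}"
}

# Rewrite FILE so that its only Port directive is PORT: the first Port line
# (commented or not) is replaced in place, any further ones are dropped,
# and a Port line is appended if the file had none at all.
set_port_in_config() {
    local file="$1" port="$2" tmp
    tmp=$(mktemp)
    awk -v port="$port" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        tolower(line) ~ /^port[ \t]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"     # overwrite in place: keeps owner, mode and inode
    rm -f "$tmp"
}

change_ssh_port() {
    local port="$1" backup
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # Step 2 check: refuse a port something else already listens on.
    if ss -Htnl "sport = :$port" | grep -q .; then
        echo "tcp/$port is already in use" >&2; return 1
    fi
    backup="${SSHD_CONFIG}.bak.$(date +%Y%m%d%H%M%S)"    # Step 1
    cp -a "$SSHD_CONFIG" "$backup"
    set_port_in_config "$SSHD_CONFIG" "$port"             # Step 2
    # Step 3: SELinux must allow sshd to bind the new port (-m if the
    # number is already mapped to another type).
    if command -v selinuxenabled >/dev/null && selinuxenabled 2>/dev/null; then
        command -v semanage >/dev/null \
            || { echo "semanage missing: install policycoreutils-python(-utils)" >&2; return 1; }
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # Step 4: open the port in whichever firewall is actually running.
    if command -v firewall-cmd >/dev/null && firewall-cmd --state >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="${port}/tcp" && firewall-cmd --reload
    elif command -v ufw >/dev/null && ufw status | grep -q '^Status: active'; then
        ufw allow "${port}/tcp"
    fi
    # Step 5: never restart on a config sshd itself rejects; that locks you out.
    if ! sshd -t -f "$SSHD_CONFIG"; then
        cp -a "$backup" "$SSHD_CONFIG"
        echo "sshd rejected the new config; original restored" >&2; return 1
    fi
    if systemctl is-active --quiet ssh.socket; then
        # Socket-activated sshd (Ubuntu 22.10+): the socket unit owns the port,
        # so override its ListenStream; the Port directive alone does nothing.
        mkdir -p /etc/systemd/system/ssh.socket.d
        printf '[Socket]\nListenStream=\nListenStream=%s\n' "$port" \
            > /etc/systemd/system/ssh.socket.d/port.conf
        systemctl daemon-reload && systemctl restart ssh.socket
    else
        systemctl restart sshd.service 2>/dev/null || systemctl restart ssh.service
    fi
    # Step 6: confirm a listener exists on the new port before trusting it.
    sleep 1
    ss -Htnl "sport = :$port" | grep -q . \
        || { echo "nothing listens on tcp/$port; backup is $backup" >&2; return 1; }
    echo "tcp/$port is live; test from a NEW session before closing this one (Step 7)"
}

if [ $# -eq 1 ]; then
    change_ssh_port "$1"
fi
```

Keep your current session open while it runs: if the final check fails, the timestamped backup it printed can be copied back over sshd_config and sshd restarted from that session. The script deliberately does not close port 22 (Step 8); do that by hand once a login on the new port has succeeded.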
Further Notes
- Choosing a Port Number: Pick a port that is not used by another service and not listed for something else in /etc/services. Ports above 1024 are the usual choice, but note that any unprivileged local user can bind a port above 1023 if sshd is ever down, so on multi-user hosts some administrators prefer an unused port below 1024, which only root can bind. Also check that the port is not blocked by the networks your users connect from.
- SELinux Considerations: If SELinux is enabled, always update its policies to reflect the new port.
- Key-Based Authentication: Consider using SSH keys instead of passwords for a more secure setup.
- IP Whitelisting: To further protect your server, restrict SSH access to specific IP addresses using firewall rules.
By following these steps, you've moved sshd off the default port on your Linux server, which removes it from the view of scanners that only probe port 22. Combine it with key-based authentication and source-IP restrictions for protection that holds up against anyone who actually scans the host.