One of the SSH hardening practice is to change the default SSH port. It reduces the number of bot attacks on the server.
The default SSH port number is 22. So when you use
ssh user@IP, it tries to connect to the default port 22. But if the remote server uses some other port for SSH, you should provide the port number:
ssh -p port_number user@IP
Let's say you want to connect to a remote server with IP 188.8.131.52 that accepts SSH connections at port number 7770.
ssh -p 7770 [email protected]
That was about connecting to a different port via SSH. What about changing the SSH port on your server?
Change the default SSH port on Linux server
The process is simple:
- Decide which port number XXXX you want to use
- If you have an active firewall on the server, allow the new port XXXX
- Edit the
/etc/ssh/sshd_configfile and replace the line
- Restart the SSH service with
systemctl restart sshd
Let's see it in details.
Step 1: Choose a port number
You can choose any port number between 0 and 65535 except the common networking ports like 21, 80, 443 etc.
Can't pick. Let's say you use 7770 for the new SSH port.
Now, log in to the server where you want to make these changes.
Step 2: Allow the new port through the firewall
As a sysadmin you probably know if there is a firewall active on your system or not.
Different types of distributions have different firewalls. I cannot cover all of them so that onus lies on you.
I am using Ubuntu server and there you have the UFW. Check the UFW firewall status:
sudo ufw status
If it is active, allow the new port through the firewall:
sudo ufw allow 7770
Step 3: Edit the ssh config file
Use Vim or Nano to edit the config file in the terminal. I'll use nano here:
In the file locate the line with
#Port 22. It should be at the beginning of the file.
Change the line to
Port xxxx format where xxxx is the port number you chose:\
Step 4: Restart SSH service
Now that you have made changes to config file, restart the service SSH daemon.
Most distros these days use systemd and hence use this command to restart it:
systemctl restart sshd
And that's it. No need to restart the server itself.
Now when you have to connect to the server via SSH, specify the port number:
ssh -p xxxx user@ip
Not that it will stop SSH attacks but changing the default port does reduce the number of attacks automated bot target on the port 22.
I hope you find this quick tutorial helpful. Let me know if you have any questions.