Linux Tips & Tricks · December 27, 2021

Changing Default SSH Port

[Linux] Change Default SSH Port

Secure Shell (SSH) uses port “22” by default. Because this is common knowledge, plenty of automated tools will knock on your public server’s door, and the resulting noise can get annoying.

Changing the default SSH port reduces the number of login attempts, but it is not a complete security solution: a simple nmap scan will still reveal your open ports. Most script kiddies won’t bother with that, though.

Changing Default SSH Port

The default location of the SSH daemon configuration is “/etc/ssh/sshd_config”. Notice the “d” after “ssh”. In this file you can change the SSH daemon configuration, including the listening port. However, if you’re running behind a firewall, make sure you open that port before changing your SSH configuration. Otherwise, you may lock yourself out!

Opening Related Port

On my CentOS 7 machine I’m using “firewall-cmd” as the firewall, so I’ll show how to open the port permanently with it.

First, let’s check our zones. Note this command; we’ll run it again later to confirm that the port has been opened:

[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

It seems we only have one active zone. If you have multiple zones, you can list the active ones with:

[root@gnuadmin ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3

And our firewall uses this zone as default:

[root@gnuadmin ~]# firewall-cmd --get-default-zone
public

Let’s open port “33333”. Make sure no other application is using the port you’d like to use for SSH:

[root@gnuadmin ~]# firewall-cmd --permanent --zone=public --add-port=33333/tcp
success

With this command we’ve permanently opened TCP port 33333 in our “public” zone. After changing port rules you have to reload the firewall settings:

[root@gnuadmin ~]# firewall-cmd --reload
success

Now let’s see what we got:

[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 33333/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@gnuadmin ~]# firewall-cmd --list-ports
33333/tcp

Since we’ve opened the desired port, let’s change the SSH daemon configuration.

Changing SSH Daemon Listen Port

Open the “/etc/ssh/sshd_config” file and find the “#Port 22” line. Uncomment it by removing the “#” character and change it to “Port 33333”. Save the file and restart your SSH service:

[root@gnuadmin ~]# vi /etc/ssh/sshd_config 
[root@gnuadmin ~]# systemctl restart sshd.service

After that, you can use a tool like “netstat” or “ss” to check the listening port. If you don’t have netstat installed, install the “net-tools” package to get it:

[root@gnuadmin ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:33333           0.0.0.0:*               LISTEN      1703/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1223/master         
tcp6       0      0 :::33333                :::*                    LISTEN      1703/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1223/master 

As you can see, sshd is now listening on port 33333 instead of the default, 22.
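The whole procedure above, as an added example that is not part of the original post: a POSIX sh script that rewrites the Port directive, checks the chosen port is free beforehand and bound to sshd afterwards, and prints the privileged steps in a safe order. It runs offline on constructed sample data; the printed plan assumes CentOS 7 with SELinux enforcing (hence the semanage step, which the post does not cover) and the post’s port 33333 and “public” zone.

```shell
#!/bin/sh
# Added example, not from the original post: the config-editing and
# port-verification steps of the procedure above as shell functions that
# run offline on constructed input. Port 33333 is the post's choice.
# set_sshd_port CONFIG PORT: print CONFIG with the first "Port"/"#Port"
# directive outside any Match block replaced by "Port PORT"; append one
# if the file had none.
set_sshd_port() {
  awk -v p="$2" '
    /^[[:space:]]*Match[[:space:]]/ { inmatch = 1 }
    !inmatch && /^[[:space:]]*#?[[:space:]]*Port[[:space:]]/ {
      if (!done) { print "Port " p; done = 1 }
      next
    }
    { print }
    END { if (!done) print "Port " p }' "$1"
}
# port_listening LISTING PORT: succeed if a LISTEN line of saved
# "netstat -tlpn" or "ss -tlpn" output (column 4 is the local address)
# ends in :PORT. Run it before the change to confirm the port is free and
# afterwards to confirm sshd is bound to it.
port_listening() {
  awk -v p="$2" '/LISTEN/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit (found ? 0 : 1) }' "$1"
}
# print_apply_plan PORT: the privileged steps, in order, for a CentOS 7 host.
# Assumption: SELinux is enforcing, so the port must also be labelled for
# sshd; "sshd -t" validates the config before the restart so a typo cannot
# lock you out.
print_apply_plan() {
  cat <<EOF
firewall-cmd --permanent --zone=public --add-port=$1/tcp && firewall-cmd --reload
semanage port -a -t ssh_port_t -p tcp $1
sshd -t && systemctl restart sshd.service
EOF
}
# demo: constructed sshd_config and netstat listings stand in for the real
# files; returns 0 only when every check passes.
demo() {
  cfg=$(mktemp); before=$(mktemp); after=$(mktemp)
  printf '#Port 22\nMatch User backup\n    X11Forwarding no\n' > "$cfg"
  printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1703/sshd\n' > "$before"
  printf 'tcp6 0 0 :::33333 :::* LISTEN 1703/sshd\n' > "$after"
  if port_listening "$before" 33333; then echo "33333 already in use"; return 1; fi
  set_sshd_port "$cfg" 33333 | grep -qx 'Port 33333' || return 1
  port_listening "$after" 33333 || return 1
  rm -f "$cfg" "$before" "$after"
}
```

On a real host, feed set_sshd_port the live file and write the result to a temporary copy, then run print_apply_plan’s commands by hand after reviewing them; keep your current session open until a new login on the new port succeeds.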
