Cherry Servers

How to Change the Default SSH Port on a Linux Server

Secure Shell (SSH) is the most common method to remotely access and administer Linux servers. By default, SSH listens for incoming connections on TCP port 22. While this default configuration works out of the box, it also makes the service a visible and easy target for automated scanning tools and brute-force login attempts that probe port 22 across the Internet. Changing the default SSH port to a non-standard value by editing the SSH daemon configuration file is a widely recommended security practice that can reduce exposure to malicious traffic. Although this change does not replace the need for strong authentication or other hardening techniques, it helps minimize noise in system logs and avoid low-effort intrusion attempts.

Although changing the port does not make SSH immune to attacks, it reduces visibility in large-scale port scans and helps you identify intentional access attempts more easily.

This guide walks you through applying and verifying the new port without disrupting your current connection. It is designed to be safe and practical, even if you are new to Linux server administration.

Changing the SSH port requires administrative privileges and restarting the SSH service, so ensure that you have root or sudo privileges. We also recommend that you test the new port in a separate session to prevent accidental lockout.

#Instructions to Change the SSH Port

#Step 1: Choose a New SSH Port

Before modifying the SSH configuration, you must choose a new port number that SSH will listen on. While almost any unused port in the range 1024–65535 can be selected, it is best to avoid ports commonly used by other services to prevent conflicts and confusion. Guidelines for choosing a port:

  • Avoid well-known ports (0–1023) as they are reserved for standard services (e.g., 80 for HTTP, 443 for HTTPS, 25 for SMTP).
  • Avoid ports used by other critical applications, such as 3306 (MySQL) or 5432 (PostgreSQL).
  • Pick a high, uncommon number, such as 2222, 49152, or 58765 to reduce the chance of automated scans.

To check which ports are currently in use, you can run the following command to list all active listening ports and services. Make sure your selected port is not already in use:

Command Line
sudo ss -tuln
Output
root@expert-lab:~# sudo ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:3030 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:3031 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:3030 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*
tcp LISTEN 0 100 [::]:25 [::]:*

Once you have chosen your new SSH port, for example, 2222, keep it noted. You will use it in the next step to update the SSH configuration.

#Step 2: Edit the SSH Configuration File

You need to edit the SSH daemon configuration file to change the default SSH port. This file controls the SSH service's behavior, including which port it listens on for incoming connections.

  1. Open the SSH configuration file.

    Use a text editor such as nano to edit /etc/ssh/sshd_config. You must have root or sudo privileges.

    Command Line
    sudo nano /etc/ssh/sshd_config
    
  2. Find the existing port directive.

    Inside the file, locate the line that begins with "Port". It may be commented out with a "#", indicating the service uses the default port 22.

    GNU nano 7.2 /etc/ssh/sshd_config
    
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    
    Include /etc/ssh/sshd_config.d/*.conf
    
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    
    #RekeyLimit default none
    
    # Logging
    
    ^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location M-U Undo
    ^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify M-E Redo M-6 Copy
    
  3. Uncomment and change the port.

    Remove the "#" symbol if present, and change the port number to your desired value. For example, to use port 2222:

    GNU nano 7.2 /etc/ssh/sshd_config *
    
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    
    Include /etc/ssh/sshd_config.d/*.conf
    
    Port 2222
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    
    #RekeyLimit default none
    
    # Logging
    
    ^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location M-U Undo
    ^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify M-E Redo M-6 Copy
    
  4. Save and close the file.

    • If you’re using nano, press Ctrl+O to write changes, then Enter to confirm.
    • Press Ctrl+X to exit the editor.
  5. Do not close your current SSH session yet.

    If the new port is misconfigured, you may lock yourself out. You can keep your current session open while starting a new one to test the new port before applying changes permanently.

#Step 3: Restart the SSH Service to Apply the New Port

Once you have updated the sshd_config file and specified a new SSH port, you must restart the SSH daemon for the changes to take effect.

  1. Restart the SSH service.

    To reload the configuration and apply the new port setting, use the following command:

    Command Line
    sudo systemctl restart sshd
    

    This command instructs the SSH server to reread its configuration file and begin listening on the new port.

    • Note for Ubuntu 24.04 and systems using socket activation - If you are running Ubuntu 24.04 or a system that uses ssh.socket, you should use:
    Command Line
    sudo systemctl daemon-reload
    sudo systemctl restart ssh.socket
    
  2. Check if the new port is active.

    After restarting the SSH service or socket, verify that your server is listening on the new port using the following command, replacing "2222" with your chosen port:

    Command Line
    sudo ss -tuln | grep 2222
    

    This should return a response similar to:

    Output
    root@expert-lab:~# sudo ss -tuln | grep 2222
    tcp LISTEN 0 4096 *:2222 *:*
    

    You should see a LISTEN entry indicating that the SSH daemon is active on the specified port. If not, review your configuration file for typos or syntax issues.

  3. Edit the firewall (if enabled).

    Before testing the new SSH connection, make sure your firewall allows traffic on the new port. If you're using Uncomplicated Firewall (UFW), add the new SSH port and remove the old one (if desired):

    Command Line
    sudo ufw allow 2222/tcp
    sudo ufw delete allow 22/tcp
    

    Then reload the firewall to apply changes:

    Command Line
    sudo ufw reload
    

    If UFW is inactive, these changes will not be necessary. You can check if UFW is enabled with:

    Command Line
    sudo ufw status
    
  4. Keep the current session open.

    Do not close your existing SSH session at this point; only close it once you have confirmed a successful connection on the new port. Open a second terminal to test the new port, replacing "user" and "your_server_ip" with your actual SSH username and server IP address:

    Command Line
    ssh -p 2222 user@your_server_ip
    

    If everything is set up correctly, you should see something similar to this, with the port you have selected:

    Output
    06:38:54 user@CherryServers ~
    
    ssh root@93.115.25.160
    ssh: connect to host 93.115.25.160 port 22: Connection refused
    
    06:39:01 ugnius@CherryServers ~
    
    ssh -p 2222 root@93.115.25.160
    Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)
    
     * Documentation: https://help.ubuntu.com
     * Management: https://landscape.canonical.com
     * Support: https://ubuntu.com/pro
    
    System information as of Thu Jun 5 03:39:09 PM UTC 2025
    
    System load: 0.06 Temperature: 30.2 C
    Usage of /: 4.7% of 233.54GB Processes: 407
    Memory usage: 1% Users logged in: 1
    Swap usage: 0% IPv4 address for bond0: 93.115.25.160
    
    Expanded Security Maintenance for Applications is not enabled.
    
    0 updates can be applied immediately.
    
    Enable ESM Apps to receive additional future security updates.
    See https://ubuntu.com/esm
     or run: sudo pro status
    
    Last login: Thu Jun 5 15:29:57 2025 from 5.199.170.122
    root@expert-lab:~#
    

These steps reduce unwanted SSH login attempts and better protect your server from unauthorized access. Although port changing alone does not secure a system, it is a valuable layer in a defense-in-depth strategy alongside firewalls, public key authentication, and intrusion detection.
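
The checks from Steps 1 to 3 as a small shell helper, added here as an example and not part of the original guide: it tests a candidate port against the Step 1 guidelines and lists every active Port directive in a configuration. The function names and CONF_SAMPLE are illustrative assumptions; SS_SAMPLE is abridged from the Step 1 listing.

```shell
#!/bin/sh
# Added example. SS_SAMPLE is an abridged copy of the Step 1 listing;
# CONF_SAMPLE is constructed for illustration.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.54:53      0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:3031     0.0.0.0:*
tcp   LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      4096   *:22               *:*
tcp   LISTEN 0      100    [::]:25            [::]:*'

CONF_SAMPLE='Include /etc/ssh/sshd_config.d/*.conf
#Port 22
Port 2222
#AddressFamily any
port 22'

# port_in_use PORT: reads `ss -tuln` output on stdin and succeeds if a TCP
# socket is bound to PORT on any address (IPv4, IPv6 or wildcard).
port_in_use() {
    awk -v p="$1" '$1 == "tcp" { n = split($5, a, ":"); if (a[n] == p) hit = 1 }
                   END { exit !hit }'
}

# check_candidate PORT: applies the Step 1 guidelines to PORT, reading
# `ss -tuln` output on stdin. Prints ok, invalid, reserved or in-use.
check_candidate() {
    case "$1" in ''|*[!0-9]*|??????*) echo invalid; return 0 ;; esac
    if [ "$1" -gt 65535 ]; then echo invalid; return 0; fi
    if [ "$1" -lt 1024 ]; then echo reserved; return 0; fi
    if port_in_use "$1"; then echo in-use; else echo ok; fi
}

# configured_ports: reads sshd_config text on stdin and prints every active
# Port value in file order. sshd accepts several Port lines and listens on
# all of them, so a leftover "Port 22" keeps the old port open.
# Handles the whitespace-separated "Port N" form only.
configured_ports() {
    awk 'tolower($1) == "port" { s = s (s == "" ? "" : " ") $2 }
         END { print s }'
}

# On a live host (needs root, not run here):
#   sudo ss -tuln | check_candidate 2222
#   sudo sshd -t                      # syntax check before any restart
#   sudo sshd -T | grep -i '^port '   # effective ports, drop-ins included
```

Running `sshd -t` before the restart in Step 3 catches a typo in sshd_config while the old daemon is still serving your session.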
