# How to Change the Default SSH Port on a Linux Server

Secure Shell (SSH) is the most common method to remotely access and administer Linux servers. By default, SSH listens for incoming connections on TCP port 22. While this default configuration works out of the box, it also makes the service a visible and easy target for automated scanning tools and brute-force login attempts that probe port 22 across the Internet.
Changing the default SSH port to a non-standard value by editing the SSH daemon configuration file is a widely recommended security practice that can reduce exposure to malicious traffic. Although this change does not replace the need for strong authentication or other hardening techniques, it helps minimize noise in system logs and avoid low-effort intrusion attempts.

Although changing the port does not make SSH immune to attacks, it reduces visibility in large-scale port scans and helps you identify intentional access attempts more easily.

This guide walks you through changing the port, then verifying and applying it without disrupting your current connection. The guide is designed to be safe and practical, even if you are new to Linux server administration.

Changing the SSH port requires administrative privileges and restarting the SSH service, so ensure that you have root or sudo privileges. We also recommend that you test the new port in a separate session to prevent accidental lockout.

## Instructions to Change the SSH Port
### Step 1: Choose a New SSH Port
Before modifying the SSH configuration, you must choose a new port number that SSH will listen on. While almost any unused port in the range 1024–65535 can be selected, it is best to avoid ports commonly used by other services to prevent conflicts and confusion.
Guidelines for choosing a port:
- Avoid well-known ports (0–1023) as they are reserved for standard services (e.g., 80 for HTTP, 443 for HTTPS, 25 for SMTP).
- Avoid ports used by other critical applications, such as 3306 (MySQL) or 5432 (PostgreSQL).
- Pick a high, uncommon number, such as 2222, 49152, or 58765 to reduce the chance of automated scans.
To check which ports are currently in use, you can run the following command to list all active listening ports and services. Make sure your selected port is not already in use:
```bash command
sudo ss -tuln
```
```bash output
root@expert-lab:~# sudo ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:3030 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:3031 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:3030 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 4096 *:22 *:*
tcp LISTEN 0 100 [::]:25 [::]:*
```
Once you have chosen your new SSH port, for example, 2222, keep it noted. You will use it in the next step to update the SSH configuration.

### Step 2: Edit the SSH Configuration File
You need to edit the SSH daemon configuration file to change the default SSH port. This file controls the SSH service's behavior, including which port it listens on for incoming connections.
1. Open the SSH configuration file.
	
    Use a text editor such as nano to edit */etc/ssh/sshd_config*. You must have *root* or *sudo* privileges.
   ```bash command
   sudo nano /etc/ssh/sshd_config
   ```
2. Find the existing port directive.
   
   Inside the file, locate the line that begins with "*Port*". It may be commented out with a "*#*", indicating the service uses the default port 22.
   ```text
   GNU nano 7.2 /etc/ssh/sshd_config
   
   # This is the sshd server system-wide configuration file. See
   # sshd_config(5) for more information.
   # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
   # The strategy used for options in the default sshd_config shipped with
   # OpenSSH is to specify options with their default value where
   # possible, but leave them commented. Uncommented options override the
   # default value.
   
   Include /etc/ssh/sshd_config.d/*.conf
   
   #Port 22
   #AddressFamily any
   #ListenAddress 0.0.0.0
   #ListenAddress ::
   
   #HostKey /etc/ssh/ssh_host_rsa_key
   #HostKey /etc/ssh/ssh_host_ecdsa_key
   #HostKey /etc/ssh/ssh_host_ed25519_key
   
   # Ciphers and keying
   
   #RekeyLimit default none
   
   # Logging
   
   ^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location M-U Undo
   ^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify M-E Redo M-6 Copy
   ```
3. Uncomment and change the port.
   
   Remove the "*#*" symbol if present, and change the port number to your desired value. For example, to use port 2222:
   ```text
   GNU nano 7.2 /etc/ssh/sshd_config *
   
   # This is the sshd server system-wide configuration file. See
   # sshd_config(5) for more information.
   # This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
   # The strategy used for options in the default sshd_config shipped with
   # OpenSSH is to specify options with their default value where
   # possible, but leave them commented. Uncommented options override the
   # default value.
   
   Include /etc/ssh/sshd_config.d/*.conf
   
   Port 2222
   #AddressFamily any
   #ListenAddress 0.0.0.0
   #ListenAddress ::
   
   #HostKey /etc/ssh/ssh_host_rsa_key
   #HostKey /etc/ssh/ssh_host_ecdsa_key
   #HostKey /etc/ssh/ssh_host_ed25519_key
   
   # Ciphers and keying
   
   #RekeyLimit default none
   
   # Logging
   
   ^G Help ^O Write Out ^W Where Is ^K Cut ^T Execute ^C Location M-U Undo
   ^X Exit ^R Read File ^\ Replace ^U Paste ^J Justify M-E Redo M-6 Copy
   ```
4. Save and close the file.
   - If you’re using nano, press Ctrl+O to write changes, then Enter to confirm.
   - Press Ctrl+X to exit the editor.
5. Do not close your current SSH session yet.
	
    If the new port is misconfigured, you may lock yourself out. You can keep your current session open while starting a new one to test the new port before applying changes permanently.

### Step 3: Restart the SSH Service to Apply the New Port
Once you have updated the *sshd_config* file and specified a new SSH port, you must restart the SSH daemon for the changes to take effect.
1. Restart the SSH service.
	
    To reload the configuration and apply the new port setting, use the following command:
   ```bash command
   sudo systemctl restart sshd
   ```
   This command instructs the SSH server to reread its configuration file and begin listening on the new port.
   
   - Note for Ubuntu 24.04 and systems using socket activation: if you are running Ubuntu 24.04 or a system that uses ssh.socket, you should use:
   ```bash command
   sudo systemctl daemon-reload
   sudo systemctl restart ssh.socket
   ```
2. Check if the new port is active.
	
    After restarting the SSH service or socket, verify that your server is listening on the new port using the following command, replacing "*2222*" with your chosen port:
   ```bash command 
   sudo ss -tuln | grep 2222
   ```
   This should return a response similar to:
   ```bash output
   root@expert-lab:~# sudo ss -tuln | grep 2222
   tcp LISTEN 0 4096 *:2222 *:*
   ```
   You should see a LISTEN entry indicating that the SSH daemon is active on the specified port. If not, review your configuration file for typos or syntax issues.
3. Update the firewall (if enabled).
	
    Before testing the new SSH connection, make sure your firewall allows traffic on the new port. If you're using Uncomplicated Firewall (UFW), add the new SSH port and remove the old one (if desired):
   ```bash command
   sudo ufw allow 2222/tcp
   sudo ufw delete allow 22/tcp
   ```
   Then reload the firewall to apply changes:
   ```bash command
   sudo ufw reload
   ```
   If UFW is inactive, these changes will not be necessary. You can check if UFW is enabled with:
   ```bash command
   sudo ufw status
   ```
4. Keep the current session open.
	
    Do not close your existing SSH session at this point. Instead, open a second terminal to test the new port, replacing "*user*" and "*your_server_ip*" with your actual SSH username and server IP address. Only close the original session once you have confirmed a successful connection:
   ```bash command
   ssh -p 2222 user@your_server_ip
   ```
   If everything is set up correctly, you should see something similar to this, with the port you have selected:
   ```bash output
   06:38:54 user@CherryServers ~
   
   ssh root@93.115.25.160
   ssh: connect to host 93.115.25.160 port 22: Connection refused
   
   06:39:01 ugnius@CherryServers ~
   
   ssh -p 2222 root@93.115.25.160
   Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-60-generic x86_64)
   
   Documentation: https://help.ubuntu.com
   
   Management: https://landscape.canonical.com
   
   Support: https://ubuntu.com/pro
   
   System information as of Thu Jun 5 03:39:09 PM UTC 2025
   
   System load: 0.06 Temperature: 30.2 C
   Usage of /: 4.7% of 233.54GB Processes: 407
   Memory usage: 1% Users logged in: 1
   Swap usage: 0% IPv4 address for bond0: 93.115.25.160
   
   Expanded Security Maintenance for Applications is not enabled.
   
   0 updates can be applied immediately.
   
   Enable ESM Apps to receive additional future security updates.
   See https://ubuntu.com/esm
    or run: sudo pro status

   Last login: Thu Jun 5 15:29:57 2025 from 5.199.170.122
   root@expert-lab:~#
   ```
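
The checks from Steps 1 to 3 as a script, added here as an example and not part of the original guide: it rejects a candidate port that is out of range or already has a listener, and confirms from `sshd -T` output that the new port is the only one sshd will bind. The function names and sample inputs are constructed for illustration; `sshd -t` and `sshd -T` are OpenSSH's configuration test modes.

```bash
#!/bin/sh
# Added example: pre-flight checks for an SSH port change.
# Function names and sample data are illustrative, not from the guide.

# Local ports with a listener, one per line, from `ss -tuln` output on stdin.
listening_ports() {
    awk '$1 == "tcp" || $1 == "udp" { n = split($5, a, ":"); print a[n] }' | sort -un
}

# check_candidate PORT  (reads `ss -tuln` output on stdin)
# Returns 0 = usable, 1 = not a number in 1024-65535, 2 = already in use.
check_candidate() {
    case $1 in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    if [ "$1" -lt 1024 ] || [ "$1" -gt 65535 ]; then return 1; fi
    if listening_ports | grep -qx "$1"; then return 2; fi
    return 0
}

# Ports sshd will bind, comma-separated, from `sshd -T` output on stdin.
effective_ports() {
    awk 'tolower($1) == "port" { print $2 }' | sort -un | paste -sd, -
}

# port_change_applied NEW_PORT  (reads `sshd -T` output on stdin)
# Returns 0 only when NEW_PORT is the sole effective port. sshd accepts several
# Port lines, so a leftover "Port 22" in any included file keeps 22 open too.
port_change_applied() {
    [ "$(effective_ports)" = "$1" ]
}

# Constructed sample inputs (not captured from a real host).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0 0    127.0.0.53%lo:53 0.0.0.0:*
tcp   LISTEN 0 100  127.0.0.1:3030   0.0.0.0:*
tcp   LISTEN 0 4096 *:22             *:*
tcp   LISTEN 0 100  [::]:25          [::]:*'
SSHD_T_SAMPLE='port 2222
port 22
addressfamily any'

for p in 22 3030 2222; do
    printf '%s\n' "$SS_SAMPLE" | check_candidate "$p" && rc=0 || rc=$?
    echo "candidate $p: exit $rc"
done
echo "effective ports: $(printf '%s\n' "$SSHD_T_SAMPLE" | effective_ports)"

# On a live host, before restarting the service:
#   sudo ss -tuln | check_candidate 2222
#   sudo sshd -t && sudo sshd -T | port_change_applied 2222
```

With the constructed `sshd -T` sample the last check fails, because port 22 is still configured alongside 2222.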
These steps reduce unwanted SSH login attempts and better protect your server from unauthorized access. Although port changing alone does not secure a system, it is a valuable layer in a defense-in-depth strategy alongside firewalls, public key authentication, and intrusion detection.