How to change the default SSH port on your data center Linux servers

Don't let those data center Linux servers use the default SSH port. Gain a bit of a security edge by configuring the daemon to use a non-standard port.


Chances are, you log into your data center Linux servers by way of Secure Shell (SSH). Out of the box, that remote entry protocol uses port 22—a well-known, exploitable fact. Because that port is so widely accepted as the default, it can become the target of attacks. To that end, you might want to change that default to make use of a different port. But how? Fortunately, this is Linux, so customization is the name of the game.

I'm going to walk you through the process of changing the default SSH port in Linux. I'll demonstrate on Ubuntu Server 18.04, but the process should be the same, regardless of the distribution you use for your servers.


Choosing a port

The first thing you must do is choose a new port for SSH to listen on. You can choose any unused port, but I suggest you select one over 1024 (the ports under that number are used for well-known services and could be more easily discovered). Say you want to use port 2112 (on the off-chance you're a Rush fan). You must then make sure that port is accessible on your network. If you plan on accessing your servers from outside your LAN, your network security will have to be adjusted to allow traffic to be routed to that port on any listening devices. How this is done will depend upon the hardware/software used on your network.

Opening the firewall

You will also need to open the firewall on your server(s). As I'll be demonstrating on Ubuntu Server 18.04, we'll be working with Uncomplicated Firewall (UFW). If you use a different Linux distribution, make sure to adjust the firewall accordingly.

The necessary command to open port 2112 with UFW would be:

sudo ufw allow 2112/tcp

Once you've updated the firewall rules, you're ready to make the change to the default SSH port.

Changing the port

The necessary change is found in the /etc/ssh/sshd_config file. Open that file for editing with the command:

sudo nano /etc/ssh/sshd_config

Once open, look for the line:

#Port 22

Remove the comment (the # character) and change the line to:

Port 2112

Save and close that file. Restart the SSH daemon with the command:

sudo systemctl restart sshd

Once the daemon restarts, SSH is now listening on the new port.
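
The edit described above, scripted as an added example (not the article's own code): the hypothetical helper set_sshd_port rewrites a config file so it holds exactly one active Port line, because sshd listens on every Port directive it reads. The sample config in the block is constructed.

```shell
#!/bin/sh
# Added example: valid_port and set_sshd_port are hypothetical helpers,
# not part of OpenSSH or UFW.

# valid_port PORT: succeeds only for an integer in 1025..65535, following
# the article's advice to pick an unused port over 1024.
valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# set_sshd_port FILE PORT: leave exactly one active "Port PORT" line in FILE.
# sshd listens on every Port line it finds, so a leftover "Port 22" would
# keep the old port open next to the new one.
set_sshd_port() {
    file=$1 port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 3; }
    cp -p "$file" "$file.bak" || return 4        # rollback copy
    tmp=$(mktemp) || return 4
    awk -v port="$port" '
        {
            key = tolower($1); sub(/^#/, "", key)    # "#Port" -> "port"
            if (key == "port" && NF == 2 && $2 ~ /^[0-9]+$/) {
                if (!seen++) out[++n] = "Port " port # replace the first hit
                next                                 # drop any others
            }
            out[++n] = $0
        }
        END {
            # No Port line at all: add it at the top, ahead of any Match block.
            if (!seen) print "Port " port
            for (i = 1; i <= n; i++) print out[i]
        }' "$file.bak" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a stock-style config that also carries a stray active Port.
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' '#AddressFamily any' 'Port 22' 'PermitRootLogin no' > "$demo_cfg"
set_sshd_port "$demo_cfg" 2112 && cat "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.bak"
# On a real server, run "sudo sshd -t" after editing /etc/ssh/sshd_config and
# restart the daemon only if it reports no errors; keep your current session open.
```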

Connecting to SSH

If you attempt to connect to SSH on the server, in the standard fashion, you'll have no luck (Figure A). Why? Because the SSH client assumes the default port of 22.


Figure A: Our SSH connection is now failing.

To get around that, run the SSH command with the -p option like so:

ssh -p 2112 USER@SERVER_IP

Where USER is the remote user and SERVER_IP is the remote server's IP address. With the -p option in place, the SSH connection will get through, and you can log into your data center Linux server on the newly configured, non-default port (Figure B).


Figure B: Our connection is now allowed.

A small, but mighty change

This is a small change to the SSH daemon that every Linux admin should complete. Altering the default SSH port might be a small change, but it is mighty. The last thing you want to do is make it easy for would-be attackers to gain access to your data center servers, simply because you stuck with the default SSH port. Make this change and enjoy a little security by obfuscation.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.