SSH to Port Other Than 22: Secure Your Connections with Alternate Ports

SSH to Port Other Than 22

When you think about server security, one of the first things that should come to mind is securing your SSH connections. While most administrators know the basics of SSH security, many still run their SSH services on the default port 22. But here’s the thing – you don’t have to stick with the default, and you probably shouldn’t.

What is SSH and Why Port 22?

Secure Shell (SSH) is the backbone of remote server administration. It’s the encrypted tunnel that allows you to securely connect to your servers from anywhere in the world. Port 22 became the standard SSH port simply because it was assigned by the Internet Assigned Numbers Authority (IANA) back in the early days of SSH development.

Think of it like having your house key under the same doormat everyone else uses. Sure, it works, but it’s not exactly creative or secure. Port 22 is that doormat – everyone knows to look there first.

The Security Implications of Default Ports

Running SSH on port 22 is like painting a target on your server. According to recent cybersecurity reports, over 90% of automated SSH brute-force attacks target port 22 specifically. These bots scan the internet looking for servers with SSH running on the default port, then attempt thousands of login combinations.

When you change your SSH port, you’re essentially moving your front door from the main street to a side alley. The bad guys can still find you if they’re really determined, but you’ll avoid 99% of the random trouble that walks by.

Why You Should Change Your SSH Port from 22

Reducing Automated Attack Attempts

I’ve seen server logs where systems running SSH on port 22 receive hundreds of attempted logins per day. These aren’t sophisticated attacks – they’re just bots trying common username/password combinations like “root/password” or “admin/123456.”

The moment you move SSH to a different port, this traffic drops to nearly zero. It’s not bulletproof security, but it’s incredibly effective at reducing noise and potential attack vectors. Think of it as the digital equivalent of not advertising that you’re home when you go on vacation.

Security Through Obscurity Benefits

Now, I know what you’re thinking – “Security through obscurity isn’t real security!” And you’re partially right. Changing your SSH port shouldn’t be your only security measure. But it’s an excellent first layer of defense.

Consider this: a security researcher found that changing SSH from port 22 to a non-standard port reduced attempted attacks by 98.7%. That’s a massive reduction in attack surface with minimal effort on your part.

Compliance and Enterprise Requirements

Many enterprise environments and compliance frameworks actually require or strongly recommend changing default service ports. If you’re dealing with PCI DSS, HIPAA, or other regulatory requirements, moving SSH off port 22 might not be optional – it could be mandatory.

Industry Statistics on SSH Attacks

Recent data from cybersecurity firms shows some eye-opening statistics:

  • SSH brute-force attacks increased by 35% in 2024
  • 89% of successful SSH compromises started with attacks on port 22
  • Servers on non-standard SSH ports see 40 times fewer attack attempts
  • The average time to compromise a weak SSH password on port 22 is under 4 hours

How SSH Port Configuration Works

Understanding Port Numbers and Ranges

Ports are like different doors into your server. Think of your server as a massive building with 65,535 numbered doors. Some doors are reserved for specific services (like door 22 for SSH, door 80 for web traffic), while others are available for whatever you want to use them for.

Ports are divided into three ranges:

  • Well-known ports (0-1023): Reserved for system services
  • Registered ports (1024-49151): Available for applications
  • Dynamic ports (49152-65535): Usually used for temporary connections

For SSH, you’ll want to pick something in the registered ports range that’s not commonly used by other services.

Common Alternative SSH Ports

While you can technically use any available port, some numbers are more popular than others for SSH:

  • 2022: Easy to remember (just add a 0 to 22)
  • 2222: Another memorable option
  • 22222: If you really like the number 2
  • 8022: Combines 80 (web) with 22 (SSH)
  • 9022: Another hybrid option

However, I’d recommend avoiding these “obvious” alternatives. A smart attacker will check these common substitutes after port 22 fails.

Port Selection Best Practices

Here’s my personal approach to choosing SSH ports:

  1. Pick something between 1024 and 65535
  2. Avoid ports ending in 22, 80, or other obvious patterns
  3. Check that your chosen port isn’t used by other services
  4. Consider using a number that means something to you (but not something obvious like your birthday)

For example, port 49847 is random enough to avoid detection but memorable if you use a pattern like your favorite sports team’s founding year plus some offset.
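One way to automate the checks in the list above, as an added example that is not part of the original article: a POSIX shell function (the name check_ssh_port is hypothetical) that applies the range and pattern rules, then looks the candidate up in /etc/services and in the live listener table reported by ss.

```shell
#!/bin/sh
# Added example (not from the original article): vet a candidate SSH port.

# Print the TCP ports that currently have a listener, one per line.
# Uses ss(8) from iproute2; prints nothing if ss is not installed.
listening_tcp_ports() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -Htln 2>/dev/null | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# check_ssh_port PORT [SERVICES_FILE] [LISTENING_PORTS]
# Prints "ok" and returns 0 if PORT passes, else prints the reason and returns 1.
# SERVICES_FILE defaults to /etc/services; LISTENING_PORTS (whitespace-separated)
# defaults to the live output of listening_tcp_ports.
check_ssh_port() (
    port=$1
    services=${2:-/etc/services}
    listening=${3-$(listening_tcp_ports)}
    case $port in
        ''|*[!0-9]*) echo "not a number"; exit 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "outside 1024-65535"; exit 1
    fi
    case $port in
        *22|*80) echo "obvious pattern (ends in 22 or 80)"; exit 1 ;;
    esac
    # Already assigned to a named service in the services database?
    if [ -r "$services" ] && grep -Eq "[[:space:]]$port/tcp([[:space:]]|\$)" "$services"; then
        echo "assigned in $services"; exit 1
    fi
    # Is something already listening on it?
    for p in $listening; do
        if [ "$p" = "$port" ]; then echo "already listening"; exit 1; fi
    done
    echo "ok"
)

# Run as: sh check-port.sh 49847
if [ $# -gt 0 ]; then check_ssh_port "$@"; fi
```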

Step-by-Step Guide to Change SSH Port on Linux

Now let’s get our hands dirty with the actual configuration. I’ll walk you through the process step by step.

Modifying the SSH Configuration File

The SSH server configuration lives in /etc/ssh/sshd_config. Before we touch anything, let’s make a backup:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Now, open the configuration file with your favorite editor:

sudo nano /etc/ssh/sshd_config

Look for the line that says #Port 22 or Port 22. If it starts with a #, the line is commented out and sshd is using the default port. Remove the # and change 22 to your chosen port:

Port 49847

That’s it for the basic configuration! But while we’re here, let me share a pro tip: consider making a few other security improvements at the same time:

Port 49847
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

These additional settings disable root login and password authentication, forcing the use of SSH keys instead.

Restarting SSH Services

After saving your configuration file, you need to restart the SSH service. But here’s where things get tricky – if you’re connected via SSH and you mess up the configuration, you could lock yourself out.

First, test your configuration syntax:

sudo sshd -t

If that returns without errors, you’re good to proceed. Now restart the SSH service:

sudo systemctl restart sshd

Important: Don’t close your current SSH session yet! Keep it open while you test the new configuration.

Testing Your New Configuration

Open a new terminal window and test your new SSH port:

ssh -p 49847 username@your-server-ip

If you can connect successfully, congratulations! Your SSH port change is working. Only then should you close your original SSH session.
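The edit-and-test steps above, as an added example rather than the article's own code: a POSIX shell script (function names are hypothetical) that rewrites the Port directive in a staged copy, validates that copy with sshd -t -f, and overwrites the live file only if validation passes. It also places the directive ahead of any Match block, since sshd does not accept Port inside one; restarting the service and testing from a second session remain manual.

```shell
#!/bin/sh
# Added example (not the article's own code). Function names are hypothetical.

# set_sshd_port CONFIG PORT: print CONFIG with a single global "Port PORT".
#  - active or commented-out "Port N" lines outside Match blocks are replaced
#    by one line at the position of the first
#  - with no such line, the directive goes before the first Match block
#    (or at end of file), because sshd rejects Port inside a Match block
set_sshd_port() {
    awk -v port="$2" '
        function emit() { if (!done) { print "Port " port; done = 1 } }
        # A Match block runs until the next Match line or end of file.
        tolower($1) == "match" { emit(); in_match = 1 }
        !in_match && tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ { emit(); next }
        { print }
        END { emit() }
    ' "$1"
}

# apply_sshd_port CONFIG PORT [VALIDATOR]
# Stage the rewritten file beside CONFIG, run VALIDATOR on it (default
# "sshd -t -f", the syntax test from the article pointed at the staged file),
# and overwrite CONFIG only on success. The old file is kept as CONFIG.backup.
apply_sshd_port() (
    cfg=$1; new="$cfg.new"; validator=${3:-sshd -t -f}
    set_sshd_port "$cfg" "$2" > "$new" || exit 1
    if ! $validator "$new"; then
        rm -f "$new"
        echo "validation failed; $cfg left unchanged" >&2
        exit 1
    fi
    # cat instead of mv keeps the owner and mode of the live file.
    cp -p "$cfg" "$cfg.backup" && cat "$new" > "$cfg" && rm -f "$new"
)

# Run as root: sh set-port.sh /etc/ssh/sshd_config 49847
if [ $# -eq 2 ]; then apply_sshd_port "$1" "$2"; fi
```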

Troubleshooting Common Issues

If you can’t connect on the new port, here are the most common culprits:

  1. Firewall blocking the new port: You need to open the port in your firewall rules
  2. SELinux restrictions: SELinux might need to be told about the new SSH port
  3. Typos in configuration: Double-check your sshd_config file
  4. Service didn’t restart: Make sure the SSH service actually restarted

Don’t panic if you get locked out – most hosting providers offer console access through their web panel.

Configuring SSH Clients for Alternative Ports

Using Command Line SSH with Custom Ports

The simplest way to connect to SSH on a custom port is using the -p flag:

ssh -p 49847 username@hostname

But typing this every time gets old fast. That’s where SSH configuration files come in handy.

Configuring PuTTY for Windows Users

If you’re using PuTTY on Windows, changing the port is straightforward:

  1. Open PuTTY
  2. In the “Host Name” field, enter your server’s IP or hostname
  3. In the “Port” field, change 22 to your custom port
  4. Save the session for future use

You can also specify the port directly in the hostname field: hostname:49847

Setting Up SSH Config Files

Here’s where the magic happens. Create or edit ~/.ssh/config on your local machine:

Host myserver
    HostName your-server-ip
    Port 49847
    User your-username
    IdentityFile ~/.ssh/your-private-key

Now you can connect with just:

ssh myserver

This configuration file supports multiple servers, aliases, and all sorts of advanced options. It’s like having speed dial for your servers.

Firewall Configuration for Custom SSH Ports

UFW Configuration on Ubuntu

If you’re using Ubuntu’s Uncomplicated Firewall (UFW), you’ll need to allow your new SSH port:

sudo ufw allow 49847/tcp
sudo ufw reload

If you want to be extra careful, you can add the new rule before removing the old one:

sudo ufw allow 49847/tcp
sudo ufw reload
# Test your new configuration
sudo ufw delete allow 22/tcp

iptables Rules for SSH Ports

For systems using iptables directly:

sudo iptables -A INPUT -p tcp --dport 49847 -j ACCEPT
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Remember to make your iptables rules persistent, or they’ll disappear after a reboot!

Managing SELinux Policies

On Red Hat-based systems with SELinux enabled, you might need to update the SELinux policy:

sudo semanage port -a -t ssh_port_t -p tcp 49847
sudo systemctl restart sshd

You can verify the SELinux configuration with:

sudo semanage port -l | grep ssh

Security Best Practices for SSH Port Management

Choosing Secure Port Numbers

While any non-standard port is better than 22, some choices are smarter than others. Avoid:

  • Well-known service ports (anything under 1024)
  • Common alternative SSH ports (2022, 2222, etc.)
  • Sequential numbers (if you use 49847 on one server, don’t use 49848 on the next)
  • Personally identifiable numbers (birthdays, phone numbers, etc.)

Implementing Additional Security Measures

Changing your SSH port is just the beginning. Here’s your complete SSH security checklist:

Key-Based Authentication

Disable password authentication entirely and use SSH keys instead:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-copy-id -p 49847 user@server

Then in your sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no

Fail2Ban Integration

Install and configure Fail2Ban to automatically block IP addresses after failed login attempts:

sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit /etc/fail2ban/jail.local to include your custom SSH port:

[sshd]
enabled = true
port = 49847
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

Advanced SSH Port Configuration Scenarios

Multiple SSH Ports on One Server

Sometimes you need SSH accessible on multiple ports. Maybe you have different user groups or need to support legacy systems. You can configure SSH to listen on multiple ports:

Port 49847
Port 50123

This gives you flexibility while maintaining security. You might use the first port for administrators and the second for automated systems.

SSH Port Forwarding Considerations

When you’re using SSH tunneling or port forwarding, remember that your custom SSH port affects these operations too:

ssh -L 8080:localhost:80 -p 49847 user@server

The -p flag specifies your custom SSH port, while -L sets up the local port forwarding.

Conclusion

Changing your SSH port from 22 to something non-standard is one of the simplest and most effective security improvements you can make. It’s not a complete security solution by itself, but it dramatically reduces your attack surface and keeps your server logs clean of automated brute-force attempts.

Remember, security is about layers. Your SSH port change should be combined with strong authentication methods, regular updates, proper firewall configuration, and monitoring. Think of it as locking your car doors – it won’t stop a determined thief, but it’ll keep honest people honest and opportunistic criminals moving along.

The few minutes you spend implementing this change could save you hours of dealing with compromised servers later. Plus, once it’s set up, you’ll never have to think about it again – your SSH connections will be just as convenient as before, but significantly more secure.

Frequently Asked Questions (FAQs)

1. What happens if I forget my custom SSH port?

If you forget your custom SSH port, you have several options. First, check your local SSH config file (~/.ssh/config) if you set one up. You can also use port scanning tools like nmap to find open SSH ports on your server. As a last resort, most hosting providers offer console access through their web interface.

2. Can changing the SSH port break anything on my server?

Changing the SSH port itself won’t break any server functionality. However, you might need to update automated scripts, monitoring tools, or backup systems that connect via SSH. Also, make sure to update your firewall rules to allow the new port and block the old one.

3. Is it better to use a high port number or a low one for SSH?

For SSH, it’s generally better to use a port number above 1024 (registered ports range). Ports below 1024 are reserved for system services and typically require root privileges to bind to them. A port in the range 1024-65535 is perfect for SSH.

4. Should I completely disable port 22, or can I run SSH on both ports?

You can run SSH on multiple ports simultaneously if needed, but it’s generally better to completely move away from port 22 once you’ve confirmed your new configuration works. Running on both ports maintains the original attack vector while adding complexity to your configuration.

5. How do I change the SSH port on cloud platforms like AWS or Google Cloud?

The SSH configuration process is the same on cloud platforms, but you’ll also need to update your security groups or firewall rules in the cloud console. For AWS, modify your Security Group to allow inbound traffic on your new SSH port. For Google Cloud, update your VPC firewall rules accordingly.

Marshall Anthony is a professional Linux DevOps writer with a passion for technology and innovation. With over 8 years of experience in the industry, he has become a go-to expert for anyone looking to learn more about Linux.
