How to Change the Default SSH Port to Improve Security

A practical guide to dropping automated brute-force attacks and cleaning up your authentication logs.

Every Linux server connected to the internet has something in common: within minutes of going live, automated bots are already knocking on port 22. They are not targeting you specifically. They scan the entire IPv4 address range continuously, trying thousands of username and password combinations against anything that responds.

Changing your default SSH port will not make your server bulletproof, but it will immediately cut through the noise. You get fewer failed login attempts, cleaner authentication logs, and less exposure to credential-stuffing scripts that never look beyond port 22.

This guide walks you through the exact steps to change your SSH port safely, update your firewall correctly, and avoid the mistakes that lock admins out of their own servers.

Why Port 22 Is a Target

Port 22 is the IANA-assigned default for SSH, documented in RFC 4251. Every attacker knows it, every scanner probes it, and every brute-force toolkit is built around it.

Open /var/log/auth.log on a freshly provisioned server and you will typically find hundreds of failed login attempts within the first hour, aimed at port 22 with usernames like root, admin, ubuntu, and pi. They rarely succeed against servers with strong authentication, but they consume resources, pollute your logs, and create unnecessary exposure.

Moving SSH to a non-standard port removes your server from the crosshairs of the vast majority of automated scanners, which are configured to target port 22 and move on. It does not stop a determined, targeted attacker, but it eliminates most of the background noise permanently.
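
To put a number on that background noise before and after the port change, the following added example (not part of the original guide) counts failed password attempts per username or per source address. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; the log lines are constructed (RFC 5737 documentation addresses).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:12 web1 sshd[811]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:40 web1 sshd[820]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:02 web1 sshd[825]: Accepted publickey for deploy from 192.0.2.10 port 50110 ssh2
Mar  3 10:03:30 web1 sshd[830]: Failed password for invalid user pi from 203.0.113.5 port 51302 ssh2
EOF
}

# failed_logins user|ip [FILE]: print "count value" lines, busiest first.
# Reads stdin when FILE is omitted.
failed_logins() {
    field=$1; shift
    awk -v want="$field" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The name sits just before the last "from", which covers both
            # "for root from" and "for invalid user admin from".
            for (i = 2; i < NF; i++)
                if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
            key = (want == "ip") ? ip : user
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

sample_log | failed_logins user    # 2 root, 1 admin, 1 pi
sample_log | failed_logins ip      # 3 203.0.113.5, 1 198.51.100.7
```

On a real server, pass the log path as the second argument, for example /var/log/auth.log. The "port" value in these log lines is the client's source port, not the port sshd listens on.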

Choosing a New Port Number

Ports run from 0 to 65535. Ports up to 1023 are reserved for well-known protocols, so you should work with the range above that.

A few things worth knowing before you pick:

  • Avoid port 2222 because it is the most common SSH alternative and already targeted by many scanners.
  • Pick something between 1024 and 65535 that isn't in use on your system.
  • Verify availability before committing by running sudo ss -tlnp | grep [your-chosen-port]. No output means nothing is listening on that port.
  • Write it down. You will need it on every connection from this point forward.

Ports like 4422, 47892, or 55222 are solid choices. The less predictable, the better.

Step by Step: Changing Your SSH Port

Step 1: Edit the SSH Configuration File

The SSH daemon reads its configuration from /etc/ssh/sshd_config. Open it with elevated privileges:

Terminal
sudo nano /etc/ssh/sshd_config

Look for this line near the top:

sshd_config
#Port 22

The hash sign (#) means the line is commented out, so SSH is silently defaulting to port 22. Uncomment the line and set your chosen port:

sshd_config
Port 4422

Pro tip: Before saving, temporarily keep both ports active. This gives you a working fallback if something goes wrong:

sshd_config
Port 22
Port 4422

Once you have confirmed the new port works, come back and remove port 22. Save and exit the file.

Step 2: Restart the SSH Service

Apply the configuration change by restarting the SSH daemon. On Ubuntu, Debian, CentOS 7+, Rocky Linux, and most modern distributions:

Terminal
sudo systemctl restart sshd

On some Ubuntu versions the service is named ssh rather than sshd:

Terminal
sudo systemctl restart ssh

Confirm SSH is now listening on the new port:

Terminal
sudo ss -tlnp | grep ssh

Your new port number should appear in the output. If it doesn't, check for typos in sshd_config and run sudo sshd -t to validate the configuration syntax.

Step 3: Update Your Firewall Rules

This is the step that trips people up. Skipping it or doing it in the wrong order results in getting locked out. Do not close your existing SSH session yet.

For UFW (Ubuntu / Debian):

Terminal
sudo ufw allow 4422/tcp
sudo ufw reload

Test the new port first (see Step 4), then remove the old rule:

Terminal
sudo ufw delete allow 22/tcp
sudo ufw reload

For firewalld (CentOS / RHEL / Rocky Linux):

Terminal
sudo firewall-cmd --add-port=4422/tcp --permanent
sudo firewall-cmd --reload

After confirming access, remove port 22:

Terminal
sudo firewall-cmd --remove-port=22/tcp --permanent
sudo firewall-cmd --reload

For servers with a cloud or hardware firewall:
Check your hosting provider's control panel. Many dedicated server providers manage a network-level firewall separate from the OS. You will need to open the new port there as well, otherwise your packets never reach the server in the first place.

Step 4: Test Before You Close Anything

Open a second terminal window while keeping your existing session open. Attempt to connect using the new port:

Terminal
ssh -p 4422 user@your_server_ip

If the connection succeeds, you are clear. Return to sshd_config, remove Port 22, restart the service one more time, and remove the old firewall rule.

If the connection fails, you still have your active session to diagnose the issue. Check that systemctl status sshd shows the service running, confirm ss -tlnp shows the new port, and double-check both the OS and any external firewall rules.
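
The ordering in Steps 1 to 4 can be checked mechanically before you touch the old port. This added example (not part of the original guide) reads the Port directives from a config file and compares them with a list of ports the firewall allows. The function names, status words, and sample config are constructed, and it assumes a single config file with no Include drop-ins.

```shell
#!/bin/sh
# Added example. Assumes one config file with no Include drop-ins.

# effective_ports FILE: print the ports sshd would listen on, one per line.
effective_ports() {
    awk '
        { sub(/#.*/, "") }                   # "#Port 22" is a comment, not a setting
        tolower($1) == "port" && $2 ~ /^[0-9]+$/ && $2 >= 1 && $2 <= 65535 {
            print $2; seen = 1               # every Port line adds a listener
        }
        END { if (!seen) print 22 }          # no directive: built-in default
    ' "$1" | sort -un
}

# port_state FILE NEW_PORT "ALLOWED PORTS": print one status word.
#   unset     NEW_PORT is not an active Port directive (typo or still commented)
#   blocked   sshd would listen on NEW_PORT but the firewall list lacks it
#   fallback  NEW_PORT is ready and 22 is still configured as a way back in
#   final     NEW_PORT is ready and 22 has been removed
port_state() {
    ports=$(effective_ports "$1")
    echo "$ports" | grep -qxF "$2" || { echo unset; return 1; }
    echo " $3 " | grep -qF " $2 " || { echo blocked; return 1; }
    if echo "$ports" | grep -qxF 22; then echo fallback; else echo final; fi
}

# Constructed demo: the two-port config from Step 1, firewall not yet updated.
cfg=$(mktemp)
printf '#Port 22\nPort 22\nPort 4422\n' > "$cfg"
port_state "$cfg" 4422 "22" || true          # prints: blocked
port_state "$cfg" 4422 "22 4422"             # prints: fallback
rm -f "$cfg"
```

Only remove Port 22 and its firewall rule once the state is fallback and the Step 4 test login has succeeded.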

SELinux Users: One Extra Step

On CentOS, RHEL, Rocky Linux, and AlmaLinux systems running SELinux in enforcing mode, you need to explicitly authorize the new port for the SSH service:

sudo semanage port -a -t ssh_port_t -p tcp 4422

If semanage is not installed on your system, install it first using sudo dnf install policycoreutils-python-utils.

Skipping this step on SELinux systems is the most common reason the SSH service fails to restart after a port change. Run sudo ausearch -c sshd --raw | audit2allow to confirm whether SELinux is blocking the change.

Simplify Future Connections With SSH Client Config

Typing -p 4422 on every connection gets old quickly. Your local SSH client has a config file that handles this automatically.

On your local machine, open or create ~/.ssh/config:

~/.ssh/config
Host myserver
    HostName your_server_ip
    User your_username
    Port 4422

After saving, connect with a single command:

Terminal
ssh myserver

This works across all SSH-based tools, including scp, rsync, and most GUI clients.

Is Changing the SSH Port Enough?

No. This is worth being direct about.

Changing the SSH port is classified as security through obscurity. It dramatically reduces automated noise, but a targeted port scan will eventually discover where SSH is running. A full nmap sweep takes minutes.

For a genuinely secure server, combine port changes with these practices:

  • Key-based authentication: add PasswordAuthentication no to sshd_config to disable password logins entirely.
  • Fail2ban: automatically bans IPs after repeated failed authentication attempts.
  • AllowUsers: restricts SSH access to specific user accounts only. For example, AllowUsers deploy shannon
  • IP whitelisting: if your own IP is static, restrict SSH access to it exclusively at the firewall level.

Think of changing the SSH port as turning off the porch light rather than installing a lock. It stops casual passersby, but it does not stop someone with intent. Pair it with the above measures and your server becomes genuinely hardened.

Quick Reference

Action                    Command
Edit SSH config           sudo nano /etc/ssh/sshd_config
Set new port              Port 4422
Restart SSH               sudo systemctl restart sshd
Check listening ports     sudo ss -tlnp | grep ssh
UFW allow new port        sudo ufw allow 4422/tcp
Test connection           ssh -p 4422 user@ip
UFW remove old port       sudo ufw delete allow 22/tcp
SELinux authorize port    sudo semanage port -a -t ssh_port_t -p tcp 4422

Frequently Asked Questions

What port should I change SSH to?
Choose any unused port between 1024 and 65535. Avoid 2222 since it is already on most scanner lists. Something like 4422, 55020, or 47892 is less predictable and a better choice.

Will changing the SSH port break my existing connections?
Only if you skip updating your firewall or client config. Always test the new port in a second terminal before removing port 22, and update ~/.ssh/config on your local machine so connections don't break.

Does changing SSH port actually improve security?
It eliminates most automated brute-force attempts, which target port 22 exclusively. It does not protect against targeted attacks. Use it alongside key-based authentication and fail2ban for meaningful security improvement.

Do I need to do anything extra on CentOS or RHEL?
Yes. Systems running SELinux in enforcing mode require an additional semanage command to authorize the new port. Without it, sshd will refuse to restart. See the SELinux section above.

Can I run SSH on two ports at the same time?
Yes. Add multiple Port lines to sshd_config during the transition. Remove the old one once you have confirmed the new port works and firewall rules are updated.
