Moving SSH off default port 22

Alright, we are moving along with locking down this server – I feel safer already!

We just finished disabling root access via SSH, now we are going to make 1 more simple change: moving SSH from listening on the default port 22, to something less predictable and unused – you don’t want/can’t have two different services listening on the same port (the port binding will fail on startup anyway).

Admittedly, sniffing a server for open ports and finding SSH running on another port isn’t that hard for a hacker and is no form of security against a professional, BUT this change still has value to keep bots and other riff-raff from quickly finding holes in our armor for no good reason.

Please Note: Making this change and then restarting the SSH Daemon at the end of this page may terminate the SSH session you are currently using to connect to the server to actually run the command and work your way through this guide.

So just be prepared for this, don’t freak out and go ahead and reconnect.

Choosing a new port

You can typically pick any port you want from the min of 1 to the max of 65,535 for the SSH Daemon to run on.

You’ll want to make sure the port isn’t already in use (bound to another service) and that can be done with the following command:

sudo netstat --inet -lnp

Tip: The netstat command is from the net-tools package and you can easily install it with the sudo apt install net-tools command!

The output of which will look like:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 *               LISTEN      886/systemd-resolve 
tcp        0      0    *               LISTEN      13247/sshd: /usr/sb 
udp        0      0 *                           886/systemd-resolve 

Now that you have figured out the port number you want to use, let’s change it!

Changing the port

Let’s open the SSH Daemon config file for a quick edit:

sudo nano /etc/ssh/sshd_config

and scroll down to find the Port directive; it’s usually one of the first lines in the file:

#Port 22
#AddressFamily any
#ListenAddress ::

Now, you can uncomment the line (remove the #) and change it OR, what I liked to do, is duplicate the line – add a comment above it as to why I made the change – and setup your new Port value:

#Port 22
#UPDATED Feb 22, 2021 by rkalla - making things secure!
Port 1234

Tip: Leaving comments behind in configs is especially helpful over time when you are running servers for years and forget why certain configs changed the way they did or when the change was made.

Now you’ll want to save the config, exit the editor and restart the SSH Daemon like we did before with the command

sudo systemctl restart ssh

And now we’ll want to check the status of the SSH Daemon to confirm our change worked:

$ sudo systemctl status ssh
... SNIPPED (ssh.service output) ...
Feb 22 13:08:46 e3-2276 systemd[1]: Starting OpenBSD Secure Shell server...
Feb 22 13:08:46 e3-2276 sshd[13247]: Server listening on port 1234.
Feb 22 13:08:46 e3-2276 sshd[13247]: Server listening on :: port 1234.
Feb 22 13:08:46 e3-2276 systemd[1]: Started OpenBSD Secure Shell server.

Looks good, we see the service listening on the right port we configured!

Important: At this point in time before you continue, I would strongly recommend you open another terminal session on your local machine and attempt to connect to your server on the port you just configured.

It’s possible during the SSH restarts your sessions weren’t dropped and before we move on, you want to make sure you really can get back in if you needed to without dropping the one connection that is still working.

You got back in? Excellent, our settings worked! One step closer to a secure future!