Why Change the Default SSH Port on Linux? Understanding the Security Benefits
Changing the SSH port on Linux is a straightforward yet effective way to bolster your system’s security. By default, SSH operates on port 22, making it a prime target for automated bots and malicious attackers. Changing this port can help obscure your SSH service, reducing the likelihood of automated attacks and brute-force attempts. This section will walk you through the steps required to change the SSH port on a Linux system, while also explaining the security benefits of this action.
Prepare the System for SSH Port Change
Before making any changes to the SSH configuration, ensure your system is ready for the SSH port change. First, verify that the SSH service is running and active. You can check its status by running:
systemctl status ssh
This command shows whether SSH is active and running. If it isn’t, you’ll need to start the service before proceeding.
Next, back up your SSH configuration file to prevent any loss of data if something goes wrong. Use the following command to create a backup:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
This command copies the sshd_config file to a backup location. It ensures that you can restore the default settings if needed.
Edit SSH Configuration File to Change Port
To change the SSH port, you’ll need to edit the SSH configuration file. Open the file with a text editor like nano:
sudo nano /etc/ssh/sshd_config
Inside the file, locate the line that specifies the Port (it is usually set to 22 by default). Modify this line to the port number you wish to use, for example:
Port 2222
Make sure to choose a port that is not already in use. After making this change, save and close the file.
Adjust Firewall and Security Settings
Once you’ve changed the SSH port, you must update your firewall settings to allow connections on the new port. If you’re using UFW (Uncomplicated Firewall), use this command:
sudo ufw allow 2222/tcp
This command allows incoming connections on port 2222 for TCP traffic. Don’t forget to disable the old port (port 22) to prevent access through it:
sudo ufw deny 22/tcp
This ensures that only the new SSH port is accessible. If you’re using a different firewall, such as iptables, adjust the settings accordingly.
Restart SSH Service and Test the New Configuration
After modifying the configuration and firewall settings, restart the SSH service to apply the changes:
sudo systemctl restart sshd
This command restarts the SSH service and applies the changes you’ve made.
Finally, verify that the new port is working correctly. You can test the connection by using the following SSH command:
ssh -p 2222 user@hostname
Replace 2222 with the port you chose, and user@hostname with your actual username and server address. If the connection is successful, you’ve successfully changed the SSH port.
By following these steps, you not only make your system more secure by reducing exposure to automated attacks, but you also gain greater control over how SSH operates on your Linux machine. For more detailed instructions on securing SSH on Linux, refer to Change SSH Port on Linux: Ubuntu & CentOS Guide and Change the Default SSH Port in Linux — GeeksforGeeks.
For additional SSH hardening tips, check out 15 SSH Best Practices Every Linux Admin Should Know.
Step-by-Step Guide to Changing the SSH Port on Linux
Changing the SSH port on a Linux system is an effective way to enhance security by making your server less visible to attackers who target default ports. By following this step-by-step guide, you’ll learn how to modify the SSH port, configure your firewall, and verify the changes. After completing this process, you’ll have an added layer of security for your system’s SSH access.
Prepare the System for SSH Port Change
Before changing the SSH port, it’s crucial to prepare your system to avoid getting locked out. This involves ensuring that you have backup access to the server, particularly if you are remotely managing it.
- Backup access: Ensure that you have another method of accessing the system, such as a physical console or an alternate user account with SSH access, in case something goes wrong.
- Check current SSH access: Run ss -tuln to verify that SSH is listening on the default port (22). This step ensures that the system is configured correctly before any changes.
ss -tuln
This command will show you all the active ports. Look for an entry like 22 under the Local Address column, confirming that SSH is running on the default port.
- Use `sudo`: Since you’ll be editing system files and restarting services, always ensure you have the necessary privileges by using `sudo` for administrative commands.
By ensuring these precautions, you can minimize the risk of losing access during the configuration process.
Edit SSH Configuration File to Change Port
The next step is to modify the SSH configuration file to change the default port. The SSH configuration file is typically located at /etc/ssh/sshd_config.
- Open the SSH configuration file: Use a text editor with sudo to open the configuration file. For instance, use nano to open the file:
sudo nano /etc/ssh/sshd_config
- Modify the Port directive: Look for the line that specifies the port (usually #Port 22 or Port 22 if it’s uncommented). Change this line to your preferred port number. For example, if you want to use port 2222, modify the line like this:
Port 2222
- Save and exit: After making the change, save the file and exit the text editor. In nano, you can press CTRL + O to save and CTRL + X to exit.
Changing the SSH port helps to reduce the chances of automated attacks targeting the default port.
Adjust Firewall and Security Settings
After changing the SSH port, it’s essential to update the firewall settings to allow traffic on the new port. This ensures that your system remains accessible via SSH after the change.
- Allow the new port through the firewall: If you’re using UFW (Uncomplicated Firewall), run the following command to allow the new port (e.g., 2222):
sudo ufw allow 2222/tcp
This will allow SSH traffic on port 2222 through the firewall.
- Disable access to the old port: It’s also important to block the default SSH port (22) to prevent unauthorized access. Run this command to deny access to port 22:
sudo ufw deny 22/tcp
- Verify firewall settings: To ensure the new port is open, use:
sudo ufw status
This command will display the current firewall rules. Make sure the new port is listed as allowed.
Firewall changes are a critical part of securing your server. Make sure that you don’t inadvertently lock yourself out by forgetting to open the new port.
Restart SSH Service and Test the New Configuration
Once the SSH configuration and firewall settings have been adjusted, the next step is to restart the SSH service to apply the changes. Testing the new configuration is crucial to ensure everything is working correctly.
- Restart SSH service: To apply the changes to the SSH configuration file, restart the SSH service using the following command:
sudo systemctl restart sshd
- Verify the new port: To verify that SSH is listening on the new port, use the following command:
ss -tuln
Look for an entry with the new port number (e.g., 2222) under the Local Address column. This confirms that the SSH service is now running on the new port.
- Test the new port: Finally, test the SSH connection to ensure that it works on the new port. From a different terminal or machine, try connecting to your server with the new port:
ssh -p 2222 user@your-server-ip
Replace 2222 with the actual port number you configured. If the connection is successful, you’ve successfully changed the SSH port.
By following these steps, you can ensure that your SSH port change is effective and that your system remains secure.
Comparing Methods to Change SSH Port: Manual vs. Tools and Configuration Files
Changing the SSH port on a Linux system is a common security practice, primarily aimed at reducing the risk of unauthorized access. The process can be done manually by editing configuration files or by utilizing tools like UFW (Uncomplicated Firewall). Both methods have distinct advantages and limitations depending on your system requirements. In this section, we’ll compare these approaches to help you decide the best way to change your SSH port on Linux based on security needs, ease of use, and performance considerations.
Manual Configuration vs. Using Tools like UFW
When it comes to changing the SSH port on a Linux system, there are two common methods: manual configuration and using tools like UFW.
Manual Configuration
The manual approach involves editing the SSH configuration file directly. You would modify the /etc/ssh/sshd_config file to change the default SSH port, which typically listens on port 22. To do this:
- Open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Locate the #Port 22 line and change it to your desired port, e.g., Port 2222. Remove the # to uncomment the line.
- Save the file and restart SSH:
sudo systemctl restart ssh
This change modifies the SSH server’s port, but it doesn’t automatically adjust firewall settings.
Using UFW
UFW, or Uncomplicated Firewall, is a tool that can be used to manage firewall rules easily. If you are using UFW, after changing the port in the SSH configuration, you must allow the new port through the firewall. For instance, if you’ve changed the SSH port to 2222, you would run:
sudo ufw allow 2222/tcp
sudo ufw reload
These commands ensure that UFW allows traffic on your new SSH port, so the firewall doesn’t cut you off from SSH after the change.
Comparison
- Manual Configuration: Offers direct control over SSH settings and is flexible in complex environments. However, you must remember to also adjust firewall rules manually, making it slightly more error-prone.
- Using UFW: Simplifies firewall management and is especially useful for beginners. UFW makes allowing the new SSH port a single command, but it adds a dependency on an additional tool.
Evaluating Trade-offs: Ease of Use vs. Security
When deciding whether to change the SSH port manually or use a tool like UFW, it’s essential to evaluate the trade-offs between ease of use and security.
Ease of Use
Manual configuration requires familiarity with SSH configuration files and the Linux command line. While it’s not difficult for intermediate users, beginners may find the manual approach daunting, especially when remembering to update firewall settings.
Using UFW, on the other hand, is much easier for beginners. The tool simplifies the process by automating firewall rules, reducing the risk of errors. However, this ease of use comes at the cost of some flexibility, as UFW abstracts some of the lower-level configuration details.
Security
From a security standpoint, both methods can be equally secure when configured correctly. Changing the SSH port and properly configuring the firewall are both critical to protecting the system from unauthorized access. However, the manual method gives you more control over configuration settings, potentially allowing for more sophisticated security setups.
UFW enhances security by providing a simple interface to manage rules, but its simplicity may limit advanced users from configuring more granular firewall policies.
Impact of SSH Port Change on Performance
Changing the SSH port on a Linux system doesn’t significantly impact system performance under typical use. The main concern with SSH port changes is ensuring that the new port is correctly configured and accessible.
However, in some specific environments, a higher port number (e.g., 2222 or above) may face some minor delays in routing due to the way packets are handled by network firewalls and routers. This is usually negligible but could potentially affect performance in highly sensitive applications.
In general, the performance impact of changing the SSH port is minimal unless there are additional network configurations or performance tuning adjustments that need to be made. It’s important to ensure that the new port does not conflict with other services or result in excessive traffic blocking.
Using Scalable VMs for Testing SSH Port Changes
Testing the impact of changing the SSH port can be effectively done using scalable virtual machines (VMs). VMs provide a safe, isolated environment for experimentation without affecting your production system.
Here’s how you can use a VM to test the SSH port change:
- Set up a VM with the same operating system as your production server.
- Apply the SSH port change and firewall configuration in the same way you would on your live server.
- Test the connectivity and system performance by attempting SSH connections from different networks and assessing whether the new port is accessible.
By using VMs, you can ensure that your SSH port changes won’t disrupt production services. Additionally, VMs allow you to experiment with different firewall configurations and port settings to determine the best setup for your security and performance needs.
In conclusion, changing the SSH port on Linux is an important step toward securing your system. Depending on your needs, you can choose between manual configuration and using tools like UFW. By considering the trade-offs between ease of use and security, understanding the impact on performance, and using VMs for testing, you can make an informed decision on the best approach to secure your SSH access.
Best Practices for Linux SSH Port Management and Optimization
Changing the SSH port on a Linux system is an essential step in enhancing security. By default, SSH runs on port 22, making it a prime target for brute force attacks. Changing the SSH port on Linux is one of the simplest yet most effective methods to reduce the risk of unauthorized access. In this section, we will guide you through the process of changing your SSH port, securing it, and optimizing your system’s SSH setup for long-term protection.
Choosing the Right SSH Port for Enhanced Security
When you change the SSH port on Linux, it is crucial to select a port that isn’t commonly targeted by attackers. By default, SSH operates on port 22, and leaving it unchanged could leave your system vulnerable to brute-force attempts, which are often automated and easily detectable.
Risks of Using Port 22:
The biggest risk of leaving port 22 open is that it’s one of the most scanned ports on the internet. Attackers often attempt to gain access to your system by repeatedly trying to guess your password, and leaving port 22 exposed invites this type of attack.
Tips for Choosing a Secure Port:
- Pick a port within the range 1024 to 49151. These are known as registered ports, and they are less likely to be targeted by automated scans.
- Avoid choosing ports like 1 or 65535, as they can cause issues with certain network operations.
- Ensure that the selected port is not already used by other services.
For example, to change the SSH port to 2222, edit the /etc/ssh/sshd_config file by finding the line starting with #Port 22, then modify it like this:
Port 2222
This sets your SSH service to listen on port 2222, which will provide a level of obscurity against common attack attempts.
Configuring Firewalls After Changing the SSH Port
Once you have changed the SSH port on Linux, it’s crucial to configure your firewall rules to ensure that the new port is accessible for secure connections. Failure to update your firewall settings can lock you out of your system.
Steps to Adjust Firewall Rules:
- If you’re using UFW (Uncomplicated Firewall), you can open the new port using the following command:
sudo ufw allow 2222/tcp
This allows incoming traffic on port 2222. You can verify the change by running:
sudo ufw status
- If you’re using iptables, you can add the rule with:
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
These commands ensure that SSH traffic on the new port is allowed through the firewall.
For more detailed instructions on configuring firewalls, see our article on firewall configuration.
Long-term SSH Port Security and Monitoring
Securing your SSH port isn’t a one-time task. To ensure long-term security, regular monitoring and logging are essential to detect any unusual activities on the SSH port.
Techniques for Monitoring SSH Access Logs:
- Regularly check the /var/log/auth.log file for any failed login attempts. You can do this with:
grep "Failed password" /var/log/auth.log
- Consider using fail2ban, a tool that can automatically block IP addresses after several failed login attempts. Install it with:
sudo apt install fail2ban
Importance of Regular Port Scanning:
- Performing regular port scans with tools like nmap can help detect unauthorized open ports. Run a scan like this to verify your SSH port is secure:
nmap -p 2222 your-server-ip
This will check if the new SSH port is correctly exposed to the network and can be accessed securely.
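The monitoring tips above, as an added shell example that is not part of the original article: an awk summary of failed password attempts per source address over a constructed auth.log excerpt, a threshold filter, and a writer for a minimal fail2ban jail.local. The last part covers something the article’s apt install line leaves out: fail2ban’s sshd jail watches the port named ssh (22) by default, so after the port change the jail has to be told the new port or it will never ban anyone. The log lines and addresses are constructed; on RHEL-style systems the log is /var/log/secure, and journald-only hosts have no file at all, so feed the function the right input.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. The log lines below are
# constructed; the addresses come from documentation ranges.
AUTH_SAMPLE='Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:01:20 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar  3 10:02:01 host sshd[1240]: Failed password for root from 198.51.100.9 port 44444 ssh2
Mar  3 10:02:05 host sshd[1241]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2'

# Read auth.log lines on stdin; print "count ip" for each source of failed
# password attempts, most frequent first. Matching "sshd[...]: Failed password"
# rather than a bare "Failed password" avoids counting other daemons' lines.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Read "count ip" lines on stdin; print only the addresses at or above the threshold.
flag_brute_force() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# Write a minimal fail2ban jail.local into DIR that watches the new port.
# Times are in seconds so the file also works on older fail2ban releases.
# On journald-only hosts add "backend = systemd" to the [sshd] section.
write_fail2ban_jail() {
    dir="$1"; port="$2"
    cat > "$dir/jail.local" <<EOF
[sshd]
enabled  = true
port     = $port
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Usage on a live host (root shell, after defining the functions above):
#   failed_logins_by_ip < /var/log/auth.log | flag_brute_force 10
#   write_fail2ban_jail /etc/fail2ban 2222 && systemctl restart fail2ban
```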
Optimizing SSH Port Security with Customizable VMs
Using Virtual Machines (VMs) can add an extra layer of security when configuring your SSH port. VMs allow you to isolate SSH services in a controlled environment, reducing the risk of compromising your entire system.
Benefits of Using VMs for SSH:
- Isolation: VMs isolate the SSH service from the rest of your system, making it harder for an attacker to impact other parts of your system.
- Customization: You can configure each VM to use different ports or security measures, allowing you to fine-tune each environment based on specific needs.
For example, to configure SSH on a VM, you would typically modify the sshd_config file as you would on a physical server, but the changes only apply to the VM. This enables you to experiment with different configurations without affecting your main system.
By using VMs, you gain flexibility in managing SSH ports and can enhance the security of your overall infrastructure.
Testing and Verifying Your New SSH Port Configuration
After you change the SSH port on your Linux system, it’s essential to test and verify that the new configuration works correctly. This ensures that your system remains accessible via SSH on the new port and helps avoid any connectivity issues. In this section, we’ll walk you through methods to test your SSH port changes and troubleshoot common issues that may arise.
How to Test SSH Port Changes in Linux Environments
To confirm that the SSH port change has been successful, you need to test the connection to the new port. Here are some practical methods to do that:
- Using `ssh` command
You can directly test the SSH connection using the ssh command, specifying the new port number.
ssh -p <new-port> user@hostname
This command attempts to establish an SSH connection to your server on the specified port. If successful, the terminal will prompt you for the user’s password.
- Using `nc` (Netcat)
nc is useful for checking whether the SSH port is open and accessible.
nc -zv <hostname> <new-port>
This command checks if the port is open on the target host. The -z flag makes nc scan for open ports, and the -v flag provides verbose output, showing you whether the port is open or closed.
- Using `nmap`
Another method is to use nmap for a more comprehensive port scan:
nmap -p <new-port> <hostname>
This will show whether the SSH port is open on the target host and provide details about the service running on that port.
- Using `telnet`
You can also use telnet to test the SSH port.
telnet <hostname> <new-port>
If the connection is successful, it indicates that the port is open and accepting connections.
- Verify SSH service with `ss`
To ensure that the SSH service is listening on the new port, use the ss command:
sudo ss -tulnp | grep sshd
Because -n prints ports numerically, the output never contains the word "ssh"; the -p flag (which needs root) adds the owning process, so matching on sshd is what identifies the daemon. This lists the listening sockets owned by sshd, showing the new port if it’s correctly configured.
Each of these tools helps you verify that your SSH service is properly configured to listen on the new port. If any of these commands fail, it may indicate a misconfiguration or network issue.
Troubleshooting Common Issues After SSH Port Modification
After changing the SSH port, several issues might prevent a successful connection. Here are some common problems and how to troubleshoot them:
- Firewall settings blocking the new port
One of the most common issues is a firewall blocking the new SSH port. To check this, verify your firewall rules:
- For UFW (Uncomplicated Firewall), use:
sudo ufw status
This will list all active firewall rules. Ensure that the new port is allowed through the firewall. If not, add the rule:
sudo ufw allow <new-port>/tcp
- For firewalld, use:
sudo firewall-cmd --list-all
If the new port is missing, add it:
sudo firewall-cmd --permanent --add-port=<new-port>/tcp
sudo firewall-cmd --reload
- SSH service not restarted
If the SSH service hasn’t been restarted after changing the port, it may still be listening on the old port. Verify the status of the SSH service with:
systemctl status sshd
If the service is not running or hasn’t been restarted, use the following command to restart it:
sudo systemctl restart sshd
- SELinux or AppArmor blocking the port
SELinux or AppArmor might be enforcing policies that block your new SSH port. To check SELinux status:
getenforce
If SELinux is enforcing, you may need to update its policies to allow the new port; on SELinux systems the port is labelled for sshd with semanage port -a -t ssh_port_t -p tcp <new-port>. To temporarily disable SELinux for testing:
sudo setenforce 0
Remember to restore the settings after testing:
sudo setenforce 1
- Service not listening on the new port
If the SSH service isn’t listening on the new port, ensure the sshd_config file was correctly updated. Check the listening ports with:
sudo ss -tulnp | grep sshd
If the new port is not listed, revisit the /etc/ssh/sshd_config file and confirm that the Port directive is set correctly. After making changes, restart the SSH service.
By following these troubleshooting steps, you can quickly identify and resolve the most common issues after changing the SSH port on Linux. For more in-depth troubleshooting, refer to the Debugging SSH Connection Issues: A Linux Expert’s Guide.
By following these troubleshooting steps, you can quickly identify and resolve the most common issues after changing the SSH port on Linux. For more in-depth troubleshooting, refer to the Debugging SSH Connection Issues: A Linux Expert’s Guide.