What this is
This procedure changes the SSH port on your server (default is 22) to reduce automated login attempts.
What it is for
- Reduce automated “bot” scans on port 22
- Improve security (as an extra layer, not the only one)
Prerequisites
- SSH access to the server
- Root or sudo privileges
- Important: Keep your current SSH session open while testing the new port
Step-by-step
Step 1) Choose a new port
Pick an unused port, for example 2222. Avoid ports already used by other services.
Step 2) Edit the SSH server config
Command:
sudo nano /etc/ssh/sshd_config
What it does: Opens the SSH server configuration file.
Change or add this line:
Port 2222
Warning: Do NOT close your current session yet.
Step 3) Validate the SSH config (recommended)
sudo sshd -t
What it does: Checks the config file for syntax errors.
Expected output: No output (silent) means OK. If there is an error, fix it before restarting.
Step 4) Allow the new port in the firewall
UFW (Ubuntu/Debian commonly)
sudo ufw allow 2222/tcp
sudo ufw status
Expected output: A rule allowing 2222/tcp.
firewalld (RHEL/Rocky/Alma commonly)
sudo firewall-cmd --add-port=2222/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
Expected output: You should see 2222/tcp listed.
Step 5) Restart SSH service
Debian/Ubuntu:
sudo systemctl restart ssh
RHEL-based:
sudo systemctl restart sshd
Step 6) Test the new port (open a new terminal)
Command:
ssh -p 2222 USERNAME@YOUR_SERVER_IP
Expected result: You can log in successfully.
Step 7) (Optional) Close the old port 22
Only after confirming the new port works.
UFW
sudo ufw delete allow 22/tcp
sudo ufw status
firewalld
sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --reload
Final verification
- Confirm SSH works on the new port from a new session.
- Confirm your firewall allows the new port.
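The two checks above can be gated on evidence before running Step 7. The script below is an added example, not part of the original procedure: it reads the text of `sshd -T` (effective config) and `ss -tln` (listening sockets) and prints a verdict. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate Step 7 on evidence, using text from `sshd -T` and `ss -tln`.

# Print each port in sshd's effective config (stdin: output of `sshd -T`).
config_ports() {
    awk 'tolower($1) == "port" { print $2 }'
}

# Succeed if stdin (output of `ss -tln`) shows a TCP listener on port $1.
is_listening() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) ok = 1 }
                   END { exit !ok }'
}

# $1 = new port, $2 = `sshd -T` text, $3 = `ss -tln` text. Prints one verdict.
check_cutover() {
    if ! printf '%s\n' "$2" | config_ports | grep -qx "$1"; then
        echo "not-configured"      # Port line missing or not picked up
    elif ! printf '%s\n' "$3" | is_listening "$1"; then
        echo "not-listening"       # configured, but sshd has not bound it
    elif printf '%s\n' "$2" | config_ports | grep -qx 22; then
        echo "ready-22-still-configured"  # firewall would only hide port 22
    else
        echo "ready"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_SSHD_T='port 2222
addressfamily any
permitrootlogin no'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*
LISTEN 0      128             [::]:2222         [::]:*'

check_cutover 2222 "$SAMPLE_SSHD_T" "$SAMPLE_SS"
# On a server: check_cutover 2222 "$(sudo sshd -T)" "$(ss -tln)"
```

A `not-listening` verdict after the restart means sshd did not bind the new port; on RHEL-family hosts with SELinux enforcing, the port must also be labelled `ssh_port_t` (for example with `semanage port -a -t ssh_port_t -p tcp 2222`) before sshd can bind it.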
Conclusion
You changed the SSH port safely. Remember: the best security comes from SSH keys + disabling root login + firewall rules, not only from changing the port.