Help Center
Home Server & Cloud Infrastructure Cloud Server Important Security Information for Your Server

Changing the default SSH port

Valid for VPS, Cloud Servers, Dedicated Servers, and Value Servers.

This article explains how to change the default SSH port to increase the security of your server.

By default, port 22 is used to establish an SSH connection. This port is automatically configured during the installation of your operating system.

To reduce the number of brute force attacks, you can configure a different port for SSH access.

Please Note

  • Before changing the port, make sure that the applications and services installed on the server can also be configured with a user-defined port. Otherwise, changing the default port may result in these applications and services no longer functioning.

  • Before changing the port, also ensure that the port you have selected is enabled in the operating system and Cloud Panel firewalls.

Change SSH port in Ubuntu 22.04 and 24.04; Debian 11 and 12

To change the SSH port:

  • Log in to the server as an administrator.

  • Open the SSH configuration file sshd_config with the vi text editor:

    vi /etc/ssh/sshd_config

  • Search for the entry Port 22.

  • Replace port 22 with a port within the range of 1024 to 65535.

Note

The vi editor has an insert mode and a command mode. You can call up insert mode with the [i] key. In this mode, the characters entered are immediately inserted into the text. To call up command mode, press [ESC]. If you use command mode, your keyboard input is interpreted as a command.

Please Note

Make sure that the selected port is not used for other services. You can do this using the following port list, which is provided by the Internet Assigned Numbers Authority (IANA):

Service Name and Transport Protocol Port Number Registry

Alternatively, you can view the list of ports in the /etc/services file.

  • To exit vi and save the file, enter the command :wq and then press Enter.

  • Restart the SSH service. To do this, enter the command below. If you are logged in as root, you can omit sudo.

    sudo systemctl restart ssh

  • To check the status of the service, enter the command below. If you are logged in as root, you can omit sudo.

    sudo systemctl status ssh

  • To establish an SSH connection after this change, enter the following command:

    ssh root@IP_address_of_server -p NewPort

Change SSH port in Rocky Linux 8 and 9; AlmaLinux 8, 9, and 10

  • Log in to the server as an administrator.

  • Open the SSH configuration file sshd_config with the vi text editor:

    vi /etc/ssh/sshd_config

  • Search for the entry Port 22.
  • Replace port 22 with a port within the range of 1024 to 65535.
  • Optional: If the hash sign is at the beginning of the Port line, you must remove it so that the port is taken into account in the configuration.
     

Note

The vi editor has an insert mode and a command mode. You can call up insert mode with the [i] key. In this mode, the characters entered are immediately inserted into the text. To call up command mode, press [ESC]. If you use command mode, your keyboard input is interpreted as a command.

Please Note

Make sure that the selected port is not used for other services. You can do this using the following port list, which is provided by the Internet Assigned Numbers Authority (IANA):
Service Name and Transport Protocol Port Number Registry

Alternatively, you can view the list of ports in the /etc/services file.

  • To exit vi and save the file, enter the command :wq and then press Enter.

  • If SELinux is enabled (default for Rocky/AlmaLinux), you must add the new port to the SELinux context before restarting the service. To do this, enter the following command:

    semanage port -a -t ssh_port_t -p tcp MY_NEW_PORT

    Example:

    semanage port -a -t ssh_port_t -p tcp 22222

Note

If the semanage command is not found, enter the following command to install the required package:

dnf install policycoreutils-python-utils

  • To check the SELinux configuration (Security-Enhanced Linux), enter the command below. This command shows which network ports are authorized for the SSH service according to the current security guidelines.

    semanage port -l | grep ssh

  • Restart the SSH service.

    systemctl restart sshd

  • To check the status of the service, enter the following command:

    systemctl status sshd

  • To establish an SSH connection after this change, enter the following command:

    ssh root@IP_address_of_server -p NewPort

    Example:

    ssh root@IP-address_of_the_server -p 22222

Change SSH port in Debian 13

As of Debian 13, the port is no longer managed by the SSH service itself, but by the system (systemd). The port is therefore set at the socket, not in /etc/ssh/sshd_config.

Please Note

  • Leave your existing SSH session open until the new connection works.
  • Select a free port between 1024 and 65535 (example: 22222).
  • Open the new port in the internal firewall and in the firewall policies of the Cloud Panel.
  • Make sure that an alternative user with sudo rights exists and works via SSH.
  • Only remove port 22 after a successful test.
  • Log in to the server as an administrator.

  • To check whether the ssh.socket service is active, enter the following command:

    systemctl is-active ssh.socket

  • To check whether the ssh.service is active, enter the following command:

    systemctl is-active ssh.service


Note

On Debian 13, ssh.socket is normally active. If ssh.service is also active, port 22 remains open until it is deactivated.

  • To open the configuration editor, enter the following command:

    systemctl edit ssh.socket

  • Enter the following information in the text editor that opens:

    [Socket]
    ListenStream=
    ListenStream=0.0.0.0:NEW_PORT
    ListenStream=[::]:NEW_PORT

    Example:

    [Socket]
    ListenStream=0.0.0.0:22222
    ListenStream=[::]:22222


    The entry ListenStream= (empty) deletes the old default port 22. The entry ListenStream=22222 sets the new port.

  • When the Nano editor opens (default): Press CTRL + O and Enter to save, then CTRL + X to exit. Then enter Y if necessary and press Enter.
    When the Vi/Vim editor opens: Press Esc, type :wq and press Enter.

  • To apply the changes and ensure that only the socket is active, enter the following commands:

    systemctl daemon-reload

    systemctl disable --now ssh.service

  • To restart the socket, enter the following commands:

    systemctl restart ssh.socket

    systemctl enable ssh.socket

  • Open another terminal or PuTTY window.

  • Enter the IP address of the server in the Host Name field.

  • Enter the new port in the Port field.

  • Click on OK.

  • Log in to the server. If the login works, you can close the old session and remove port 22 in the firewall.

  • To check whether only the new SSH port is active, enter the following command:

    ss -lntp | grep -E ':(22|NEW_PORT)'

  • Check the socket status with the following command:

    systemctl status ssh.socket

  • To display the effective socket configuration, enter the following command:

    systemctl cat ssh.socket

Note

If the login does not work, check your firewall settings and undo the changes if necessary.

Content