Help Center
Home Server & Cloud Infrastructure Cloud Server Important Security Information for Your Server

Changing the SSH port

Valid for VPS+, VPS, Cloud Servers, Dedicated Servers, and Bare Metal Servers running AlmaLinux 9, AlmaLinux 10, Rocky Linux 9, Rocky Linux 10, Ubuntu 24.04, Ubuntu 26.04, Debian 12, and Debian 13

This article explains how to change the default SSH port to improve the security of your server.

By default, port 22 is used to establish an SSH connection. This port is automatically configured during the installation of your operating system.

To reduce the number of brute-force attacks, you can configure a different port for SSH access.

Please Note

  • Before changing the port, make sure that the applications and services installed on the server can also be configured to use a custom port. Otherwise, changing the default port may cause those applications and services to stop working.

  • Make sure that the port you choose is allowed in the firewall. This also applies to the firewall policy assigned to the server in the Cloud Panel.

Change the SSH port on Ubuntu 24.04 and 26.04

To change the SSH port:

  • Log in to the server as an administrator.

  • Open the SSH configuration file sshd_config using the vi text editor:

    vi /etc/ssh/sshd_config

  • Find the entry for Port 22.

  • Remove the # symbol. Replace port 22 with a port in the range 1024 to 65535.

Note

The vi editor has an insert mode and a command mode. You can enter insert mode by pressing the [i] key. In this mode, the characters you type are inserted into the text immediately. To switch to command mode, press [ESC] afterwards. When you are in command mode, your keystrokes are interpreted as commands.

Please Note

Make sure that the selected port is not already being used by another service. You can check this using the Internet Assigned Numbers Authority (IANA) port list: Service Name and Transport Protocol Port Number Registry

Alternatively, you can view the list of ports in the /etc/services file.

  • To exit vi and save the file, type the command :wq and then press the Enter key.

  • Run the command to create an override file. The nano editor will open.

    sudo systemctl edit ssh.socket

  • In the section ### Anything between here and the comment below will become the contents of the drop-in file, enter the following information:

    [Socket]
    ListenStream=
    ListenStream=0.0.0.0:NEW_PORT
    ListenStream=[::]:NEW_PORT

    Example:

    [Socket]
    ListenStream=
    ListenStream=0.0.0.0:2222
    ListenStream=[::]:2222

Note

The first empty ListenStream= line is important to disable the default port 22. 

  • To save the change, press the key combination Ctrl+O and then the Enter key.
  • To close the nano editor, press Ctrl+X.
  • Save and close the editor. If the prompt Save modified buffer appears, type Y and press Enter.

  • To reload the systemd configuration and restart the socket service, enter the following command:

    sudo systemctl daemon-reload
    sudo systemctl stop ssh.service
    sudo systemctl restart ssh.socket

Caution

Be sure to keep your current SSH session open. 

  • To allow the new port in the UFW firewall, adjust and run the following commands:

    sudo ufw allow PORT/tcp
    sudo ufw reload

    Example:

    sudo ufw allow 22222/tcp
    sudo ufw reload

  • To check whether the port has been changed, enter the following command:

    ss -lntp | grep :22

    If the error message Connection refused is displayed, restart the server.

  • Test the connection in a new terminal window. To do this, enter the following command:

    ssh username@your-ip-address -p 2222

Change the SSH port on Rocky Linux 8, Rocky Linux 9, AlmaLinux 8, AlmaLinux 9, and AlmaLinux 10

  • Log in to the server as an administrator.

  • Open the SSH configuration file sshd_config using the vi text editor:

    vi /etc/ssh/sshd_config

  • Find the entry Port 22.
  • Replace Port 22 with a port number in the range 1024 to 65535. 
     
  • Optional: If the hash symbol appears at the start of the ‘Port’ line, you must remove it so that the port is taken into account in the configuration.
     

Note

The vi editor has an insert mode and a command mode. You can enter insert mode by pressing the [i] key. In this mode, the characters you type are inserted into the text immediately. To switch to command mode, press [ESC] afterwards. When you are in command mode, your keystrokes are interpreted as commands.

Please Note

Make sure that the selected port is not already being used by another service. You can check this using the Internet Assigned Numbers Authority (IANA) port list: Service Name and Transport Protocol Port Number Registry

Alternatively, you can view the list of ports in the /etc/services file.

  • To exit vi and save the file, enter the command :wq and then press the Enter key.

  • If SELinux is enabled (the default on Rocky/AlmaLinux), you must add the new port to the SELinux context before restarting the service. To do this, enter the following command:

    semanage port -a -t ssh_port_t -p tcp MY_NEW_PORT

    Example:

    semanage port -a -t ssh_port_t -p tcp 22222

Note

If the semanage command cannot be found, enter the following command to install the required package:

dnf install policycoreutils-python-utils

  • To check the SELinux (Security-Enhanced Linux) configuration, enter the command below. This command shows which network ports are permitted for the SSH service according to the current security policies.

    semanage port -l | grep ssh

  • Restart the SSH service.

    systemctl restart sshd

  • To check the status of the service, enter the following command:

    systemctl status sshd

  • To establish an SSH connection following this change, enter the following command:

    ssh root@server_IP_address -p new_port

    Example:

    ssh root@server_IP_address -p 22222

Change the SSH port in Debian 13

Starting with Debian 13, the port is no longer managed by the SSH service itself, but by the system (systemd). Therefore, you must adjust the system setting. The port is configured on the socket, not in /etc/ssh/sshd_config.

Please Note

  • Leave your existing SSH session open until the new connection is working.
  • Select an available port between 1024 and 65535 (e.g. 22222).
  • Open the new port in the internal firewall and in the Cloud Panel’s firewall policies
  • Ensure that an alternative user with sudo privileges exists and can be accessed via SSH.
  • Only remove access to port 22 once the test has been successful.
  • Log in to the server as an administrator.

  • To check whether the ssh.socket service is active, enter the following command:

    systemctl is-active ssh.socket

  • To check whether the ssh.service service is active, enter the following command:

    systemctl is-active ssh.service


Note

On Debian 13, ssh.socket is normally active. If ssh.service is also active, port 22 remains open until it is deactivated.

  • To open the configuration editor, enter the following command:

    systemctl edit ssh.socket

  • In the text editor that opens, enter the following information:

    [Socket]
    ListenStream=
    ListenStream=0.0.0.0:NEW_PORT
    ListenStream=[::]:NEW_PORT

    Example:

    [Socket]
    ListenStream=0.0.0.0:22222
    ListenStream=[::]:22222


    The entry ListenStream= (empty) deletes the old default port 22. The entry ListenStream=22222 sets the new port.

  • If the Nano editor opens (default): Press CTRL + O and Enter to save, then CTRL + X to exit. Then, if necessary, type Y and press Enter.
    If the Vi/Vim editor opens: Press Esc, type :wq and press Enter.

  • To apply the changes and ensure that only the socket is active, enter the following commands:

    systemctl daemon-reload

    systemctl disable --now ssh.service

  • To restart the socket, enter the following commands:

    systemctl restart ssh.socket

    systemctl enable ssh.socket

  • Open another terminal or PuTTY window.

  • Enter the server’s IP address in the Host Name field.

  • Enter the new port in the Port field.

  • Click OK.

  • Log in to the server. If the login is successful, you can close the old session and remove port 22 from the firewall.

  • To check that only the new SSH port is active, enter the following command:

    ss -lntp | grep -E ':(22|NEW_PORT)'

  • You can check the socket status using the following command:

    systemctl status ssh.socket

  • To view the current socket configuration, enter the following command:

    systemctl cat ssh.socket

Note

If you are unable to log in, please check your firewall settings and, if necessary, revert any changes you have made.

Change the SSH port in Ubuntu 22.04

To change the SSH port:

  • Log in to the server as an administrator.

  • Open the SSH configuration file sshd_config using the vi text editor:

    vi /etc/ssh/sshd_config

  • Find the entry Port 22.
  • Replace Port 22 with a port in the range 1024 to 65535.

Note

The vi editor has an insert mode and a command mode. You can enter insert mode by pressing the [i] key. In this mode, the characters you type are inserted into the text immediately. To switch to command mode, press [ESC] afterwards. When you are in command mode, your keystrokes are interpreted as commands.

Please Note

Make sure that the selected port is not already being used by another service. You can check this using the Internet Assigned Numbers Authority (IANA) port list: Service Name and Transport Protocol Port Number Registry

Alternatively, you can view the list of ports in the /etc/services file.

  • To exit vi and save the file, enter the command :wq and then press the Enter key.

  • Restart the SSH service. To do this, enter the command below. If you are logged in as root, you can omit sudo.

    sudo systemctl restart ssh

  • To check the status of the service, enter the command below. If you are logged in as root, you can omit sudo.

    sudo systemctl status ssh

  • To establish an SSH connection after making this change, enter the following command:

    ssh root@server_IP_address -p NEW_PORT

Content