How can I change my SSH port?
What this is
Moving SSH off the default port 22. It cuts the automated brute-force noise in your logs to near zero, and as a bonus, our network's port-22 SSH firewall no longer applies to you, so a mistyped password can never get your IP banned.
(To be clear about what it is not: it's obscurity, not security. Keep using keys and the rest of the hardening basics, this just quiets the door-rattling.)
Steps, in an order that can't lock you out
- Allow the new port in your own firewall first, if you run one (say you picked 2222):
ufw allow 2222/tcp, or the equivalent from the firewall commands page. Our managed firewall doesn't block custom ports, so nothing to do on our side. - Edit the SSH config:
nano /etc/ssh/sshd_config, find the#Port 22line, uncomment it and set your port:Port 2222. Pick something memorable that doesn't collide with services you run. - Restart SSH:
systemctl restart ssh(Debian/Ubuntu) orsystemctl restart sshd(RHEL-family). - Keep your current session open, and test from a second terminal:
ssh -p 2222 [email protected]. Only close the old session once the new port works.
From then on, every SSH and SFTP client needs the port set (-p 2222, or the Port field in FileZilla/WinSCP).
If it went wrong anyway
You still have the Console, log in there and fix the config or firewall rule. The full recovery flow is in How to restore my SSH access.
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP and the port you moved SSH to,
- the
Portline you set in sshd_config, - whether the Console still gets you in.
Related questions
- "How do I change my SSH port?"
- "Does changing the SSH port improve security?"
- "I changed my SSH port and can't connect anymore."
- "Do I need to tell you if I move SSH off port 22?"