Taking SSH Off Port 22

It’s arguably a good idea to move your SSH listener off port 22. This is a quick and easy way to reduce hacking attempts and one of the first things you can do to further secure your server.

Why Should I Change My SSH Port?

By default SSH listens on port 22. Because it’s one way for a hacker to gain entry to your system either by a brute force attack or another method, many would argue that moving SSH to another port effectively stops the attacker because they no longer know where to send their login attempts. When I first checked my server log I was surprised at how many attacks my brand new server was already receiving. It was most likely just the automated stuff, but moving off port 22 stopped it dead.

Arguments Against

Others would argue that any hacker worth his salt will simply be able to run a port scan against your machine and find your new SSH port with no trouble. You’re better off just disabling the root login and choosing a strong password for your shell account. Yeah that’s a valid point, and sound advice. And to be fair if your system was specifically targeted then your SSH port would be relatively easy to find. But why not move it off port 22 as well, and stop the script kiddies’ constant attacks?

Choosing a New SSH Port

You can’t just go trying to use any old port, as it may already be reserved or in use by another application.

According to LinuxLookup: Change the default SSH port:

Note: The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should also be avoided. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing is stopping you from using reserved port numbers, our suggestion may help avoid technical issues with port allocation in the future.

So essentially you want to choose a port between 49152 and 65535.

Edit Your SSH Config

Edit the “Port” directive in /etc/ssh/sshd_config, setting it to your newly chosen port.

Restart the SSH Daemon

This is the command for Debian-based Ubuntu; on your flavour of Linux it may be slightly different:

sudo service ssh restart

And the next time you log in, it will be on your new port.
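
The edit step above as a shell helper that refuses ports outside 49152-65535, keeps a .bak copy of the config, and leaves exactly one active Port line. This is an added example, not code from the original post; the function names and the sample port 50022 are assumptions.

```shell
#!/bin/sh
# Added example: helper names and the sample port 50022 are assumptions.

# Accept only whole numbers in the dynamic/private range 49152-65535.
valid_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # empty or non-numeric
    esac
    [ "${#1}" -eq 5 ] && [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# usage: set_ssh_port CONFIG_FILE NEW_PORT
set_ssh_port() {
    cfg=$1; port=$2
    valid_ssh_port "$port" || { echo "port must be 49152-65535" >&2; return 1; }
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1     # copy to roll back to
    if grep -Eiq '^[[:space:]]*#?[[:space:]]*port[[:space:]]+[0-9]+[[:space:]]*$' "$cfg.bak"; then
        # Rewrite the first Port line (active, or commented like "#Port 22")
        # and drop later active ones, so sshd listens on the new port only.
        awk -v p="$port" '
            tolower($0) ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
                if (!done) { print "Port " p; done = 1 }
                else if ($0 ~ /^[ \t]*#/) print
                next
            }
            { print }
        ' "$cfg.bak" > "$cfg"
    else
        # No Port line at all: put it first, ahead of any Match block,
        # because Port is a global-only keyword.
        { echo "Port $port"; cat "$cfg.bak"; } > "$cfg"
    fi
}

# On the server, as root (not run here):
#   set_ssh_port /etc/ssh/sshd_config 50022
#   sudo sshd -t && sudo service ssh restart   # -t validates the config first
```

Keep your current session open until a second login on the new port succeeds, and allow the new port through any firewall before restarting.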
