Every bot on the internet knows that SSH lives on port 22. It’s the first door they knock on. Within minutes of spinning up a fresh Linux server, you’ll see login attempts from IPs you’ve never heard of, hammering away at the default SSH port number with dictionary attacks. The logs fill up fast.
Changing the default SSH port won’t make your server invincible. Let’s be clear about that. But it kills the vast majority of automated brute force noise, and that alone is worth the two minutes this takes. Think of it as moving your front door to a side street that script kiddies don’t bother walking down.
This guide walks you through every step: picking a new port, editing sshd_config, updating your firewall rules, restarting the service, and confirming it all works. Nothing fancy. Just the commands you need on a Linux VPS.
Choosing a New SSH Port Number
Before you touch any config files, you need to decide what port to move SSH to. Pick the wrong one and you’ll collide with another service. Pick something obvious and you’ve wasted your time.
Here’s the quick reference for common SSH ports and well-known ports you absolutely must avoid:
| Port | Service | Protocol |
| --- | --- | --- |
| 20/21 | FTP | TCP |
| 22 | SSH | TCP |
| 23 | Telnet | TCP |
| 25 | SMTP | TCP |
| 53 | DNS | TCP/UDP |
| 80 | HTTP | TCP |
| 110 | POP3 | TCP |
| 143 | IMAP | TCP |
| 443 | HTTPS | TCP |
| 3306 | MySQL | TCP |
| 8080 | HTTP alt | TCP |
| 8443 | HTTPS alt | TCP |
The well-known ports range covers 0 through 1023. These belong to privileged services, and your OS expects them to stay that way. The registered ports range, 1024 through 49151, houses things like databases, application servers, and other software that’s already claimed its turf.
Your best bet is the dynamic or private ports range: 49152 to 65535. Nothing’s pre-assigned there. Pick something random within that range, something like 51832 or 62419, and you’re unlikely to hit a conflict. Avoid “clever” choices like 2222 or 2200. Those are the second place attackers check after 22.
How to Change the Default SSH Port
You’ve got your port number. Now let’s actually change it. The process is the same whether you’re on Ubuntu, Debian, CentOS, or any other mainstream Linux distro. Five steps, and you should leave your current SSH session open the entire time. If something goes wrong, that open session is your lifeline.
Connect to Your Server via SSH
Open a terminal. On macOS or Linux, it’s built in. On Windows, grab PuTTY or use the built-in OpenSSH client if you’re on Windows 10+. Run the SSH login command:
ssh username@server_ip
Enter your password when prompted. If you’ve already set up SSH key authentication (and you should), it’ll log you straight in. Either way, get a root shell or make sure you can run sudo. You’ll need elevated privileges for everything that follows.
Edit the sshd_config File
The SSH daemon’s behavior is controlled by a single configuration file. Open it:
sudo nano /etc/ssh/sshd_config
Scroll until you find the line that reads #Port 22. The hash means it’s commented out, and SSH is using the default port 22 implicitly. Remove the # and change 22 to your chosen port number:
Port 51832
That’s it for the SSH configuration file. Save and exit nano with Ctrl+X, then Y, then Enter. On some newer Ubuntu systems (22.10+), SSH may use a socket-based configuration instead. If your sshd_config change doesn’t stick, check /etc/ssh/sshd_config.d/ for override files or look into systemd socket activation settings.
Update Firewall Rules for the New Port
Here’s where people lock themselves out. You’ve told SSH to listen on a new port, but your firewall is still only allowing traffic on 22. If you restart SSH now, you’re done. Locked out. Game over.
If you’re running UFW (the standard on Ubuntu and Debian), allow your new port first:
sudo ufw allow 51832/tcp
Reload to apply:
sudo ufw reload
Verify the UFW firewall rules are in place:
sudo ufw status
You should see your new port listed as ALLOW. If you’re using firewalld (common on CentOS/RHEL), the equivalent is:
sudo firewall-cmd --permanent --add-port=51832/tcp && sudo firewall-cmd --reload
If you’ve never configured any firewall rules at all, and ufw status shows “inactive”, you can skip this step. But you should probably fix that soon. Running a server without a firewall is asking for trouble.
Restart the SSH Service
Now apply the new configuration by restarting the SSH daemon. On any modern distro using systemd:
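sudo systemctl restart sshd
On Debian and Ubuntu the unit is named ssh; substitute that name if systemd reports that sshd is not found. On older systems still running SysVinit:
sudo service ssh restart
Check that the restart went cleanly:
sudo systemctl status sshd
You want to see “active (running)” with no errors. If it failed, the usual cause is a typo in sshd_config. Go back and fix it. On CentOS/RHEL with SELinux enforcing, sshd can also fail to bind until the new port is added to the ssh_port_t type in the SELinux policy. Your current session is still alive, so you can still make changes.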
Verify the New SSH Port Is Active
Don’t just trust that the restart worked. Verify. There are two things to check: the port is open, and you can actually connect through it.
Check the Port with ss or netstat
The ss command is the modern replacement for netstat on Linux. Run:
ss -tuln | grep 51832
You should see a LISTEN entry on your port. If you prefer the older netstat approach:
netstat -tuln | grep 51832
Same output, different tool. If nothing shows up, SSH isn’t listening on that port. Go back to the sshd_config file and double-check your edit.
Log In Using the New SSH Port
Open a new terminal window. Do not close your existing session. Test the connection using the -p flag:
ssh -p 51832 username@server_ip
If you get a shell, you’re good. The SSH port change worked. If the connection hangs or gets refused, something’s wrong with your firewall rules or the sshd_config edit. Your old session is still open, so go troubleshoot.
Once you’ve confirmed the new port works, you can optionally remove the old port 22 rule from your firewall:
sudo ufw deny 22/tcp && sudo ufw reload
Only do this after you’re 100% sure the new port is working. There’s no undo if you lock yourself out.
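The checks from the steps above, combined into one script as an added example that is not part of the original guide. It goes slightly beyond the grep-based check by matching the listening port exactly and by confirming that port 22 is no longer bound; the function names and both sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative;
# both SAMPLE_ values are constructed, not captured from a real host.

# Succeeds if $1 is an integer in the dynamic/private range 49152-65535.
in_dynamic_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# Reads sshd config text (sshd_config or `sshd -T` output) on stdin and prints
# each active Port value. "#Port 22" is a comment; no Port line means 22.
config_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (n == 0) print 22 }'
}

# Reads `ss -tln` or `ss -tuln` output on stdin; succeeds only if a LISTEN
# socket is bound to exactly port $1. A bare grep for 22 would also hit 2222.
listening_on() {
    awk -v p="$1" '{ for (i = 1; i <= 2; i++) if ($i == "LISTEN") {
                       n = split($(i + 3), a, ":"); if (a[n] == p) ok = 1 } }
                   END { exit !ok }'
}

# Prints one verdict for moving sshd to port $1, given config text $2 and
# ss output $3.
check_move() {
    in_dynamic_range "$1" || { echo bad-port; return; }
    [ "$(printf '%s\n' "$2" | config_ports)" = "$1" ] ||
        { echo config-mismatch; return; }
    printf '%s\n' "$3" | listening_on "$1" || { echo not-listening; return; }
    if printf '%s\n' "$3" | listening_on 22
    then echo still-on-22; else echo ok; fi
}

SAMPLE_CONFIG='#Port 22
Port 51832
PermitRootLogin no'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128      0.0.0.0:51832      0.0.0.0:*
LISTEN 0      128         [::]:51832         [::]:*
LISTEN 0      4096   127.0.0.1:2222       0.0.0.0:*'

check_move 51832 "$SAMPLE_CONFIG" "$SAMPLE_SS"   # prints: ok
```

On a live server, pass real data instead of the samples, for example `check_move 51832 "$(sudo sshd -T)" "$(ss -tln)"`. Feeding it `sshd -T` output rather than the file itself picks up override files in /etc/ssh/sshd_config.d/, and a `not-listening` verdict with a correct config points at the socket-activation case mentioned earlier.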
SSH Port Change FAQ
Why Change the Default SSH Port?
Automated SSH brute force attacks target port 22 by default. Thousands of bots scan entire IP ranges looking for that open door. Moving to a non-standard port doesn’t stop a determined attacker who runs a full port scan, but it eliminates the drive-by noise. Your auth logs get quieter. Your fail2ban stops working overtime. It’s basic security hygiene paired with proper measures like SSH key authentication and disabling root login.
Which Port Is Best for SSH?
Anything in the 49152 to 65535 range that you can remember. Avoid “creative” ports like 2222, 8022, or 443 (which collides with HTTPS). The SSH port number you pick doesn’t matter much as long as it’s not a well-known port, not used by another service on your box, and not something an attacker would guess on their second try. Random is good. Write it down somewhere safe.
Does Changing SSH Port Affect Performance?
No. Zero impact. You’re changing which numbered door the SSH daemon answers on, not how it processes connections. The encryption, the key exchange, the data transfer, all of it works identically regardless of the port. Your Linux server performance stays exactly the same. The only thing that changes is the entry point, and the fact that your server stops showing up in lazy port scans targeting the default SSH port.