Changing The Default SSH Port On Linux


Jan 17, 2004
vB Floris submitted a new Article:

Changing The Default SSH Port On Linux

Many web site owners have a VPS or Dedicated server solution to host their forum software on. Their lack of knowledge about managing not just their vBulletin and other software, but also the server itself, leads to issues from malicious abuse, such as brute-force attacks on the SSH port to gain server access or, even worse, root access.

This article is about how to improve the security on your server by changing the default port for SSH from 22 to something else. Originally written and blogged by me here: Changing the Default SSH Port on Linux | MrFloris

Establishing an encrypted connection to your online server is very smart, especially if you are doing administrative tasks. This article does not prevent users from abusing the sshd service running on your Linux box, but by changing the default port you prevent scripts from attacking it.

If you are still using telnet or a control panel, I sort of hope you will use the year 2010 to reconsider and move on. Convert to ssh to not only be more secure, but also to improve your system administrator skills as well as understanding the operating system better, and of course to be more in control of your Linux box.


Using an SSH client you can connect to your Linux box if there is an sshd service running. This should be the case by default (otherwise install it first). And by default the port is 22.

And that's what I have a problem with. This allows automated malicious scripts to mass scan online for IP ranges on port 22 and fingerprint it to know what it's dealing with. This is quite easy to do, and quite fast. You know the port and you can go through an IP range rather quickly.

If you change the default port from 22 to something else, and much higher up the port range chain, they will need to port scan the whole IP to find it.

Automated scripts usually stay below 1024, if they even scan at all. So as an additional security layer you could change it from 22 to something over 1024, an available port of course that's not already in use by something else. And those scripts will run into a connection refused error message on port 22, perhaps do a quick scan, can't find sshd running, and move on. Yay.

Deflected a potential brute force attack for example.

So, on say CentOS or Ubuntu, how do we go about changing the sshd service default port from 22 to something higher?

Obviously, we need to log into the...

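The post breaks off before the change itself. As an added example (not from the original article), this shell script runs the checks the text calls for: the new port is above 1024, is not already in use, and is set through the `Port` directive of sshd_config. The `ss -tln` output, the config text, port 2222 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose a non-default sshd port and rewrite the Port directive.
# SAMPLE_SS and SAMPLE_CONFIG are constructed inputs, not taken from a real host.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

SAMPLE_CONFIG='# constructed sample sshd_config
#Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Print the TCP ports in use, one per line, from `ss -tln` output on stdin.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeed only if $1 is a number in 1025..65535 that is absent from list $2.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ] || return 1
    for p in $2; do
        [ "$p" = "$1" ] && return 1
    done
    return 0
}

# Read sshd_config on stdin and print it with exactly one active "Port $1" line.
# If no Port line exists it is appended (assumes the file has no Match block).
set_sshd_port() {
    awk -v p="$1" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " p }'
}

demo() {
    used=$(printf '%s\n' "$SAMPLE_SS" | listening_ports)
    new_port=${1:-2222}
    port_ok "$new_port" "$used" || { echo "port $new_port is not usable" >&2; return 1; }
    printf '%s\n' "$SAMPLE_CONFIG" | set_sshd_port "$new_port"
}
demo "$@"
```

On a real host, apply the same edit to a copy of `/etc/ssh/sshd_config`, check it with `sshd -t`, and allow the new port in the firewall before restarting sshd. Keep the current session open until a login on the new port works.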