How to Change the SSH Port and Improve Security

I still remember the first time I set up a Linux server. I was so excited to connect to it using SSH. But within a few days, I started seeing logs filled with failed login attempts — hundreds of them. I had no idea what was going on.

Turns out, many bots on the internet scan servers looking for SSH on the default port — port 22. They try usernames and passwords over and over, hoping to break in. That’s when I learned it’s a good idea to change the SSH port.

In this article, I’ll show you how to change your SSH port and explain why it helps improve security.

Let’s take it step by step.


What is SSH?

SSH stands for Secure Shell. It’s a way to connect to your server and control it using commands. You use SSH when you type something like:

ssh username@your-server-ip

By default, SSH listens on port 22. Think of a port like a door — port 22 is the default door that SSH uses.

The problem? Everyone knows about that door, including hackers.

Changing it won’t make your server “unbreakable,” but it does help reduce the number of attacks. It’s like moving the door to the side of the house instead of leaving it in the front.


Why Change the SSH Port?

Good question.

Here are a few reasons I changed mine:

  • Less spam in logs. I used to see failed logins all the time. Changing the port stopped most of them.
  • Better focus. I could now pay attention to real threats, not bots knocking on the default port.
  • Simple layer of security. It’s not perfect, but it makes you a smaller target.

To be clear, changing the port is not a complete security solution. But it does help. I always combine it with other steps like disabling root login and using SSH keys.


Before You Change the Port

There are some things you should check first.

1. Do you have root access?
You need to edit system files. If you don’t have sudo or root, you won’t be able to change the SSH settings.

2. Do you have firewall rules?
If you’re using something like ufw or iptables, you’ll need to allow the new port before switching.

3. Are you using a hosting provider with a firewall panel?
Some VPS providers like DigitalOcean or AWS also block ports at the cloud level. You’ll need to open the new port there too.


How to Change the SSH Port (Step-by-Step)

Let’s walk through it.

Step 1: Choose a New Port

Pick a number between 1024 and 65535.

Some common safe choices:

  • 2222
  • 2525
  • 2022

Don’t pick ports already used by other services. You can check what’s in use with:

sudo netstat -tuln

Or on newer systems:

sudo ss -tuln

Step 2: Edit the SSH Config File

Open the SSH configuration file with:

sudo nano /etc/ssh/sshd_config

Look for the line that says:

#Port 22

Remove the # and change 22 to your new port, like:

Port 2525

Make sure there are no typos. Save and exit.

Step 3: Allow the New Port in the Firewall

If you’re using ufw (Uncomplicated Firewall), run:

sudo ufw allow 2525/tcp

If using iptables, you can allow it like this:

sudo iptables -A INPUT -p tcp --dport 2525 -j ACCEPT

Also check your VPS dashboard in case your provider blocks ports.

Step 4: Restart the SSH Service

Now restart SSH:

sudo systemctl restart ssh

Or on some systems:

sudo service ssh restart

Don’t log out yet.

Step 5: Open a New Terminal and Test

Before closing your current session, open a new terminal and test the connection:

ssh -p 2525 username@your-server-ip

If it works, you’re good.

If it fails, you can still go back using your old terminal and fix things.

Once everything works, you can remove access to port 22:

sudo ufw delete allow 22/tcp
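
Steps 1 and 2 as a script, added here as an example rather than code from the article: the hypothetical helper set_sshd_port checks the port range, backs up the file, and writes a single Port line ahead of any Match block, where sshd requires it. The demo at the end runs on a constructed sample file, not the live config.

```sh
#!/bin/sh
# Added example (not from the article): set the Port directive in an
# sshd_config file, keeping a backup. set_sshd_port is a hypothetical helper.
set_sshd_port() {
    conf=$1 port=$2
    # Step 1 of the article: a number between 1024 and 65535.
    case $port in
        ''|0*|*[!0-9]*) echo "port must be a plain number" >&2; return 2 ;;
    esac
    if [ "${#port}" -gt 5 ] || [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port must be between 1024 and 65535" >&2; return 2
    fi
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1      # backup before editing
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        { l = tolower($0) }                     # sshd keywords are case-insensitive
        # Port is a global setting, so it has to come before any Match block.
        l ~ /^[ \t]*match[ \t]/ && !done { print "Port " port; done = 1 }
        # "#Port 22", "Port 22", "port 22": replace the first, drop the rest.
        l ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }   # no Port line and no Match block
    ' "$conf.bak" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"                        # keeps owner and mode of $conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample file, not the live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin no' 'Match User backup' \
    '    X11Forwarding no' > "$demo"
set_sshd_port "$demo" 2525 && cat "$demo"
rm -f "$demo" "$demo.bak"
```

On a real server, run it with sudo against /etc/ssh/sshd_config, then run sudo sshd -t before restarting SSH.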

Two Quick Lists

What You Need to Remember

  • Always test new SSH ports in a second session
  • Keep port numbers between 1024 and 65535
  • Don’t use ports already taken by other services
  • Update your firewall rules first
  • Keep your existing session open during testing

Extra Tips for Better Security

  • Use SSH keys instead of passwords
  • Turn off root login in SSH config
  • Use fail2ban to block brute force attacks
  • Only allow your IP to connect if possible
  • Back up your SSH config before editing

How This Helps (And Where It Doesn’t)

Changing your SSH port is what people call security by obscurity. It doesn’t stop a smart attacker, but it does:

  • Stop most bots
  • Clean up logs
  • Reduce brute-force attempts
  • Make your server less “noisy”

However, if you still use a weak password, changing the port won’t save you.

I once helped a friend whose server was hacked. He had changed the SSH port, but his password was “123456.” The attacker guessed it within minutes.

So always combine steps. Think of the port change as step one, not the only step.


Troubleshooting

Here are common problems and how to fix them:

SSH won’t connect after the change
→ You may have forgotten to allow the new port in the firewall.

Your VPS dashboard shows blocked traffic
→ You might need to open the port in cloud firewall settings.

You can’t restart SSH
→ Check for typos in /etc/ssh/sshd_config. Run:

sudo sshd -t

It will test your config for errors before you restart.


A Quick Comparison

Feature                      | Port 22 (default) | Custom Port (e.g. 2525)
Common attack target         | Yes               | Less likely
Needs firewall rule change   | No                | Yes
Better log visibility        | No                | Yes
Harder to guess by attackers | No                | Yes

I switched years ago and never went back. It’s one of those small steps that helps make your server quieter and more secure.


Final Thoughts

If you’re running your own server, changing the SSH port is a quick way to reduce noisy attacks.

It won’t protect you from everything, but it makes a difference. Think of it like locking a side door instead of leaving the front wide open.

Have you checked your logs recently? How many failed SSH attempts do you see?

Try changing your port. Test it carefully. And combine it with better habits like strong passwords and SSH keys.
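
To put a number on the failed attempts in your own logs, here is an added example (not the author's code) that counts failed password attempts per source address. The helper name failed_ssh_by_ip and the sample log lines are constructed; on Debian and Ubuntu the real file is usually /var/log/auth.log.

```sh
#!/bin/sh
# Added example (not from the article): count failed SSH password attempts
# per source address. failed_ssh_by_ip is a hypothetical helper name.
failed_ssh_by_ip() {
    awk '
        # sshd ends these lines with "from <addr> port <n> ssh2". Read the
        # address from the end of the line: the user name earlier in the line
        # is chosen by the client and may itself contain " from ".
        /sshd\[[0-9]+\]: Failed password for / &&
        $(NF-4) == "from" && $(NF-2) == "port" { hits[$(NF-3)]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines in the usual auth.log format (documentation IPs).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Jan 10 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 web1 sshd[2107]: Failed password for invalid user x from 192.0.2.1 from 198.51.100.7 port 40022 ssh2
Jan 10 03:13:30 web1 sshd[2110]: Accepted publickey for deploy from 192.0.2.44 port 50022 ssh2: ED25519 SHA256:(constructed)
Jan 10 03:14:02 web1 sshd[2115]: Failed password for root from 203.0.113.5 port 51300 ssh2
EOF
failed_ssh_by_ip "$sample"
rm -f "$sample"
```

Run it before and after the port change to compare the counts.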
