Secure Shell (SSH) is the most popular method of remotely connecting to your Linux machine. The protocol offers strong authentication, which helps maintain the security and integrity of your Linux computer.
SSH utilizes strong encryption and allows users or automated processes to access, interact and even transfer files from a server. Once connected, a user can issue Linux commands to perform mission critical operations.
By default, SSH runs on port 22. A port is simply a communication endpoint that identifies which process incoming traffic is delivered to once it arrives on a server. To connect through SSH, a user requires the port number (22 in this case) and the public IP address of the server, alongside a username and a password.
To prevent automated bots and malicious users from brute-forcing their way into your server, you should consider changing the default SSH port to something else.
An intelligent attacker would still scan your server to determine open ports and the services running on them. However, changing the default SSH port will block thousands of those automated attacks that don’t have time to rotate ports when targeting a Linux server.
In this guide, we will explore how you can change your default SSH port and we will also discuss other preventive measures for protecting SSH access on your server.
- A VPS plan running any Linux distribution (e.g. Ubuntu, CentOS, Debian)
- A non-root user with sudo privileges
Special Note: if you are looking to move to a VPS plan, we recommend that you consult HostAdvice's Best VPS hosting providers list. If you are not running a Linux distribution, but are considering it, we recommend looking at HostAdvice's Best Linux Hosting services list.
Step 1: Connect to your server through SSH
Before you begin, you need to connect to your Linux machine through SSH. You should have your server IP address, username and password. If you are connecting from Windows, download PuTTY. If you are connecting from another Linux machine, the basic command has the following syntax:
$ ssh -p 22 username@server_ip
Remember to change the username and IP address. The user in this case must have sudo privileges.
Step 2: Choosing a new SSH port
ICANN (Internet Corporation for Assigned Names and Numbers) is an organisation that controls the namespaces and numerical spaces of the internet to ensure its stable and secure operation.
ICANN classifies ports in three categories:
- System/well known ports: 0-1023
- User or registered ports: 1024-49151
- Dynamic/private ports: 49152-65535
To prevent mis-configuring your server, you should choose a port from the dynamic/private ports range (e.g. 49160, 53425, 64342 and so on).
Step 3: Changing the default SSH port
To change the default port the SSHD daemon is listening on, we can edit the configuration file using the nano editor:
$ sudo nano /etc/ssh/sshd_config
Then look for the line below:
# Port 22
First uncomment the line by removing the pound sign before the line. Then, replace 22 with your preferred port on the right side.
To avoid completely locking yourself out of your system, you should whitelist the port that you have specified above on your firewall.
Step 4: Restart SSH
Once you make a change to the SSHD daemon configuration file, you should restart the service to load the new changes.
$ sudo service sshd restart
Step 5: Test the changes
Before you log out from your current SSH session, try connecting to your server again. But this time, use the new SSH port that you have specified above. Opening a new session prior to closing the original one ensures that you don’t completely lock yourself out of your Linux server in case there are complex iptables rules preventing direct access to your server via the new SSH port.
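The edit from Steps 2 and 3 can be scripted so that the port is checked against the private range and no second Port line is left behind. The script below is an added example, not part of the original guide; `valid_private_port` and `set_ssh_port` are hypothetical helper names, and the demo runs against a constructed sample file rather than the real configuration.

```shell
#!/bin/sh
# Added example, not from the original guide; function names are hypothetical.
# Assumes the stock "Port" spelling used in a distribution's sshd_config.

# True only for an integer in the dynamic/private range chosen in Step 2.
valid_private_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# set_ssh_port CONFIG PORT
# Replaces the first "Port N" / "#Port N" line, removes any other active Port
# line (sshd listens on every Port it finds), and keeps a backup in CONFIG.bak.
set_ssh_port() {
    cfg=$1
    port=$2
    valid_private_port "$port" || { echo "refusing port '$port': not in 49152-65535" >&2; return 1; }
    [ -f "$cfg" ] || { echo "$cfg: no such file" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$' "$cfg.bak"; then
        awk -v port="$port" '
            !seen && /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+[ \t]*$/ { print "Port " port; seen = 1; next }
            seen && /^[ \t]*Port[ \t]/ { next }
            { print }
        ' "$cfg.bak" > "$cfg"
    else
        # No Port line at all: add it at the top, ahead of any Match block.
        { echo "Port $port"; cat "$cfg.bak"; } > "$cfg"
    fi
}

# Demo on a constructed sample file, so nothing on the real system is touched.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '#Port 22' '#AddressFamily any' 'Port 22' > "$demo"
set_ssh_port "$demo" 49160 && cat "$demo"
rm -f "$demo" "$demo.bak"

# On a real server: run set_ssh_port /etc/ssh/sshd_config <port> as root, then
# `sshd -t` to check the file for errors before the restart in Step 4.
```

If `sshd -t` reports an error, copy the `.bak` file back over the configuration before restarting the service.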
Step 6: Other considerations
As we said above, changing the default SSH port will not keep hackers and malicious users out of the system. You should consider additional layers of security to be on the safe side. For instance, choose a strong password with a mix of lower case, upper case, numbers and symbols.
Also, if you are connecting from a static IP address, you might consider whitelisting only the IP addresses that you are connecting from. Another great layer of security is disabling password login and only allowing users to log in to your server using an authentication key pair.
In this guide, we showed you how to change the default SSH port on your Linux machine. We have also discussed additional steps that you can take to safeguard your server. Remember to choose the new port from the private port range to keep your server stable and avoid disrupting running services.