There are a number of things you can do to help secure SSH, and changing the port that SSH uses is one of the things many people do. That can help, but I feel it’s important to also mention that security by obscurity isn’t really good security.
By the way, I’ve already written a couple of articles about SSH. Feel free to check ’em out, as they may get you up to speed if you’re not already there. The first link should be the link you click if you need to learn how to get started.
If you don’t know what ports are, there’s a great Wikipedia page here. We’re talking about software ports and not hardware ports. They’re well-described as this:
At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service.
By default, SSH uses port 22, and everybody knows it. Well, everybody that’s interested in networking knows this. And, because of this, malicious actors will scan for online computers and then check port 22 to see if SSH is running. If they find the port open, they’ll possibly try to guess the password and keep trying until they get through.
NOTE: There are a number of ways to secure SSH, including disabling password logins entirely and using things like fail2ban to limit login attempts. I’d expect articles on those subjects in the future, but they have not yet been written by me. I’m sure other sites will have information, so use a search engine if you’re wanting to learn about those things today. (I am never gonna remember to come back and remove this.)
So, one step you can take is to make SSH listen on a different port. You can do that in isolation or along with other security methods. It’s not the greatest security fix, because people can (and do) just scan entire port ranges. While moving the port to something other than the default will help, it’s (by itself) just security by obscurity.
Knowing all that, let’s take a look at how we can change from the default port to one of your choosing. It’s actually pretty easy.
To get started, we’re gonna need to open a terminal. You can do this with your keyboard: simply press CTRL + ALT + T and your default terminal should open up. By the way, you can change your default terminal.
Once that’s open, we’re going to want to edit a file using nano. You’ll do that with this command:
sudo nano /etc/ssh/sshd_config
That will open ‘sshd_config’ (the SSH configuration file) with the nano text editor. Once that’s open, scroll down and look for the line that reads “#Port 22”.
What you need to do is remove the # and then change the 22 to whatever port you want to use. So, if you wanted to change the port to 4441, you’d change the line to read:
Port 4441
Note the removal of the #, as the # tells the computer to ignore that line. A line starting with # (in this case) means that line is ‘commented out’, meant to be ignored.
Anyhow, once you’ve changed it to the new port you need to save it. Seeing as you’re using nano, that’s pretty easy. Just use your keyboard and press CTRL + X, then Y, and then ENTER.
Just because you’ve changed it doesn’t mean it has taken effect. You have to reload the service. To do that, you need this command:
sudo systemctl reload sshd
That should reload the service, after which it will listen on the new port. From now on, you’ll connect with something like this:
ssh -p 4441 user@ip.addr
Basically, you’re just adding ‘-p 4441’ (or whatever port you picked) to the command. If you’re using aliases or something like PuTTY, be sure to change those settings as well.
NOTE: This isn’t the final step for many people. Some of you will have to change your firewall’s settings to allow TCP on the changed port. In some cases you may also have to enable it with the semanage utility. In those cases, consult your documentation. If you can’t get it figured out, leave a comment and we’ll see if we can get it figured out together.
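The edit above as a script, added here as an example and not part of the original article. The helper names set_ssh_port and active_ports are hypothetical, and the demo runs on a constructed sample file rather than the real /etc/ssh/sshd_config. It also covers a case the manual edit can miss: sshd listens on every active Port line, so a leftover one keeps the old port open.

```shell
#!/usr/bin/env bash
# Added example: scripted form of the manual sshd_config edit (hypothetical helpers).

# set_ssh_port FILE PORT: make "Port PORT" the only active Port directive.
# Keeps the previous file as FILE.bak; returns 2 for an invalid port.
set_ssh_port() {
    local file=$1 port=$2 tmp rc
    case $port in ''|*[!0-9]*) return 2 ;; esac      # digits only
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    [ -r "$file" ] || return 1
    tmp=$(mktemp) || return 1
    # Rewrite the first Port line (active or commented out) and drop any other
    # active Port line, so the old port does not stay open next to the new one.
    if ! awk -v p="$port" '
        /^[ \t]*Port[ \t]+[0-9]+/ { if (!done++) print "Port " p; next }
        /^[ \t]*#[ \t]*Port[ \t]+[0-9]+/ && !done { print "Port " p; done = 1; next }
        { print }
        END { exit !done }' "$file" > "$tmp"; then
        # No Port line at all: add one at the top, ahead of any Match block.
        { printf 'Port %s\n' "$port"; cat -- "$file"; } > "$tmp"
    fi
    cp -p -- "$file" "$file.bak" && cat -- "$tmp" > "$file"
    rc=$?
    rm -f -- "$tmp"
    return "$rc"
}

# active_ports FILE: print the port numbers set by active Port lines.
active_ports() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2 }' "$1"
}

# Demo on a constructed sample, not a real sshd_config.
demo() {
    local cfg
    cfg=$(mktemp)
    printf '%s\n' '#Port 22' '#AddressFamily any' 'Port 2222' > "$cfg"
    set_ssh_port "$cfg" 4441 && active_ports "$cfg"
    rm -f -- "$cfg" "$cfg.bak"
}
demo

# On a real host, check the file before reloading, and keep the current
# session open until a second terminal can log in on the new port:
#   sudo sshd -t && sudo systemctl reload sshd
#   ssh -p 4441 user@ip.addr
```
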
And there you have it, another article in the books. This time, you’ve learned how to change the port that SSH uses. Hopefully that’ll come in handy for some of you. In isolation, it’s not the greatest security method – but it’s better than nothing. There’s still an article every other day!