Linux Security System Administration

How and Why to Change Default SSH Port

Secure Shell, also known as SSH is a network protocol which can be used to access the server remotely. Communication taking place between client and server is encrypted so it is more secure than telnet (telnet is also a network protocol used for almost the same purpose). We can access server remotely by providing username, IP address and port number through which communication will take place.

How to Access Server Using SSH Default Port:

In order to access a client remotely, use the following command on terminal:

ubuntu@ubuntu:~$ ssh username@serverIP

OR

ubuntu@ubuntu:~$ ssh serverIP -l username

This command will cause the client to access server having IP Address ‘serverIP’ using the user ID ‘username’. If this is the first time connection between local client and server the user will be prompted with the remote host’s public key fingerprint.

The authenticity of the host ‘example.ssh.com’ cannot be established.

DSA key fingerprint is
98:76:54:32:10:jk:lm:23:32:pq:rs:tu:33:22:11:55

Are you sure you want to continue connecting (yes/no)?

If you answer ‘yes’ then the connection will be established and the host key will be stored in the local system. When host key is stored once, next time the client system can access the host without any approval. After confirmation, user will be asked for password. By entering password of the server, you will be able to access server remotely.

SSH Default Port:

Wireless or wired communication between two machines takes place through ports. There are a total of 65,536 Communication ports and communication can take place through any of these ports. SSH communicates by default through port 22. When we run the above command, connection between local client and server is established through port 22 and all the communication takes place through this port.

Why We Change Default SSH Port?

We change Default SSH port to provide security measures to the server especially from Brute Force Attack.

Brute Force Attack is a trial and error method to decode encrypted data such as passwords through exhaustive effort rather than applying intellectual algorithm. This is just like we make different number of combinations from specific alphabets.

Port 22 is default port of SSH so everyone knows about it and it is much easier to access data from this port by unauthorized person than any other port. In case of changed default SSH port, hacker has to try different ports on trial and error base and it becomes much more difficult to find an open port. Default port is changed to give a hacker in such a situation.

How to Change Default SSH Port?

You can change the default SSH port for your Linux Server to add security measure.

Warning: Make sure the new SSH port does not conflict with any known or blocked ports.

Following Steps are performed to change the default SSH port.

Access Server through SSH:

Before you change the default SSH port of machine, you need to connect to your server through SSH. In order to connect to the server you should know the server IP, username and password. Run the following command on your linux machine to get connected with server:

ubuntu@ubuntu:~$ ssh username@serverIP

You must have sudo privilege to get connected with server.

Selecting a new Port:

There are a total of 65,536 communication ports and we have to choose one port among these but which one?

ICANN (International Corporation for Assigned Names and Numbers) classifies the ports into following categories:

  • System/Well Known Ports: 0-1023
  • User or Registered Ports: 1024-49151
  • Dynamic/Private Ports: 49152-65535

In order to avoid miss-configuring, we choose a port number from Dynamic/Private Ports.

Changing the Default SSH Port:

When we are logged into the server we can change Default SSH port by editing sshd_config file. It is a good practice to have a backup before we make any changes in this file. The following command will create a backup file of sshd_config file.

ubuntu@ubuntu:~$ cp  /etc/ssh/sshd_config  /etc/ssh/sshd_config_backup

Above Command will generate a copy of sshd_config file in the same directory named as sshd_config_backup as a backup. Now we are ready to change the default SSH port. To change the default port, open sshd_config file in any editor. In the following command we are going to open this file in a text editor.

ubuntu@ubuntu:~$ gedit  /etc/ssh/sshd_config

By running the above command, sshd_config file will be opened in text editor. Now find the following line in this file:

#Port 22

Remove # sign and replace the Port 22 with your selected port from given range of ports. For example

Port 49160

In order to avoid completely locking yourself from your system, you should whitelist the port you have specified above (e.g. 49160) on your firewall.

Restart SSH:

When you have made changes in sshd_config file, you should restart the server to load changes. Run the following command to restart SSH:

ubuntu@ubuntu:~$ sudo service sshd restart

Test Changes:

You can test changes by connecting to your server again without logging out current SSH session. Remember to use the new Port number while connecting this time as we have changed it. Opening a new session without closing the previous one ensures that you don’t lock completely yourself from your linux server. After changing default Port, you need to specify the port number to connect to the server. Following is the command to connect to the server after changing default port:

ubuntu@ubuntu:~$ ssh username@userIP -p 49160

Use your specified port in place of 49160.

Conclusion:

This blog gives a brief knowledge on the procedure of changing default SSH port and the importance of changing default SSH port. I have summarized each step and hope you will find it helping.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14