Cart

    Sorry, we could not find any results for your search querry.

    Changing the SSH port of your Linux VPS

    Servers  are often attacked by automated bots. In the case of Linux servers, they try (in almost all cases) to penetrate as root users via SSH port 22 by means of brute force attacks.

    We, therefore, recommend changing your SSH port and disabling access to SSH as root user on your VPS. The latter has already been automatically applied to our DirectAdmin, Plesk and cPanel VPSs.

    In this article, we show you how to change your SSH port. Changing your SSH port is a form of 'security through obscurity'; you make your VPS (partially) untraceable for most of the attacking bots. An additional advantage is that your log files remain more organized and you get a clearer picture when your VPS is attacked.

    Do you use DirectAdmin, Plesk, or cPanel? Then, for changing your SSH port, check out our articles about securing these control panels:

    Follow the steps in this article as a user with root privileges

     

    Step 1

    Connect to your VPS via the VPS console. If you connect via SSH, your connection will disconnect while you process the changes.


     

    Step 2

    Check your ports used with the command:

    netstat -tulpn | less

    An overview as shown in the screenshot below appears. In this overview, the port numbers are the numbers in the row 'Local Address' behind the colon.

     used port overview


     

    Step 3

    Choose a random port number between 0 and 65535 that is not shown in the overview (for example 47592) and press 'q' to stop netstat.


     

    Step 4

    Open the SSH configuration file with the command below. You can also use vim for this.

    nano /etc/ssh/sshd_config

     

    Step 5

    The configuration file opens, and, amongst other things, you will see the code below.

    # If you want to change the port on a SELinux system, you have to tell
        # SELinux about this change.
        # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
        #
        #Port 22 
        #AddressFamily any
        #ListenAddress 0.0.0.0
        #ListenAddress :: 

    Uncomment / delete the # in front of '#Port 22' and change the number to the number you chose under step 2, for example:

    Port 47592

    Save the file and close the file by pressing ctrl + x> y> enter.


     

    Step 6 

    Add the chosen port to your firewall and connect port 22 to your firewall. Below, we have examples of some commonly used firewalls. Replace 47592 with the port number you selected in step 2. 

     

    Voeg de gekozen poort toe aan je firewall en sluit poort 22 in je firewall. Hieronder hebben wij voorbeelden van enkele veelgebruikte firewalls. Vervang 47592 door het poortnummer dat je in stap 2 hebt gekozen.


     

    The VPS Firewall in the control panel

     

    Step 1

    Log in to your control panel and navigate to the relevant VPS.


     

    Step 2

    Click the cogwheel behind 'Network' (directly under the VPS console) and click 'VPS Firewall'.

    vps networking firewall


     

    Step 3

    Remove the current SSH rule, if present, and add a custom rule for your new SSH port. Finally, click 'Save' to process the changes.

    vps firewall ssh custom port


    FirewallD 

    firewall-cmd --permanent --zone=public --add-port=47592/tcp
        firewall-cmd --permanent --zone=public --remove-port=22/tcp
        firewall-cmd --reload

    Optionally you can open up SSH only for specific IP addresses or IP ranges in FirewallD as follows:

    firewall-cmd --permanent --zone=public --add-rich-rule='
    firewall-cmd --permanent --zone=public --add-rich-rule='

    Ufw 

    ufw allow 47592/tcp
        ufw deny 22/tcp

    Optionally you can open up SSH only for specific IP addresses or IP ranges in UFW as follows:

    ufw allow from 123.123.123.123 to any port 47592 proto tcp
        
    ufw allow from 123.123.123.0/24 to any port 22 proto tcp

    Nftables 

    Debian is switching to nftables instead of iptables. Since most Debian users use ufw or iptables and nftables is a lot more complicated than these solutions, it now falls outside the scope of this manual. We will include a separate article on the use of nftables in our knowledge base in the future.   


     

    Step 7

    Finally, restart SSH with the command below.   

    systemctl restart sshd

     

    Optional: Step 8 - Selinux 

    Do you use Selinux (you can check if you do using the command 'sestatus')? Add the selected port to Selinux as well:   

    47592

    Are you getting an error that the semanage command cannot be found? Install the required package using:

    yum install policycoreutils-python

     

    Your SSH port has now been changed and your SSH connection can no longer be easily attacked by automated bots!

    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.

    Need help?

    Receive personal support from our supporters

    Contact us