Configuring SSH Ports on a Linux System

Configuring SSH ports on a Linux system is a common task to improve server security. Here’s how to do it:

1. Edit the SSH Configuration File

The main SSH configuration file is /etc/ssh/sshd_config.

Open the configuration file with a text editor, for example, nano or vim:

sudo nano /etc/ssh/sshd_config

Find the line that defines the port (default is port 22):

#Port 22

Uncomment the line and change the port number to your desired port (e.g., 2222):

Port 2222

2. Configure the Firewall

If you have a firewall configured on your server, you will need to open the new port for SSH.

For ufw (Uncomplicated Firewall):

sudo ufw allow 2222/tcp

For iptables:

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

3. Restart the SSH Service

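After making the changes, restart the SSH service for them to take effect. Keep your current session open until you have confirmed that you can log in on the new port, so that a mistake in the configuration or firewall does not lock you out. On some distributions the service is named sshd rather than ssh.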

sudo systemctl restart ssh

4. Verify the Configuration

Make sure the SSH server is listening on the new port:

sudo netstat -tuln | grep 2222

Connect to the server using the new port:

ssh -p 2222 your_username@your_server

Summary of Commands

# Edit the SSH configuration file
sudo nano /etc/ssh/sshd_config

# Configure the firewall (ufw)
sudo ufw allow 2222/tcp

# Configure the firewall (iptables)
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
sudo iptables-save | sudo tee /etc/iptables/rules.v4

# Restart the SSH service
sudo systemctl restart ssh

# Verify that the port is open
sudo netstat -tuln | grep 2222

# Connect using the new port
ssh -p 2222 your_username@your_server

Security Considerations

Changing the default SSH port can help reduce automated attack attempts, but it should not be the only security measure. Here are some additional practices:

  • Use key-based authentication instead of passwords.
  • Disable root access via SSH by setting this in /etc/ssh/sshd_config:
    PermitRootLogin no
  • Implement Fail2Ban to protect against brute-force attacks.

Configuring Fail2Ban

Fail2Ban helps protect your server from brute-force attacks by banning IP addresses that show signs of malicious activity, such as repeated failed logins.

Install Fail2Ban:

sudo apt-get install fail2ban

Create a local configuration file to override the default settings:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open the local configuration file:

sudo nano /etc/fail2ban/jail.local

Find the [sshd] section and configure it as follows:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

Restart Fail2Ban to apply the changes:

sudo systemctl restart fail2ban
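
The following consistency check is an added example, not part of the original page: it confirms that every port sshd listens on is also listed in the Fail2Ban [sshd] jail (with the usual multiport ban action, a jail left on port 22 does not block the port sshd actually uses) and that PermitRootLogin is set to no. The function names are illustrative, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.
# Limitation: Include files such as /etc/ssh/sshd_config.d/*.conf are not followed.

# Ports set in sshd_config. Port may appear several times, keywords are
# case-insensitive, and sshd falls back to 22 when no Port line is active.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1" | sort -un)
    echo "${ports:-22}"
}

# Global value of a single-valued keyword: the first occurrence wins, and
# anything after the first Match line is conditional, so stop there.
sshd_first() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Value of "port" inside the [sshd] section of a Fail2Ban jail file.
jail_port() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sshd = ($0 ~ /^\[sshd\]/); next }
        in_sshd && $1 == "port" { print $2; exit }' "$1"
}

# Return 0 only if every sshd port is covered by the jail and root login is off.
check_ssh_hardening() {
    rc=0
    jp=$(jail_port "$2" | sed 's/ssh/22/g')   # the service name "ssh" means 22
    for p in $(sshd_ports "$1"); do
        case ",$jp," in
            *",$p,"*) ;;
            *) echo "FAIL: sshd port $p is not in the [sshd] jail (port = ${jp:-unset})"
               rc=1 ;;
        esac
    done
    [ "$(sshd_first "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not set to no"; rc=1; }
    return "$rc"
}

# Usage: sh check.sh /etc/ssh/sshd_config /etc/fail2ban/jail.local
if [ "$#" -eq 2 ]; then check_ssh_hardening "$1" "$2"; fi
```

Run it after editing both files and before restarting the services; a non-zero exit status means at least one check failed.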

By following these steps, you can secure your server more effectively.