Ghosted

Change SSH Port from 22 to Custom Port

Complete Security Hardening Guide with Firewall Configuration & Recovery Options

📋 Compatibility: This guide is tested and verified for:
  • AlmaLinux: 8.x through 9.6 (including all minor versions)
  • Rocky Linux: 8.x and 9.x
  • CentOS: 7.x, 8.x (Stream)
  • RHEL: 7.x, 8.x, 9.x
  • Ubuntu: 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS
  • Debian: 10 (Buster), 11 (Bullseye), 12 (Bookworm)
  • CloudLinux: 7.x, 8.x, 9.x
  • Oracle Linux: 7.x, 8.x, 9.x

Note: Commands may vary slightly for systemd vs init.d systems. This guide uses systemd commands which work on all modern distributions listed above.

🛡️ Why Change Your SSH Port from 22?

Port 22 is the default SSH port that every hacker and automated bot knows. Changing it provides immediate security benefits:

  • 90-95% Reduction in Automated Attacks: Bots constantly scan port 22 on every server
  • Cleaner Security Logs: Distinguish real threats from automated noise
  • Reduced Server Load: Less CPU wasted on processing fake login attempts
  • Defense in Depth: Additional security layer alongside strong passwords and key authentication
  • Compliance Benefits: Many security standards recommend non-standard ports

📌 Recommended Custom Port Ranges

Popular secure port choices:

  • 2222 – Easy to remember (used in this guide)
  • 2200-2300 – Common alternate SSH range
  • 8022 – Another memorable option
  • 10000-10100 – High port range
  • 20000-30000 – Very high range, less commonly scanned

Note: You can use any port between 1024-65535. Avoid ports below 1024 (privileged) and common service ports. Throughout this guide, we’ll use port 2222 as an example – replace it with your chosen port.

1. Backup Current SSH Configuration

Always create a backup before making critical changes. This allows easy restoration if needed:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup-$(date +%Y%m%d)

This creates a timestamped backup file for easy identification.

2. Configure CSF Firewall (If Installed)
Optional Step: Skip this if you don’t have CSF (ConfigServer Security & Firewall) installed.
⚠️ CRITICAL: Add the new port to your firewall BEFORE changing SSH configuration to avoid lockout!

Edit CSF configuration to allow your custom port (we’re using 2222):

nano /etc/csf/csf.conf

Find the TCP_IN line and add your custom port. Change from:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"

To (adding 2222 or your chosen port):

TCP_IN = "20,21,22,2222,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"

Save with Ctrl+O, then exit with Ctrl+X

Apply the CSF changes:

csf -r

3. Configure Imunify360 (If Installed)
Optional Step: Skip this if you don’t have Imunify360 installed.

Add your custom SSH port to Imunify360’s whitelist:

imunify360-agent whitelist port add 2222 --comment "Custom SSH Port"

Verify the port was whitelisted:

imunify360-agent whitelist port list
Imunify360 Note: This ensures Imunify360 won’t block legitimate SSH connections on your custom port.

4. Configure Other Firewalls
Optional Step: Only needed if you use firewall software other than CSF/Imunify360.

For iptables:

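iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Note: -A appends the rule to the end of the INPUT chain. If the chain already contains a catch-all DROP or REJECT rule, the new rule must sit above it to take effect.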

For UFW (Ubuntu/Debian):

ufw allow 2222/tcp

5. Modify SSH Configuration

Now edit the SSH daemon configuration file:

nano /etc/ssh/sshd_config

Find the line (usually near the top):

#Port 22

Change it to your custom port (remove the # to uncomment):

Port 2222

💡 Pro Tip – Dual Port Method: For extra safety during transition, you can temporarily run SSH on both ports:

Port 22
Port 2222

This allows you to test the new port while keeping the old one active. Remove port 22 after confirming the new port works.

Save with Ctrl+O, then exit with Ctrl+X

6. Validate SSH Configuration

Test the SSH configuration file for syntax errors before restarting:

sshd -t

✅ Expected Result: No output means the configuration is valid
❌ If you see errors: Review your changes in step 5

Also label the new port for SSH in SELinux (if SELinux is enabled); otherwise sshd will not be allowed to bind to it:

semanage port -a -t ssh_port_t -p tcp 2222
If the semanage command is not found, SELinux is likely disabled and you can skip this.
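
The check below is an added example, not part of the original guide: it compares the Port lines in sshd_config with CSF's TCP_IN list, so the lockout that the step 2 warning describes is caught before sshd is restarted. The function names (sshd_ports, csf_allows, preflight) and the sample files are constructed for illustration, and the check goes slightly beyond the guide by also accepting CSF lo:hi port ranges.

```shell
#!/bin/sh
# Added example (not from the guide): lockout pre-flight for an SSH port change.
# On a live host `sshd -T | grep '^port '` prints the ports sshd will actually
# use; parsing the file instead lets the check run on a draft copy as well.

# Print each port requested in sshd_config file $1 (22 if no active Port line).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Return 0 if port $1 is allowed by TCP_IN in csf.conf $2.
# Handles single ports and CSF lo:hi ranges; TCP6_IN and other keys are ignored.
csf_allows() {
    awk -v port="$1" '
        /^[ \t]*TCP_IN[ \t]*=/ {
            gsub(/[^0-9,:]/, "")            # drop key name, quotes and spaces
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                m = split(items[i], r, ":")
                lo = r[1] + 0
                hi = (m == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) ok = 1
            }
        }
        END { exit !ok }' "$2"
}

# Check every sshd port against CSF; non-zero means "do not restart sshd yet".
preflight() {
    rc=0
    for p in $(sshd_ports "$1"); do
        if csf_allows "$p" "$2"; then
            echo "ok: sshd port $p is allowed by CSF TCP_IN"
        else
            echo "LOCKOUT RISK: sshd port $p is missing from CSF TCP_IN" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the dual-port config from step 5 against a csf.conf
# that has not been updated yet (2222 is absent from TCP_IN).
demo=$(mktemp -d)
printf '#Port 22\nPort 22\nPort 2222\n' > "$demo/sshd_config"
printf 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$demo/csf.conf"
preflight "$demo/sshd_config" "$demo/csf.conf" || echo "update TCP_IN, run csf -r, retry"
rm -rf "$demo"
```

On a real server, call preflight /etc/ssh/sshd_config /etc/csf/csf.conf and restart sshd only when it returns 0.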

7. Restart SSH Service
⚠️ IMPORTANT – Don’t Close This Session! Keep your current SSH session open. You’ll test the new port in a NEW terminal window. This prevents lockout if something goes wrong.

Restart the SSH daemon to apply changes:

systemctl restart sshd

Check that SSH is running properly:

systemctl status sshd

Verify SSH is listening on the new port:

netstat -tlnp | grep sshd

You should see SSH listening on port 2222 (or your chosen port)

8. Test New SSH Port Connection
⚠️ Use a NEW Terminal Window! Don’t close your current session until you confirm the new port works.

In a NEW terminal window, test connecting with the custom port:

ssh -p 2222 root@your-server-ip

For servers with hostnames:

ssh -p 2222 root@your-server.domain.com

✅ Connection Successful? Great! Proceed to step 9
❌ Connection Failed? Don’t panic! See the recovery section below

🚨 SSH Connection Failed? Recovery Options

Don’t panic! Your original session is still active. Here are recovery methods:

Option 1: Use cPanel Terminal (Recommended)

  1. Log into cPanel at: https://your-server:2083
  2. Navigate to Advanced → Terminal
  3. Switch to root: sudo su - or su -
  4. Edit SSH config: nano /etc/ssh/sshd_config
  5. Change port back to 22 and restart: systemctl restart sshd

Option 2: Use WHM Terminal

  1. Log into WHM at: https://your-server:2087
  2. Navigate to System → Terminal
  3. Fix the SSH configuration as root

Option 3: VNC/Console Access

  • Use your hosting provider’s VNC or console access
  • Most providers offer this in their control panel
  • Works even if SSH is completely broken

Common Issues to Check:

  • Firewall blocking: Ensure the port is open in ALL firewalls
  • Typo in port number: Verify you’re using the same port everywhere
  • SELinux blocking: Check SELinux permissions
  • SSH syntax error: Run sshd -t to check

9. Remove Port 22 Access (Optional but Recommended)
⚠️ Only proceed after confirming the new port works perfectly!

Step 1: Remove port 22 from SSH config

nano /etc/ssh/sshd_config

Remove or comment out the Port 22 line, keeping only:

Port 2222

Step 2: Restart SSH

systemctl restart sshd

Step 3: Remove port 22 from CSF (if using CSF)

nano /etc/csf/csf.conf

Remove 22 from the TCP_IN line, then restart CSF:

csf -r

Step 4: Update other firewalls accordingly

Remove port 22 rules from iptables, firewalld, or UFW as needed.

10. Update Your SSH Clients & Documentation

Update SSH client configurations:

For command line SSH: Add to ~/.ssh/config:

Host your-server
    HostName your-server.domain.com
    Port 2222
    User root

For PuTTY (Windows):

  • Update saved sessions with the new port
  • Change port from 22 to 2222 in connection settings

For FileZilla/SFTP clients:

  • Update site manager entries
  • Change port to 2222 for SFTP connections

📝 Important Tasks:
  • Document the port change in your server notes
  • Inform your team members about the new port
  • Update any monitoring systems or scripts
  • Update backup scripts that use SSH/SFTP
  • Save the connection details securely

✓ Security Hardening Complete!

🎉 Congratulations! Your SSH service is now secured on a custom port.

New connection command: ssh -p 2222 username@your-server

Security improvements achieved:
  • 90-95% reduction in automated SSH attacks
  • Cleaner security logs for better threat detection
  • Reduced server load from bot attempts
  • Additional layer of security (defense in depth)
  • Better compliance with security best practices

🔒 Additional Security Recommendations:
  • Enable SSH key authentication and disable passwords
  • Install Fail2Ban for intrusion prevention
  • Limit SSH access to specific IP addresses
  • Use strong, unique passwords if password auth is needed
  • Regularly review SSH logs: /var/log/secure or /var/log/auth.log
  • Keep your backup: /etc/ssh/sshd_config.backup-*
