This guide shows you how to run the SSH server on a custom port.

By default, the SSH server runs on port 22. This port is often scanned by malicious bots that try to find exploits to gain unauthorised access to your server. To make this a bit harder and enhance the security of your server, it is recommended to run the SSH server on a different port. We'll use port 33000 as an example only, but since this is also often used as an SSH port, we recommend choosing a different, less common port.

Note: The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet Protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should also be avoided. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Although you are free to use reserved port numbers, our suggestion is to check whether the port may conflict with any common or installed services/software to avoid technical issues. You can use the SG TCP/IP Ports Database (speedguide.net) to check the port before using it.

Open Custom SSH Port on the Firewall

Before we change the SSH port, we must ensure that the new port is reachable by opening it on the firewall.

On servers running firewalld:

firewall-cmd --add-port=33000/tcp --permanent
firewall-cmd --reload

On servers running iptables:

iptables -A INPUT -p tcp --dport 33000 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 33000 -m conntrack --ctstate ESTABLISHED -j ACCEPT

On servers running a different firewall, please check the documentation.

Allow SSH Port on SELinux

If your server has SELinux enabled (it is often disabled, especially on cPanel servers), add the custom port to the list of ports SELinux allows for SSH:

semanage port -a -t ssh_port_t -p tcp 33000

Edit the SSH Configuration File

Use nano or your preferred text editor to define the custom SSH port:

nano /etc/ssh/sshd_config

Look for the Port parameter and change it from 22 to your chosen port number.

Restart the SSH Server and Reconnect

The final step is to apply all changes by restarting the SSH server. You should ensure that you have alternative methods to access the server (e.g., remote console, rescue mode) in case the SSH server becomes inaccessible.

systemctl restart sshd

You should now close your current SSH session, then connect again through the defined custom SSH port:

ssh username@hostname.com -p 33000

You should now be connected to SSH through the custom port.
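
The following is an added example, not part of the original guide: a check to run on the edited configuration file before the restart step. It lists the active Port lines and flags a file that still leaves port 22 enabled. The function names (active_ports, port_range, check_config) and the sample file are constructed for illustration, and the parser assumes the whitespace-separated "Port N" form.

```shell
#!/bin/sh
# Added example: pre-restart check of the Port directive in an sshd_config file.

# Print every active (uncommented) Port value, one per line.
# Keywords are case-insensitive; global options end at the first Match block.
active_ports() {
    awk '
        $1 ~ /^#/              { next }      # skip comments such as "#Port 22"
        tolower($1) == "match" { exit }      # Port is only valid before Match
        tolower($1) == "port"  { print $2 }
    ' "$1"
}

# Classify a port using the IANA ranges quoted in the note above.
port_range() {
    case "$1" in ''|*[!0-9]*) echo invalid; return ;; esac
    if   [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then echo invalid
    elif [ "$1" -ge 49152 ]; then echo dynamic
    elif [ "$1" -ge 1024 ];  then echo registered
    else                          echo well-known
    fi
}

# Return 0 only if at least one port is set, all are valid, and none is 22.
check_config() {
    set -- $(active_ports "$1")              # split the port list into $1, $2, ...
    [ $# -gt 0 ] || { echo "no active Port line: sshd still listens on 22"; return 1; }
    for p in "$@"; do
        r=$(port_range "$p")
        [ "$r" != invalid ] || { echo "invalid port: $p"; return 1; }
        [ "$p" -ne 22 ] || { echo "port 22 is still enabled"; return 1; }
        echo "sshd will listen on $p ($r range)"
    done
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
port 33000
PermitRootLogin no
EOF
check_config "$sample"
rm -f "$sample"
```

On a real server, pass /etc/ssh/sshd_config to check_config. Running sshd -t additionally checks the file's syntax.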

Updated by SP on 23/11/2022