How to change the SSH server port

Running the SSH service on a non-default port reduces noise from automated scans and helps keep remote administration available when port 22 is filtered. Selecting an alternate port allows continued access through firewalls that block the default SSH port while still using the same authentication methods and keys.

The OpenSSH daemon sshd listens on the TCP port configured by the Port directive in /etc/ssh/sshd_config. After changing this directive and restarting sshd, the service begins accepting connections on the new port while leaving other settings such as host keys, ciphers, and user accounts unchanged.

Firewall rules and SELinux policies must allow traffic to the selected port or connection attempts will be dropped before reaching sshd. The chosen port must not be in use by another service, and configuration changes on systems without console access should be validated carefully to avoid lockouts after the daemon restarts.

Steps to change SSH server port:

Open a terminal session on the server with access to sudo privileges.
Check that the chosen port number is not already in use by another service.
```
$ ss -tlnp | grep 2022
$
```
Edit the /etc/ssh/sshd_config file with a text editor running as root.
```
$ sudo vi /etc/ssh/sshd_config
```
Any preferred text editor such as vi, nano, or vim can be used to modify /etc/ssh/sshd_config.
Locate the Port directive and set it to the desired port number, ensuring the line is not commented.
```
Port 2022
```
Leaving the original commented Port 22 line in place while adding another Port directive can cause confusion about which port is active and may leave sshd listening on an unintended port.
Validate the sshd configuration syntax before restarting the service.
```
$ sudo sshd -t
```
No output from sshd -t indicates that the configuration syntax is valid.

Related: How to check and validate SSH server's configuration
Allow the new SSH port through the Ubuntu uncomplicated firewall ufw when it is enabled.
```
$ sudo ufw allow 2022/tcp
Rule added
Rule added (v6)
```
On CentOS or Red Hat systems with firewalld, use sudo firewall-cmd --add-port=2022/tcp --permanent && sudo firewall-cmd --reload to open the port.
Configure SELinux to permit SSH connections on the new port when SELinux is in enforcing mode.
```
$ sudo semanage port -a -t ssh_port_t -p tcp 2022
```
If semanage is unavailable on CentOS or Red Hat, install the tools with sudo yum install --assumeyes policycoreutils-python; if the port is already defined, replace -a with -m to modify the existing entry.
Restart the sshd service so the daemon begins listening on the new port.
```
$ sudo systemctl restart sshd
```
Related: [DRAFT] How to manage the SSH server service with systemctl in Linux
Remove firewall rules for the old port only after confirming successful access on the new port.
```
$ sudo ufw delete allow 22/tcp
```
Deleting rules for port 22 before verifying connectivity on the new port can lock remote sessions out of the server if the new configuration is not reachable.

Verify that the SSH service is listening on the configured port.

$ ss -tlnp | grep 2022
LISTEN     0      128          *:2022                     *:*
LISTEN     0      128         :::2022                    :::*

Test remote access using the new port from a client system.

$ ssh -p 2022 user@example.com
Welcome to Ubuntu 22.04 LTS
##### snipped #####

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.