Changing the SSH server port moves new remote logins away from the default TCP port 22. The change can reduce background scan noise or satisfy a network rule, but it also changes the endpoint every client, firewall rule, and monitoring check must use.
OpenSSH reads the listener port from the Port directive in /etc/ssh/sshd_config and any included server drop-in files. A single active Port 2222 line makes sshd listen on TCP 2222 instead of the default port when no other active Port line remains.
Keep an existing session or console open until a new login succeeds on the alternate port. Open the firewall, cloud security group, and any SELinux policy for the new port before restarting the listener, and refresh socket-activated systemd hosts so the socket unit uses the edited OpenSSH configuration.
Steps to change OpenSSH server port:
- Open a terminal on the SSH server with an account that can use sudo.
Keep the existing remote session open until a separate login on the new port works.
- Check that the alternate TCP port is not already listening locally.
$ sudo ss --tcp --listen --numeric --processes 'sport = :2222'
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
A header with no LISTEN row means no local service is using TCP 2222.
- Edit the SSH daemon configuration file.
$ sudoedit /etc/ssh/sshd_config
Use the site-owned drop-in under /etc/ssh/sshd_config.d/ instead when configuration management stores local listener settings there.
- Set the active Port directive to the chosen port.
/etc/ssh/sshd_config:
Port 2222
Do not leave another uncommented Port line unless sshd should listen on multiple ports. A commented #Port 22 line is ignored.
- Test the SSH daemon configuration.
$ sudo sshd -t
No output means the active configuration parsed successfully and the configured host keys passed the sanity check.
Related: How to test SSH server configuration
- Allow the new port through UFW when UFW manages the host firewall.
$ sudo ufw allow 2222/tcp
Rules updated
Rules updated (v6)
Use the firewall manager or cloud security group that actually controls inbound access. On SELinux-enforcing hosts, label the new port for sshd before restarting the listener.
- Refresh systemd-generated unit data before restarting a socket-activated SSH listener.
$ sudo systemctl daemon-reload
Recent Ubuntu OpenSSH packages can derive ssh.socket listeners from /etc/ssh/sshd_config, so refresh systemd after changing the Port directive.
- Restart the SSH socket or service that owns the listener.
$ sudo systemctl restart ssh.socket
Use sshd.socket if that is the socket unit. On hosts without socket activation, restart the service unit instead, such as sudo systemctl restart ssh or sudo systemctl restart sshd.
Related: How to manage the SSH server service with systemctl
- Confirm that sshd is listening on the new port.
$ sudo ss --tcp --listen --numeric --processes 'sport = :2222'
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=1842,fd=6))
LISTEN 0 128 [::]:2222 [::]:* users:(("sshd",pid=1842,fd=7))
If the listener still appears only on port 22, check for a socket override under /etc/systemd/system/ssh.socket.d/ or a firewall policy that still points clients to the old port.
- Test a new login from a separate client session.
$ ssh -p 2222 user@host.example.net 'echo SSH port reached'
SSH port reached
Omit the remote command to open an interactive shell.
Related: How to connect to an SSH server on a different port
- Remove the old UFW allow rule only after the new login works.
$ sudo ufw delete allow 22/tcp
Rule deleted
Rule deleted (v6)
Do not close port 22 in host, cloud, or network firewalls until the alternate-port login has been tested from the access path operators actually use.
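The Port step warns against leaving a second uncommented Port line in the main file or a drop-in. The script below is an added example, not part of the original page, that lists every active Port directive in the files it is given and fails unless the expected port is the only one. The helper names active_ports and only_port and the sample files are hypothetical, and the script reads only the files passed to it rather than following Include directives.

```shell
#!/bin/sh
# Added example (not from the original page): list active Port directives.
# active_ports and only_port are hypothetical helper names.

# Print "file:port" for every uncommented Port line in the given files.
# sshd keywords are case-insensitive; "Port 2222" and "Port=2222" both count.
active_ports() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
            {
                line = $0
                sub(/[ \t]*=[ \t]*/, " ", line)    # treat "=" as a separator
                n = split(line, part, " ")
                if (n >= 2 && tolower(part[1]) == "port")
                    print file ":" part[2]
            }' "$f"
    done
}

# Succeed only when the expected port is the sole active Port value.
# No active Port line at all also fails, because sshd would then use 22.
only_port() {
    want=$1
    shift
    found=$(active_ports "$@" | sed 's/.*://' | sort -u | tr '\n' ' ')
    [ "$found" = "$want " ]
}

# Constructed sample: the main file is edited correctly, but a drop-in
# still carries an active "port 22" line.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf '#Port 22\nPort 2222\nPermitRootLogin no\n' > "$d/sshd_config"
    printf 'port 22\n' > "$d/sshd_config.d/50-legacy.conf"
    active_ports "$d/sshd_config" "$d"/sshd_config.d/*.conf
    only_port 2222 "$d/sshd_config" "$d"/sshd_config.d/*.conf ||
        echo "WARNING: extra or missing Port line; sshd will not listen only on 2222"
    rm -rf "$d"
}
demo
```

On a real host, pass /etc/ssh/sshd_config and the files under /etc/ssh/sshd_config.d/ to only_port before restarting the listener. Running sudo sshd -T prints the effective configuration, including its port lines, and is the authoritative view of what sshd will use.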
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.