Step 1: Connect to your server through SSH
Before you begin, you need to SSH to your Linux machine through SSH. You should have your server IP address, username and password. If you are connecting from Windows, download PuTTY. Also the basic command of connecting through another Linux machine has the following syntax:
- $ ssh -p 22 username@198.18.0.6
Remember to change the username and IP address. The user in this case must have sudo privileges
Step 2: Choosing a new SSH port
ICAAN (Internet Corporation for Assigned Names and Numbers) is an organisation that controls namespaces and numerical spaces of the internet to ensure its stable and secure operation.
ICAAN classifies ports in two three categories:
- System/well known ports: 0-1023
- User or registered ports: 1024-49151
- Dynamic/private ports: 49152-65535
To prevent mis-configuring your server, you should choose a port from the dynamic/private ports range (e.g. 49160, 53425, 64342 and so on).
Step 3: Changing the default SSH port
To change the default port the SSHD daemon is listening on. We can edit the configuration file using a nano editor:
- $ sudo nano /etc/ssh/sshd_config
Then look for the line below:
- # Port 22
First comment the line by removing the pound sign before the line. Then, enter your preferred port on the right side.
- Port 58342
To avoid completely locking yourself from your system, you should whitelist the port that you have specified above on your firewall.
Step 4: Restart SSH
Once you make a change to the SSHD daemon configuration file, you should restart the services to reload the new changes.
- $ sudo service sshd restart
Step 5: Test the changes
Before you log out from your current SSH session, try connecting to your server again. But this time, use the new SSH port that you have specified above. Opening a new session prior to closing the original one ensures that you don’t completely lock yourself from your Linux server in case there are complex IP table rules preventing direct access to your server via the new SSH port.
Step 6: Other considerations
Like we said above, changing the default SSH port will not keep hackers and malicious users from the system. You should consider additional layers of security to be on the safe side. For instances, choose strong password with a mix of lower case, upper case, numbers and symbols.
Also, if you are connecting from a static IP address, you might consider whitelisting only the IP addresses that you are connecting from. Another great layer of security is disabling password login and only allowing users to log in on your server using authentication key pair.
Conclusion
In this guide, we showed you how to change the default SSH port on your Linux machine. We have also discussed additional steps that you can take to safeguard your server. Remember to use the new private port range to keep your server stable and avoid disrupting running services.
