Changing the default SSH port on a Linux system is often done as a security measure. The primary reason for changing the SSH port is to make it more difficult for attackers to find and target your SSH service, thereby enhancing the security of your server. Here are a few reasons why changing the SSH port is considered a security best practice:
- Reducing Automated Attacks: Attackers often use automated scripts to scan a large range of IP addresses for open ports, including the default SSH port (port 22). By changing the SSH port to a non-standard number, you can reduce the visibility of your SSH service and decrease the likelihood of being a target of these automated scanning attacks.
- Defense Against Brute Force Attacks: Changing the SSH port can thwart many brute force attacks, where attackers attempt to guess usernames and passwords. When the SSH port is changed, attackers would need to know both the IP address and the custom port to even attempt a brute force attack.
- Security through Obscurity: While security through obscurity is not a foolproof strategy, changing the SSH port is a simple step that adds an extra layer of obscurity. This means that even if an attacker discovers the custom port, they still need to bypass authentication to gain access.
- Mitigation of Port-Based Attacks: Some attackers specifically target well-known ports like 22 for attacks. Changing the SSH port can mitigate such attacks, as attackers might not immediately know the new port to target.
However, it’s important to note that changing the SSH port is just one part of a comprehensive security strategy. It should not be the only security measure you rely on. Other best practices for securing your server include:
- Using Strong Passwords or SSH Keys: Ensure that you use strong, complex passwords or SSH keys for authentication.
- Regularly Updating Software: Keep your operating system, SSH daemon, and other software up to date to patch security vulnerabilities.
- Configuring a Firewall: Utilize a firewall to restrict incoming and outgoing traffic and allow only necessary services.
- Implementing Intrusion Detection/Prevention Systems: Set up tools that monitor for unusual or malicious activity and take action to prevent attacks.
- Enabling Two-Factor Authentication (2FA): If possible, enable 2FA for SSH logins to add an extra layer of authentication security.
- Monitoring Logs: Regularly monitor system and SSH logs for any suspicious activities.
While changing the SSH port can add an extra layer of security, it’s important to remember that determined attackers can still find the new port and attempt to breach your system. Therefore, it’s crucial to implement a well-rounded security strategy that covers various aspects of server protection.
1. Changing SSH Port:
Edit the SSH configuration file to change the port number:
sudo nano /etc/ssh/sshd_config
Look for the line that says Port 22 and change it to your desired port number (e.g., 2222). If the line is commented out (#Port 22), remove the leading # as well.
Port 2222
Save the file and exit the text editor.
Restart the SSH service:
sudo systemctl restart sshd
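The edit in step 1 can be staged in a copy of the file and checked before the restart. The script below is an added example, not part of the original article: the function names effective_ports and set_port and the sample file contents are constructed for illustration. It assumes whitespace-separated directives and does not follow Include files.

```sh
#!/bin/sh
# Added example (not from the original article); function names are illustrative.

# Print the port(s) sshd would listen on per the file's global section.
# Commented lines are ignored; with no Port directive sshd defaults to 22.
effective_ports() {
  awk 'tolower($1) == "match" { exit }
       tolower($1) == "port"  { print $2; found = 1 }
       END { if (!found) print 22 }' "$1"
}

# set_port SRC PORT DST: write a copy of SRC to DST with exactly one active
# "Port PORT" line, placed before any Match block. Commented lines are kept.
set_port() {
  case $2 in ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;; esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "invalid port: $2" >&2; return 1; }
  awk -v p="$2" '
    tolower($1) == "match" && !done { print "Port " p; done = 1 }
    tolower($1) == "match"          { inmatch = 1 }
    tolower($1) == "port" && !inmatch { if (!done) print "Port " p; done = 1; next }
    { print }
    END { if (!done) print "Port " p }' "$1" > "$3"
}

# Constructed sample: commented default, an active Port line, a Match block.
sample=$(mktemp) && staged=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22' 'PermitRootLogin no' \
  'Match User backup' '    PasswordAuthentication no' > "$sample"
set_port "$sample" 2222 "$staged" && effective_ports "$staged"   # prints 2222

# On a real host, stage a copy of /etc/ssh/sshd_config the same way, then:
#   sudo sshd -t -f "$staged"   # syntax check; exits non-zero on errors
# Install and restart only if the check passes, and keep the current SSH
# session open until a second session connects on the new port.
```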
2. Open port on firewall
After changing the port, you need to open it on the firewall. If it’s not open, connections to the new port will be blocked and you won’t be able to SSH into the server anymore.
2.1. Configuring Firewalld:
Allow the new SSH port in Firewalld:
sudo firewall-cmd --add-port=2222/tcp --permanent # Replace 2222 with your chosen port
sudo firewall-cmd --reload
2.2. Configuring UFW (Uncomplicated Firewall):
Allow the new SSH port in UFW:
sudo ufw allow 2222/tcp # Replace 2222 with your chosen port
2.3. Configuring iptables:
Add a rule to allow the new SSH port in iptables:
sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT # Replace 2222 with your chosen port
Save the iptables rules:
sudo service iptables save
2.4. Configuring CSF (ConfigServer Security & Firewall):
Edit CSF configuration to allow the new SSH port:
sudo nano /etc/csf/csf.conf
Find the TCP_IN line and add your chosen SSH port (e.g., 2222) to the list of ports.
Save the file and exit the text editor.
Restart CSF:
sudo csf -r
Please note that when you change the SSH port, you’ll need to specify the new port whenever you connect to the server via SSH, like:
ssh user@server_ip -p 2222
Before making any changes to your server’s firewall settings, ensure you have an alternative way to access your server (such as a console or physical access), as incorrect configuration can lead to loss of remote access. Always exercise caution and ensure you understand the implications of the changes you’re making.