Servers are often attacked by automated bots. In the case of Linux servers, they try (in almost all cases) to penetrate as root users via SSH port 22 by means of brute force attacks.
In this article, we show you how to change your SSH port. Changing your SSH port is a form of 'security through obscurity'; you make your VPS (partially) untraceable for most of the attacking bots. An additional advantage is that your log files remain more organized and you get a clearer picture when your VPS is attacked.
Follow the steps in this article as a user with root privileges
Connect to your VPS via the VPS console. If you connect via SSH, your connection will disconnect while you process the changes.
Check your ports used with the command:
netstat -tulpn | less
An overview as shown in the screenshot below appears. In this overview, the port numbers are the numbers in the row 'Local Address' behind the colon.
Choose a random port number between 0 and 65535 that is not shown in the overview (for example 47592) and press 'q' to stop netstat.
Open the SSH configuration file with the command below. You can also use vim for this.
The configuration file opens, and, amongst other things, you will see the code below.
# If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::
Uncomment / delete the # in front of '#Port 22' and change the number to the number you chose under step 2, for example:
Save the file and close the file by pressing ctrl + x> y> enter.
Add the chosen port to your firewall and connect port 22 to your firewall. Below, we have examples of some commonly used firewalls. Replace 47592 with the port number you selected in step 2.
firewall-cmd --permanent --zone=public --add-port=47592/tcp firewall-cmd --permanent --zone=public --remove-port=22/tcp firewall-cmd --reload
iptables -A INPUT -p tcp --dport 47592 -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j DROP
Depending on your OS, use one of the commands below to make the change permanent.
service iptables save
ufw allow 47592/tcp ufw deny 22/tcp
Debian is switching to nftables instead of iptables. Since most Debian users use ufw or iptables and nftables is a lot more complicated than these solutions, it now falls outside the scope of this manual. We will include a separate article on the use of nftables in our knowledge base in the future.
Finally, restart SSH with the command below.
systemctl restart sshd
Optional: Step 8 - Selinux
Do you use Selinux (you can check if you do using the command 'sestatus')? Add the selected port to Selinux as well:
semanage port -a -t ssh_port_t -p tcp
Are you getting an error that the semanage command cannot be found? Install the required package using:
yum install policycoreutils-python
Your SSH port has now been changed and your SSH connection can no longer be easily attacked by automated bots!
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.
If you want to discuss this article with other users, please leave a message under 'Comments'.