Learn how to change SSH default port in CentOS 8 to enhance security and reduce unauthorized access attempts. Follow our step-by-step guide to modify SSH settings, update firewall rules, and restart the SSH service safely.
What is SSH?
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. (Courtesy: Wikipedia)
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
SSH is considered the entry point to any Linux-based server, so it is a favorite target for attackers. Since everyone knows that SSH runs on port 22, attackers can attempt different types of attacks on this port.
It is a best practice to change the default SSH port of your server, although doing so does not guarantee that the port cannot be found, because there are many port scanners that can search for and list the open ports on a server. But changing the default SSH port to some other port will make things a little more difficult for the attacker.

Is it safe to change SSH port?
Yes, changing the SSH port from the default port 22 to another port can enhance the security of your server by reducing the risk of automated attacks and port scanning. However, while changing the SSH port is a helpful security measure, it should not be relied upon as the sole method of securing your SSH service. Here are some considerations for safely changing the SSH port:
Benefits of Changing the SSH Port
- Reduced Visibility to Attackers: Automated bots and scripts typically scan the default port 22 for vulnerabilities. Changing the port makes your SSH service less visible to these automated attacks.
- Additional Layer of Security: Though not a substitute for robust security practices, changing the port can add an extra layer of security by obscurity.

Check Status of SSH Service
Verify the current status of the SSH service by using the systemctl command.
# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1564 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on 0.0.0.0 port 22.
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on :: port 22.
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
You can see that the service is running on the default SSH port number 22.
Change SSH Default Port in CentOS 8
The SSH daemon/service configurations are stored in the /etc/ssh/sshd_config file, which contains various parameters that define how the OpenSSH service operates. This configuration file allows administrators to customize and secure SSH access by modifying settings such as authentication methods, allowed users, and network restrictions.
By default, the SSH configuration file does not explicitly define a Port directive. Instead, the SSH service listens on the default port 22 unless specified otherwise. To enhance security and reduce exposure to automated attacks, we can manually add a Port directive in the sshd_config file to specify a custom SSH port.
To modify the configuration, we can use the echo command or a text editor like nano or vi to append the Port directive with a preferred port number. Once the changes are made, restarting the SSH service ensures that the new settings take effect.
# echo "Port 2222" >> /etc/ssh/sshd_config
This one-shot setting is quite enough to change the default SSH port number.
Configure SELinux to Allow SSH custom Port
The default SELinux configuration does not allow any service to run on a non-default port. Therefore, we have to configure SELinux to allow SSH to use port 2222/tcp.
We need the semanage command to configure SELinux settings. On a minimal installation of CentOS 8 it is not available, so install the policycoreutils-python-utils package to get the semanage command.
Then use the semanage command to add port 2222/tcp to the type ssh_port_t.
# semanage port -a -t ssh_port_t -p tcp 2222
Configure Firewall to Allow SSH custom Port
List the allowed ports and services in the Linux firewall.
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The SSH service is allowed by default in most Linux distributions, including CentOS / RHEL 8.
Now, we need to block this ssh service and allow our new SSH port in the Linux firewall.
# firewall-cmd --permanent --remove-service=ssh
success
# firewall-cmd --permanent --add-port=2222/tcp
success
# firewall-cmd --reload
success
Restart SSH Service
Restart the SSH service to apply the changes that we have made in the sshd_config file.
# systemctl restart sshd.service
Verify the status of the SSH service.
# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 10376 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Stopped OpenSSH server daemon.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on 0.0.0.0 port 2222.
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on :: port 2222.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
You can see that the service is now running on the non-default port 2222 instead of the default SSH port number 22.
Access SSH Service using custom Port
Try to access the SSH service using the ssh and sftp commands on the default SSH port.
# ssh root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
# sftp root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
Connection closed.
Connection closed
This confirms that the Linux firewall is not allowing traffic through port 22.
Now, access the SSH service by using the ssh command on the non-default SSH port.
# ssh root@centos-8.centlinux.com -p 2222
The authenticity of host '[centos-8.centlinux.com]:2222 ([192.168.116.206]:2222)' can't be established.
ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[centos-8.centlinux.com]:2222,[192.168.116.206]:2222' (ECDSA) to the list of known hosts.
root@centos-8.centlinux.com's password:
Last login: Sat Aug 8 17:59:01 2020
#
Similarly, for sftp.
# sftp -P 2222 root@centos-8.centlinux.com
root@centos-8.centlinux.com's password:
Connected to root@centos-8.centlinux.com.
sftp>
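The echo append used in the configuration step adds another Port line every time it is run, leaves any existing uncommented Port line active (sshd listens on every Port it finds), and, if the file ends with a Match block, lands inside it, where sshd rejects Port. As an added example (not from the original guide), the hypothetical helper set_sshd_port below rewrites the file idempotently; the 1024-65535 check follows the range recommended in the FAQ.

```bash
#!/usr/bin/env bash
# Added example: set_sshd_port is a hypothetical helper, not part of OpenSSH.

# set_sshd_port FILE PORT
# Leave exactly one global "Port PORT" line in FILE, placed before the first
# Match block (sshd does not accept Port inside a Match block).
set_sshd_port() {
    local file=$1 port=$2 tmp rc
    # Accept only 1-5 digit integers in 1024..65535 (range recommended in the FAQ).
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        # Keywords are case-insensitive. "#Port 22" has $1 == "#Port", so
        # commented-out lines are left alone.
        tolower($1) == "match" && !done { print "Port " port; done = 1 }
        tolower($1) == "port"  && !done { next }  # drop old global Port lines
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    # cat (not mv) keeps the original file's owner, mode and SELinux label.
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Typical use on the server, as root, before the restart step:
#   set_sshd_port /etc/ssh/sshd_config 2222
#   sshd -t && systemctl restart sshd.service   # sshd -t checks the config
#   sshd -T | grep -i '^port'                   # print the effective Port value(s)
```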
Conclusion
Changing the default SSH port in CentOS 8 is a simple yet effective security measure to reduce unauthorized login attempts and brute-force attacks. By modifying the SSH configuration file, updating firewall rules, and restarting the SSH service, you can enhance server security while maintaining remote accessibility.
Always ensure that the new port is properly configured and accessible before closing your existing SSH session to avoid being locked out.
FAQs
Why should I change the default SSH port in CentOS 8?
Changing the default SSH port (22) helps reduce unauthorized access attempts and brute-force attacks by making your server less visible to automated scanners.
How do I change the SSH port in CentOS 8?
To change the SSH port, you need to modify the SSH configuration file, update the firewall rules, and restart the SSH service. This ensures that SSH connections are established on the new port while maintaining security and accessibility.
What are the best practices for choosing a new SSH port?
It is recommended to choose a port number between 1024 and 65535 to avoid conflicts with well-known services. Additionally, documenting the change and ensuring firewall rules are updated is essential for seamless access.
What security measures should be taken after changing the SSH port?
After changing the port, ensure that the new port is open in the firewall, disable root login, and enable key-based authentication to enhance security. Regularly monitor SSH logs for any suspicious activity.
How can I verify that the new SSH port is working properly?
You can check if the SSH service is listening on the new port by reviewing the SSH daemon status and logs. Testing the connection from a remote client using the updated port ensures that the configuration change is successful.
One response to “Change SSH Default Port in CentOS 8”
thanks