Setup SSH to run on a non-standard port

Posted in: News. Last updated March 18, 2006

By default the OpenSSH server (sshd) listens on TCP port 22. Moving it to another port is useful for a single system on a DSL/ADSL or home internet connection: the automated scanners and brute-force bots that only probe port 22 will no longer find it, and an attacker who wants to locate it has to port-scan the host (or write a script that tries a connection on every port). If port scans are blocked or rate-limited, locating the service takes longer still. Keep in mind that this is obscurity, not authentication: it cuts down log noise and opportunistic attacks, but it does nothing to protect a weak password or an unpatched sshd, so treat it as a supplement to normal hardening (such as disabling root logins, as noted in the comments below) rather than a replacement. It makes your server just a little more difficult to reach.

Open /etc/ssh/sshd_config, find the line Port 22 (on many distributions it ships commented out as #Port 22, which still means 22) and change it to Port 2222 (any unused port will do; 2222 is only an example). Before restarting, open the new port in your firewall and, on systems with SELinux enforcing, register it with semanage port -a -t ssh_port_t -p tcp 2222, otherwise sshd will not be allowed to bind to it. Then restart sshd with your distribution's init script (or systemctl restart sshd on systemd systems), and keep your current session open until you have confirmed that a login on the new port works; with netstat -ltn or ss -ltn you can check that sshd is actually listening on it.
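The port change described above, as an added shell example that is not part of the original post or of OpenSSH itself. It rewrites the Port directive in a copy of sshd_config (handling the active Port 22 line, the commented #Port 22 default, and a file with no Port line at all), validates the port number, and syntax-checks the result before you restart. The function names, the port 2222 and the use of a scratch file instead of /etc/ssh/sshd_config are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): change the Port directive in a
# given sshd_config copy and validate the result. Function names and the port
# number 2222 are assumptions; run against /etc/ssh/sshd_config as root on a
# real host.
set -eu

# set_sshd_port CONFIG PORT
# Rewrites (or adds) the Port directive in CONFIG. Handles an active
# "Port 22" line, the commented default "#Port 22", and a file with no
# Port line at all. Returns non-zero on an invalid port number.
set_sshd_port() {
    cfg=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        # Replace every existing (possibly commented-out) Port line in place;
        # a .bak copy of the original is kept next to the file.
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# get_sshd_port CONFIG
# Prints the effective port: the first uncommented Port directive, or 22
# (sshd's built-in default) when none is set.
get_sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# check_sshd_config CONFIG
# Syntax-checks CONFIG with "sshd -t" (needs root, since sshd reads the host
# keys) when sshd is installed; otherwise only confirms the file is readable.
# Run this BEFORE restarting so a typo cannot lock you out of a remote box.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        [ -r "$1" ]
    fi
}

# Usage on a real host (as root, paths assumed):
#   set_sshd_port /etc/ssh/sshd_config 2222
#   check_sshd_config /etc/ssh/sshd_config && systemctl restart sshd
#   ss -ltn | grep ':2222 '     # confirm sshd is listening on the new port
```

The sed pattern deliberately matches a commented #Port 22 as well as an active Port 22, because a file that only carries the commented default would otherwise end up with the comment untouched and a second, active Port line appended at the end; replacing the commented line keeps the directive where an administrator expects to find it.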

Once sshd listens on a non-standard port, a plain ssh connection attempt (which defaults to port 22) will be refused. Tell the client which port to use with -p:

$ ssh -p 2222 user@server

Where,

  • -p: Port to connect to on the remote host.

scp takes the same option, but spelled with a capital P (in scp, lowercase -p means "preserve file times and modes"):

$ scp -P 2222 user@server:/home/rocky/mp3/abc.mp3 /tmp
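Rather than typing -p and -P every time, the client can record the port in its own ~/.ssh/config, which ssh, scp and sftp all read. The following is an added shell example, not code from the original post or from OpenSSH: it appends a Host stanza for an alias (refusing to duplicate one that already exists, and tightening the file's permissions, since ssh rejects a config that other users can write) and reads the port back out of it. The alias mybox, the host name server.example.com, the user rocky and the use of a scratch file in place of ~/.ssh/config are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): keep the non-standard port in the
# client's ssh config so ssh, scp and sftp pick it up automatically. The alias,
# host name, user and config path below are placeholders.
set -eu

# add_ssh_host CONFIG ALIAS HOSTNAME PORT USER
# Appends a Host stanza to CONFIG unless one for ALIAS already exists, so
# repeated runs do not duplicate it. Returns 2 when the alias is taken.
add_ssh_host() {
    cfg=$1; alias=$2; host=$3; port=$4; user=$5
    touch "$cfg"
    # ssh refuses to use a config file that is writable by other users.
    chmod 600 "$cfg"
    if grep -Eq "^[[:space:]]*Host[[:space:]]+$alias([[:space:]]|$)" "$cfg"; then
        echo "alias $alias already defined in $cfg" >&2
        return 2
    fi
    printf '\nHost %s\n    HostName %s\n    Port %s\n    User %s\n' \
        "$alias" "$host" "$port" "$user" >> "$cfg"
}

# ssh_port_for CONFIG ALIAS
# Prints the Port from the stanza for ALIAS, or 22 when the stanza has no
# Port line (ssh's default). A stanza ends where the next Host line begins.
ssh_port_for() {
    awk -v a="$2" '
        $1 == "Host" { in_block = ($2 == a) }
        in_block && $1 == "Port" { print $2; found = 1; exit }
        END { if (!found) print 22 }' "$1"
}

# Usage on a real client (paths assumed):
#   add_ssh_host ~/.ssh/config mybox server.example.com 2222 rocky
#   ssh mybox                                  # no -p needed
#   scp mybox:/home/rocky/mp3/abc.mp3 /tmp     # no -P needed
#   ssh -G mybox | grep '^port '               # show what ssh resolved
```

With the stanza in place, ssh mybox and scp mybox:... use port 2222 and user rocky without any options; ssh -G mybox prints the fully resolved configuration if you want to confirm what the client will actually do.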

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

4 comments

  1. Another *very important* thing you should do is to not allow ‘root’ login to SSH. Thus you have to login as a normal user and then ‘su – root’ over if you need root access. This closes yet another avenue for an attacker to enter.

    Same file as mentioned above, just make sure this line is out:

    PermitRootLogin no

    Restart SSHd, all set. After that, login like this:

    ssh -l USER -p PORT HOSTNAME

    fak3r

  2. @fak3r: Good point. We’re already set up that way. The fact that if you’re already vulnerable to being brute forced on standard SSH port 22 would make you even more vulnerable to actually being cracked if you even allowed root login like that. Then, the attacker would have better chances on your server (if you allowed it) by simply trying just “root”.

