How to Change the SSH Port in Linux


By default, SSH listens on port 22. Changing the default SSH port adds an extra layer of security to your server by reducing the risk of automated attacks.

This tutorial explains how to change the default SSH port in Linux. We will also show you how to configure your firewall to allow access to the new SSH port.

Info
The best way to protect your server from attacks is to configure your firewall to allow access to port 22 only from trusted hosts and set up SSH key-based authentication.

Quick Reference

For a printable quick reference, see the SSH cheatsheet.

Step                 Command
Open firewall port   sudo ufw allow 5522/tcp
Edit SSH config      sudo vim /etc/ssh/sshd_config
Set new port         Port 5522
Restart SSH          sudo systemctl restart ssh
Verify listening     ss -tlnp
Connect to new port  ssh -p 5522 user@host

Changing the SSH Port

Changing the SSH port of a Linux server is a simple task. All you need to do is to edit the SSH configuration file and restart the service.

The following sections explain how to change the SSH Port on a Linux system.

1. Choosing a New Port Number

In Linux, port numbers below 1024 are reserved for well-known services and can only be bound by root. Although you can use a port in the 1-1024 range for the SSH service, it is recommended to choose a port above 1024 to avoid issues with port allocation in the future.

In this example, we will change the SSH port to 5522. You can choose any port you want.

2. Adjusting Firewall

Before changing the SSH port, you will need to adjust your firewall to allow traffic on the new SSH port.

If you are using UFW, the default firewall configuration tool for Ubuntu, run the following command to open the new SSH port:

Terminal
sudo ufw allow 5522/tcp

In CentOS, the default firewall management tool is FirewallD. To open the new port run:

Terminal
sudo firewall-cmd --permanent --zone=public --add-port=5522/tcp
sudo firewall-cmd --reload

CentOS users also need to adjust the SELinux rules:

Terminal
sudo semanage port -a -t ssh_port_t -p tcp 5522

On RHEL, Fedora, and derivatives where semanage is not available, install it with:

Terminal
sudo dnf install policycoreutils-python-utils

If you are using nftables, add a rule to accept the new port:

Terminal
sudo nft add rule inet filter input tcp dport 5522 accept

If you are using iptables as your firewall, to open the new port, run:

Terminal
sudo iptables -A INPUT -p tcp --dport 5522 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

3. Configuring SSH

Open the SSH configuration file /etc/ssh/sshd_config with your text editor:

Terminal
sudo vim /etc/ssh/sshd_config

Search for the line starting with Port 22. In most cases, this line starts with a hash (#) character. Remove the hash # and enter the new SSH port number:

/etc/ssh/sshd_config
Port 5522

Be extra careful when modifying the SSH configuration file. An incorrect configuration may cause the SSH service to fail to start.

On Ubuntu 22.10 and later, including 24.04, OpenSSH may be started through ssh.socket. In that case, changing Port in sshd_config is not enough because the socket can still listen on port 22. Check whether socket activation is enabled:

Terminal
systemctl is-active ssh.socket

If the output is active, create a drop-in to override the listening port:

Terminal
sudo systemctl edit ssh.socket

Add the following, clearing the existing listeners with an empty ListenStream= before setting the new one:

/etc/systemd/system/ssh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=5522

Reload systemd and restart the socket:

Terminal
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket

Once done, apply the changes. If ssh.socket is not active, restart the SSH service:

Terminal
sudo systemctl restart ssh

In CentOS the ssh service is named sshd:

Terminal
sudo systemctl restart sshd

To verify that the SSH daemon is listening on the new port 5522, use ss:

Terminal
ss -an | grep 5522

The output should look something like this:

output
tcp   LISTEN      0        128            0.0.0.0:5522           0.0.0.0:*
tcp   ESTAB       0        0      192.168.121.108:5522     192.168.121.1:57638
tcp   LISTEN      0        128               [::]:5522              [::]:*
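
A plain grep for 5522 also matches established connections and longer port numbers such as 55220. The following added example (not part of the original tutorial; listening_on and ssh_port_moved are hypothetical helper names) parses ss output, reports only sockets in LISTEN state on exactly the new port, and flags the case where port 22 is still open, as can happen with ssh.socket:

```sh
#!/bin/sh
# Added example: listening_on and ssh_port_moved are hypothetical helper names.

# listening_on PORT: read ss output on stdin and print every local address
# that is in LISTEN state on exactly PORT. Works with or without the leading
# Netid column ("ss -an" prints it, "ss -tln" does not).
listening_on() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) if ($i == "LISTEN") break
            if (i > NF) next                 # not a listening socket
            addr = $(i + 3)                  # State Recv-Q Send-Q Local
            n = split(addr, part, ":")
            if (part[n] == port) print addr  # exact match on the port field
        }'
}

# ssh_port_moved NEW [OLD]: returns 0 if NEW is listening and OLD is closed,
# 1 if NEW is not listening, 3 if OLD (default 22) is still listening.
ssh_port_moved() {
    pm_out=$(cat)
    [ -n "$(printf '%s\n' "$pm_out" | listening_on "$1")" ] || return 1
    [ -z "$(printf '%s\n' "$pm_out" | listening_on "${2:-22}")" ] || return 3
    return 0
}

# Constructed sample: the tutorial's output plus two lines that a plain
# "grep 5522" would also match (port 55220, and 5522 as a peer port).
SAMPLE_SS='tcp   LISTEN  0  128          0.0.0.0:5522         0.0.0.0:*
tcp   ESTAB   0  0    192.168.121.108:5522   192.168.121.1:57638
tcp   LISTEN  0  128             [::]:5522            [::]:*
tcp   LISTEN  0  128        127.0.0.1:55220         0.0.0.0:*
tcp   ESTAB   0  0    192.168.121.108:40112   192.168.121.9:5522'

# On a live host: ss -tln | ssh_port_moved 5522
```

A return code of 3 means the new port is open but the old one has not been closed, so the listener on port 22 is still reachable.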

Using the New SSH Port

To specify the port, invoke the ssh command followed by the -p <port_number> option:

Terminal
ssh -p 5522 username@remote_host_or_ip

If you are regularly connecting to multiple systems, you can simplify your workflow by defining all of your connections in the SSH config file.

Troubleshooting

Connection refused after changing the port
Confirm the SSH daemon is listening on the new port with ss -tlnp | grep sshd. If the output still shows port 22, the daemon did not pick up the change. On Ubuntu 22.10 and later check socket activation; otherwise restart with sudo systemctl restart sshd.

Error: Permission denied or SELinux blocks the new port
SELinux only allows SSH on ports defined in the ssh_port_t type. Run sudo semanage port -a -t ssh_port_t -p tcp 5522. Confirm with sudo semanage port -l | grep ssh.

Firewall rule not persisted after reboot
UFW and FirewallD persist rules by default. With plain iptables, save the rules with sudo sh -c 'iptables-save > /etc/iptables/rules.v4' (the redirection must run as root, so it is wrapped in sh -c) or use the iptables-persistent package.

Cannot connect after editing sshd_config
Test the config syntax before restarting: sudo sshd -t. Keep an existing SSH session open while testing changes so that a fresh session can be opened from another terminal to verify.
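
One way to combine the edit and the syntax test so that a bad change never reaches the live file, as an added example that is not part of the original tutorial. The names set_ssh_port and SSHD_CHECK are hypothetical; the validator defaults to sshd -t -f, which needs root on a real host:

```sh
#!/bin/sh
# Added example: set_ssh_port and SSHD_CHECK are hypothetical names.
# SSHD_CHECK is the validator command; the candidate file path is appended.
SSHD_CHECK=${SSHD_CHECK:-"sshd -t -f"}

# Usage: set_ssh_port /etc/ssh/sshd_config 5522   (run as root on a real host)
set_ssh_port() {
    sp_conf=$1
    sp_port=$2
    # Accept only a numeric port above 1024, as the tutorial recommends.
    case $sp_port in
        ''|*[!0-9]*) echo "invalid port: $sp_port" >&2; return 2 ;;
    esac
    if [ "$sp_port" -le 1024 ] || [ "$sp_port" -gt 65535 ]; then
        echo "port out of range: $sp_port" >&2
        return 2
    fi
    sp_tmp=$(mktemp "${sp_conf}.XXXXXX") || return 1
    # Rewrite the first "Port N" line (commented or active) and drop any other
    # active Port lines. If the file has none, emit the directive first so it
    # cannot end up inside a Match block.
    awk -v p="$sp_port" '
        /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { out[++n] = "Port " p; done = 1; next }
            if ($0 !~ /^[ \t]*#/) next
        }
        { out[++n] = $0 }
        END {
            if (!done) print "Port " p
            for (i = 1; i <= n; i++) print out[i]
        }' "$sp_conf" > "$sp_tmp"
    # Validate the candidate; on failure the live file is left untouched.
    if ! $SSHD_CHECK "$sp_tmp"; then
        echo "validation failed, $sp_conf unchanged" >&2
        rm -f "$sp_tmp"
        return 1
    fi
    # Keep a backup, then overwrite in place to preserve owner and mode.
    cp -p "$sp_conf" "${sp_conf}.bak" &&
        cat "$sp_tmp" > "$sp_conf"
    sp_rc=$?
    rm -f "$sp_tmp"
    return "$sp_rc"
}
```

The function only rewrites the file. Restarting the service or socket and opening the firewall port remain separate steps, and the existing SSH session should stay open until a new connection on the new port succeeds.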

Conclusion

You have changed the default SSH port on a Linux server and adjusted the firewall to allow traffic on the new port. For a stronger layer of security, also set up SSH key-based authentication and restrict SSH access to trusted IPs in your firewall.


About the authors

Dejan Panovski

Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
