How to Change the SFTP Port

SFTP (SSH File Transfer Protocol) is a secure file protocol for transferring files between two hosts over an encrypted connection. It also allows you to perform various file operations on remote files and to resume file transfers.

SFTP can be used as a replacement for the legacy FTP protocol. It has all the functionality of FTP but with a more secure connection.

This article explains how to change the default SFTP port in Linux. We will also show you how to configure your firewall to allow traffic on the new port.

Don’t confuse SFTP with FTPS. Both protocols serve the same purpose. However, FTPS stands for FTP Secure, and it is an extension to the standard FTP protocol with support for TLS.

What Port Does SFTP Use

SFTP is a subsystem of SSH and provides the same level of security as SSH.

The default SFTP port is 22.

Changing the SFTP Port

Changing the default SFTP/SSH port adds an extra layer of security to your server by reducing the risk of automated attacks.

The best way to protect your server from attacks is to configure your firewall to allow access to port 22 only from trusted hosts and set up an SSH key-based authentication.

The following steps describe how to change the SSH Port on Linux machines.

1. Choosing a New Port Number

In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. Although you can use a port within the 1-1024 range for the SSH service to avoid port allocation issues, it is recommended to choose a port above 1024.

This example shows how to change the SFTP/SSH port to 4422, but you can choose any port of your liking.

2. Adjusting Firewall

Before changing the SFTP/SSH port, you’ll need to open the new port in your firewall.

If you are using UFW, the default firewall in Ubuntu, run the following command to open the port:

sudo ufw allow 4422/tcp

In CentOS, the default firewall management tool is FirewallD. To open the port, enter the following commands:

sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp
sudo firewall-cmd --reload

CentOS users also need to adjust the SELinux rules to allow the new SSH port:

sudo semanage port -a -t ssh_port_t -p tcp 4422

If you are using another Linux distribution that runs iptables, run the following command to open the new port:

sudo iptables -A INPUT -p tcp --dport 4422 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

3. Configuring SFTP/SSH

The SSH server configuration is stored in the /etc/ssh/sshd_config file. Open the file with your text editor:

sudo vim /etc/ssh/sshd_config

Search for the line starting with Port 22. Typically, this line is commented out using the hash (#) symbol. Remove the hash # and enter your new SSH port number:

/etc/ssh/sshd_config
Port 4422

Be very careful when editing the configuration file. An incorrect configuration may prevent the SSH service from starting.

Once done, save the file and restart the SSH service for changes to take effect:

sudo systemctl restart ssh

In CentOS the SSH service is named sshd:

sudo systemctl restart sshd

Verify that the SSH daemon is listening on the new port:

ss -an | grep 4422

The output should look something like this:

tcp   LISTEN      0        128            0.0.0.0:4422           0.0.0.0:*
tcp   ESTAB       0        0      192.168.121.108:4422     192.168.121.1:57638
tcp   LISTEN      0        128               [::]:4422              [::]:*
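
Step 3 warns that an incorrect sshd_config can stop the SSH service from starting. The shell functions below are an added example, not part of the original article: they rewrite the Port directive in a copy of the file, placing it before any Match block, and install the copy only if sshd -t accepts it. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example. rewrite_sshd_port and apply_sshd_port are hypothetical helper
# names; they are not part of OpenSSH.

# Constructed sample config, not taken from a real host.
sample_config() {
    printf '%s\n' '#Port 22' 'Port 2222' 'PermitRootLogin no' \
        'Match User sftponly' '    ForceCommand internal-sftp'
}

# rewrite_sshd_port FILE PORT: print FILE with exactly one global "Port PORT".
rewrite_sshd_port() {
    cfg=$1; port=$2
    # Accept digits only, no leading zero, at most five characters.
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }
    awk -v port="$port" '
        function emit() { if (!done) { print "Port " port; done = 1 } }
        { low = tolower($0) }   # sshd keywords are case-insensitive
        # Port is not allowed inside a Match block, so it has to come first.
        low ~ /^[ \t]*match[ \t]/ { emit(); inmatch = 1 }
        !inmatch && low ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            if (!done) { emit(); next }   # replace the first Port line
            # A second active Port line would keep another listener open.
            if (low !~ /^[ \t]*#/) { print "#" $0; next }
        }
        { print }
        END { emit() }                    # no Port line and no Match block
    ' "$cfg"
}

# apply_sshd_port PORT (run as root): install the new file only if sshd -t accepts it.
apply_sshd_port() {
    tmp=$(mktemp) || return 1
    rewrite_sshd_port /etc/ssh/sshd_config "$1" > "$tmp" &&
        sshd -t -f "$tmp" &&
        cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak &&
        cat "$tmp" > /etc/ssh/sshd_config   # keeps owner, mode and SELinux label
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run apply_sshd_port 4422 from a session you keep open, then restart the service as described above and confirm a second login works on the new port before closing the first one.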

Using the New SFTP Port

To specify the port number, invoke the sftp command with the -P option followed by the new port number:

sftp -P 4422 username@remote_host_or_ip

If you are using a GUI SFTP client, simply enter the new port in the client interface.

Conclusion

The default SFTP port is 22. However, you can change the port to whatever number you want.

If you are regularly connecting to multiple systems, you can simplify your workflow by defining all of your connections in the SSH config file.

Feel free to leave a comment if you have any questions.