How to Change the SFTP Port

SFTP (SSH File Transfer Protocol) is a secure protocol for transferring files between two hosts over an encrypted connection. It also allows you to perform various file operations on remote files and to resume file transfers.
SFTP can be used as a replacement for the legacy FTP protocol. It has all the functionality of FTP but with a more secure connection.
This article explains how to change the default SFTP port in Linux. We will also show you how to configure your firewall to allow connections on the new port.
What Port Does SFTP Use
SFTP is a subsystem of SSH and shares the same port and the same level of security as SSH.
The default SFTP port is 22.
Quick Reference
For a printable quick reference, see the SSH cheatsheet.
| Command | Description |
|---|---|
| sudo ufw allow 4422/tcp | Open port in UFW |
| sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp | Open port in FirewallD |
| sudo sshd -t | Test sshd_config for syntax errors |
| sudo systemctl restart ssh | Restart SSH service (Debian, Ubuntu) |
| sudo systemctl restart sshd | Restart SSH service (Fedora, RHEL) |
| ss -an \| grep 4422 | Verify SSH is listening on the new port |
| sftp -P 4422 user@host | Connect via SFTP on a custom port |
Changing the SFTP Port
Changing the default SFTP/SSH port adds an extra layer of security to your server by reducing the risk of automated attacks.
The following steps describe how to change the SSH port on Linux machines.
1. Choosing a New Port Number
In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. Although you can use a port within the 1–1024 range for the SSH service, it is recommended to choose a port above 1024 to avoid conflicts with other services. The range 49152–65535 consists of ephemeral ports not assigned to any standard service and is a safe choice.
Before picking a port, verify it is not already in use:
ss -tlnp | grep 4422
If the command returns no output, the port is free. This example uses port 4422, but you can choose any available port.
2. Adjusting the Firewall
Before changing the SFTP/SSH port, you will need to open the new port in your firewall.
If you are using UFW, run the following command to open the port:
sudo ufw allow 4422/tcp
On Fedora, RHEL, and derivatives, the default firewall management tool is FirewallD. To open the port, run:
sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp
sudo firewall-cmd --reload
On Fedora, RHEL, and derivatives, you may also need to update the SELinux policy to allow the new SSH port:
sudo semanage port -a -t ssh_port_t -p tcp 4422
If you are using another Linux distribution that runs iptables, run:
sudo iptables -A INPUT -p tcp --dport 4422 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
3. Configuring SFTP/SSH
The SSH server configuration is stored in the /etc/ssh/sshd_config file. Open the file with your text editor:
sudo vim /etc/ssh/sshd_config
Search for the line starting with Port 22. Typically, this line is commented out using the hash (#) symbol. Remove the hash and enter your new SSH port number:
Port 4422
Before restarting the service, test the configuration file for syntax errors:
sudo sshd -t
If the command returns no output, the configuration is valid. An incorrect configuration will prevent the SSH service from starting, so always run this check before restarting.
Once done, save the file and restart the SSH service for the changes to take effect.
On Debian and Ubuntu:
sudo systemctl restart ssh
On Fedora, RHEL, and derivatives, the SSH service is named sshd:
sudo systemctl restart sshd
Verify that the SSH daemon is listening on the new port:
ss -an | grep 4422
The output should look something like this:
tcp LISTEN 0 128 0.0.0.0:4422 0.0.0.0:*
tcp ESTAB 0 0 192.168.121.108:4422 192.168.121.1:57638
tcp LISTEN 0 128 [::]:4422 [::]:*
Using the New SFTP Port
To specify the port number, invoke the sftp command with the -P option followed by the new port number:
sftp -P 4422 username@remote_host_or_ip
If you are using a GUI SFTP client, enter the new port number in the client interface.
To avoid specifying the port on every connection, you can define it in the SSH config file:
Host myserver
    HostName remote_host_or_ip
    Port 4422
    User username
With this in place, you can connect with just sftp myserver.
Troubleshooting
SSH service fails to restart after changing the port
A syntax error in sshd_config will prevent the service from starting. Run sudo sshd -t to check for errors before restarting. Fix any reported issues, then retry.
Cannot connect on the new port
The firewall rule may not have been applied correctly. Run ss -tlnp | grep 4422 to confirm the SSH daemon is listening, and run sudo ufw status or sudo firewall-cmd --list-ports to confirm the port is open in the firewall.
SELinux denying the new port on RHEL or Fedora
SELinux restricts SSH to ports it knows about. Register the new port with sudo semanage port -a -t ssh_port_t -p tcp 4422. If semanage is not installed, install it with sudo dnf install policycoreutils-python-utils.
Locked out of the server after changing the port
Do not close your existing SSH session until you have verified the new port works by opening a second session with ssh -p 4422 user@host. If you are locked out, use the server provider’s emergency console or out-of-band access to revert the port change.
FAQ
Does changing the SSH port also change the SFTP port?
Yes. SFTP is a subsystem of SSH and runs on the same port. Changing the SSH port in sshd_config automatically changes the port for both SSH and SFTP connections.
Can SSH listen on multiple ports at the same time?
Yes. Add multiple Port lines to /etc/ssh/sshd_config, one per port:
Port 22
Port 4422
This lets you keep port 22 open temporarily while you verify the new port works.
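The edit from the "Configuring SFTP/SSH" step, combined with the two-port transition described in this answer, can be staged on a copy of the file instead of typed into the live configuration. The script below is an added example, not part of the original article: the function names and the sample configuration are constructed for illustration, and it assumes the server currently listens on port 22 only.

```shell
# Added example, not from the original article. Assumes the server currently
# listens on port 22 only, as in the article's scenario.

# valid_port PORT: succeed only for a port the article would recommend.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac      # digits only
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ] || return 1
    case "$1" in 2222|8022) return 1 ;; esac        # commonly scanned
    return 0
}

# stage_ports SRC DST PORT: copy SRC to DST with "Port 22" and "Port PORT"
# as the only Port directives, placed where the first Port line (active or
# commented) was, or before the first Match block, or at the end of the file.
stage_ports() {
    valid_port "$3" || { echo "refusing port '$3'" >&2; return 2; }
    awk -v p="$3" '
        function emit() { if (!done) { print "Port 22"; print "Port " p; done = 1 } }
        { l = tolower($0) }                          # keywords are case-insensitive
        l ~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/ { emit(); next }
        l ~ /^[ \t]*match[ \t]/ { emit() }           # Port is not valid inside Match
        { print }
        END { emit() }
    ' "$1" > "$2"
}

# Constructed sample resembling a stock sshd_config.
sample_config() {
    cat <<'EOF'
# Port 2222 was tried earlier (free-text comment, must be kept)
#Port 22
PasswordAuthentication no
Subsystem sftp /usr/lib/openssh/sftp-server
Match User sftponly
    ChrootDirectory /srv/sftp
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    sample_config > "$tmp/sshd_config"
    stage_ports "$tmp/sshd_config" "$tmp/sshd_config.staged" "${1:-4422}" &&
        cat "$tmp/sshd_config.staged"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo 4422
```

On a real server, check the staged file with sudo sshd -t -f followed by its path before copying it over /etc/ssh/sshd_config, and remove the Port 22 line only after a second session on the new port works.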
What port number should I choose?
Choose a port above 1024 to avoid conflicts with reserved services. Ports in the range 49152–65535 are not assigned to any standard service. Avoid commonly scanned alternatives such as 2222 or 8022.
Will changing the port stop all brute-force attacks?
It significantly reduces automated scan traffic but is not a substitute for proper security measures. Use SSH key-based authentication and restrict access by IP address in your firewall for effective protection.
Conclusion
Changing the default SFTP/SSH port is a simple step that reduces exposure to automated scanning. Combined with SSH key-based authentication and firewall rules, it forms part of a solid baseline for securing remote access. For more ways to restrict SFTP access, see How to Set Up an SFTP Chroot Jail.
If you have any questions, feel free to leave a comment below.
About the authors

Dejan Panovski
Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.