How to Change the Default SSH Port on CentOS

September 6, 2024 / Security and Backup

Secure Shell (SSH) is the primary method for remotely accessing Linux servers. By default, SSH listens on port 22, which is widely targeted by automated brute-force attacks. Changing the default SSH port does not replace proper security practices, but it can significantly reduce unauthorised login attempts and noise in server logs.

This guide explains how to safely change the default SSH port on CentOS 7, CentOS 8, CentOS Stream, and RHEL-based systems, while avoiding common misconfigurations that may result in loss of access.

Before proceeding, ensure the following:

  • You have root access or a user with sudo privileges.
  • You have console or out-of-band access (recommended) in case SSH access fails.
  • No applications or services depend on SSH using the default port 22.
  • The server uses firewalld, the default firewall on CentOS (older systems may use iptables).

Important Notes

  • Valid TCP ports range from 1 to 65535.
  • Ports 1024–65535 are non-privileged and recommended.
  • Always test the SSH configuration before restarting the service.
  • Do not close your current SSH session until you have confirmed that the new port works.

Follow these steps:

  1. Log in to the server using SSH or console access:
    ssh username@server_ip
  2. Edit the SSH Configuration File
    1. Open the SSH daemon configuration file using vi:
      vi /etc/ssh/sshd_config
    2. Locate the following line:
      #Port 22
    3. If the line is commented, uncomment it and change the port number. Example:
      Port 2222
    4. Save and exit the file (:wq).
  3. Validate the SSH Configuration
    Before restarting the SSH service, validate the configuration to prevent lockouts:

    sshd -t

    If no output is returned, the configuration is valid. Any errors must be corrected before continuing.

  4. Update the Firewall Rules
    1. CentOS uses firewalld, which must allow the new SSH port for incoming connections.
    2. Add the new port permanently (example uses 2222, the same port set in sshd_config):
      firewall-cmd --permanent --add-port=2222/tcp
    3. Reload the firewall to apply the change:
      firewall-cmd --reload
    4. Optional: Verify that the port is open:
      firewall-cmd --list-ports

      After this, SSH will be accessible on the new port 2222 once the SSH service is restarted.

  5. Restart the SSH Service
    1. Restart the SSH daemon to apply changes:
      systemctl restart sshd
    2. Confirm the service is running:
      systemctl status sshd
  6. Test SSH Access on the New Port
    Open a new terminal window and connect using the new port:

    ssh username@server_ip -p 2222

    Do not close your existing SSH session until you have confirmed that the new connection works.
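
The lockout checks from the steps above can be run together before the restart. This is an added example, not part of the original guide: it compares the port sshd is configured to use with the firewalld port list and, assuming SELinux is enforcing (the CentOS default, which this guide does not cover), with the ports labelled ssh_port_t. The function names are hypothetical.

```sh
# Added example: lockout check to run before `systemctl restart sshd`.
# Function names are hypothetical; SELinux enforcing is an assumption.

# Ports sshd will listen on, read from config text on stdin.
# Commented lines are ignored; no Port line means the default, 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# Succeed if $1 is an integer between 1 and 65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Succeed if $1/tcp is listed in `firewall-cmd --list-ports` output ($2).
# Only exact entries are matched, not port ranges.
firewall_allows() {
    for entry in $2; do
        [ "$entry" = "$1/tcp" ] && return 0
    done
    return 1
}

# Succeed if $1 is labelled ssh_port_t in `semanage port -l` output ($2).
selinux_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) ok = 1 }
        }
        END { exit(ok ? 0 : 1) }'
}

# Report every gap. Args: sshd config text, firewalld ports, semanage list.
preflight() {
    rc=0
    for port in $(printf '%s\n' "$1" | sshd_ports); do
        valid_port "$port" || { echo "invalid port: $port"; rc=1; continue; }
        firewall_allows "$port" "$2" || { echo "firewalld blocks $port/tcp"; rc=1; }
        selinux_allows "$port" "$3" || { echo "SELinux: $port is not ssh_port_t"; rc=1; }
    done
    return "$rc"
}

# Live use as root, after editing sshd_config and before the restart.
if [ "${1:-}" = "--live" ]; then
    preflight "$(sshd -T)" "$(firewall-cmd --list-ports)" "$(semanage port -l)" \
        && echo "checks passed: safe to restart sshd"
fi
```

If the SELinux check fails, `semanage port -a -t ssh_port_t -p tcp 2222` adds the label for the example port.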

Troubleshooting: SSH Connection Refused

  • Verify the SSH service is running
  • Confirm firewall rules are correctly applied
  • Ensure the correct port is specified in the SSH command
