Default SSH Port: What It Is & How to Change It
SSH is the primary way to manage a Linux VPS remotely. Its default port is one of the most scanned ports on the internet — knowing how to change it is a basic hardening step for any server.
What Is the Default SSH Port?
The default SSH port is TCP 22.
Every Linux server running OpenSSH listens on port 22 by default. Automated bots continuously scan the entire IPv4 address space for open port 22 and attempt brute-force logins. If you check your auth logs on a fresh VPS, you will typically see hundreds or thousands of failed login attempts within the first hour:
journalctl -u ssh --since "1 hour ago" | grep "Failed password" | wc -l
Changing the default port does not make SSH more secure against a targeted attacker — but it eliminates nearly all automated scan traffic, which dramatically reduces noise in your logs and lowers the chance of a configuration mistake being exploited.
How to Change the SSH Port
Step 1: Edit sshd_config
nano /etc/ssh/sshd_config
Find the line:
#Port 22
Uncomment it and change the port number (choose any unused port between 1024–65535, e.g. 2222):
Port 2222
Avoid common alternatives like
2222or22222— they are also frequently scanned. Choosing something like47821is more effective.
Step 2: Open the New Port in UFW
Do this before restarting SSH — otherwise you will lock yourself out.
ufw allow 2222/tcp
ufw reload
ufw status
Step 3: Restart SSH
systemctl restart sshd
Step 4: Test the New Port
Without closing your current session, open a new terminal and connect on the new port:
ssh -p 2222 root@YOUR_SERVER_IP
Only remove the old port 22 rule after confirming the new port works:
ufw delete allow 22/tcp
ufw reload
Connecting on a Non-Default SSH Port
Command Line
ssh -p 2222 user@your-server-ip
SSH Config File (Avoid Typing the Port Every Time)
Edit ~/.ssh/config on your local machine:
Host myserver
HostName your-server-ip
User root
Port 2222
Now you can connect with just:
ssh myserver
PuTTY (Windows)
In the PuTTY session configuration, change the Port field from 22 to your custom port before connecting.
Running SSH on Multiple Ports
You can listen on multiple ports simultaneously — useful as a transition when switching ports:
Port 22
Port 2222
Remove the old port from sshd_config once you have updated all your connection scripts and SSH config files.
Firewall Rules Reference
UFW
# Allow new SSH port
ufw allow 2222/tcp
# Remove old SSH port (after confirming new port works)
ufw delete allow 22/tcp
# Check status
ufw status numbered
iptables
# Allow new port
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Remove old port rule
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
# Save rules (Ubuntu/Debian)
iptables-save > /etc/iptables/rules.v4
SSH Port vs SSH Key Authentication
Changing the port is a security through obscurity measure — it reduces noise but is not a substitute for proper authentication hardening. For real security, combine both:
- Change the port to reduce automated scan traffic
- Disable password authentication and use SSH keys only
# In /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin prohibit-password
See our full guide on securing your VPS with SSH keys for the complete setup.
Common Issues
Locked out after changing the port
If you forgot to update the firewall before restarting SSH, use your hosting provider's VNC console or KVM console to log in and either revert the port change or open the new port in the firewall. VMHeaven customers can access the console directly from the control panel.
SSH still listening on port 22
Check if there are multiple SSH config files overriding your setting:
sshd -T | grep port
Also check for config drop-ins:
ls /etc/ssh/sshd_config.d/
Any .conf files in that directory can override the main config.
Connection refused on new port
Confirm SSH is actually listening:
ss -tlnp | grep sshd
If the new port is not listed, the service did not restart cleanly:
systemctl status sshd
journalctl -u sshd -n 20