SSH Port: The Default Port 22, How to Change It, and How to Secure It
The default SSH port is 22 (TCP). Every `ssh user@host` you run without extra flags is really `ssh -p 22 user@host` — the client assumes 22 because that’s the IANA-assigned port for the SSH protocol. Most questions about the SSH port boil down to three things: which port `sshd` is actually listening on, how to connect when it isn’t 22, and whether moving it off 22 does anything for security. This guide answers all three precisely, including a modern Ubuntu socket-activation gotcha that locks people out of their own servers.
Key Takeaways
• Default SSH port: 22/TCP. The client and server both assume it unless told otherwise.
• Connect on a custom port: `ssh -p 2222 user@host` (note the capital `-P` is for `scp`).
• Check what’s listening: `ss -tlnp | grep ssh` or `grep -i port /etc/ssh/sshd_config`.
• Open the firewall BEFORE you restart sshd — this is the #1 lockout cause.
• On Ubuntu 22.10+, `ssh.socket` can override the `Port` in `sshd_config`. Edit the socket, not just the config.
• Moving off port 22 is obscurity, not security. Real security is key-only auth, no root login, and fail2ban.
What is the default SSH port?
The default SSH port is 22/TCP, registered with IANA for the Secure Shell protocol since the late 1990s. When you connect, the flow is:
- Your SSH client opens a TCP connection to port 22 on the target host.
- `sshd` (the SSH daemon) is listening on that port and answers with its version banner.
- Key exchange, authentication, and the encrypted session follow.
Because 22 is universal, you almost never specify it. These two commands are identical:
```bash
ssh user@host
ssh -p 22 user@host
```
The `-p` flag is the per-connection override. It’s lowercase for `ssh`. For `scp` and `sftp`, the port flag is uppercase `-P` — a small inconsistency that trips people up constantly:
```bash
scp -P 2222 backup.tar.gz user@host:/tmp/
```
How do I connect to SSH on a non-default port?
If the server’s `sshd` listens on something other than 22, pass `-p` with the right number:
```bash
ssh -p 2222 user@host
```
Typing `-p` every time gets old. Pin the port per-host in `~/.ssh/config` on your client machine so plain `ssh myserver` just works:
```sshconfig
Host myserver
    HostName 198.51.100.10
    User deploy
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
```
Now `ssh myserver` connects on 2222 automatically, and `scp file myserver:/tmp/` honours the same port. This is the cleanest way to handle non-standard ports — the configuration lives in one place instead of in your shell history.
How do I check which port sshd is listening on?
There are two perspectives: what the daemon is configured to use, and what it’s actually bound to right now. Check both — they can disagree (see the Ubuntu socket gotcha below).
Configured value — read the daemon config:
```bash
grep -i '^port' /etc/ssh/sshd_config
```
If that returns nothing, the directive is commented out and the effective value is the built-in default, 22. Also check drop-in files, which override the main config:
```bash
grep -ri '^port' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
```
The authoritative way to dump the effective config (resolving all includes and defaults) is to ask `sshd` itself:
```bash
sudo sshd -T | grep -i '^port'
```
Actual bound port — ask the kernel what’s listening:
```bash
ss -tlnp | grep ssh
```
If `ss` shows a port your config doesn’t mention, something else is binding the socket — on modern systemd distros, that’s almost always `ssh.socket`.
How do I change the SSH port (the complete, safe procedure)?
Changing the SSH port is straightforward — but the order of operations matters, because one wrong sequence locks you out of a remote box. Follow this exactly.
Rule zero: keep your current SSH session open the entire time. Do not disconnect until you’ve verified a brand-new connection works on the new port. If anything goes wrong, your existing session is your lifeline to fix it.
Step 1 — Set the port in sshd_config
Edit the daemon config and set (or uncomment) the `Port` directive:
```bash
sudo nano /etc/ssh/sshd_config
```

```sshconfig
Port 2222
```
You can list multiple `Port` lines to listen on both 22 and 2222 during a transition — a smart move that lets you migrate without a hard cutover.
Step 2 — Open the new port in the firewall FIRST
This is the step people skip, and it’s why they get locked out. Open the firewall before restarting sshd, not after.
On Debian/Ubuntu with `ufw`:
```bash
sudo ufw allow 2222/tcp
sudo ufw status
```
On RHEL/Rocky/AlmaLinux with `firewalld`:
```bash
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
```
Step 3 — Update SELinux (RHEL-family only)
On systems with SELinux in enforcing mode, the kernel will block `sshd` from binding to a non-standard port even if the config is correct. You must label the port for the `ssh_port_t` type:
```bash
sudo semanage port -a -t ssh_port_t -p tcp 2222
sudo semanage port -l | grep ssh_port_t
```
If `semanage` isn’t installed: `sudo dnf install policycoreutils-python-utils`.
Step 4 — Mind the systemd socket (the Ubuntu footgun)
On Ubuntu 22.10 and newer, OpenSSH ships with socket activation enabled. The `ssh.socket` unit owns the listening port, and it ignores the `Port` line in `sshd_config`. You can set `Port 2222`, restart the service, and still find `sshd` stubbornly bound to 22 — because the socket, not the daemon, decides the port.
Check whether socket activation is in play:
```bash
systemctl status ssh.socket
```
If it’s active, change the port there instead:
```bash
sudo systemctl edit ssh.socket
```
Add an override that clears the default and sets your port:
```ini
[Socket]
ListenStream=
ListenStream=2222
```
The empty `ListenStream=` is required — it resets the inherited value before you add the new one. Then reload and restart:
```bash
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket
```
This single behaviour is responsible for a large share of “I changed the port but it didn’t work / I’m locked out” reports on modern Ubuntu. Always check `ss -tlnp | grep ssh` after restarting to confirm the real bound port.
Step 5 — Restart and verify from a NEW session
Validate the config syntax, then restart:
```bash
sudo sshd -t                  # syntax check; silent = OK
sudo systemctl restart ssh    # or: sudo systemctl restart ssh.socket
```
Now, without closing your current session, open a second terminal and connect on the new port:
```bash
ssh -p 2222 user@host
```
Only once that succeeds should you close the original session and, optionally, remove the old `ufw allow 22/tcp` rule.
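The configured-versus-bound comparison from Steps 4 and 5 can be scripted. The following is an added example, not part of the original guide: the function names are hypothetical and the sample `sshd -T` and `ss -tln` output is constructed to reproduce the case where `Port 2222` is set but the listener is still on 22.

```bash
# Added example, not from the original guide. Function names are hypothetical.

# Ports sshd is configured for, parsed from `sshd -T` output on stdin.
configured_ports() {
    awk 'tolower($1) == "port" { print $2 }' | sort -n | uniq
}

# TCP ports with a listener, parsed from `ss -tln` output on stdin.
# Column 4 is Local Address:Port; the port follows the last colon, which
# also covers IPv6 forms such as [::]:22.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# check_port WANT SSHD_T_TEXT SS_TEXT: print a one-word verdict.
# Matching is by port number, not process name, because with socket
# activation the listener can belong to systemd rather than sshd.
check_port() (
    want=$1
    cfg=$(printf '%s\n' "$2" | configured_ports)
    bound=$(printf '%s\n' "$3" | listening_ports)
    if ! printf '%s\n' "$cfg" | grep -qx "$want"; then
        echo "not-configured"        # no Port line resolves to this value
    elif ! printf '%s\n' "$bound" | grep -qx "$want"; then
        echo "configured-not-bound"  # ssh.socket override, SELinux, or no restart
    else
        echo "ok"
    fi
)

# Constructed sample: Port 2222 is set, but the listener is still on 22.
SAMPLE_SSHD_T='port 2222
addressfamily any
permitrootlogin no'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096            [::]:22           [::]:*'

check_port 2222 "$SAMPLE_SSHD_T" "$SAMPLE_SS"
# Live use, as root: check_port 2222 "$(sshd -T)" "$(ss -tln)"
```

A verdict of `ok` only confirms that something is listening on the port; the new-session login test in Step 5 is still what proves `sshd` answers there.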
Quick reference: SSH port operations
| Task | Command / Setting |
|---|---|
| Default port | `22/TCP` (IANA-assigned) |
| Connect on custom port | `ssh -p 2222 user@host` |
| Check configured port | `sudo sshd -T \| grep '^port'` |
| Check actual bound port | `ss -tlnp \| grep ssh` |
| Change port (config) | `Port 2222` in `/etc/ssh/sshd_config` |
| Change port (Ubuntu socket) | `ListenStream=2222` via `systemctl edit ssh.socket` |
| Open firewall (ufw) | `sudo ufw allow 2222/tcp` |
| Open firewall (firewalld) | `sudo firewall-cmd --permanent --add-port=2222/tcp` |
| SELinux label (RHEL) | `sudo semanage port -a -t ssh_port_t -p tcp 2222` |
| Restart daemon | `sudo systemctl restart ssh` |
Does changing the SSH port actually improve security?
This is the question everyone really wants answered, so let’s be precise about it.
Changing SSH off port 22 is security through obscurity. A determined attacker runs a port scan, finds your new port in seconds (`nmap -p- host` enumerates all 65,535 ports), and the moved port has bought you nothing against them. Anyone telling you that moving to 2222 “secures” your server is wrong.
But there is one concrete, legitimate reason to do it anyway: it eliminates the constant flood of automated bot login attempts that hammer port 22 around the clock. Internet-wide scanners and SSH brute-force botnets target 22 by default and almost never bother probing random high ports. Moving off 22 collapses that background noise — your auth logs go quiet, `fail2ban` has far less to chew through, and genuine anomalies actually stand out instead of drowning in bot spam. Cleaner logs and less noise is a real operational benefit. It is not a security control.
The changes that *actually* secure SSH are these, and you should do all of them whether or not you move the port:
Use key-based authentication and disable passwords
Password auth is the single biggest SSH attack surface. Generate a key, install it, then turn passwords off:
```bash
ssh-keygen -t ed25519 -C "deploy@laptop"
ssh-copy-id -p 2222 user@host
```
In `/etc/ssh/sshd_config`:
```sshconfig
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
```
With passwords disabled, brute-force attempts are simply impossible — there’s no password to guess.
Disable root login
Never let anyone SSH in directly as root. Log in as an unprivileged user and escalate with `sudo`:
```sshconfig
PermitRootLogin no
```
Run fail2ban
`fail2ban` watches your auth log and temporarily bans IPs that fail repeatedly, throttling brute-force and credential-stuffing attempts automatically:
```bash
sudo apt install fail2ban             # Debian/Ubuntu
sudo systemctl enable --now fail2ban
```
Point its `sshd` jail at your custom port if you moved it.
Allow-list by source where you can
If you connect from known networks, restrict access with firewall rules or `AllowUsers` / `Match Address` blocks so only trusted sources can even reach `sshd`. This is far stronger than any port change.
In short: key-only auth + no root login + fail2ban is the actual defense. A moved port on top of that is a nice-to-have that quiets your logs — never the security itself.
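To confirm the directives above are actually in effect, audit the resolved configuration from `sshd -T` instead of reading `sshd_config` by eye. This is an added example, not part of the original guide: `audit_sshd` is a hypothetical helper name and both sample outputs are constructed.

```bash
# Added example, not from the original guide. audit_sshd is a hypothetical name.
# Reads `sshd -T` output on stdin, prints every directive that differs from the
# values this guide sets (or is absent), and returns non-zero if any were found.
audit_sshd() (
    findings=$(awk '
        BEGIN {
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["permitrootlogin"] = "no"
        }
        { key = tolower($1) }
        key in want {
            seen[key] = 1
            if (tolower($2) != want[key])
                printf "FAIL %s=%s (want %s)\n", key, $2, want[key]
        }
        END {
            for (k in want)
                if (!(k in seen)) printf "MISSING %s\n", k
        }
    ')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sort
    return 1
)

# Constructed sample: keys enabled, but passwords and root key login still allowed.
SAMPLE_WEAK='port 2222
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: matches the settings shown in this section.
SAMPLE_HARDENED='port 2222
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_sshd || true
# Live use, as root: sshd -T | audit_sshd
```

Plain `sshd -T` reports the global settings; values set inside `Match` blocks only appear when a connection specification is supplied with `-C`.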
Hardening SSH on infrastructure you fully control
Every technique above — changing the port, enforcing key-only auth, configuring the firewall and SELinux, running fail2ban — requires full root access to the server. On shared hosting you don’t get that; the SSH daemon is managed for you and locked down. To own your SSH configuration end to end, you need a server you control.
DarazHost provides Linux SSD VPS (Bronze, Silver, Gold, Crystal, Master, and Titan plans) and dedicated servers with full root SSH access. That means you can set a custom SSH port, disable password authentication, harden `sshd` exactly the way this guide describes, and run `ufw`, `firewalld`, or `fail2ban` — all under your control, on fast SSD infrastructure backed by 99.9% uptime. And if you ever do lock yourself out mid-change, 24/7 technical support can help you get a console session and back in. Secure infrastructure with root in your hands is the foundation everything in this guide is built on.
Frequently asked questions
What is the default SSH port number? The default SSH port is 22/TCP, the IANA-registered port for the Secure Shell protocol. Both the SSH client and the `sshd` server assume port 22 unless explicitly told otherwise with `-p` (client) or the `Port` directive (server).
How do I connect to SSH on a port other than 22? Use the `-p` flag: `ssh -p 2222 user@host`. For `scp`/`sftp` the flag is uppercase `-P`. To avoid typing it every time, add a `Host` block with `Port 2222` to `~/.ssh/config` on your client.
I changed the Port in sshd_config on Ubuntu but it didn’t work — why? On Ubuntu 22.10 and later, OpenSSH uses socket activation, and `ssh.socket` overrides the `Port` line in `sshd_config`. Run `systemctl status ssh.socket`; if it’s active, change the port with `sudo systemctl edit ssh.socket`, set `ListenStream=` (empty) then `ListenStream=2222`, and run `daemon-reload` plus `restart ssh.socket`.
Does changing the SSH port make my server more secure? Not meaningfully. It’s security through obscurity — a port scan finds the new port in seconds. Its one real benefit is eliminating automated bot brute-force noise on port 22, which keeps your logs clean. Genuine SSH security comes from key-only authentication (`PasswordAuthentication no`), disabling root login (`PermitRootLogin no`), and `fail2ban`.
How do I avoid locking myself out when changing the SSH port? Open the new port in the firewall before restarting `sshd`, update SELinux if applicable, keep your current session open, run `sshd -t` to validate the config, then test the new port from a second terminal before closing the original. If you can’t reconnect, your still-open session lets you revert.
Conclusion
The SSH port story is simple once you separate the facts from the folklore. The default is 22/TCP; you connect to a different one with `ssh -p`; you change it by setting `Port` in `sshd_config` (or `ListenStream` in `ssh.socket` on modern Ubuntu), opening the firewall first, and labelling SELinux on RHEL. Moving off 22 is a legitimate way to quiet automated bot noise and clean up your logs — but it is obscurity, not security. The controls that actually protect SSH are key-only authentication, disabled root login, and `fail2ban`. Do those first, move the port second, and always keep a session open while you work.