Why change default ssh port? [closed]

I've noticed that a lot of admins change the default ssh port.

Is there any rational reason to do so?


It isn't as useful as some people claim, but it will at least reduce the impact on your log files as many brute force login attempts only use the default port rather than scanning to see if SSH is listening elsewhere. Some attacks will scan for SSH elsewhere though, so it is no silver bullet.

If your server is going to be a shared host of some sort, rather than just serving the needs of your projects, using a non-default port can be a pain as you will have to explain it to your users over and over and over and over when they forget and their client programs fail to connect to port 22!

Another possible problem with SSH on a non-standard port is if you encounter a client with a restrictive out-going filter set, who can't connect to your custom port because their filter only allows, for example, ports 22, 53, 80 and 443 to be the destination for new out-going connections. This is uncommon, but certainly not unheard of. On a similar matter, some ISPs may see encrypted traffic on a port other than those where it is generally expected (port 443 or HTTPS, 22 for SSH, and so on) as an attempt to hide a P2P connection and throttle (or block) the connection in an inconvenient manner.

I personally keep SSH on the standard port for convenience. As long as the usual precautions are taken (strong password/key policy, restricting root logins, ...) it need not be a worry and the log file growth issue when you are hit with a brute force attack can be mitigated using tools such as fail2ban to temporarily block hosts that give too many bad sets of authentication credentials in a given space of time.

Whatever port you choose, if you do move away from 22, make sure it is below 1024. Under most Unix-a-like setups in their default config, only root (or users in the root group) can listen on ports below 1024, but any user can listen on the higher ports. Running SSH on a higher port increases the chance of a rogue (or hacked) user managing to crash your SSH daemon and replace it with their own or a proxy.
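As an added example (not code from the answer above), here is a minimal fail2ban-style detector in Python: it parses constructed sshd log lines and flags any source address that crosses a failure threshold inside a sliding time window, which is the check fail2ban performs before temporarily blocking a host. The log line format, the sample addresses and the threshold names (`maxretry` and `findtime`, borrowed from fail2ban's jail settings) are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Matches the classic syslog-style sshd failure line (assumed format for this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip, user) for each failed-login line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["ip"], m["user"]

def find_bruteforcers(lines, maxretry=5, findtime=600):
    """Return {ip: time the threshold was first crossed} for every source with
    at least `maxretry` failures inside a sliding window of `findtime` seconds."""
    window = timedelta(seconds=findtime)
    recent = {}    # ip -> failure timestamps still inside the window
    flagged = {}
    for ts, ip, _user in parse_failures(lines):
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jan 12 10:15:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan 12 10:15:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 12 10:15:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jan 12 10:15:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 12 10:15:12 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 51270 ssh2
Jan 12 10:20:00 host sshd[1207]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 12 11:00:00 host sshd[1208]: Failed password for bob from 198.51.100.7 port 40020 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
```

With the defaults only the host that fails five times within ten minutes is flagged; the user who mistypes twice an hour apart is not, which is the distinction that keeps such a tool from locking out legitimate users.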


It's a simple (but surprisingly effective) form of security through obscurity.

If your SSH server isn't on port 22 it's far less likely to get found by those scanning the whole internet looking for weak passwords on default accounts. If you're scanning the whole net you can't afford to check all 64k possible ports to find the SSH server.

However if someone is actively targeting you specifically it provides no benefit, since a simple one-off nmap scan will reveal the port on which it's actually running.