Dev Blog

If you need to change the default SSH port on Ubuntu for any reason, this guide will instruct you on how to do it properly for newer releases. This guide is based on an Ubuntu 22.04 system that has been gradually upgraded from 16.04.

Config files philosophy introduction

To ensure smooth system upgrades in Ubuntu, it's best not to edit the main configuration files directly. Many configuration directories contain subdirectories ending with .d. This is where you should add your custom configurations.

In the case of SSH, first check the main SSH daemon configuration file, /etc/ssh/sshd_config. Note that there are two similarly named files: /etc/ssh/ssh_config holds the default options for the ssh client, while the server options are in the file with the letter d in its name, /etc/ssh/sshd_config. The server configuration should contain an Include directive at the top. In my case, manual modifications had been made before upgrading to Ubuntu 22.04, so the file was not updated by apt. That is why, where possible, we should not modify the main configuration files.

The Include directive in the sshd_config file should have the following form:

Include /etc/ssh/sshd_config.d/*.conf

If your configuration file does not contain the Include directive, check whether you have the distribution-provided file created by apt; it should be at /etc/ssh/sshd_config.ucf-dist. This is a good point to move your customizations to the sshd_config.d directory. Use the diff command to see what has changed:

cd /etc/ssh
diff sshd_config sshd_config.ucf-dist

Then create the relevant files in /etc/ssh/sshd_config.d/ and use the new distribution-provided file. The usual approach is to split the configuration into logical parts and prefix the file names with numbers, as the configuration files are included in alphabetical order.

Setting up firewall

Before changing the SSH port, ensure that incoming connections on the new port are allowed.

Add a UFW rule to allow the new port:

sudo ufw allow 2242/tcp

I've set port 2242 in this example. The alternative port 2222 seems very popular; the added security from setting a custom port is minimal in my opinion, as ports can be scanned anyway. Use your own judgment when choosing the port number.

Now let's start a temporary SSH server on the custom port with the -D flag. This runs sshd in the foreground, so we can stop it with CTRL+C. The absolute path is required when starting sshd:

sudo /usr/sbin/sshd -D -p 2242

Then try to connect to it from the local machine:

ssh -p2242 hs2.maslosoft.com

We should see a warning about host authenticity because we are connecting to a different port. This is expected behavior:

The authenticity of host '[hs2.maslosoft.com]:2242 ([54.39.190.33]:2242)' can't be established.
ED25519 key fingerprint is SHA256:CztMtNY5/+w/KI3/bcqNXTmYuptg8X5P916c/XDekb8.

Lastly, stop the temporary SSH server by pressing CTRL+C.

Setting port in custom configuration file

To set the new port for SSH connections, I've created the file /etc/ssh/sshd_config.d/90-port.conf with the following content:

Port 2242

Finally, we need to restart the SSH server:

sudo service ssh restart

Surprisingly, this will not disrupt the current connection.
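A check worth running before the restart, as an added example that is not part of the original post: sshd accepts more than one Port directive, so a hand-edited sshd_config that still has an active Port 22 line keeps the old port open alongside the drop-in, and a missing Include line means the drop-in is never read. The function names are hypothetical and the parser is simplified (it ignores ListenAddress lines that carry their own port); sudo sshd -t and sudo sshd -T remain the authoritative checks.

```shell
#!/bin/sh
# Added example: static pre-restart audit of an sshd config tree (simplified parser).
# Assumes the layout from the article: <dir>/sshd_config plus <dir>/sshd_config.d/*.conf.
# Usage: audit_port /etc/ssh 2242; echo $?

# Succeeds if the main file pulls in the drop-in directory.
has_include() {
    awk 'tolower($1) == "include" && $2 ~ /sshd_config\.d\/\*\.conf$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Prints one port per line from uncommented Port directives. Keywords are
# case-insensitive; "#Port 22" is skipped because its first field is "#Port".
active_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$@" | sort -un
}

# audit_port DIR WANTED
#   0 = WANTED is the only configured port
#   1 = WANTED is not configured (with no Port line at all, sshd defaults to 22)
#   2 = Include line missing, so drop-in files would be ignored
#   3 = WANTED is configured, but other Port lines are active as well
audit_port() {
    dir=$1
    wanted=$2
    has_include "$dir/sshd_config" || return 2
    set -- "$dir/sshd_config"
    for f in "$dir"/sshd_config.d/*.conf; do
        # The glob stays unexpanded when no drop-in exists; skip it then.
        if [ -e "$f" ]; then set -- "$@" "$f"; fi
    done
    ports=$(active_ports "$@")
    echo "$ports" | grep -qxF "$wanted" || return 1
    [ "$ports" = "$wanted" ] || return 3
    return 0
}
```

A return value of 3 on the upgraded system described above means the old Port line in the main file should be removed or commented out once the new port is confirmed to work.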