SSH runs on port 22 by default, which makes it a primary target for automated brute-force attacks. Changing this port reduces your server’s exposure to these attacks by removing it from the most commonly scanned ports.
You will update the SSH configuration file, select a new port number and restart the SSH service. This prevents most automated scanning tools from finding your SSH service while maintaining secure remote access for legitimate users.
The SSH daemon reads its configuration from /etc/ssh/sshd_config. You will edit this file to specify a new port number, which tells SSH where to listen for incoming connections.
1. Run cd /etc/ssh to move into the directory containing the SSH configuration files.
2. Run nano sshd_config to open the file in the nano text editor. You can use vim or vi if you prefer.
3. Press Ctrl+W to open the search function in nano. Type Port and press Enter. This locates the line that controls which port SSH uses.
4. Replace 22 with a port number between 1025 and 65535. Ports below 1024 are reserved for system services. Choose a number that does not conflict with other services running on your server. If you use specific applications that require SSH access, check their documentation for port requirements.
5. Press Ctrl+X to exit nano. Press Y when prompted to save changes, then press Enter to confirm the filename.
Your SSH configuration now specifies the new port. The change takes effect after you restart the SSH service.
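The same edit can be scripted instead of made by hand in nano. The following is an added example, not part of the original guide: set_sshd_port, valid_port and active_ports are hypothetical helper names, and the script assumes the file may carry the directive commented out as #Port 22 or may hold several Port lines.

```shell
#!/usr/bin/env bash
# Added example: scripted version of the manual Port edit described above.
# Helper names are hypothetical; nothing here is part of OpenSSH itself.

# Succeeds only for an integer in the 1025-65535 range the guide recommends.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# Prints every port set by an active (uncommented) Port line in FILE.
# sshd keywords are case-insensitive, so "port 22" counts too.
active_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

# set_sshd_port FILE PORT
# Puts "Port PORT" where the first Port line (active, or commented out as
# "#Port 22") sits and drops any other active Port lines, so sshd is left
# with exactly one port. The original is kept as FILE.bak.
set_sshd_port() {
    _f=$1 _p=$2
    valid_port "$_p" || { echo "invalid port: $_p" >&2; return 1; }
    [ -f "$_f" ] || { echo "no such file: $_f" >&2; return 1; }
    cp -p "$_f" "$_f.bak" || return 1
    awk -v p="$_p" '
        { l = tolower($0) }
        l ~ /^[ \t]*port[ \t]+[0-9]+/ {              # active Port line
            if (!seen) { print "Port " p; seen = 1 }
            next
        }
        !seen && l ~ /^[ \t]*#[ \t]*port[ \t]+[0-9]+[ \t]*$/ {
            print "Port " p; seen = 1; next          # commented default
        }
        { print }
    ' "$_f.bak" > "$_f"
    # No Port line at all: add one at the top, ahead of any Match block,
    # because Port is not permitted inside Match.
    [ -n "$(active_ports "$_f")" ] || { echo "Port $_p"; cat "$_f.bak"; } > "$_f"
}
```

On a real host, run sshd -t after the edit and before restarting, so a syntax error is caught while the old daemon is still serving. With SELinux enforcing, which is the AlmaLinux default, the new port also needs the ssh_port_t label (semanage port -a -t ssh_port_t -p tcp PORT) or sshd will fail to bind it.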
Restarting the SSH service applies your configuration changes. The service will stop listening on port 22 and start listening on your new port instead.
1. Run systemctl restart sshd to restart the service. This applies your port change immediately.
2. Run systemctl status sshd to check the service status. You should see active (running) in the output, which confirms SSH restarted correctly.
3. Run ssh -p [your-port] user@your-server-ip, replacing [your-port] with your new port number, user with your username and your-server-ip with your server’s IP address. If the connection succeeds, your port change worked correctly.
Keep your original SSH session open until you confirm the new port works. This prevents you from being locked out if something goes wrong.
Your firewall needs to allow traffic on the new SSH port. Without this rule, connections to your new port will be blocked even though SSH is listening.
1. Run firewall-cmd --permanent --add-port=[your-port]/tcp, replacing [your-port] with your new port number. This allows TCP connections on your chosen port.
2. Run firewall-cmd --reload to apply the new rule. The firewall now permits SSH connections on your new port.
3. Run firewall-cmd --permanent --remove-service=ssh to stop allowing connections on port 22. Run firewall-cmd --reload again to apply this change.
Your firewall configuration now matches your SSH configuration. Port 22 is closed and your new port accepts SSH connections.
Your AlmaLinux server now runs SSH on a custom port instead of the default port 22. You updated the SSH configuration, restarted the service and configured your firewall to allow connections on the new port. This reduces your exposure to automated brute-force attacks that target the default SSH port.
Update any SSH clients, deployment scripts or monitoring tools to use your new port. Store your port number securely so you can access your server when needed. Our guide on securing your VPS covers additional hardening steps including key-based authentication and fail2ban configuration.