How to change the SSH port on Ubuntu
#Security
Moving SSH off the default port 22 cuts down on automated brute-force noise in your logs. Here is how to do it safely on Ubuntu, including the socket-activation change that catches people out on 24.04, without locking yourself out.
Published by Mark van Eijk on June 23, 2026 · 1 minute read
- Set the new port in sshd_config
- Ubuntu 22.10 and newer: update the socket too
- Open the new port in the firewall
- Apply the change
- Test in a new session — don't close the old one
- Clean up the firewall
Changing the port is not real security on its own — see optimizing web application and server security for the controls that matter — but it dramatically reduces the volume of drive-by login attempts. Here's how to do it without losing access to your server.
Set the new port in sshd_config
Edit the SSH daemon config:
sudo nano /etc/ssh/sshd_config
Find the Port line, uncomment it, and set your chosen port (pick something above 1024, for example 2222):
Port 2222
Ubuntu 22.10 and newer: update the socket too
This is the step most guides miss. On Ubuntu 22.10, 24.04, and later, ssh is socket-activated by systemd, so the Port in sshd_config is ignored — the listening port is defined in ssh.socket instead.
Check whether socket activation is in use:
sudo systemctl status ssh.socket
If it's active, override the socket's port:
sudo systemctl edit ssh.socket
Add these lines in the editor (the empty ListenStream= clears the default of 22):
[Socket]
ListenStream=
ListenStream=2222
On older releases (Ubuntu 22.04 and earlier) there's no socket — the sshd_config change alone is enough.
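Why the empty ListenStream= line matters, as an added example that is not part of the original article: systemd appends list settings from drop-ins to the base unit, so an override without the reset leaves port 22 listening next to 2222. The function name, file names and sample unit contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Resolves the ListenStream list systemd ends up with after
# reading a socket unit and its drop-ins in order (files as args, or stdin).
effective_listen_streams() {
    awk '
        FNR == 1        { in_socket = 0 }   # each file starts outside any section
        /^[ \t]*[#;]/   { next }            # skip comment lines
        /^[ \t]*\[/     { in_socket = ($0 ~ /^[ \t]*\[Socket\]/); next }
        in_socket && /^[ \t]*ListenStream[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (val == "") n = 0            # empty assignment clears the list
            else list[++n] = val
        }
        END { for (i = 1; i <= n; i++) printf "%s%s", list[i], (i < n ? " " : "\n") }
    ' "$@"
}

# Constructed sample files (not copied from a real host): a base unit that
# listens on 22, plus one drop-in with the reset line and one without it.
make_samples() {
    printf '[Unit]\nDescription=sample\n\n[Socket]\nListenStream=22\nAccept=no\n' > "$1/ssh.socket"
    printf '[Socket]\nListenStream=\nListenStream=2222\n' > "$1/with-reset.conf"
    printf '[Socket]\nListenStream=2222\n' > "$1/no-reset.conf"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    echo "with reset:    $(effective_listen_streams "$dir/ssh.socket" "$dir/with-reset.conf")"
    echo "without reset: $(effective_listen_streams "$dir/ssh.socket" "$dir/no-reset.conf")"
    rm -rf "$dir"
}
demo
```

On a live host, `systemctl cat ssh.socket | effective_listen_streams` feeds the function the real unit plus its drop-ins, and `ss -tln` confirms which ports are actually bound.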
Open the new port in the firewall
If you run UFW, allow the new port before restarting, or you'll lock yourself out:
sudo ufw allow 2222/tcp
Apply the change
Reload systemd and restart SSH:
sudo systemctl daemon-reload
sudo systemctl restart ssh.socket ssh
Test in a new session — don't close the old one
Keep your current SSH session open. From another terminal, connect on the new port:
ssh -p 2222 user@your-server
Only once that succeeds should you close the original session. If the new connection is refused or rejected, work through SSH Permission denied (publickey) and double-check the firewall rule.
Clean up the firewall
After confirming the new port works, remove the old rule if you'd added one for port 22:
sudo ufw delete allow 22/tcp