Knowledge

What port does SSH use (and how to change it)

#Development

SSH uses TCP port 22 by default. You can change it in the SSH daemon config, but the port itself is not a security feature, so know what changing it does and does not buy you.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. The default SSH port
  2. Connecting on a non-default port
  3. Changing the SSH port on the server
  4. Does changing the port improve security?

The default SSH port

SSH listens on TCP port 22 by default. That is the port your client connects to unless you tell it otherwise:

ssh user@server.example.com        # implicitly port 22
ssh -p 22 user@server.example.com  # the same thing, spelled out

Port 22 is assigned to SSH by IANA, so it is what every client, firewall rule and hosting panel assumes.

Connecting on a non-default port

If a server runs SSH on another port, pass it with -p (lowercase) for ssh, and -P (uppercase) for scp:

ssh -p 2222 user@server.example.com
scp -P 2222 file.txt user@server.example.com:/tmp/

To avoid typing it every time, set it in ~/.ssh/config:

Host myserver
    HostName server.example.com
    User deploy
    Port 2222

Then just ssh myserver.

Changing the SSH port on the server

Edit the SSH daemon config and set the Port directive:

sudo nano /etc/ssh/sshd_config

Port 2222

Before restarting, open the new port in your firewall, or you will lock yourself out:

sudo ufw allow 2222/tcp

On distributions with SELinux (RHEL, Rocky, AlmaLinux) you also have to register the port:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Then restart the daemon:

sudo systemctl restart ssh    # or: sudo systemctl restart sshd

Keep your current session open and test the new port from a second terminal before logging out. If it works, you can remove the old 22/tcp firewall rule.

Does changing the port improve security?

Moving off port 22 cuts down the noise in your logs from automated bots scanning the default port, but it is security through obscurity, not real protection. A port scan finds the new port in seconds. The changes that actually matter:

  • Use key-based authentication and set PasswordAuthentication no.
  • Disable direct root login with PermitRootLogin no.
  • Put the server behind a firewall and, ideally, only allow SSH from known IPs.

If your key auth is misconfigured, see SSH Permission denied (publickey). For the related "address already in use" problem when a port is taken, see Address already in use (port already bound).

Subscribe to our newsletter

Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!

Related articles

Install PHP memcached extension on macOS

SSH uses TCP port 22 by default. You can change it in the SSH daemon config, but the port itself is not a security feature, so know what changing it does and does not buy you.

Read more →

How to delete a local (and remote) Git branch

SSH uses TCP port 22 by default. You can change it in the SSH daemon config, but the port itself is not a security feature, so know what changing it does and does not buy you.

Read more →