🔐 Secure SSH Connection

Complete guide to secure your SSH connection by changing the port and configuring additional security options to prevent brute force attacks.

🔐 Secure SSH Connection to Prevent Brute Force Attacks

The default SSH port (22) is often targeted by automated brute force attacks. This guide will teach you how to change the SSH port and configure additional security options to protect your server.

📋 Prerequisites

  • A VPS server with root or sudo access
  • An active SSH connection
  • UFW installed and configured (see the tutorial Install UFW)

⚠️ IMPORTANT: Keep an SSH session open

Important: Before starting, keep an active SSH session. If something goes wrong, you'll still be able to connect and fix the problem.

Open two SSH terminals in parallel:

  • Terminal 1: Working session (to make modifications)
  • Terminal 2: Backup session (just in case)

🔧 Change SSH Port

Step 1: Choose a new port

Choose a port between 1024 and 65535. Common ports to avoid:

  • 22 (default SSH port, heavily targeted)
  • 80, 443 (HTTP/HTTPS)
  • 3306, 5432 (databases)

Examples of secure ports: 2222, 2200, 1022, 5000

Step 2: Modify SSH configuration

# Edit SSH configuration file
sudo nano /etc/ssh/sshd_config

Step 3: Change the port

Find the line #Port 22 and modify it:

# Before
#Port 22

# After (replace 2222 with your chosen port)
Port 2222

Tip: Use Ctrl + W in nano to search for "Port 22"

Step 4: Save and quit

In nano:

  • Ctrl + X to quit
  • Y to confirm
  • Enter to save

Step 5: Verify syntax

# Verify that the configuration is valid
sudo sshd -t

If this command returns no errors, your configuration is correct.

Step 6: Allow the new port in UFW

# Allow the new SSH port (replace 2222 with your port)
sudo ufw allow 2222/tcp

# Optional: Remove the old port 22 if you no longer use it
sudo ufw delete allow 22/tcp

# Reload UFW
sudo ufw reload

# Verify that the rule is active
sudo ufw status | grep 2222

Step 7: Restart SSH service

# Restart SSH with the new configuration
sudo systemctl restart sshd

# Verify that SSH is still working
sudo systemctl status sshd

Step 8: Test the new connection

In a new terminal, test the connection with the new port:

# Replace 2222 with your port and user@your-ip with your credentials
ssh -p 2222 user@your-ip

If the connection works, you can close the old session on port 22.

🔒 Additional Security Options

Disable root login

Important: Disabling root login via SSH is an excellent security practice. Make sure you have a user with sudo configured before making this modification.

# Edit SSH configuration
sudo nano /etc/ssh/sshd_config

# Find and modify this line
PermitRootLogin no

# Save and restart
sudo sshd -t
sudo systemctl restart sshd

Limit connection attempts

sudo nano /etc/ssh/sshd_config

# Add or modify these lines (keep comments on their own lines: older
# versions of sshd reject a comment placed after a directive)

# Maximum 3 authentication attempts per connection
MaxAuthTries 3

# 30 seconds to authenticate before the connection is closed
LoginGraceTime 30

Disable password authentication (use only SSH keys)

sudo nano /etc/ssh/sshd_config

# Modify these lines
PasswordAuthentication no
PubkeyAuthentication yes

Warning: Only enable this option if you have configured an SSH key and tested that it works!

Use only SSH protocol version 2

sudo nano /etc/ssh/sshd_config

# Add this line (if it doesn't exist)
Protocol 2

Note: OpenSSH 7.4 and later no longer support protocol version 1 at all, so on a current server this directive is redundant; sshd -t accepts it but reports the option as deprecated.

Disable X11 tunnels (if you don't need them)

sudo nano /etc/ssh/sshd_config

# Modify this line
X11Forwarding no

Here is a complete secure SSH configuration to add in /etc/ssh/sshd_config:

# Custom SSH port
Port 2222

# Disable root login
PermitRootLogin no

# Connection limits
MaxAuthTries 3
LoginGraceTime 30

# Disable password authentication (if you use SSH keys)
# PasswordAuthentication no
# PubkeyAuthentication yes

# SSH protocol version 2 only
Protocol 2

# Disable X11 forwarding
X11Forwarding no

# Disable TCP tunnels
AllowTcpForwarding no

# Inactivity timeout before disconnect
ClientAliveInterval 300
ClientAliveCountMax 2

After each modification, don't forget to:

# Verify syntax
sudo sshd -t

# Restart SSH
sudo systemctl restart sshd
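Restarting is not the end of the check: `sudo sshd -T` prints every option the running daemon actually uses (one lowercase "keyword value" pair per line), which catches a directive that was typed into the wrong place, overridden by a later line, or left commented out. The audit below is an added example, not part of the original tutorial; the function names are its own, and the sample `sshd -T` output is constructed to look like a server on which two of the hardening values above never took effect. Protocol is not in the expected list because sshd -T does not print it, and `passwordauthentication no` assumes you enabled key-only login; drop that line if you kept passwords.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): audit effective sshd settings.
set -eu

# Expected "keyword value" pairs, as sshd -T prints them (lowercase keywords).
EXPECTED="port 2222
permitrootlogin no
maxauthtries 3
logingracetime 30
passwordauthentication no
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
clientaliveinterval 300
clientalivecountmax 2"

# audit_sshd_config FILE -> print one "keyword expected=X actual=Y" line per
# mismatch; FILE holds the output of "sudo sshd -T". Prints nothing when all
# expected values are in effect.
audit_sshd_config() {
    echo "$EXPECTED" | while read -r key want; do
        got=$(awk -v k="$key" '$1 == k { print $2 }' "$1")
        [ "$got" = "$want" ] || echo "$key expected=$want actual=${got:-unset}"
    done
}

# sshd_config_ok FILE -> exit 0 only if the audit found no mismatch
sshd_config_ok() {
    [ -z "$(audit_sshd_config "$1")" ]
}

# Constructed sample of sshd -T output (abridged; a real run prints many more
# lines). MaxAuthTries is still at its default of 6 and passwords are still
# accepted, which is what the audit should flag.
SAMPLE_T=$(mktemp)
cat > "$SAMPLE_T" <<'EOF'
port 2222
addressfamily any
permitrootlogin no
maxauthtries 6
logingracetime 30
passwordauthentication yes
pubkeyauthentication yes
x11forwarding no
allowtcpforwarding no
clientaliveinterval 300
clientalivecountmax 2
EOF

echo "Mismatches in the constructed sample:"
audit_sshd_config "$SAMPLE_T"

# On a real server:
#   sudo sshd -T > /tmp/sshd-effective.txt
#   sh audit-sshd.sh   (after replacing SAMPLE_T with /tmp/sshd-effective.txt)
```

Run the audit from the backup terminal right after `systemctl restart sshd`: a line such as `port expected=2222 actual=22` means the daemon is still on the old port and the new firewall rule is not yet protecting anything.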

🔄 Create a user with sudo (if necessary)

If you have disabled root login, make sure you have a user with sudo privileges:

# Create a new user
sudo adduser myuser

# Add the user to the sudo group
sudo usermod -aG sudo myuser

# Test that the user can use sudo
su - myuser
sudo whoami   # Should display "root"

✅ Final Verification

Verify that SSH is working

# Check service status
sudo systemctl status sshd

# Verify that SSH is listening on the correct port
sudo netstat -tlnp | grep ssh
# or
sudo ss -tlnp | grep ssh

# Verify configuration
sudo sshd -T | grep port

Verify SSH logs

# View connection attempts
sudo tail -f /var/log/auth.log

# View successful connections
sudo grep "Accepted" /var/log/auth.log

# View failed attempts
sudo grep "Failed" /var/log/auth.log
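Grepping for "Failed" tells you that attempts happen; what you actually want to know is which addresses are repeating them and how fast, since that is what the maxretry and findtime settings of fail2ban (next section) are tuned against. The script below is an added example, not part of the original tutorial: the function names are its own, and the log lines are constructed in the sshd/auth.log format using documentation IP ranges, including one legitimate user who mistypes a password once and then logs in with a key, to show why a threshold of 1 would be too aggressive.

```shell
#!/bin/sh
# Added example (not the tutorial's own code): summarise sshd auth events.
set -eu

# Constructed sample in auth.log format; the key fingerprint is a placeholder.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 09:12:01 vps sshd[2410]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:04 vps sshd[2410]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:07 vps sshd[2412]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:12:09 vps sshd[2414]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Mar  3 09:15:30 vps sshd[2420]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 09:15:41 vps sshd[2420]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar  3 09:20:02 vps sshd[2431]: Failed password for invalid user test from 192.0.2.33 port 60100 ssh2
Mar  3 09:35:10 vps sshd[2455]: Failed password for invalid user test from 192.0.2.33 port 60310 ssh2
Mar  3 09:48:45 vps sshd[2490]: Failed password for invalid user test from 192.0.2.33 port 60502 ssh2
EOF

# failed_by_ip LOG -> "count ip" per source address, most failures first
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# ips_over_threshold LOG MAXRETRY -> addresses with at least MAXRETRY failures
# in the whole file (no time window)
ips_over_threshold() {
    failed_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# ips_to_ban LOG MAXRETRY FINDTIME -> addresses that reached MAXRETRY failures
# within any FINDTIME-second window, i.e. the rule fail2ban's sshd jail applies.
# Uses the syslog time of day only, so a window that crosses midnight is not
# handled; good enough to size the jail, not a replacement for it.
ips_to_ban() {
    awk -v maxretry="$2" -v findtime="$3" '
        function hms(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            t = hms($3)
            n[ip]++; times[ip, n[ip]] = t
            c = 0
            for (j = 1; j <= n[ip]; j++) if (t - times[ip, j] <= findtime) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }
    ' "$1"
}

# accepted_logins LOG -> "method user ip" for each successful login
accepted_logins() {
    grep 'sshd\[[0-9]*\]: Accepted ' "$1" \
      | awk '{ for (i = 1; i <= NF; i++)
                   if ($i == "Accepted") { m = $(i+1); u = $(i+3) }
                   else if ($i == "from") print m, u, $(i+1) }'
}

echo "Failed logins per source IP:";        failed_by_ip "$SAMPLE_LOG"
echo "Would be banned (maxretry 3, findtime 600):"; ips_to_ban "$SAMPLE_LOG" 3 600
echo "Successful logins:";                  accepted_logins "$SAMPLE_LOG"
# On a real server replace "$SAMPLE_LOG" with /var/log/auth.log.
```

In the sample, 203.0.113.5 makes four attempts in eight seconds and is caught by maxretry=3 within findtime=600; 192.0.2.33 spreads three attempts over half an hour and is only caught if findtime is widened to 3600; alice's single typo never trips the threshold. That is the trade-off the fail2ban values encode: a longer findtime catches slow scanners at the cost of more chances to lock out a clumsy but legitimate user.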

🛡️ Additional Protection with fail2ban

fail2ban watches the authentication log and, through the firewall, temporarily blocks IP addresses that repeatedly fail to log in, which is exactly the pattern of a brute force attack.

Install fail2ban

sudo apt update
sudo apt install fail2ban -y

Basic configuration

# Copy the configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit the configuration
sudo nano /etc/fail2ban/jail.local

Recommended configuration for SSH:

[sshd]
enabled = true
# Your new SSH port
port = 2222
# Number of attempts before ban
maxretry = 3
# Ban time in seconds (1 hour)
bantime = 3600
# Time window to count attempts (10 minutes)
findtime = 600

Enable fail2ban

# Start fail2ban
sudo systemctl start fail2ban

# Enable on boot
sudo systemctl enable fail2ban

# Check status
sudo systemctl status fail2ban

# View banned IPs
sudo fail2ban-client status sshd

🆘 Troubleshooting

Cannot connect via SSH anymore

If you are locked out of the server:

  1. Use your backup session (Terminal 2 that you kept open)

  2. If you don't have a backup session:

    • Contact Infrawire support with your credentials
    • Use the VNC/KVM console from your control panel
    • Connect directly and restore the old configuration:
      sudo nano /etc/ssh/sshd_config
      # Put back Port 22
      sudo systemctl restart sshd

SSH port is not responding

# Verify that SSH is listening on the port
sudo netstat -tlnp | grep ssh

# Verify that the port is open in UFW
sudo ufw status | grep 2222

# Check SSH logs
sudo journalctl -u sshd -n 50

Need to connect with the old port temporarily

If you need to connect with the old port (22) before removing it:

# Temporarily allow port 22
sudo ufw allow 22/tcp

# Connect
ssh -p 22 user@your-ip

# Once connected, remove the rule
sudo ufw delete allow 22/tcp

❓ Frequently Asked Questions

Q: What port should I choose for SSH?
A: Choose a port between 1024 and 65535. Avoid common ports (80, 443, 3306, etc.). Ports like 2222, 2200, or 1022 are good choices.

Q: Can I use the same port for multiple services?
A: No, each service must have its own unique port.

Q: Do I really need to change the SSH port?
A: It's highly recommended. It significantly reduces automated brute force attacks.

Q: Is fail2ban necessary if I changed the port?
A: No, but it's a recommended additional security layer.

Q: How do I connect with the new port from an SSH client?
A: Use the -p option: ssh -p 2222 user@your-ip


Good security! 🚀