Security Best Practices: Why Changing Default SSH Port 22 is Essential for System Hardening

Security research shows that over 90% of brute-force attacks target port 22 by default: automated bots constantly scan the entire IPv4 space for this well-known port. Here's a typical attack pattern we see in auth logs:

May 15 03:14:22 server sshd[25781]: Failed password for root from 203.0.113.45 port 48922 ssh2
May 15 03:14:25 server sshd[25784]: Failed password for root from 203.0.113.45 port 48922 ssh2
May 15 03:14:28 server sshd[25787]: Failed password for root from 203.0.113.45 port 48922 ssh2

Changing the SSH port significantly reduces this opportunistic traffic. In our production environment, moving from port 22 to 22222 resulted in:

  • 99.7% reduction in brute-force attempts
  • 85% decrease in overall malicious traffic
  • 60% reduction in system log volume

Here's how to properly implement this with additional security measures:

# /etc/ssh/sshd_config
Port 22222
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 30

Combine this with a Fail2Ban jail that watches the new port, so repeated failures from one source are banned:

# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 22222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
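The log lines quoted above are exactly the signal the Fail2Ban jails on this page act on (maxretry = 3). The following script is an added example, not code from the article: it tallies "Failed password" events per source address from an auth.log excerpt and reports which sources would cross the threshold, and it counts total attempts so the before/after volume of a port change can be measured. The log lines it embeds are constructed, modelled on the ones in the article.

```shell
#!/bin/sh
# Added example (not from the original article): tally "Failed password"
# events per source address, the same signal fail2ban's sshd filter acts on,
# so you can measure attempt volume before and after the port change and
# see which sources would cross maxretry = 3.

# Print "<ip> <count>" for every source at or above the threshold, sorted.
# Usage: flag_sources <auth.log> <threshold>
flag_sources() {
  awk -v limit="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      # the token after "from" is the source address
      for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
    }
    END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
  ' "$1" | sort
}

# Total failed-password events in the file (compare across a port change).
# Usage: failed_total <auth.log>
failed_total() {
  grep -c 'sshd\[[0-9]*\]: Failed password for' "$1" || true
}

# Constructed sample, modelled on the lines quoted in the article.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
May 15 03:14:22 server sshd[25781]: Failed password for root from 203.0.113.45 port 48922 ssh2
May 15 03:14:25 server sshd[25784]: Failed password for root from 203.0.113.45 port 48923 ssh2
May 15 03:14:28 server sshd[25787]: Failed password for root from 203.0.113.45 port 48924 ssh2
May 15 03:15:01 server sshd[25790]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
May 15 03:16:40 server sshd[25801]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
EOF

echo "failed attempts: $(failed_total "$sample_log")"
echo "sources at or above maxretry=3:"
flag_sources "$sample_log" 3
rm -f "$sample_log"
```

Run it against the real file (`flag_sources /var/log/auth.log 3`) before and after moving the port; the drop in `failed_total` is the measurement behind the reduction figures quoted above. Note that the "Accepted publickey" line is deliberately not counted: only failed authentications feed the threshold.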

For AWS environments, consider these security group rules:

# Allow SSH only from trusted IP ranges
resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22222
    to_port     = 22222
    protocol    = "tcp"
    cidr_blocks = ["192.0.2.0/24", "203.0.113.128/25"]
  }
}

Some argue that this is security through obscurity and therefore ineffective, but when combined with other measures (key-based auth, 2FA), changing the port becomes one layer of defense-in-depth rather than the only one. The main drawback, remembering non-standard ports, is solved with SSH config aliases:

# ~/.ssh/config
Host production
    HostName example.com
    Port 22222
    User deploy
    IdentityFile ~/.ssh/production_key

According to honeypot data, every new Linux server with port 22 open receives approximately 3,000 brute-force attempts within its first 24 hours of deployment. While SSH itself is secure, the default port is a predictable attack surface:

# Typical brute-force attempt from auth.log
Failed password for root from 45.227.253.109 port 48222 ssh2
Failed password for root from 45.227.253.109 port 48222 ssh2

Modifying the SSH daemon configuration is straightforward, but it requires care not to lock yourself out:

# /etc/ssh/sshd_config
# Custom port between 1024-65535 (comments go on their own line; older OpenSSH rejects trailing comments)
Port 22222
# Ignored by OpenSSH 7.4 and later, which only speak protocol 2; harmless to keep for older versions
Protocol 2
PermitRootLogin no

Always keep your current session open while you make the change. Validate the new configuration with sshd -t first, and run the restart detached from the session with nohup so a dropped connection cannot interrupt it halfway:

# sh -c is needed so that nohup covers the restart as well, not only the config test
nohup sh -c 'sshd -t && systemctl restart sshd' &
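A safer way to sequence the change is to have sshd listen on both the old and the new port for a transition period, confirm the new port from a second session, and only then remove the old one. The script below is an added example, not code from the article: it rewrites the Port directives in a given config file for the two phases, validates the new port range, and only touches sshd and systemctl when run with --apply; the demo path and the sample config contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): stage the port change so the
# daemon listens on both the old and the new port, verify the new port from a
# second session, and only then drop the old one. Paths and ports are
# parameters; the demo below works on a constructed temporary file, and
# sshd/systemctl are only called with --apply.

# Succeed only if $1 is an integer in the unprivileged range 1024-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Replace every Port directive in <config> with one for <old> and one for <new>.
# Usage: stage_dual_port <config> <old> <new>
stage_dual_port() {
  cfg=$1; old=$2; new=$3
  valid_port "$new" || { echo "refusing port '$new': must be 1024-65535" >&2; return 1; }
  grep -v -E '^[[:space:]]*Port[[:space:]]' "$cfg" > "$cfg.tmp" || true
  { printf 'Port %s\n' "$old" "$new"; cat "$cfg.tmp"; } > "$cfg"
  rm -f "$cfg.tmp"
}

# Remove the Port <old> directive once the new port has been confirmed.
# Usage: finalize_port <config> <old>
finalize_port() {
  cfg=$1; old=$2
  grep -v -E "^[[:space:]]*Port[[:space:]]+$old[[:space:]]*$" "$cfg" > "$cfg.tmp" || true
  mv "$cfg.tmp" "$cfg"
}

# Number of Port directives in <config>: 2 while staged, 1 when finalized.
port_count() {
  grep -c -E '^[[:space:]]*Port[[:space:]]' "$1" || true
}

if [ "${1:-}" = "--apply" ]; then
  # Real run: stage, validate, restart. Keep this session open and test
  # "ssh -p 22222 host" from another terminal before running finalize_port.
  stage_dual_port /etc/ssh/sshd_config 22 22222 || exit 1
  sshd -t && systemctl restart sshd
else
  # Demo on a constructed config: no daemon is touched.
  demo=$(mktemp)
  printf 'Port 22\nPermitRootLogin no\nMaxAuthTries 3\n' > "$demo"
  stage_dual_port "$demo" 22 22222
  echo "staged ($(port_count "$demo") Port lines):"; cat "$demo"
  finalize_port "$demo" 22
  echo "finalized ($(port_count "$demo") Port line):"; cat "$demo"
  rm -f "$demo"
fi
```

Open the new port in the host firewall and cloud security group before the --apply step, otherwise the second-session check will fail for reasons unrelated to sshd. Only after `ssh -p 22222` succeeds from a fresh session should `finalize_port /etc/ssh/sshd_config 22` be run, followed by another `sshd -t` and restart.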

In cloud environments the firewall rules must be updated in step with the daemon, or the new port will be unreachable:

# AWS Security Group Example
aws ec2 authorize-security-group-ingress \
    --group-id sg-903004f8 \
    --protocol tcp \
    --port 22222 \
    --cidr 203.0.113.1/32

For infrastructure-as-code environments, make the port a validated variable so each environment can pick its own non-default port:

# Terraform variable with validation
variable "ssh_port" {
  type        = number
  default     = 22222
  description = "Custom SSH port"
  validation {
    # inclusive bounds, matching the error message
    condition     = var.ssh_port >= 1024 && var.ssh_port <= 65535
    error_message = "Port must be between 1024 and 65535."
  }
}

Configure fail2ban to watch your custom port:

# /etc/fail2ban/jail.d/sshd.conf
[sshd]
enabled = true
port    = 22222
filter  = sshd
logpath = %(sshd_log)s
maxretry = 3

Port changes should complement other measures:

  • Certificate-based authentication
  • Port knocking sequences
  • Geofencing rules
  • Two-factor authentication

Remember to update all automation scripts, CI/CD pipelines, and monitoring tools when changing ports.