Changing the default SSH port from 22 to a custom port reduces automated brute-force login attempts and port scanning noise. On RHEL-based systems running SELinux in enforcing mode, you need to relabel the new port before sshd can bind to it. This guide covers changing the SSH port on RHEL 9, Rocky Linux 9, AlmaLinux 9, Fedora, and older RHEL 7/8 variants with SELinux and firewalld properly configured.

Prerequisites
- RHEL 9/8/7, Rocky Linux 9/8, AlmaLinux 9/8, or Fedora server
- Root or sudo access
- SELinux in enforcing mode (check with getenforce)
- Firewalld running (or iptables if preferred)
- A second terminal or console session open as a safety net – do not close your current SSH session until the new port is verified
Choose a port number between 1024 and 65535 that is not already in use. We use port 33000 throughout this guide – replace it with your chosen port.
Step 1: Backup SSH Configuration
Before making any changes, back up the current sshd configuration:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%F)
Verify the backup exists:
$ ls /etc/ssh/sshd_config*
/etc/ssh/sshd_config /etc/ssh/sshd_config.bak.2026-03-19
Step 2: Change SSH Port in sshd_config
Open the SSH daemon configuration file:
sudo vi /etc/ssh/sshd_config
Find the line #Port 22, remove the leading # to uncomment it, and set your new port:
Port 33000
Save and close the file.
On RHEL 9 / Rocky Linux 9 / AlmaLinux 9, you can also use the drop-in configuration directory instead of editing the main file:
echo "Port 33000" | sudo tee /etc/ssh/sshd_config.d/custom-port.conf
Validate the configuration before proceeding:
sudo sshd -t
No output means the syntax is valid. If errors appear, fix them before continuing.
Step 3: Allow New SSH Port in SELinux
SELinux only allows sshd to bind to ports labeled as ssh_port_t. By default, only port 22 has this label. Attempting to start sshd on a different port without SELinux relabeling results in a “Permission denied” bind error.
First, install the policycoreutils-python-utils package which provides the semanage command:
sudo dnf -y install policycoreutils-python-utils
Check the current SELinux port label for SSH:
$ semanage port -l | grep ssh
ssh_port_t tcp 22
Add the new port to the ssh_port_t type:
sudo semanage port -a -t ssh_port_t -p tcp 33000
Verify the port was added:
$ semanage port -l | grep ssh
ssh_port_t tcp 33000, 22
Both ports are now allowed. If your chosen port is already assigned to another SELinux type, use -m (modify) instead of -a (add):
sudo semanage port -m -t ssh_port_t -p tcp 33000
For more on managing SELinux ports and booleans with Ansible, check our automation guide.
Step 4: Open Firewall Port
Add the new SSH port to firewalld. Keep the default SSH service (port 22) open for now – you will remove it after verifying the new port works:
sudo firewall-cmd --permanent --add-port=33000/tcp
sudo firewall-cmd --reload
Verify the port is listed in the active rules:
$ sudo firewall-cmd --list-ports
33000/tcp
If firewalld is not installed, install and enable it:
sudo dnf -y install firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --permanent --add-port=33000/tcp
sudo firewall-cmd --reload
Step 5: Restart sshd and Verify
Restart the SSH daemon to apply the new port:
sudo systemctl restart sshd
Check that sshd is running and listening on the new port:
$ sudo systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running)
Confirm the port is listening:
$ ss -tlnp | grep 33000
LISTEN 0 128 0.0.0.0:33000 0.0.0.0:* users:(("sshd",pid=12345,fd=3))
LISTEN 0 128 [::]:33000 [::]:* users:(("sshd",pid=12345,fd=4))
Step 6: Test SSH on the New Port
Before closing your current session, open a new terminal and test the connection on the new port:
ssh -p 33000 user@192.168.1.10
Replace user with your actual username and 192.168.1.10 with the server IP. If the connection succeeds, the port change is working.
You can also verify from the server itself:
ssh -p 33000 localhost
Step 7: Remove Default SSH Port from Firewall
Only after confirming SSH works on the new port, remove the default port 22 from the firewall:
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
Verify port 22 is no longer open:
$ sudo firewall-cmd --list-all | grep -E 'services|ports'
services: cockpit dhcpv6-client
ports: 33000/tcp
The ssh service should no longer appear in the services list.
Connecting with the Custom SSH Port
When connecting to the server from now on, specify the port with -p:
ssh -p 33000 user@192.168.1.10
To avoid typing the port every time, add it to your local ~/.ssh/config:
Host myserver
HostName 192.168.1.10
Port 33000
User admin
Then connect with just:
ssh myserver
For SCP and SFTP, use the uppercase -P flag:
scp -P 33000 file.txt user@192.168.1.10:/tmp/
sftp -P 33000 user@192.168.1.10
Troubleshooting SSH Port Change Issues
sshd fails to start – “Permission denied” bind error
This means SELinux is blocking the port. Check the audit log:
sudo ausearch -m AVC -ts recent | grep sshd
Fix by running the semanage port command from Step 3. If the port is already assigned to another type, use -m to modify it.
semanage command not found
Install the required package:
sudo dnf -y install policycoreutils-python-utils
Connection refused on new port
Check these in order:
- sshd is running: systemctl status sshd
- sshd is listening on the correct port: ss -tlnp | grep sshd
- Firewall allows the port: sudo firewall-cmd --list-ports
- SELinux allows the port: semanage port -l | grep ssh
- No cloud provider security group blocking the port (AWS, GCP, Azure)
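The checklist above as a script, added here as an example (not part of the original guide): each helper parses saved output from ss -tlnp, firewall-cmd --list-ports and semanage port -l, and port_blockers reports every layer that does not allow the port. The function names are this example's own; unlike a plain grep it matches the port exactly and also accepts port ranges.

```bash
# Added example: report which layers do not allow a custom SSH port.
# Helpers read saved command output on stdin, so they can be tested offline.

# `ss -tlnp`: is a socket owned by sshd listening on exactly PORT?
sshd_listening() {
  awk -v p="$1" '$1 == "LISTEN" && /"sshd"/ {
      n = split($4, a, ":"); if (a[n] == p) found = 1
    } END { exit !found }'
}

# `firewall-cmd --list-ports`: is PORT/tcp open, alone or inside a range?
firewall_allows() {
  tr ' ' '\n' | awk -F'[-/]' -v p="$1" '$NF == "tcp" {
      lo = $1 + 0; hi = (NF == 3 ? $2 : $1) + 0
      if (p + 0 >= lo && p + 0 <= hi) found = 1
    } END { exit !found }'
}

# `semanage port -l`: is PORT in the tcp list of ssh_port_t (ports or ranges)?
selinux_allows() {
  awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        gsub(/,/, "", $i); n = split($i, r, "-")
        lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (p + 0 >= lo && p + 0 <= hi) found = 1
      }
    } END { exit !found }'
}

# Print every failing layer (in checklist order) or "ok"; status 0 only if ok.
port_blockers() {  # args: PORT SS_OUTPUT FIREWALL_OUTPUT SEMANAGE_OUTPUT
  bad=""
  printf '%s\n' "$2" | sshd_listening "$1"  || bad="$bad listen"
  printf '%s\n' "$3" | firewall_allows "$1" || bad="$bad firewall"
  printf '%s\n' "$4" | selinux_allows "$1"  || bad="$bad selinux"
  bad="${bad# }"
  echo "${bad:-ok}"
  [ -z "$bad" ]
}

# On a live host, as root:
#   port_blockers 33000 "$(ss -tlnp)" "$(firewall-cmd --list-ports)" "$(semanage port -l)"
```

A result such as "listen selinux" points at the SELinux label as the reason sshd could not bind, while "firewall" alone means sshd is up but the port is filtered.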
Port already defined error from semanage
If semanage port -a returns “Port tcp/33000 already defined”, the port is assigned to another SELinux type. Use modify instead:
sudo semanage port -m -t ssh_port_t -p tcp 33000
Reverting back to port 22
To revert the change, edit /etc/ssh/sshd_config and set Port 22 (or remove the drop-in file), then restore the firewall:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --remove-port=33000/tcp
sudo firewall-cmd --reload
sudo systemctl restart sshd
Remove the custom SELinux port label:
sudo semanage port -d -t ssh_port_t -p tcp 33000
Conclusion
The SSH port is now changed on your RHEL / Rocky Linux / AlmaLinux / Fedora server with SELinux enforcing mode intact. The key steps are: update sshd_config, label the port in SELinux with semanage, open it in the firewall, and always test before removing port 22 access.
For additional SSH hardening, consider disabling password authentication in favor of key-based auth, enabling SSH two-factor authentication, and setting up fail2ban to block repeated failed login attempts.