The default SSH port 22 is the first target for automated brute-force bots and port scanners. Changing it to a non-standard port cuts down login noise in your logs and reduces exposure to mass scanning tools. This is not a replacement for proper SSH hardening (key-based auth, fail2ban, disabling root login), but it is a practical first layer that works well alongside those measures.
This guide walks through changing the SSH port on Rocky Linux 10, AlmaLinux 10, RHEL 10, and Fedora 42 with SELinux in enforcing mode and firewalld active. Every step includes verification so you never lock yourself out.

Why Change the Default SSH Port
Port 22 receives thousands of automated login attempts daily on any public-facing server. Moving SSH to a different port eliminates most of this noise because bots scan well-known ports and move on. Your auth logs become useful again – real threats stand out instead of drowning in bot traffic. Combined with key-based authentication and tools like fail2ban, a non-standard port makes your server significantly harder to find and attack.
Prerequisites
- Rocky Linux 10, AlmaLinux 10, RHEL 10, or Fedora 42 server
- Root or sudo access
- SELinux in enforcing mode (confirm with getenforce)
- Firewalld running (confirm with systemctl status firewalld)
- A second terminal or console session open – do not close your current SSH session until the new port is tested and confirmed working
Step 1: Choose a New SSH Port
Pick a port number between 1024 and 65535 that is not already in use on your server. Avoid well-known ports (80, 443, 3306, 8080, etc.) and ports registered with IANA for common services. Good choices are high-numbered ports like 2222, 33000, 49152, or anything in the 10000-65535 range that your organization does not already use.
Check whether your chosen port is already in use:
ss -tlnp | grep 33000
No output means the port is free. We use port 33000 throughout this guide – replace it with your chosen port number.
Step 2: Add the New Port to SELinux
SELinux only allows sshd to bind to ports labeled as ssh_port_t. By default, only port 22 has this label. If you skip this step and try to start sshd on a different port, SELinux blocks the bind and sshd fails with a “Permission denied” error.
Install the policycoreutils-python-utils package that provides the semanage command:
sudo dnf -y install policycoreutils-python-utils
Check which ports currently have the ssh_port_t label:
semanage port -l | grep ssh
The default output shows only port 22 labeled for SSH:
ssh_port_t tcp 22
Add your new port to the ssh_port_t type:
sudo semanage port -a -t ssh_port_t -p tcp 33000
Verify the port was added by checking the label again:
semanage port -l | grep ssh
Both ports should now appear in the output:
ssh_port_t tcp 33000, 22
If the port is already assigned to a different SELinux type, the -a flag returns an error. Use -m (modify) instead to reassign it:
sudo semanage port -m -t ssh_port_t -p tcp 33000
For more on managing SELinux ports programmatically, see our guide on managing SELinux with Ansible.
Step 3: Update sshd_config
Back up the current SSH configuration before making changes:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
On Rocky Linux 10, AlmaLinux 10, and RHEL 10, the preferred method is to use the drop-in configuration directory. This keeps your customization separate from the main config file, so package upgrades do not overwrite your changes:
echo "Port 33000" | sudo tee /etc/ssh/sshd_config.d/custom-port.conf
Alternatively, you can edit the main sshd_config file directly. Open it in your editor:
sudo vi /etc/ssh/sshd_config
Find the line #Port 22, uncomment it, and change the port number:
Port 33000
You can also listen on multiple ports simultaneously by adding more than one Port directive. This is useful during migration when you want both ports active temporarily:
Port 22
Port 33000
Validate the configuration syntax before proceeding:
sudo sshd -t
No output means the configuration is valid. If there are syntax errors, fix them before continuing.
Step 4: Update Firewalld
Add the new SSH port to firewalld. Keep port 22 open for now – you will remove it only after confirming the new port works. This prevents locking yourself out if something goes wrong.
sudo firewall-cmd --permanent --add-port=33000/tcp
Reload firewalld to apply the change:
sudo firewall-cmd --reload
Verify the port appears in the active rules:
sudo firewall-cmd --list-ports
You should see your new port listed:
33000/tcp
Warning: Do not remove port 22 from the firewall yet. If you remove it before testing the new port, and the new port does not work, you will be locked out of the server. Only remove port 22 after Step 6 confirms the new port is working.
Step 5: Restart SSH and Test
Restart the SSH daemon to apply the port change:
sudo systemctl restart sshd
Check the service status to confirm sshd started without errors:
systemctl status sshd
The output should show sshd as active and running:
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running)
Do not close your current SSH session. Open a new terminal window and test connecting on the new port:
ssh -p 33000 user@192.168.1.10
Replace user with your username and 192.168.1.10 with your server IP address. If the connection succeeds, the port change is working correctly. If it fails, your original session is still open on port 22 for troubleshooting.
Step 6: Verify the Change
Confirm sshd is listening on the new port using the ss command:
ss -tlnp | grep sshd
The output should show sshd bound to your new port on both IPv4 and IPv6:
LISTEN 0 128 0.0.0.0:33000 0.0.0.0:* users:(("sshd",pid=12345,fd=3))
LISTEN 0 128 [::]:33000 [::]:* users:(("sshd",pid=12345,fd=4))
Once confirmed, remove port 22 from the firewall to close the default port:
sudo firewall-cmd --permanent --remove-service=ssh
Reload firewalld to apply:
sudo firewall-cmd --reload
Verify port 22 is no longer open:
sudo firewall-cmd --list-all
The ssh service should no longer appear in the services line, and your custom port should show under ports:
services: cockpit dhcpv6-client
ports: 33000/tcp
Step 7: Update SSH Client Config (Optional)
To avoid typing -p 33000 every time you connect, add the server to your local SSH client configuration. Edit ~/.ssh/config on your workstation:
vi ~/.ssh/config
Add a host block with your server details:
Host myserver
    HostName 192.168.1.10
    Port 33000
    User admin
Now you can connect with just:
ssh myserver
For file transfers, both SCP and SFTP use uppercase -P for the port flag (lowercase -p is the ssh flag):
scp -P 33000 file.txt user@192.168.1.10:/tmp/
With the SSH config in place, both SCP and SFTP pick up the port automatically when you use the host alias.
Reverting to Port 22
If you need to switch back to the default SSH port, remove the drop-in configuration file (or edit sshd_config to set Port 22):
sudo rm /etc/ssh/sshd_config.d/custom-port.conf
Re-add the default SSH service to the firewall and remove the custom port:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --remove-port=33000/tcp
sudo firewall-cmd --reload
Restart sshd to apply:
sudo systemctl restart sshd
Remove the custom SELinux port label since it is no longer needed:
sudo semanage port -d -t ssh_port_t -p tcp 33000
Verify sshd is back on port 22:
ss -tlnp | grep sshd
You should see sshd listening on port 22 again. If you run into SELinux denials during any of these steps, check our SELinux troubleshooting guide for detailed debugging steps.
Conclusion
The SSH port is now changed on your Rocky Linux 10, AlmaLinux 10, or RHEL 10 server with SELinux enforcing mode intact. The process comes down to three systems that all need updating: SELinux port labels with semanage, the sshd configuration, and the firewalld rules – always in that order, and always tested before removing port 22 access.
For a more complete SSH hardening setup, disable password authentication in favor of key-based auth, enable SSH two-factor authentication, and set up fail2ban to automatically block IPs with repeated failed login attempts.
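The three layers named in the conclusion (SELinux port label, effective sshd configuration, firewalld ports) can be checked together before port 22 access is removed. The script below is an added example, not part of the original guide; the function names are illustrative and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example: verify a port at all three layers this guide changes.
# Each check reads the relevant command's output on stdin, so the logic
# can be exercised offline against the constructed samples below.

# stdin: `semanage port -l`. True if tcp port $1 carries the exact type
# ssh_port_t; understands comma lists and ranges such as 33000-33010.
selinux_allows() {
  awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
    for (i = 3; i <= NF; i++) {
      gsub(/,/, "", $i); n = split($i, r, "-")
      if ((n == 1 && r[1]+0 == p+0) || (n == 2 && p+0 >= r[1]+0 && p+0 <= r[2]+0)) ok = 1
    }
  } END { exit !ok }'
}

# stdin: `sshd -T` (effective config, drop-ins included). Whole-line match,
# so "port 3300" does not satisfy a check for 33000.
sshd_listens() { grep -qx "port $1"; }

# stdin: `firewall-cmd --list-ports`. True if $1/tcp or a covering tcp range is open.
firewall_allows() {
  tr ' ' '\n' | awk -F'[-/]' -v p="$1" '
    $NF == "tcp" && ((NF == 2 && $1+0 == p+0) || (NF == 3 && p+0 >= $1+0 && p+0 <= $2+0)) { ok = 1 }
    END { exit !ok }'
}

# Args: port, semanage output, sshd -T output, firewall-cmd output.
# Prints the layers that would still block the port; succeeds if none.
preflight() {
  missing=""
  printf '%s\n' "$2" | selinux_allows "$1"  || missing="$missing selinux"
  printf '%s\n' "$3" | sshd_listens "$1"    || missing="$missing sshd_config"
  printf '%s\n' "$4" | firewall_allows "$1" || missing="$missing firewalld"
  echo "${missing# }"
  [ -z "$missing" ]
}

# Constructed sample outputs (not captured from a real host).
SEMANAGE_OUT='ssh_port_t                     tcp      33000, 22'
SSHD_T_OUT='port 22
port 33000'
FIREWALL_OUT='33000/tcp'

preflight 33000 "$SEMANAGE_OUT" "$SSHD_T_OUT" "$FIREWALL_OUT" >/dev/null \
  && echo "33000: SELinux, sshd and firewalld agree"
# Live use, as root:
#   preflight 33000 "$(semanage port -l)" "$(sshd -T)" "$(firewall-cmd --list-ports)"
```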