Running OpenSSH on a custom port

The OpenSSH sshd(8) daemon can be run on a non-standard port. Note that this simple obfuscation will not stand up to an attacker with a clue, who will simply use a port scanning tool to locate services running on custom ports. Running sshd on a custom port may, however, spare the logs from the brute force attack spam sent by hacked systems. Other ways to restrict access include running sshd behind a firewall that first requires a VPN to access, automatically blocking brute force SSH attacks, and using port knocking to open access.

OpenSSH Server Configuration

Either update the sshd_config configuration file to include a custom port statement, or use the -p option to sshd. The sshd_config(5) and sshd(8) manuals go into more detail on the operation and precedence of the various port and listen address configuration options.
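
The precedence rules that sshd(8) and sshd_config(5) document for -p, Port and ListenAddress can be checked against a configuration before it is deployed. The following is an added example, not part of the original page: the function name effective_listeners and the sample configuration are constructed here, and the parser assumes whitespace-separated "Keyword value" lines with no Match or Include directives.

```shell
#!/bin/sh
# Added example: list the address:port pairs an sshd configuration requests.
# Usage: effective_listeners [port ...] < sshd_config
# Arguments stand for ports given to sshd with -p. Rules modelled, as
# documented in sshd(8) and sshd_config(5):
#   - -p ports replace every Port directive; with neither, the port is 22
#   - a ListenAddress that carries its own port ignores both
#   - with no ListenAddress, sshd listens on all local addresses ("*")
# Assumes "Keyword value" lines, no Match or Include directives.
effective_listeners() {
    awk -v cli="$*" '
    /^[ \t]*#/ || /^[ \t]*$/       { next }           # comments, blank lines
    tolower($1) == "port"          { cfg[++ncfg] = $2; next }
    tolower($1) == "listenaddress" { la[++nla] = $2; next }
    END {
        n = split(cli, ports, " ")                    # -p ports, if any
        if (n == 0) { n = ncfg + 0; for (i = 1; i <= n; i++) ports[i] = cfg[i] }
        if (n == 0) { n = 1; ports[1] = 22 }
        if (nla == 0) la[++nla] = "*"
        for (i = 1; i <= nla; i++) {
            addr = la[i]; port = ""
            if (addr ~ /^\[.*\]:[0-9]+$/ || addr ~ /^[^:]+:[0-9]+$/) {
                port = addr; sub(/^.*:/, "", port)    # text after last colon
                sub(/:[0-9]+$/, "", addr)
            } else if (addr ~ /:/ && addr !~ /^\[/) {
                addr = "[" addr "]"                   # bare IPv6, no port
            }
            if (port != "") print addr ":" port
            else for (j = 1; j <= n; j++) print addr ":" ports[j]
        }
    }'
}

# Constructed sample configuration (documentation addresses, not a real host).
sample_config() {
    cat <<'EOF'
# sshd_config fragment
Port 1234
Port 2222
ListenAddress 192.0.2.10
ListenAddress [2001:db8::10]:8022
EOF
}

sample_config | effective_listeners         # as started with plain: sshd
sample_config | effective_listeners 4000    # as started with: sshd -p 4000
```

On a host where sshd is installed, `sshd -T` prints the effective configuration as the daemon itself parses it, which is the authoritative check.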

Server configuration should be managed under version control so that configuration can be replicated or reproduced on new or additional systems, thus minimizing the time a human must spend setting up systems.

Client Configuration

The OpenSSH ssh and scp commands must be informed of the custom server port. This can either be done on the command line:

$ ssh -p 1234 server.example.org

$ ssh -oPort=1234 server.example.org

$ scp -oPort=1234 somefile server.example.org:
$ sftp -oPort=1234 server.example.org

or in a per-user ~/.ssh/config configuration file (or perhaps in the system-wide ssh_config configuration file). This method avoids the need to specify the custom port option with each command:

Host server.example.org server gh
  Hostname server.example.org
  Port 1234
  ForwardAgent no
  ForwardX11 no
  Protocol 2
  StrictHostKeyChecking yes
  ControlMaster auto
  ControlPath ~/tmp/ssh.%r_%h_%p

Using a configuration file entry also avoids the need to add a -p 1234 or -oPort=1234 to the RSYNC_RSH or similar settings, for external programs such as rsync that may use OpenSSH.