How to change the SSH connection port and disable password authorization

    In this article, we will see how to change the standard SSH connection port to a non-standard one, and disable password authentication.

    !!! IMPORTANT !!!

    Make sure you have already created SSH keys before doing this, and successfully connected to the server using them. Or you have access to the server via VNC to enable password authorization back and return the default settings.

    And so, first you need to edit the sshd_config file:

    vim /etc/ssh/sshd_config

    In the line Port 22 (Uncomment if commented out) and change port 22 to the desired port, for example 22333:

    Port 22333

    Restart the sshd service:

    systemctl restart sshd

    Check if the installed port 22333 is listening:

    netstat -tupln | grep ssh

    If we see that the sshd service listens to the port we need 22333 or another one that you set, then in order for us to connect already using it, you need to allow its use from outside.

    To do this, you need to add a rule to the iptables list:

    iptables -A INPUT -p tcp --dport 22333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    or like this:

    iptables -I INPUT -p tcp --dport 22333 -m state --state NEW -j ACCEPT

    With the iptables -L command, we can see that the rule has been added.

    After that, you need to save the rules so that after the restart the installed port remains available.

    For Centos 7 use this command:

    service iptables save

    For Ubuntu, we use a different command. To do this, you need to install iptables-persistent.

    apt-get install iptables-persistent

    If you get an error that there is no suitable package or repository, update the repositories. After that, install the updates.

    apt update
    apt upgrade

    If this package is installed and you want to save the rules:

    dpkg-reconfigure iptables-persistent

    During reconfiguration, answer YES to both questions.

    After that, you can save the rules for ipv4:

    iptables-save | sudo tee /etc/iptables/rules.v4

    For ipv6:

    ip6tables-save | sudo tee /etc/iptables/rules.v6

    If the firewall is enabled, add a rule for it:

    firewall-cmd --permanent --add-port=22333/tcp

    And also restart the firewalld service:

    systemctl restart firewalld

    Disable SSH password authentication

    To do this, edit the /etc/ssh/sshd_config file:

    vim /etc/ssh/sshd_config

    Looking for the line:

    PasswordAuthentication yes

    And change it to:

    PasswordAuthentication no

    If there is a # symbol (commented out) at the beginning of this line, remove it. Save the file after making these changes and restart the sshd service:

    systemctl restart ssh

    Now you can restart the server and make sure you did everything right.


    If everything is done correctly, then the connection to the server with the new port will pass without "dancing" incidents.