Changing a non-standard port: how to enhance server security

Introduction

One of the simplest yet most effective ways to improve server security is to change the default port for remote access protocols. Protocols such as SSH and RDP use well-known ports by default (22 and 3389, respectively). This makes them vulnerable to automated attacks and scanning. Changing these ports to non-standard ones can reduce the number of hacking attempts.

Why change the standard port

• Reduce the number of automated attacks. Bots scan networks for open standard ports.
• Camouflage from scanners. A non-standard port will not be displayed as a vulnerability during a superficial scan.
• Additional level of security. This is not a replacement for full protection, but an additional barrier.

Please note: changing the port is not a means of protection against an experienced attacker, but a preventive measure.

How to change the SSH port to a non-standard one

By default, SSH runs on port 22. To change it:

Step 1: Log in to the server

Connect to the server via SSH: 

				
					ssh root@your_server_ip
				
			

Step 2: Open the configuration file

Open the file /etc/ssh/sshd_config using a text editor, such as nano:

				
					nano /etc/ssh/sshd_config

				
			

Find the line:

				
					#Port 22
				
			

Remove the # symbol and replace the port number:

				
					Port 2222
				
			

Replace 2222 with any other available port (for example, between 1025 and 65535).

Step 3: Configure the firewall

Open the selected port in firewalld or iptables. Example for firewalld:

				
					firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

				
			

Step 4: Restart the SSH service

				
					systemctl restart sshd
				
			

Step 5: Check the connection

Perform a test connection with the new port:

				
					ssh -p 2222 user@your_server_ip

				
			

Important! Do not close the current connection until you are sure that the new one is working.

How to change the RDP port in Windows

By default, the RDP protocol uses port 3389. To change it, you will need to edit the registry.

Step 1: Launch the Registry Editor

Open regedit → go to:

				
					HKEY_LOCAL_MACHINESystemCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp
				
			

Find the PortNumber parameter and open it. Select the Decimal representation type, then specify the new port number (for example, 3390).

Step 2: Configure the Windows firewall

Open access to the new port:

				
					netsh advfirewall firewall add rule name="RDP Custom Port" protocol=TCP dir=in localport=3390 action=allow
				
			

Step 3: Restart your computer

You will need to restart your computer for the changes to take effect.

Step 4: Connect using the new port

In the Remote Desktop Connection client, specify the port manually: 

				
					your_server_ip:3390
				
			

Important recommendations

• Remember the new port. Otherwise, you may lose access to the server.
• Do not use ports that are already occupied by other services. For example, 80, 443, 3306, etc.
• Add the new port to the firewall exceptions before restarting the service.
• Use non-standard ports as part of your overall security system. Install fail2ban, two-factor authentication, and a VPN.

Conclusion

Changing to a non-standard port is a simple but effective security measure. It’s not a panacea, but it’s an excellent first step toward protecting your server from attacks. By properly configuring your SSH and RDP ports, you reduce the likelihood of automated hacking attempts and show that you care about the security of your environment.

Use this solution in conjunction with other security measures, and your server will be well protected.

Table of Contents