How to Change Default SSH Port on Alibaba Cloud ECS

Alibaba Cloud / 2026-05-21 22:27:04

Why change the default SSH port on Alibaba Cloud ECS?

Changing the default SSH port on an Alibaba Cloud ECS is one of those small security tweaks that feels like swapping the “front door” lock from “standard issue” to “a little more annoying to pick.” It won’t make your server magically invincible, because determined attackers will still find ways in. But it can reduce the amount of automated, opportunistic scanning traffic hitting your SSH service every minute of every day. In other words: fewer bots knocking, fewer logs screaming, and a calmer server life.

Also, it’s just good practice. Security shouldn’t rely on “security through obscurity,” yet obscurity can still help in the real world by adding friction for random internet noise. Think of it as putting up a “Beware of dog” sign on a dog that is mostly theoretical. Still, the sign might help.

Before you start: the safety briefing (a.k.a. “don’t lock yourself out”)

When you change the SSH port, you’re basically telling your SSH daemon: “Hey, listen on a different door number.” That means you must update all the places that expect SSH on the old port—particularly:

  • Your server’s SSH configuration (so it actually listens on the new port).
  • Alibaba Cloud Security Groups and/or firewall rules (so traffic to the new port is allowed).
  • Your client command (so you connect to the new port).

The biggest danger is changing the server port but forgetting to open the new port in the security group. The result: you can’t connect, you stare at the screen like a confused raccoon, and then you do emergency recovery. The good news: if you follow the steps in order, you’ll be fine.

Step 1: Identify your current SSH configuration

First, log in to your ECS using the current SSH port (commonly 22). Once you’re connected, check what SSH server configuration file you’re using. On most Linux distributions, the relevant file is:

  • /etc/ssh/sshd_config

If your system uses a different location, you can still usually find it by searching, but let’s keep it straightforward.

Step 2: Back up the SSH config file

Make a copy so you can revert quickly if something goes sideways. For example:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Yes, backups are boring. But boring is good. Boring means “I can undo my mistake.”

Step 3: Check your current SSH port setting

Open the SSH configuration file and look for a line like:

#Port 22

or possibly:

Port 22

If the line is commented out, SSH typically defaults to port 22. The safest approach is to explicitly set your new port rather than relying on defaults.

Step 4: Choose a new SSH port

Pick a port that is not in use and is unlikely to conflict with other services. People commonly choose a high port in the 20000–50000 range, such as 22022, or an easy-to-remember one such as 2222. For this article, let’s use 2222 as the example.

Example decision:

  • Old port: 22
  • New port: 2222

Replace 2222 with whatever you choose, but keep consistency across your server config, security group, and client command.

Step 5: Edit sshd_config to change the port

Open /etc/ssh/sshd_config with your preferred editor. If you’re using a minimal environment, nano is often available. For example:

nano /etc/ssh/sshd_config

Find the line that sets the port. You can either:

  • Uncomment and change it: Port 22 -> Port 2222
  • Add a new line if it doesn’t exist

So you want something like:

Port 2222

Save and exit.

Tip: If you want to be extra cautious, you can change the setting first and then verify configuration validity before restarting SSH. That way you don’t accidentally deploy a broken config and end up in “SSH limbo.”

Step 6: Test the SSH configuration before restarting

Before restarting the SSH daemon, check for syntax errors. Many systems support a command like:

sshd -t

If this returns success (no output and exit code 0, typically), you’re likely okay. If it reports issues, fix them before proceeding.

This step is worth the extra minute. It’s like reading the warning label before hitting “Start.”

Step 7: Restart SSH to apply the change

Restart SSH safely using systemctl if available:

systemctl restart sshd

On some distributions, the service name is ssh instead of sshd. If restart sshd fails, try:

systemctl restart ssh

You can also do a “reload” depending on your setup, but restart is the most common approach after port changes.

To be extra careful, you can check status:

systemctl status sshd --no-pager

If status looks healthy, you’re ready for the network side of the change.

Step 8: Update Alibaba Cloud Security Group inbound rules

Now for the part where the universe tests your patience. Even if SSH is listening on the new port, Alibaba Cloud networking must allow inbound connections to that port. This is typically controlled by Security Groups.

Log in to Alibaba Cloud Console and locate your ECS instance.

Navigate to the Security Group associated with the instance. Then add or modify an inbound rule:

  • Protocol: TCP
  • Port range: 2222 (or your chosen port)
  • Source IP: your IP (recommended) or 0.0.0.0/0 (less recommended)

If your security group currently allows port 22 from anywhere, you can leave it temporarily, but many people prefer to tighten things after confirming the new port works. A cautious approach:

  • Add port 2222 inbound rule first
  • Test connectivity
  • Then remove/disable port 22 rule

This reduces the chance of being locked out.

Step 9: Confirm the ECS is actually listening on the new port

Back on the ECS, confirm SSH is listening on the new port.

Use one of these commands depending on your tools:

ss -tulpn | grep 2222

Or:

netstat -tulpn | grep 2222

You should see sshd listening on the new port. If you don’t, the configuration change didn’t apply or SSH failed to restart correctly.

In that case, revert to your backup and restart again, or check /var/log/auth.log and /var/log/secure depending on the distro for clues.

Step 10: Connect from your local machine using the new port

From your local computer, connect using the -p option with the new port. Example:

ssh -p 2222 username@your_server_ip

Replace username and your_server_ip accordingly.

If you use an identity file (SSH key), include -i:

ssh -p 2222 -i /path/to/key username@your_server_ip

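The first time you connect to the new port, you might see a host key prompt. That’s normal: your local known_hosts records non-default ports as [host]:port, so it doesn’t yet have an entry for that new combination. The server’s host key itself has not changed, so the fingerprint shown should match the one you already trusted on port 22.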

Step 11: Only then consider closing port 22

Once you’ve successfully connected over the new port, you can tighten security by removing or disabling inbound access to port 22 in the security group.

Do this in a controlled manner:

  • Confirm you can connect using port 2222.
  • Then remove the inbound rule for port 22.

Some people also keep port 22 open temporarily for a “just in case” window. Others prefer to remove it immediately. Either is fine—just make sure you won’t regret your choices in ten minutes.
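The server-side part of the procedure (Steps 2 to 6) can be wrapped in one function that backs up the file, sets a single explicit Port, validates the result and restores the backup if validation fails. This is an added example, not part of the original article; the function name and the SSHD_CHECK override are assumptions introduced here.

```sh
#!/bin/sh
# Added example. SSHD_CHECK is a hypothetical override for the validator
# command; left unset, the page's own check (sshd -t) runs against the file.

set_ssh_port() {
    cfg=$1
    port=$2
    check=${SSHD_CHECK:-"sshd -t -f"}

    # Accept only an integer in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi

    # Step 2: back up the state before this run (-p keeps mode and owner).
    cp -p "$cfg" "$cfg.bak" || return 1

    # Steps 3-5: drop every existing Port line, commented or active, and put
    # one explicit Port on the first line, where no Match block can contain it.
    {
        echo "Port $port"
        awk 'tolower($0) !~ /^[ \t]*#?[ \t]*port[ \t]+[0-9]+[ \t]*$/' "$cfg.bak"
    } > "$cfg"

    # Step 6: validate. On failure restore the backup, so a later restart
    # cannot pick up a broken file.
    if ! $check "$cfg"; then
        cp -p "$cfg.bak" "$cfg"
        echo "validation failed, restored $cfg.bak" >&2
        return 1
    fi
    echo "Port $port set in $cfg; restart sshd from a session you keep open"
}

# Usage on the server, as root:
#   set_ssh_port /etc/ssh/sshd_config 2222 && systemctl restart sshd
```

Each run overwrites the .bak file with the state just before that run, so copy the pristine original elsewhere if you want to keep it.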

Common pitfalls and how to avoid them

Pitfall 1: You changed the SSH port but forgot the security group

This is the classic facepalm scenario. The fix is simple: add an inbound rule for the new port, then try again. If you can’t add rules fast enough while you’re locked out, you may need to use Alibaba Cloud’s console access tools or recovery options. Avoid the problem by following the “add firewall rule first, test second” approach.

Pitfall 2: SSH didn’t restart correctly

If sshd fails to restart, you might still have SSH listening on the old port (or not at all). Check:

  • sshd -t output
  • service status via systemctl
  • logs: /var/log/auth.log or /var/log/secure

If you have access to the console, you can fix the config and restart.

Pitfall 3: You edited the wrong SSH config file

Some systems include extra config snippets. For example, there can be includes like:

Include /etc/ssh/sshd_config.d/*.conf

If you changed the main config but another snippet overrides it, your effective port might not change. Search your ssh configuration directory for “Port”.

For example:

grep -Rni "^\s*Port\b" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/

Then ensure there’s only one effective Port directive (or that the correct one wins based on include order).

Pitfall 4: Using a port that’s blocked or already used

Pick a port that isn’t already used by another service. Otherwise, sshd might fail or bind incorrectly. If in doubt, choose a high, uncommon port like 2222 or 22022.

Extra hardening (optional, but you might enjoy it)

Changing the port is just one layer. If you want to feel extra secure without making your life miserable, consider these improvements as well:

  • Disable password authentication and rely on SSH keys.
  • Limit allowed users via AllowUsers or AllowGroups (where appropriate).
  • Use fail2ban or similar tooling to rate-limit suspicious attempts.
  • Set up two-factor authentication if you’re feeling ambitious.

But if you change too many things at once, you’ll also make debugging harder. Do it step by step. Security is a journey, not a fireworks show.

Roll back plan: what to do if you can’t connect

Sometimes despite your best intentions, you might lose access. Here’s the calm rollback mindset:

  • If you can still access the server via console or Alibaba Cloud emergency tools, open /etc/ssh/sshd_config and revert Port back to 22.
  • Restart sshd.
  • Revert the security group rule for port 2222 and restore the port 22 rule if needed.

Because you created a backup copy earlier, rolling back is fast. Without that backup, you may end up “remembering” what you did, which is not a reliable engineering strategy. Humans are famously good at forgetting details.

Verification checklist (use this like a recipe)

If you like structured sanity, follow this checklist:

  • In /etc/ssh/sshd_config: Port 2222 set (or your chosen port).
  • sshd -t passes (no configuration errors).
  • sshd restarted successfully.
  • On server: sshd listening on port 2222 (ss / netstat check).
  • Alibaba Cloud Security Group inbound allows TCP port 2222 from your IP.
  • From your local machine: ssh -p 2222 username@ip works.
  • After success: optionally remove inbound rule for port 22.

If all items are true, you’ve successfully changed the default SSH port on Alibaba Cloud ECS without creating a support ticket for future-you.
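The server-side checklist items and the Pitfall 3 search can be checked in one pass. This added example (not from the original article; the function names are assumptions) reads the effective ports from `sshd -T`, which already accounts for included snippets, and matches the listener's port exactly. sshd_config permits more than one Port directive, so the check compares the whole set of effective ports instead of looking for the new one alone.

```sh
#!/bin/sh
# Added example. Both helpers read command output on stdin, so they can be
# exercised on saved output; verify_port_change runs the real commands as root.

# Ports in the effective configuration (`sshd -T` output), sorted, space-separated.
effective_ports() {
    awk 'tolower($1) == "port" { print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds when a TCP listener whose local port is exactly $1 belongs to sshd.
# Input is `ss -tlnp` or `ss -tulpn` output. Unlike `grep 2222`, this does not
# match port 22222 or a process with pid=2222.
sshd_listens_on() {
    awk -v port="$1" '
        /LISTEN/ {
            # The local address is the first field ending in :<digits>.
            for (i = 1; i <= NF; i++)
                if ($i ~ /:[0-9]+$/) {
                    n = split($i, part, ":")
                    if (part[n] == port && $0 ~ /"sshd"/) found = 1
                    break
                }
        }
        END { exit !found }
    '
}

verify_port_change() {
    new=$1
    ports=$(sshd -T 2>/dev/null | effective_ports)
    if [ "$ports" != "$new" ]; then
        echo "effective ports: ${ports:-none}, expected only $new" >&2
        return 1
    fi
    if ! ss -tlnp | sshd_listens_on "$new"; then
        echo "no sshd listener on port $new" >&2
        return 1
    fi
    echo "sshd is configured for and listening on port $new only"
}

# Usage on the server, as root, after the restart:
#   verify_port_change 2222
```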

Final thoughts

Changing the default SSH port on Alibaba Cloud ECS is a practical, low-effort improvement that can cut down on noise and reduce automated scan attempts. It’s not a magic shield, but it’s a good move when combined with key-based authentication, firewall rules, and thoughtful monitoring.

Remember: servers don’t care what you intended. They only care what you configured and what the network allows. So follow the order, verify listening, update security group rules, then test your SSH connection with the new port.

Now go forth and enjoy the rare luxury of fewer bot pings and cleaner logs. Your ECS will thank you, or at least it won’t complain quite as loudly.
