How to Change Default SSH Port on Alibaba Cloud ECS

Alibaba Cloud / 2026-05-14 16:49:01

Why Bother Changing Your SSH Port?

It's Not Just for the Paranoid

Let’s be real for a second. If your Alibaba Cloud ECS server is still using port 22 for SSH, you’re basically leaving your front door wide open with a neon sign that says ‘PLEASE ENTER.’ Yeah, it’s convenient—just type `ssh user@ip` and boom, you’re in. But here’s the kicker: every script kiddie and bot on the internet is scanning port 22 24/7. They’re not out to steal your grandma’s recipe for banana bread (hopefully), but they’re definitely trying to brute-force their way in to turn your server into a crypto-mining rig or spam machine. Changing the port is like moving your spare key from under the doormat to a clever hiding spot. It won’t stop a determined hacker, but it’ll make your server less attractive to the lazy bots doing mass scans. Less noise in your logs means you can actually spot real threats when they pop up. Think of it as a tiny step that adds up to big security wins.

Script Kiddies vs. Your Server

Script kiddies—those folks with pre-written hacking tools and zero real skills—are your biggest nuisance. They don’t care about your data; they just want to compromise as many servers as possible to sell compute power or send spam. The default SSH port is like walking into a grocery store and shouting, ‘I’ve got a safe over here!’ Every single bot scans port 22 first. Switch to a non-standard port, and suddenly your server isn’t on their radar. It’s not foolproof, but it’s like moving your house from a busy downtown street to a quiet suburban neighborhood. Yeah, someone *could* still break in, but they’re way less likely to stumble upon it accidentally. Bottom line: if you’re not changing the port, you’re playing Russian roulette with your server’s security. Don’t be that person.

Step 1: Preparing Your Alibaba Cloud ECS Instance

Logging In via Existing SSH Connection

Before you start changing anything, make sure you’re logged into your server. Open a terminal session and SSH in as usual. Now, here’s the golden rule: DO NOT CLOSE THIS SESSION until you’ve confirmed the new port works. I’ve seen people get locked out because they closed their session too early—it’s like changing the locks on your house and throwing away the keys. If you mess up, you’ll need to rely on Alibaba Cloud’s web console to fix things, which is doable but annoying. Also, double-check that you have console access enabled for your instance. Alibaba Cloud’s web console is your safety net. If you screw up, you can always log in via the console and fix your configs. Think of it as having a spare key hidden in a plant pot outside your house. Always have a backup plan.

Backing Up Your Configuration Files

Before touching any system files, BACK THEM UP. Seriously, do it. Run `sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak` right now. It’s like taking a photo of your recipe before you start cooking. What if you accidentally delete a crucial line or misconfigure something? Reverting to the backup takes seconds. Skipping this step is how people spend hours trying to remember what they changed. I’ve been there—trust me, it’s a pain. Backup first, then modify. It’s the golden rule of sysadmin life. No exceptions.

Step 2: Modifying the SSH Configuration

Edit /etc/ssh/sshd_config

Time to crack open the SSH config file. Open it with your favorite editor—I’ll use nano because it’s beginner-friendly. Type `sudo nano /etc/ssh/sshd_config`. Now, find the line that says `#Port 22`. It’s probably commented out with a `#`. Change that to `Port 2222` (or pick your own non-standard port—more on that later). Don’t add a new line; just modify the existing one. Save the file and exit. If you’re using vi, press `Esc`, then type `:wq` to save. For nano, hit `Ctrl+O` to save, then `Ctrl+X` to exit. Simple, right? Just don’t typo the port number. One wrong digit and you’ll be troubleshooting for hours.

Choosing a Good Port Number

Port numbers range from 0 to 65535. Ports 0-1023 are reserved for standard services (like port 80 for HTTP), so avoid those. Pick a number above 1024. Common choices are 2222, 5555, or 12345. But avoid obvious patterns—like 22222 or 1111—because bots might still scan those. Some people pick random numbers like 65000, but don’t go too high—some systems have limits. Check Alibaba Cloud’s docs, but generally, as long as it’s above 1024 and not used by another service on your server, you’re good. Remember: the goal isn’t to hide the port; it’s to make it less obvious. Don’t overcomplicate it. Just pick something you’ll remember.

Step 3: Updating Alibaba Cloud Security Group Rules

Adding a New Inbound Rule

Changing the port on your server isn’t enough—the cloud firewall (security group) must allow the new port too. Log in to the Alibaba Cloud console, go to ECS, find your instance, and click on its Security Groups tab. Find the security group attached to your server and click Configure Rules. Add a new inbound rule: set protocol to TCP, port range to your new port (e.g., 2222), and source to your IP address (or `0.0.0.0/0` if you want to allow all IPs—though better practice is to restrict it to your specific IP). Do not remove the old port 22 rule yet! Keep both ports open for now. You’ll delete the old rule later once you’re sure the new one works. Security groups are like bouncers at a club—they decide who gets in. If you forget to update them, your server will ignore the new port entirely, and you’ll get locked out.

Removing the Old Port Rule (Carefully!)

Once you’ve confirmed the new port works (more on testing in the next section), go back to your security group rules and delete the inbound rule for port 22. But don’t rush this step. Keep port 22 open for at least a few hours or until you’re 100% confident everything’s working. I’ve seen clients delete the old rule too soon, then panic when they couldn’t SSH in. If you get locked out, don’t sweat—Alibaba Cloud’s web console lets you log in via the browser and fix things. But it’s easier to avoid the panic altogether by keeping both ports open until you’re sure. Patience is key here. Security isn’t a race.

Step 4: Testing the New SSH Port

Don't Close Your Current Session Yet!

Before you close your current SSH session, open a new terminal window. Try connecting to your server using the new port: `ssh -p 2222 your_username@your_server_ip`. If it works, great! You’re not locked out. If it fails, stay calm—your old session is still open, so you can debug without panic. Common mistakes? Typos in the port number, forgetting to restart SSH, or security group rules not updated. Let’s troubleshoot step by step. First, check your security group rules in the Alibaba Cloud console. Did you add the correct port? Second, did you restart the SSH service? Run `sudo systemctl restart sshd` (or `sudo service ssh restart` on older systems). Third, check if your server’s local firewall (like UFW) is blocking the port. Fix any of these issues, then try again. Once it works, then close your old session.

Connecting via the New Port

Let’s say you get a `Connection refused` error. Start by checking your security group rules. Log into the Alibaba Cloud console, navigate to the security group, and verify the inbound rule exists for your new port. Next, check if SSH is running on the new port: run `sudo netstat -tuln | grep 2222` (replace 2222 with your port). If nothing shows up, you probably forgot to restart SSH. Run `sudo systemctl restart sshd` and try again. If you see the port listed but still can’t connect, check your server’s local firewall. For Ubuntu, run `sudo ufw status`—if active, add the rule with `sudo ufw allow 2222/tcp`. For CentOS, use `sudo firewall-cmd --add-port=2222/tcp --permanent` followed by `sudo firewall-cmd --reload`. Once you can connect successfully, open a new terminal tab and run a few commands (`ls`, `whoami`, etc.) to confirm everything’s working. Only then should you close your old session and delete the port 22 rule from your security group.

Common Pitfalls and Troubleshooting

Firewall Conflicts

It’s easy to forget that Alibaba Cloud’s security group isn’t the only firewall in play. Your server might have its own firewall—like UFW on Ubuntu or firewalld on CentOS—blocking the new port. If you changed the port but still can’t connect, this is the first thing to check. On Ubuntu, run `sudo ufw status` to see if the firewall is active. If yes, add the new port: `sudo ufw allow 2222/tcp`. On CentOS, run `sudo firewall-cmd --list-all` to check active rules. If the port isn’t listed, add it with `sudo firewall-cmd --add-port=2222/tcp --permanent` and reload with `sudo firewall-cmd --reload`. Always check both the cloud provider’s firewall and the server’s local firewall. It’s like checking both the front door and the back door before leaving the house.

SSH Daemon Not Restarting

If you change the port and restart SSH but it fails, check the logs. Run `sudo journalctl -u sshd` to see why. Common mistakes: typos in `sshd_config` (like `Port=2222` instead of `Port 2222`), duplicate `Port` lines, or accidentally commenting out the line you meant to change. For example, if you have two `Port` lines—one uncommented for 22 and another for 2222—SSH will fail to start. Open `sshd_config` again, verify there’s only one `Port` line, and that it’s uncommented. If you’re stuck, revert to your backup: `sudo cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config` and restart SSH again. No shame in using backups—they’re why you made them. Also, avoid editing `sshd_config` over SSH if you’re not sure; use the Alibaba Cloud web console for safety. If your SSH service crashes, the console gives you a direct line to fix it without needing SSH.
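A pre-flight check for the `Port` line mistakes described above, combined with the range advice from "Choosing a Good Port Number", as an added example that is not part of the original article. The function names and sample files are hypothetical, and the check only recognises the `Port <number>` form the article uses.

```shell
#!/bin/sh
# Added example: check the Port setting in a copy of sshd_config.
# Assumption: only the whitespace form "Port <number>" is recognised.

# Print the value of every active (uncommented) Port line.
active_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# Exit status: 0 = one usable Port line, 1 = none active,
# 2 = more than one active, 3 = value reserved or not a port number.
check_sshd_port() {
    ports=$(active_ports "$1")
    count=$(printf '%s\n' "$ports" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "$1: no active Port line found"; return 1
    elif [ "$count" -gt 1 ]; then
        echo "$1: $count active Port lines:" $ports; return 2
    fi
    case $ports in
        ''|*[!0-9]*|??????*)
            echo "$1: '$ports' is not a port number"; return 3 ;;
    esac
    if [ "$ports" -le 1023 ] || [ "$ports" -gt 65535 ]; then
        echo "$1: port $ports is reserved (0-1023) or above 65535"; return 3
    fi
    echo "$1: single active Port line, value $ports"
}

# Constructed sample files, not taken from a real server.
demo_dir=$(mktemp -d)
printf '#Port 22\nPermitRootLogin no\n'  > "$demo_dir/untouched"
printf 'Port 2222\nPermitRootLogin no\n' > "$demo_dir/edited"
printf 'Port 22\nPort 2222\n'            > "$demo_dir/two_lines"
printf 'Port 443\n'                      > "$demo_dir/reserved"
for f in "$demo_dir"/*; do
    check_sshd_port "$f" || true
done
rm -rf "$demo_dir"
```

Point `check_sshd_port` at `/etc/ssh/sshd_config` after editing; `sudo sshd -t` additionally makes OpenSSH itself parse the file before you restart the service.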

Final Thoughts and Best Practices

Additional Security Layers

Changing the SSH port is a great first step, but it’s just the beginning. For real security, combine it with other measures. Disable password logins entirely and use SSH keys instead—way more secure and less prone to brute-force attacks. In `sshd_config`, set `PasswordAuthentication no` and `PubkeyAuthentication yes`. Also, limit root login: set `PermitRootLogin no` to force users to log in with a regular account and then `sudo` to escalate privileges. If you want extra protection, install fail2ban. It automatically blocks IPs with repeated failed login attempts, like a bouncer kicking out troublemakers. These steps turn your server from low-hanging fruit into a hardened fortress. Remember: security is about layers. One layer isn’t enough, but many small layers add up to massive protection.

Regular Audits and Monitoring

Security isn’t a one-time task—it’s a habit. Set up logging for SSH connections and review them weekly. Tools like `logwatch` can email you daily summaries of login attempts. If you see weird IPs trying to connect (especially from countries you don’t do business in), investigate immediately. Also, periodically audit your security group rules. Are there unused rules? Can you tighten source IPs? For example, instead of allowing `0.0.0.0/0`, restrict access to your office IP or home network. Use Alibaba Cloud’s Cloud Firewall or third-party tools like Fail2Ban to monitor and block threats automatically. Think of it like checking your home’s locks every few months. It’s not glamorous, but it keeps the bad guys out. And if you ever feel stuck, Alibaba Cloud’s documentation and community forums are full of helpful advice. You’re not alone in this.
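The kind of login review described above, as an added example that is not part of the original article: it counts failed password attempts per source address and lists successful logins. The log lines are constructed samples using documentation IP ranges, and the function names and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example: summarise sshd authentication lines for a periodic review.

# Constructed sample in OpenSSH's syslog format (documentation addresses).
sample_log() {
cat <<'EOF'
May 14 03:11:02 ecs sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 14 03:11:05 ecs sshd[811]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
May 14 03:11:09 ecs sshd[813]: Failed password for root from 203.0.113.5 port 51251 ssh2
May 14 04:02:40 ecs sshd[902]: Failed password for root from 198.51.100.7 port 40022 ssh2
May 14 09:15:33 ecs sshd[1290]: Accepted publickey for deploy from 192.0.2.10 port 50412 ssh2: ED25519 SHA256:constructedSampleFingerprint
EOF
}

# Print "count ip" for failed password attempts, busiest source first.
# The user name is client-supplied text, so the address is taken from the
# fixed tail of the line ("from IP port N ssh2"), not by counting from the left.
# The process name is matched as sshd or sshd-session.
failed_by_ip() {
    awk '/sshd(-session)?\[[0-9]+\]: Failed password for / &&
         $(NF-4) == "from" && $(NF-2) == "port" { n[$(NF-3)]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# From "count ip" lines, print the addresses at or above a failure threshold.
over_threshold() {
    awk -v max="$1" '$1 >= max { print $2 }'
}

# Print "user ip method" for every successful login.
accepted_logins() {
    awk '/sshd(-session)?\[[0-9]+\]: Accepted / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") break
             print $(i + 3), $(i + 5), $(i + 1)
         }'
}

sample_log | failed_by_ip
sample_log | failed_by_ip | over_threshold 3
sample_log | accepted_logins
```

On a server, pipe in `/var/log/auth.log` (Ubuntu), `/var/log/secure` (CentOS) or the output of `journalctl -u sshd` instead of `sample_log`.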

Wrapping It Up

Alright, let’s recap. Changing your Alibaba Cloud ECS SSH port from 22 is a simple but effective security measure. It’s not the silver bullet, but it’s a quick win that reduces noise in your logs and deters casual attackers. Follow these steps: back up your configs, update the port, adjust security groups, test thoroughly, and then tighten up other settings. And remember—if you get locked out, Alibaba Cloud’s web console is your lifeline. Don’t panic. Security is all about making small, smart changes that add up. Now go forth and secure that server like a pro—without overcomplicating it. You’ve got this.
