How to Change the SSH Port on Fedora

Change the SSH port on Fedora by editing /etc/ssh/sshd_config, restarting the sshd service, and updating the firewall rules.

You changed the SSH port and now you are locked out

You edited the SSH configuration, restarted the service, and opened a new terminal to test. The connection hangs. You stare at a blinking cursor while your existing session remains the only lifeline to the server. This happens when the firewall blocks the new port, or when the SSH daemon fails to bind because the port is already in use. You can recover. Keep the current session open. Follow the steps below to fix the configuration, update the firewall, and verify the connection before you close anything.

What is actually happening

SSH defaults to port 22. Every automated scanner on the internet hits port 22. Changing the port reduces noise in your logs. It does not make the server unhackable. It just stops the bots that only check the default. Think of the SSH port like the door number on a building. Port 22 is the front door everyone knows. Changing to 2222 is like moving the entrance to a side alley. The building is the same, but the bots knocking on the front door get no answer.

The SSH daemon (sshd) listens on the port defined in /etc/ssh/sshd_config. When you change the port, you tell sshd to stop listening on 22 and start listening on your new number. The firewall must also allow traffic to that new number. If the firewall blocks it, the connection drops. If sshd cannot bind, the service crashes. Fedora uses firewalld by default. You must update the persistent rules and reload the runtime configuration. SELinux also enforces port types. If you use a non-standard port, you must register it with the SELinux policy, or sshd gets denied permission to bind.

Change the port in the config and the firewall at the same time. A mismatch locks you out.

How to change the SSH port safely

Before you edit anything, check what port sshd is currently using. This confirms the baseline and ensures you are not fighting a cached configuration. Use sshd -T to print the effective configuration. This command processes all includes and overrides, showing the real settings the daemon will use.

sudo sshd -T | grep '^port'
# WHY: sshd -T prints the effective configuration after all includes are processed.
# WHY: grep filters the output to show only the active port setting.
# WHY: This reveals the real port, even if the main config file has comments or overrides.

Edit the configuration file in /etc/ssh/sshd_config. Never edit files in /usr/lib/ssh/. Those ship with the package and get overwritten on updates. Your changes in /etc/ survive upgrades. If you are worried about locking yourself out, add the new port alongside the old port first. This lets sshd listen on both ports during the transition. Once you verify the new port works, remove the old one.

# /etc/ssh/sshd_config
# Uncomment the Port line by removing the leading hash.
# Add a second Port line to listen on both ports during migration.
# This prevents lockout while you test the new configuration.
Port 22
Port 2222

Always test the configuration syntax before restarting. A typo in the config file will cause sshd to refuse to start. If sshd crashes, you lose access. Run the test command to catch errors early. Note the difference between sshd -T and sshd -t. The -T flag prints settings. The -t flag checks syntax. Use -t to validate before you restart.

sudo sshd -t
# WHY: sshd -t checks the configuration file for syntax errors without starting the daemon.
# WHY: If the command returns no output, the syntax is valid.
# WHY: If there is an error, the message tells you exactly which line to fix.

Update the firewall to allow traffic on the new port. Fedora uses firewalld. You need to add the port to the permanent configuration and reload the runtime rules. If you skip the reload, the change only applies after a reboot. Run firewall-cmd --reload after every rule change. Otherwise the runtime config and the persistent config diverge. If you use custom zones, specify --zone=public or your zone name. The command below applies to the default zone.

sudo firewall-cmd --permanent --add-port=2222/tcp
# WHY: --permanent writes the rule to the persistent configuration file.
# WHY: --add-port=2222/tcp allows TCP traffic on port 2222.
# WHY: This rule survives reboots and service restarts.

sudo firewall-cmd --reload
# WHY: --reload applies the permanent rules to the running firewall immediately.
# WHY: Without this, the new port is blocked until the next reboot.

SELinux allows sshd to listen on non-standard ports, but you must define the port type. If you see a permission denied error when binding, add the port to the SELinux policy. The semanage command is part of the policycoreutils-python-utils package. Install it if the command is missing.

sudo dnf install policycoreutils-python-utils
# WHY: semanage is required to manage SELinux port mappings.
# WHY: The package provides the semanage command and python bindings.
# WHY: Install this once if you plan to manage SELinux policies.

sudo semanage port -a -t ssh_port_t -p tcp 2222
# WHY: semanage port adds the new port to the SELinux policy for ssh_port_t.
# WHY: -a adds a new rule. Use -m to modify an existing rule.
# WHY: This allows sshd to bind to the port under SELinux enforcement.

Restart the SSH daemon to apply the new port. Check the status immediately after to ensure it started correctly. Use systemctl status to see the state and recent log lines. Always check status before restart. If the service is already running, restart stops and starts it. If it is stopped, restart starts it. The command handles both cases safely.

sudo systemctl restart sshd
# WHY: restart stops the current daemon and starts a new instance with the updated config.
# WHY: The new instance binds to the port defined in sshd_config.
# WHY: If the config is invalid, the service fails to start and logs the error.

sudo systemctl status sshd
# WHY: status shows the current state and recent log lines.
# WHY: Look for "active (running)" to confirm the service is healthy.
# WHY: If the service failed, the output shows the reason near the bottom.

Test the config with sshd -t before you restart. A syntax error kills the daemon and locks you out.
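
The consistency check this procedure depends on, as an added example that is not part of the original page: a bash function that reads the text printed by sshd -T, firewall-cmd --list-ports, firewall-cmd --list-services and semanage port -l, and reports any sshd port that is not open for TCP in firewalld or not labelled ssh_port_t. The function names and the sample outputs are constructed for illustration, and the check assumes the stock firewalld ssh service covers 22/tcp.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: confirm every port sshd will bind
# is open in firewalld (TCP) and labelled ssh_port_t before restarting sshd.

# in_list PORT "SPEC ..." -> 0 if PORT equals a single port or falls in a lo-hi range.
in_list() {
  local port=$1 spec
  for spec in $2; do
    [ "$port" -ge "${spec%-*}" ] && [ "$port" -le "${spec#*-}" ] && return 0
  done
  return 1
}

# preflight SSHD_T FW_PORTS FW_SERVICES SEMANAGE_PORTS
# Arguments are the text printed by the four commands named in the last comment.
# Prints "PORT STATUS" per sshd port; returns 1 if any port would be unreachable.
preflight() {
  local port status rc=0 fw_tcp se_tcp
  fw_tcp=$(printf '%s\n' $2 | sed -n 's|/tcp$||p')   # keep TCP entries only
  # Assumption: the stock firewalld "ssh" service definition opens 22/tcp.
  case " $3 " in *" ssh "*) fw_tcp="$fw_tcp 22" ;; esac
  se_tcp=$(printf '%s\n' "$4" |
    awk '$1 == "ssh_port_t" && $2 == "tcp" { $1 = $2 = ""; gsub(",", " "); print }')
  for port in $(printf '%s\n' "$1" | awk '$1 == "port" { print $2 }'); do
    status=
    in_list "$port" "$fw_tcp" || status=firewall-blocked
    in_list "$port" "$se_tcp" || status="${status:+$status,}selinux-unlabeled"
    [ -z "$status" ] || rc=1
    echo "$port ${status:-ok}"
  done
  return "$rc"
}

# Constructed sample outputs (not captured from a real host): sshd_config lists
# both ports, but 2222 was opened as UDP and never registered with semanage.
SAMPLE_SSHD='port 22
port 2222
addressfamily any'
SAMPLE_FW_PORTS='8080/tcp 2222/udp'
SAMPLE_FW_SERVICES='dhcpv6-client mdns ssh'
SAMPLE_SEMANAGE='http_cache_port_t tcp 8080, 8118, 10001-10010
ssh_port_t tcp 22'

if ! preflight "$SAMPLE_SSHD" "$SAMPLE_FW_PORTS" "$SAMPLE_FW_SERVICES" "$SAMPLE_SEMANAGE"; then
  echo "mismatch: fix the firewall or SELinux entry before restarting sshd" >&2
fi
# On a real host, as root:
#   preflight "$(sshd -T)" "$(firewall-cmd --list-ports)" \
#             "$(firewall-cmd --list-services)" "$(semanage port -l)"
```

Run it after editing sshd_config and before systemctl restart sshd; a non-zero exit means at least one configured port would hang or be denied at bind time.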

Verify the connection

Open a new terminal window. Do not close the existing session. Connect to the server using the new port. If the connection succeeds, the change is complete. If it fails, check the firewall and the SSH logs. Use the -p flag to specify the port. You can also check which ports are listening with ss. This command shows the socket state and the process bound to each port.

ssh -p 2222 user@hostname
# WHY: -p specifies the port number for the SSH connection.
# WHY: This connects to the new port instead of the default port 22.
# WHY: Keep the original session open until this connection works.

sudo ss -tlnp | grep sshd
# WHY: ss -tlnp lists TCP listening sockets with the associated process name.
# WHY: sudo is needed because -p only shows process names for sockets your user owns.
# WHY: grep filters the output to show only sshd entries.
# WHY: This confirms sshd is bound to the expected ports on all interfaces.

Open a second terminal to test. Never close your working session until the new connection is verified.

Common pitfalls and what the error looks like

If you pick a port that another service is using, sshd fails to start. The journal shows a bind error. Check which process is using the port with sudo ss -tlnp. Choose a different port or stop the conflicting service.

sshd[1234]: error: Bind to port 8080 on 0.0.0.0 failed: Address already in use.

If the firewall blocks the port, the connection hangs and times out. You do not get a "Connection refused" message. The packet is dropped silently. Run firewall-cmd --list-ports to verify the port is allowed. If the port is missing, add it and reload.

ssh: connect to host example.com port 2222: Connection timed out

SELinux denials show up in journalctl -t setroubleshoot with a one-line summary. Read those before disabling SELinux. If sshd cannot bind due to SELinux, the error mentions permission denied. Add the port to the policy with semanage.

sshd[1234]: error: Bind to port 2222 on 0.0.0.0 failed: Permission denied.

Check journalctl -xeu sshd if the service won't start. The log tells you if the port is taken or blocked by SELinux.

When to change the SSH port

Use a non-standard port when you want to reduce automated scanning noise in your logs. Use port 22 when you are managing many servers and want consistency across your infrastructure. Use key-based authentication when you want to secure SSH without relying on port obscurity. Use a jump host when you need to access internal servers without exposing SSH to the public internet. Stay on port 22 if your firewall already blocks all inbound traffic except authorized sources.

Changing the port is a convenience, not a security control. Use strong keys and fail2ban for real protection.

Where to go next