How to Change SSH Server Default Port Number on Windows System (Step-by-Step Guide 2026)
In today’s cybersecurity landscape, leaving your SSH server running on the default port is like leaving your front door unlocked in a crowded city. Attackers constantly scan networks for open port 22, targeting systems with weak configurations. If you are running an SSH server on a Windows system, changing the default port is one of the simplest effective hardening techniques you can implement.
This guide is written from a cybersecurity expert’s perspective, designed to help beginners and professionals alike securely change the SSH default port on Windows systems. Whether you are managing a personal server, enterprise infrastructure, or a cybersecurity lab, this step-by-step guide will help you implement the change safely without breaking your SSH access.
Table of Contents
- What is SSH and Why It Matters
- Why Change the Default SSH Port
- Prerequisites Before You Start
- Locate SSH Configuration File
- How to Change SSH Port on Windows
- Configure Windows Firewall
- Restart SSH Service
- Test the New SSH Port
- Advanced Security Tips
- Common Errors and Fixes
- Frequently Asked Questions
What is SSH and Why It Matters?
Secure Shell (SSH) is a cryptographic network protocol used to securely access remote systems over an unsecured network. It is widely used by system administrators, developers, and cybersecurity professionals for remote server management, file transfers, and secure communication.
On Windows systems, SSH functionality is provided through OpenSSH Server, which is now built into modern Windows versions such as Windows 10 and Windows Server editions. This makes it easier than ever to enable secure remote access without relying on third-party tools.
However, default configurations are often predictable, and attackers exploit this predictability to launch brute-force attacks.
Why Change the Default SSH Port?
By default, SSH runs on port 22. This is widely known, and automated bots constantly scan for systems listening on this port. Changing the port does not make your system completely secure, but it significantly reduces noise from automated attacks.
Here are the key reasons to change your SSH port:
- Reduce automated brute-force attacks
- Minimize log clutter from malicious login attempts
- Add an extra layer of obscurity to your server
- Improve baseline security posture
In cybersecurity, this technique is often referred to as "security through obscurity." While not sufficient alone, it is a valuable part of a layered defense strategy.
Prerequisites Before You Start
Before making any changes, ensure you have the following:
- Administrator access to your Windows system
- OpenSSH Server installed and running
- Basic understanding of command line or PowerShell
- Backup of your SSH configuration file
To check whether the OpenSSH Server is installed, run the following command in PowerShell:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
Locate SSH Configuration File
The SSH server configuration file on Windows is located at:
C:\ProgramData\ssh\sshd_config
This file contains all the settings that control how your SSH server behaves. You will need to edit this file to change the default port.
Open Notepad as Administrator and load this file carefully. Avoid using non-admin editors, as they will not allow you to save changes.
How to Change SSH Port on Windows?
Follow these steps carefully to change the SSH port:
Step 1: Open sshd_config File
Open the configuration file using Notepad or any text editor with administrative privileges.
Step 2: Locate the Port Setting
Find the following line:
#Port 22
This line is commented out, meaning the default port 22 is being used.
Step 3: Modify the Port
Remove the comment and change the port number:
Port 2222
You can choose any unused port between 1024 and 65535. Avoid commonly used ports such as 80, 443, or 21.
Step 4: Save the File
After making the changes, save the file and close the editor.
Configure Windows Firewall
Changing the SSH port is not enough. You must allow the new port through the Windows Firewall, or your connection will fail.
Run the following command in PowerShell as Administrator:
New-NetFirewallRule -Name "SSH-Port-2222" -DisplayName "SSH Port 2222" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 2222
This command creates a new inbound rule to allow traffic on port 2222.
Restart SSH Service
After updating the configuration and firewall settings, restart the SSH service to apply changes:
Restart-Service sshd
If the service fails to restart, check the configuration file for syntax errors.
Test the New SSH Port
Now test your SSH connection using the new port:
ssh username@your-ip -p 2222
Ensure the connection works before closing your current session. This prevents accidental lockout.
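The steps above (edit the Port line, open the firewall, restart, test) combined into one PowerShell script, as an added example that is not part of the original guide. The backup file name and the sshd.exe path under System32\OpenSSH are assumptions; the script also adds a port-in-use check, an sshd -t syntax check and a rollback to the backup.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the port change with a backup, a syntax check and a rollback path.
$NewPort = 2222                                   # port used in this guide
$Config  = 'C:\ProgramData\ssh\sshd_config'
$Backup  = "$Config.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # backup name is an assumption
$Sshd    = "$env:WINDIR\System32\OpenSSH\sshd.exe"            # assumed built-in install path
$Rule    = "SSH-Port-$NewPort"

# 1. Refuse to continue if something is already listening on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; choose a different port."
}

# 2. Back up the file, then rewrite the first Port line (commented or not).
Copy-Item -Path $Config -Destination $Backup
$done    = $false
$updated = @(foreach ($line in Get-Content -Path $Config) {
    if (-not $done -and $line -match '^\s*#?\s*Port\s+\d+\s*$') { "Port $NewPort"; $done = $true }
    else { $line }
})
if (-not $done) { $updated = @("Port $NewPort") + $updated }   # no Port line: add one at the top
Set-Content -Path $Config -Value $updated -Encoding ascii

# 3. Validate the syntax before touching the running service; restore the backup on failure.
& $Sshd -t -f $Config
if ($LASTEXITCODE -ne 0) {
    Copy-Item -Path $Backup -Destination $Config -Force
    throw "sshd_config failed validation; restored $Backup."
}

# 4. Open the new port (only if the rule does not exist yet), then restart the service.
if (-not (Get-NetFirewallRule -Name $Rule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $Rule -DisplayName "SSH Port $NewPort" -Enabled True `
        -Direction Inbound -Protocol TCP -Action Allow -LocalPort $NewPort | Out-Null
}
Restart-Service sshd

# 5. Confirm sshd is listening on the new port before closing the current session.
$listening = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
$reachable = (Test-NetConnection -ComputerName localhost -Port $NewPort).TcpTestSucceeded
if (-not $listening -or -not $reachable) {
    Write-Warning "sshd is not answering on port $NewPort; keep this session open and check the service."
} else {
    "sshd is listening on port $NewPort. Backup saved at $Backup."
}
```

A local check only proves the service is bound to the port; the ssh test from a second machine is still what confirms the firewall rule works.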
Advanced Security Tips
Changing the SSH port is just the beginning. For a truly secure setup, implement the following:
- Disable password authentication and use SSH keys
- Restrict login to specific users
- Enable logging and monitoring
- Use intrusion detection systems
- Limit SSH access by IP address
Combining these measures creates a strong defense against unauthorized access.
Common Errors and Fixes
Connection Refused
This usually means the firewall is blocking the port or the SSH service is not running.
Permission Denied
Check user credentials or SSH key configuration.
Service Fails to Restart
Verify the sshd_config file for syntax errors.
Port Already in Use
Choose a different port and update the configuration accordingly.
Frequently Asked Questions
Is changing the SSH port enough for security?
No. It reduces automated attacks but should be combined with other security practices.
Which port should I choose?
Any unused port between 1024 and 65535 is acceptable. Avoid well-known ports.
Can I revert back to port 22?
Yes. Simply update the configuration file and restart the SSH service.
Does changing the port affect performance?
No. It has no impact on performance.
Is this method safe for production servers?
Yes, as long as firewall rules and configurations are correctly applied.
Conclusion
Changing the default SSH port on a Windows system is a simple yet powerful step toward improving your server’s security. While it does not replace strong authentication methods or firewall configurations, it significantly reduces exposure to automated attacks.
As a cybersecurity professional, always think in layers. Security is not about a single setting but a combination of best practices working together. Implement this change today, and take the first step toward a more secure Windows environment.
If you found this guide helpful, consider implementing additional hardening techniques to further protect your systems.