Changing a Non-Standard Port: How to Enhance Server Security

Changing default ports (like SSH 22 or RDP 3389) is a practical way to reduce automated scanning noise and brute-force attempts. It’s not “magic security”, but it’s a useful layer in a defense-in-depth strategy — especially on public VPS hosting.

This guide shows how to change ports safely on a Linux VPS (SSH) and on a Windows VPS (RDP), how to avoid lockouts, and how to validate firewall and connectivity.

What a Non-Standard Port Actually Improves (and What It Doesn’t)

  • Improves: reduces background scans and “password spray” volume, lowers log noise, reduces random brute-force attempts.
  • Does not replace: strong authentication, firewall restrictions, updates, and intrusion prevention.
  • Best use-case: combine port change with IP restrictions (allow only your addresses) and key-based auth (Linux) or NLA + restricted scope (Windows).

Golden Rule: Don’t Lock Yourself Out

Before changing any management port:

  • Make sure you have provider console / emergency access available.
  • Open the new port in the provider firewall and server firewall first.
  • Keep the old port active until you confirm login works on the new one.
  • Document the new port (team password manager / runbook).

Linux: Change SSH Port Safely (Ubuntu/Debian example)

On a Linux VPS, SSH is usually the #1 target. The safest pattern is: allow new port → configure SSH → restart → test → then close old port.

Step 1 — Choose a new port and check it’s free

Pick a port like 2222, 22022, or any high port that is not used by your services.

# Check if a port is already in use (replace 2222)
# The trailing [[:space:]] stops :2222 from also matching :22220 or :22222
sudo ss -lntp | grep -E ':2222[[:space:]]' || echo "Port 2222 is free"

Step 2 — Open the new port in firewall (UFW example)

# Allow new SSH port
sudo ufw allow 2222/tcp

# Keep existing SSH port until you verify access
sudo ufw allow 22/tcp

sudo ufw status

If you don’t use UFW, open the port in your firewall tool (iptables/nftables/firewalld) and also ensure it’s allowed in your VPS hosting provider panel firewall.

Step 3 — Change SSH daemon config

Edit SSH config:

sudo nano /etc/ssh/sshd_config

Set (or add) these lines:

Port 2222
# Keep these hardening settings enabled
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

Tip: It’s safer to first verify key-based login works, and only then disable passwords.

Step 4 — Validate config and restart SSH

sudo sshd -t
sudo systemctl restart ssh
sudo systemctl status ssh --no-pager

Step 5 — Test connection on the new port (do this BEFORE closing 22)

# From your local PC
ssh -p 2222 user@SERVER_IP

Only after you successfully log in on the new port:

sudo ufw delete allow 22/tcp
sudo ufw status
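
The script below is an added example, not part of the original guide. It gates the removal of the port 22 rule on three checks parsed from the output of sshd -T, ss -lnt and ufw status: the effective sshd config names the new port, a socket is listening on it, and UFW allows it. The function names and the sample outputs are constructed for illustration; port 2222 follows the guide.

```sh
#!/bin/sh
# Added example (not from the original guide): checks to pass before closing port 22.
# On a server:  cutover_check 2222 "$(sudo sshd -T)" "$(sudo ss -lnt)" "$(sudo ufw status)"

# sshd -T prints the effective config in lowercase, one "port N" line per port.
sshd_has_port() {  # $1 = port, $2 = `sshd -T` output
  printf '%s\n' "$2" | grep -qx "port $1"
}

# A LISTEN socket whose local address ends in exactly :PORT (2222 must not match 22220).
is_listening() {   # $1 = port, $2 = `ss -lnt` output
  printf '%s\n' "$2" | awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }'
}

# An ALLOW rule for PORT/tcp in `ufw status`.
ufw_allows() {     # $1 = port, $2 = `ufw status` output
  printf '%s\n' "$2" | awk -v r="$1/tcp" '$1 == r && $2 == "ALLOW" { f = 1 } END { exit !f }'
}

cutover_check() {  # $1 = new port, $2 = sshd -T, $3 = ss -lnt, $4 = ufw status
  sshd_has_port "$1" "$2" || { echo "FAIL: sshd effective config has no 'port $1'"; return 1; }
  is_listening "$1" "$3"  || { echo "FAIL: nothing is listening on TCP $1"; return 1; }
  ufw_allows "$1" "$4"    || { echo "FAIL: ufw has no ALLOW rule for $1/tcp"; return 1; }
  echo "OK: port $1 is configured, listening and allowed"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SSHD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:2222        0.0.0.0:*
LISTEN  0       128     [::]:2222           [::]:*'

SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
2222/tcp                   ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere'

# Config edited but the daemon never rebound: sshd -T passes, the ss check fails.
SAMPLE_SS_STALE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*'

cutover_check 2222 "$SAMPLE_SSHD" "$SAMPLE_SS" "$SAMPLE_UFW"
cutover_check 2222 "$SAMPLE_SSHD" "$SAMPLE_SS_STALE" "$SAMPLE_UFW" || true
```

These checks complement the login test in Step 5; they do not replace it, because they cannot see the provider panel firewall.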

Windows: Change RDP Port Safely (Windows Server / Windows VPS)

On a Windows VPS, changing the RDP port can reduce automated scans, but you should also restrict the rule by IP and keep NLA enabled. If possible, consider RD Gateway / VPN for external access.

Step 1 — Pick a new RDP port and open it in provider firewall

Choose a port like 3390 or 53389. First open it in your provider firewall in the VPS hosting panel to avoid “it works internally but not externally”.

Step 2 — Change the RDP port in registry

Run PowerShell as Administrator on the server (example uses 53389):

# Set new RDP port (Decimal)
$NewPort = 53389
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name 'PortNumber' -Value $NewPort

Step 3 — Create Windows Firewall rule for the new port

# Allow inbound TCP on the new port
New-NetFirewallRule -DisplayName "RDP (TCP $NewPort)" -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow

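Best practice: restrict by your IP (replace x.x.x.x). Create this rule instead of the open one above, because an allow-from-anywhere rule on the same port makes the restriction ineffective: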

New-NetFirewallRule -DisplayName "RDP (TCP $NewPort) - My IP only" `
  -Direction Inbound -Protocol TCP -LocalPort $NewPort -RemoteAddress x.x.x.x -Action Allow

Step 4 — Restart Remote Desktop Services (or reboot)

Reboot is the simplest and most reliable way. If you cannot reboot immediately, restart the service (this can drop your current session):

Restart-Service TermService -Force

Step 5 — Test from your PC

From Windows client:

Test-NetConnection SERVER_IP -Port 53389

In mstsc, connect like: SERVER_IP:53389

Quick Verification Checklist

  • New port is allowed in provider firewall and server firewall.
  • Service listens on the new port (ss/netstat checks).
  • You can log in on the new port before disabling the old one.
  • Credentials and key/NLA policies are still valid after changes.
  • Team has documentation of the new port and access path.

Conclusion

Changing a default port is a good “noise reduction” and hardening step, but the real security comes from strong authentication and restricted access. Use it as part of a layered approach on your Linux VPS or Windows VPS on professional VPS hosting.
