SFTP (SSH File Transfer Protocol) is a secure protocol for transferring files between two hosts over an encrypted connection. It also allows you to perform various file operations on remote files and to resume file transfers.
SFTP can be used as a replacement for the legacy FTP protocol. It has all the functionality of FTP but with a more secure connection.
This article explains how to change the default SFTP port in Linux. We will also show you how to configure your firewall to allow traffic on the new port.
What Port Does SFTP Use
SFTP is a subsystem of SSH and provides the same level of security as SSH.
The default SFTP port is 22.
Changing the SFTP Port
Changing the default SFTP/SSH port adds an extra layer of security to your server by reducing the risk of automated attacks.
The following steps describe how to change the SSH Port on Linux machines.
1. Choosing a New Port Number
In Linux, port numbers below 1024 are reserved for well-known services and can only be bound to by root. Although you can use a port within the 1-1024 range for the SSH service to avoid port allocation issues, it is recommended to choose a port above 1024.
This example shows how to change the SFTP/SSH port to 4422, but you can choose any port of your liking.
2. Adjusting Firewall
Before changing the SFTP/SSH port, you’ll need to open the new port in your firewall.
If you are using UFW, the default firewall in Ubuntu, run the following command to open the port:
sudo ufw allow 4422/tcp
In CentOS, the default firewall management tool is FirewallD. To open the port, enter the following commands:
sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp
sudo firewall-cmd --reload
CentOS users also need to adjust the SELinux rules to allow the new SSH port:
sudo semanage port -a -t ssh_port_t -p tcp 4422
If you are using another Linux distribution that runs iptables, to open the new port run:
sudo iptables -A INPUT -p tcp --dport 4422 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
3. Configuring SFTP/SSH
The SSH server configuration is stored in the /etc/ssh/sshd_config file. Open the file with your text editor:
sudo vim /etc/ssh/sshd_config
Search for the line starting with Port 22. Typically, this line is commented out using the hash (#) symbol. Remove the hash # and enter your new SSH port number:
Port 4422
Be very careful when editing the configuration file. An incorrect configuration may prevent the SSH service from starting.
Once done, save the file and restart the SSH service for changes to take effect:
sudo systemctl restart ssh
In CentOS the SSH service is named sshd:
sudo systemctl restart sshd
Verify that the SSH daemon is listening on the new port:
ss -an | grep 4422
The output should look something like this:
tcp LISTEN 0 128 0.0.0.0:4422 0.0.0.0:*
tcp ESTAB 0 0 192.168.121.108:4422 192.168.121.1:57638
tcp LISTEN 0 128 [::]:4422 [::]:*
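One way to script the step 3 edit so that a mistake does not lock you out, as an added example that is not part of the original article: set_sshd_port (a hypothetical helper name) validates the port, backs up the file, and places the Port directive before any Match block, since sshd rejects Port inside one. The closing comment shows the sshd -t configuration test to run before restarting.

```shell
#!/bin/sh
# Added example. set_sshd_port is a hypothetical helper name, not part of OpenSSH.
# Usage: set_sshd_port <sshd_config path> <new port>
set_sshd_port() {
    file=$1
    port=$2

    # Accept only a plain integer from 1 to 65535 (no sign, no leading zero).
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Keep a copy to restore if sshd rejects the edited file.
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1

    awk -v port="$port" '
        # Port is not allowed inside a Match block, and a Match block runs to
        # the next Match or end of file, so emit Port before the first one.
        !done && tolower($1) == "match" { print "Port " port; done = 1 }
        # Replace the first Port line, whether active or commented out.
        !done && /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ {
            print "Port " port; done = 1; next
        }
        # Comment out any later active Port line so the old port is closed.
        done && /^[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ { print "#" $0; next }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write through cat so the original owner and mode are preserved.
    cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return "$status"
}

# Typical use as root, from a session you keep open until the new port works:
#   set_sshd_port /etc/ssh/sshd_config 4422 && sshd -t && systemctl restart sshd
#   (on failure: cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config)
```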
Using the New SFTP Port
To specify the port number, invoke the sftp command with the -P option followed by the new port number:
sftp -P 4422 username@remote_host_or_ip
If you are using a GUI SFTP client, simply enter the new port in the client interface.
Conclusion
The default SFTP port is 22. However, you can change the port to whatever number you want.
If you are regularly connecting to multiple systems, you can simplify your workflow by defining all of your connections in the SSH config file.
Feel free to leave a comment if you have any questions.