Changing SSH Port on Oracle Cloud Ubuntu: The Complete Guide


I wrote these tutorials for myself in the future, for when I forget the next steps.

When you provision an Ubuntu instance on Oracle Cloud, you'll notice something different from standard Ubuntu installations: the system uses iptables instead of ufw for firewall management. This distinction is crucial when you want to change your SSH port—simply editing /etc/ssh/sshd_config won't be enough. You need to configure both the SSH daemon and the firewall rules, plus update Oracle Cloud's network security settings.

This guide walks you through the complete process of safely changing your SSH port on Oracle Cloud.

Why This Matters

SSH typically runs on port 22, which is a well-known target for brute-force attacks and automated scanning. Changing it to an uncommon port significantly reduces unwanted connection attempts and improves security through obscurity. However, if you skip the firewall configuration, your new SSH port simply won't accept connections—leaving you locked out of your instance.

Step 1: Modify the SSH Configuration File

Start by editing the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Locate the line that specifies the port. It may be commented out with a # symbol:

# Port 22

Uncomment it and change it to your desired port (we'll use 2222 in this example):

Port 2222

Save the file by pressing Ctrl + X, then Y, then Enter.

Step 2: Update iptables Firewall Rules

This is the critical step that many people miss. You need to add a new iptables rule to allow traffic on your new SSH port.

First, check your current iptables rules and their line numbers:

sudo iptables -L INPUT --line-numbers

This command displays output similar to:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
6    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The key insight: you must insert your new SSH rule above the reject-all rule (line 6 in this example). Insert the rule at position 6:

sudo iptables -I INPUT 6 -p tcp --dport 2222 -m state --state NEW -j ACCEPT

Breaking down this command:

  • -I INPUT 6 — Insert at position 6 in the INPUT chain
  • -p tcp — Protocol is TCP
  • --dport 2222 — Destination port is 2222
  • -m state --state NEW — Match new connections
  • -j ACCEPT — Accept the connection

Step 3: Persist iptables Configuration

By default, iptables rules are lost when you reboot. Save them using netfilter-persistent:

sudo netfilter-persistent save

This command writes your iptables rules to disk so they survive system restarts.

Step 4: Restart the SSH Service

Apply your configuration changes:

sudo systemctl daemon-reload
sudo systemctl restart ssh

Verify the service is running:

sudo systemctl status ssh

Step 5: Update Oracle Cloud Network Security Rules

SSH won't work until you update Oracle Cloud's security lists. Navigate through the web console:

  1. Go to Networking → Virtual Cloud Networks
  2. Select your VCN
  3. Click Security Lists
  4. Open the Default Security List
  5. Click Add Ingress Rules

Fill in the following fields:

Field                   Value
Source Type             CIDR
Source CIDR             0.0.0.0/0
IP Protocol             TCP
Source Port Range       All
Destination Port Range  2222

Click Save. Oracle Cloud will apply the rule within seconds.

Testing Your Connection

Once all changes are in place, test the new SSH connection from your local machine:

ssh -i ssh-xxx.key -p 2222 ubuntu@your-public-ip

Replace ssh-xxx.key with your private key path and your-public-ip with your instance's public IP address.

If the connection succeeds, you've successfully changed your SSH port. If it hangs or times out, double-check:

  • iptables rule was inserted (check with sudo iptables -L INPUT --line-numbers)
  • Oracle Cloud security list rule was created
  • SSH daemon restarted successfully
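
The first and third checks in this list can be scripted. The following is an added example, not part of the original tutorial: it reads `sshd -T` and `iptables -S INPUT` (the rule-spec listing, used here instead of `-L` because it is easier to parse) and reports whether the new port's ACCEPT rule sits above the reject rule. The function names `effective_port`, `rule_state` and `sample_rules`, the script name `check.sh` and the sample rule set are assumptions made for illustration.

```shell
#!/bin/sh

# effective_port PORT: stdin is the output of `sudo sshd -T`.
# Succeeds only if sshd's effective configuration lists PORT.
effective_port() {
    awk -v p="$1" '$1 == "port" && $2 == p { found = 1 } END { exit !found }'
}

# rule_state PORT: stdin is the output of `sudo iptables -S INPUT`.
# Prints "ok N" when the ACCEPT for PORT is rule N and no REJECT/DROP rule
# without a port match precedes it, "shadowed N" when one does, else "missing".
rule_state() {
    awk -v p="$1" '
        $1 != "-A" { next }                  # skip the -P policy line
        { n++; port = ""; target = ""
          for (i = 1; i < NF; i++) {
              if ($i == "--dport") port = $(i + 1)
              if ($i == "-j")      target = $(i + 1)
          } }
        target == "ACCEPT" && port == p && !acc { acc = n }
        (target == "REJECT" || target == "DROP") && port == "" && !blk { blk = n }
        END {
            if (!acc)                  print "missing"
            else if (blk && blk < acc) print "shadowed " acc
            else                       print "ok " acc
        }'
}

# Constructed `iptables -S INPUT` output for the chain after Step 2.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

if [ "${1:-}" = live ]; then                 # on the instance: sh check.sh live 2222
    sudo sshd -t || exit 1                   # syntax-check sshd_config
    sudo sshd -T | effective_port "$2" || { echo "sshd is not set to port $2"; exit 1; }
    sudo iptables -S INPUT | rule_state "$2"
else
    sample_rules | rule_state 2222           # prints: ok 6
fi
```

`sshd -T` reports the configuration sshd would use, so pair it with `sudo ss -tlnp` to confirm the daemon is actually listening on the new port. A "shadowed" result means the rule was added below the reject rule and needs to be re-inserted above it.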

Cleaning Up: Removing the Old Port 22 Rule

Once you've confirmed SSH works on the new port, remove the old rule for port 22 to reduce attack surface.

First, identify the line number of the old SSH rule:

sudo iptables -L INPUT --line-numbers

Delete it using the -D (delete) flag:

sudo iptables -D INPUT 3

Replace 3 with the actual line number from your output.

Save the updated rules:

sudo netfilter-persistent save

Also remove the old port 22 ingress rule from Oracle Cloud's security list:

  1. Return to Networking → Virtual Cloud Networks → Security Lists
  2. Find the rule for port 22 in the ingress rules list
  3. Click the X icon to delete it

Key Takeaways

  • Oracle Cloud uses iptables, not ufw — Configure the firewall accordingly
  • Rule position matters — Insert above the reject-all rule to avoid blocking yourself
  • Three layers of configuration — SSH config, iptables, and Oracle Cloud security rules must all be updated
  • Test before cleaning up — Confirm the new port works before removing the old rule
  • Persist your changes — Use netfilter-persistent save to survive reboots

Changing SSH ports is a quick security hardening measure that's well worth the few minutes it takes to configure properly.

