# Changing SSH Port on Oracle Cloud Ubuntu: The Complete Guide

When you provision an Ubuntu instance on Oracle Cloud, you'll notice something different from standard Ubuntu installations: the system uses **iptables** instead of ufw for firewall management. This distinction is crucial when you want to change your SSH port—simply editing `/etc/ssh/sshd_config` won't be enough. You need to configure both the SSH daemon and the firewall rules, plus update Oracle Cloud's network security settings.

This guide walks you through the complete process of safely changing your SSH port on Oracle Cloud.

## Why This Matters

SSH typically runs on port 22, which is a well-known target for brute-force attacks and automated scanning. Changing it to an uncommon port significantly reduces unwanted connection attempts and improves security through obscurity. However, if you skip the firewall configuration, your new SSH port simply won't accept connections—leaving you locked out of your instance.

## Step 1: Modify the SSH Configuration File

Start by editing the SSH daemon configuration:

```bash
sudo nano /etc/ssh/sshd_config
```

Locate the line that specifies the port. It may be commented out with a `#` symbol:

```
# Port 22
```

Uncomment it and change it to your desired port (we'll use `2222` in this example):

```
Port 2222
```

Save the file by pressing `Ctrl + X`, then `Y`, then `Enter`.

## Step 2: Update iptables Firewall Rules

This is the critical step that many people miss. You need to add a new iptables rule to allow traffic on your new SSH port.

First, check your current iptables rules and their line numbers:

```bash
sudo iptables -L INPUT --line-numbers
```

This command displays output similar to:

```
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
6    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
```

The key insight: you must insert your new SSH rule **above the reject-all rule** (line 6 in this example). Insert the rule at position 6:

```bash
sudo iptables -I INPUT 6 -p tcp --dport 2222 -m state --state NEW -j ACCEPT
```

Breaking down this command:
- `-I INPUT 6` — Insert at position 6 in the INPUT chain
- `-p tcp` — Protocol is TCP
- `--dport 2222` — Destination port is 2222
- `-m state --state NEW` — Match new connections
- `-j ACCEPT` — Accept the connection

## Step 3: Persist iptables Configuration

By default, iptables rules are lost when you reboot. Save them using `netfilter-persistent`:

```bash
sudo netfilter-persistent save
```

This command writes your iptables rules to disk so they survive system restarts.

## Step 4: Restart the SSH Service

Apply your configuration changes:

```bash
sudo systemctl daemon-reload
sudo systemctl restart ssh
```

Verify the service is running:

```bash
sudo systemctl status ssh
```

## Step 5: Update Oracle Cloud Network Security Rules

SSH won't work until you update Oracle Cloud's security lists. Navigate through the web console:

1. Go to **Networking** → **Virtual Cloud Networks**
2. Select your VCN
3. Click **Security Lists**
4. Open the **Default Security List**
5. Click **Add Ingress Rules**

Fill in the following fields:

| Field | Value |
|-------|-------|
| **Source Type** | CIDR |
| **Source CIDR** | `0.0.0.0/0` |
| **IP Protocol** | TCP |
| **Source Port Range** | All |
| **Destination Port Range** | `2222` |

Click **Save**. Oracle Cloud will apply the rule within seconds.

## Testing Your Connection

Once all changes are in place, test the new SSH connection from your local machine:

```bash
ssh -i ssh-xxx.key -p 2222 ubuntu@your-public-ip
```

Replace `ssh-xxx.key` with your private key path and `your-public-ip` with your instance's public IP address.

If the connection succeeds, you've successfully changed your SSH port. If it hangs or times out, double-check:
- iptables rule was inserted (check with `sudo iptables -L INPUT --line-numbers`)
- Oracle Cloud security list rule was created
- SSH daemon restarted successfully

## Cleaning Up: Removing the Old Port 22 Rule

Once you've confirmed SSH works on the new port, remove the old rule for port 22 to reduce attack surface.

First, identify the line number of the old SSH rule:

```bash
sudo iptables -L INPUT --line-numbers
```

Delete it using the `-D` (delete) flag:

```bash
sudo iptables -D INPUT 3
```

Replace `3` with the actual line number from your output.

Save the updated rules:

```bash
sudo netfilter-persistent save
```

Also remove the old port 22 ingress rule from Oracle Cloud's security list:

1. Return to **Networking** → **Virtual Cloud Networks** → **Security Lists**
2. Find the rule for port 22 in the ingress rules list
3. Click the **X** icon to delete it

## Key Takeaways

- **Oracle Cloud uses iptables, not ufw** — Configure the firewall accordingly
- **Rule position matters** — Insert above the reject-all rule to avoid blocking yourself
- **Three layers of configuration** — SSH config, iptables, and Oracle Cloud security rules must all be updated
- **Test before cleaning up** — Confirm the new port works before removing the old rule
- **Persist your changes** — Use `netfilter-persistent save` to survive reboots

Changing SSH ports is a quick security hardening measure that's well worth the few minutes it takes to configure properly.

---

Reference
