SFTP (SSH File Transfer Protocol) is a secure file protocol for transferring files between two hosts over an encrypted connection. It also lets you perform file operations (listing, renaming, deleting) on the remote system and resume interrupted transfers.
SFTP can be used instead of the legacy FTP protocol. It offers all the functionality of FTP, but over a secure connection.
This article explains how to change the default SFTP port on Linux. We will also show you how to configure your firewall to allow for new ports.
Don’t confuse SFTP with FTPS. Both protocols have the same purpose. However, FTPS stands for FTP Secure, and this is an extension of the standard FTP protocol with support for TLS.
What Port Does SFTP Use?
SFTP is an SSH subsystem and provides the same level of security as SSH.
The default SFTP port is 22.
Change the SFTP Port
Changing the default SFTP / SSH port adds a modest layer of protection to your server by reducing the noise from automated scans and brute-force attempts aimed at port 22.
The following steps explain how to change the SSH Port on a Linux machine.
1. Select a New Port Number
On Linux, port numbers below 1024 are privileged: they are reserved for well-known services and can only be bound by root. While you can use a port in the 1-1024 range for the SSH service, it is recommended to select a port above 1024 to avoid port allocation conflicts with other services.
This example shows how to change an SFTP / SSH port to 4422, but you can choose whatever port you like.
2. Adjust the Firewall
Before changing the SFTP / SSH port, you must open a new port on your firewall.
If you use UFW, the default firewall in Ubuntu, run the following command to open the port:
sudo ufw allow 4422/tcp
On CentOS, the default firewall management tool is FirewallD. To open a port, enter the following command:
sudo firewall-cmd --permanent --zone=public --add-port=4422/tcp
sudo firewall-cmd --reload
CentOS users also need to update the SELinux policy so that SSH is allowed to bind the new port:
sudo semanage port -a -t ssh_port_t -p tcp 4422
If you use another Linux distribution running iptables, to open a new port run:
sudo iptables -A INPUT -p tcp --dport 4422 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
3. Configure SFTP / SSH
The SSH server configuration is stored in the /etc/ssh/sshd_config file. Open the file with your text editor:
sudo vim /etc/ssh/sshd_config
Look for the line that starts with Port 22. Usually this line is commented out with a hash symbol (#). Remove the hash and replace 22 with your new SSH port number, so that the line reads Port 4422.
Be careful when editing configuration files. Incorrect configuration can prevent the SSH service from starting.
When finished, save the file and restart the SSH service for the changes to take effect:
sudo systemctl restart ssh
On CentOS, the SSH service is called sshd:
sudo systemctl restart sshd
Make sure the SSH daemon is listening on the new port:
ss -an | grep 4422
The output will look like this:
tcp LISTEN 0 128 0.0.0.0:4422 0.0.0.0:*
tcp ESTAB 0 0 192.168.121.108:4422 192.168.121.1:57638
tcp LISTEN 0 128 [::]:4422 [::]:*
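As an added example (not code from the original article), the following shell function performs the edit from step 3 mechanically on a copy of sshd_config: it refuses privileged or malformed port numbers, keeps a backup, rewrites a commented "#Port 22" or an active "Port N" line, and prints the resulting directive so you can confirm exactly one is active before restarting. The function names set_sshd_port and valid_port and the sample config file are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names (valid_port,
# set_sshd_port) and the demo config file are constructed for illustration.

# Return 0 if $1 is an integer in 1024..65535 (the range the article recommends).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Usage: set_sshd_port <config-file> <port>
# Replaces a commented "#Port 22" or an active "Port N" line with "Port <port>";
# appends the directive if no Port line exists. Keeps a timestamped backup.
set_sshd_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    [ -f "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        # sed -i differs between GNU and BSD; write to a temp file and move it.
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    # Print the active Port directives so the caller can confirm exactly one.
    grep -E '^Port[[:space:]]+' "$cfg"
}

# Worked run on a constructed copy of sshd_config (never the live file):
demo_cfg="${TMPDIR:-/tmp}/sshd_config.demo.$$"
printf '# sample sshd_config (constructed)\n#Port 22\nPermitRootLogin no\n' > "$demo_cfg"
set_sshd_port "$demo_cfg" 4422
# On the real host, validate syntax before restarting: sudo sshd -t -f /etc/ssh/sshd_config
rm -f "$demo_cfg" "$demo_cfg".bak.*
```

Run `sudo sshd -t` after editing the live file; a non-zero exit means the daemon would refuse to start with that configuration, which is the failure the article warns about.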
Use the New SFTP Port
To specify the port number, invoke the sftp command with the -P option followed by the new port number:
sftp -P 4422 username@remote_host_or_ip
If you are using an SFTP GUI client, simply enter the new port in the client's connection settings.
The default SFTP port is 22. However, you can change the port to whatever number you want.
If you regularly connect to several systems, you can simplify your workflow by defining all your connections, including their ports, in the SSH client configuration file (~/.ssh/config).
Feel free to leave a comment if you have questions.