SSH Config with Custom Port
Configure SSH connections on non-standard ports. Common for hardened servers, Bitbucket Data Center, and environments behind restrictive firewalls.
Detailed Explanation
Custom Port SSH Configuration
Running SSH on a non-standard port is a common hardening practice that reduces exposure to automated brute-force attempts aimed at the default port. Many services also use non-standard ports by default.
Example Config
```
Host hardened-server
    HostName server.example.com
    User admin
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_server
    IdentitiesOnly yes

Host gitlab-behind-firewall
    HostName gitlab.company.com
    User git
    Port 443
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes
```
Common Non-Standard Ports
| Service | Common Port | Why |
|---|---|---|
| Hardened servers | 2222, 2200 | Avoid default-port scanners |
| Bitbucket Server | 7999 | Atlassian default |
| GitLab over HTTPS port | 443 | Bypass firewalls that block port 22 |
| Corporate SSH | 8022 | Internal convention |
Port 443 Trick
Some corporate networks block outbound connections on port 22. If a Git hosting service supports SSH over port 443 (GitHub does via ssh.github.com), you can bypass this:
```
Host github.com
    HostName ssh.github.com
    User git
    Port 443
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes
```
Benefits of Non-Standard Ports
- Reduces log noise: Automated bots target port 22 by default
- Simple defense layer: Not security by itself, but cuts exposure to opportunistic scans of the default port
- Bypass restrictions: Port 443 often passes through corporate firewalls
Drawbacks
- You must remember (or configure) the custom port
- Not a substitute for proper authentication and rate limiting (keys, fail2ban)
- Port scanning tools will still find the service
Combining with Fail2Ban
Non-standard ports work best combined with key-only authentication and fail2ban for rate limiting.
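This combination only protects the server if the fail2ban `[sshd]` jail covers the port sshd actually listens on; the stock jail uses `port = ssh` (22), so a ban would not block a custom port. The script below is an added example, not from the original page, that audits the two files for that mismatch and for key-only logins. The function names, file names and sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check that a custom sshd port,
# key-only logins and the fail2ban [sshd] jail agree with each other.

# First Port directive in an sshd_config-style file (sshd defaults to 22).
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# "port = ..." in the [sshd] section of a jail file; fail2ban's stock
# default is the service name "ssh", which resolves to 22.
jail_port() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_sshd = ($1 == "[sshd]") }
        in_sshd && $1 == "port" { print $2; found = 1; exit }
        END { if (!found) print "ssh" }' "$1" | sed 's/ssh/22/'
}

# Succeeds only when the first PasswordAuthentication value is "no".
password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { exit (v == "no" ? 0 : 1) }' "$1"
}

# Prints one line per finding; returns non-zero if there is any.
audit_ssh_hardening() {
    rc=0
    sp=$(sshd_port "$1")
    jp=$(jail_port "$2")
    case ",$jp," in
        *",$sp,"*) ;;
        *) echo "fail2ban bans port $jp, sshd listens on $sp"; rc=1 ;;
    esac
    password_auth_disabled "$1" || { echo "password logins still allowed"; rc=1; }
    return $rc
}

# Constructed sample files: sshd moved to 2222, jail left at its default.
demo=$(mktemp -d)
printf 'Port 2222\nPasswordAuthentication no\n' > "$demo/sshd_config"
printf '[sshd]\nenabled = true\nmaxretry = 5\n' > "$demo/jail_stale.local"
printf '[sshd]\nenabled = true\nport = 2222\n' > "$demo/jail_fixed.local"
audit_ssh_hardening "$demo/sshd_config" "$demo/jail_stale.local" || true
audit_ssh_hardening "$demo/sshd_config" "$demo/jail_fixed.local" && echo "aligned"
```

The audit reads only top-level directives, so settings inside `Match` blocks or included drop-in files need a separate check.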
Use Case
Administrators running SSH on non-standard ports for security hardening, and developers connecting to services that use non-standard SSH ports like Bitbucket Server or corporate infrastructure.