Introduction / Why This Is Needed
The standard SSH port (22) is well known to attackers and is the one automated scanners probe by default. Moving SSH to a non-standard port is a simple and effective way to filter out this random scanning traffic. In this guide, you will change the SSH port on macOS while keeping full remote access working.
Prerequisites / Preparation
- A computer with macOS (version 11.0 Big Sur or newer recommended).
- Administrative rights (sudo password).
- Terminal (built-in Terminal app or iTerm2).
- Ensure the SSH server is installed (it's built into macOS) and preferably already running.
Step 1: Check SSH Server Status
First, ensure the SSH server (sshd daemon) is active. Open Terminal and run:
sudo systemsetup -getremotelogin
If you see Remote Login: On, the server is running. If Remote Login: Off, enable it:
sudo systemsetup -setremotelogin on
Tip: After enabling, it may take 5–10 seconds for the server to start listening on the port.
Step 2: Back Up the Configuration File
Before editing a system file, create a backup. This allows you to quickly restore settings if something goes wrong.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Step 3: Change the Port in the SSH Configuration
The main SSH server configuration file is /etc/ssh/sshd_config. Open it in a text editor (e.g., nano):
sudo nano /etc/ssh/sshd_config
In the opened file, find the line starting with #Port 22. Remove the comment symbol (#) and change 22 to your desired port. For example:
Port 2222
Choose a port in the 1024–65535 range that isn't used by other services. Avoid ports reserved for common services (e.g., 3306 for MySQL, 5432 for PostgreSQL).
Save changes: In nano, press Ctrl+O, then Enter, and exit (Ctrl+X).
Important: Ensure there are no other lines with the Port directive in the file. If such lines exist, comment them out (add # at the beginning) or delete them, leaving only one active line.
Step 4: Restart the SSH Service
For changes to take effect, restart the SSH daemon. Run in Terminal:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
These commands unload and reload the SSH service, applying the new configuration.
Tip: On very old macOS versions (before 10.10), other commands may be required:
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
Step 5: Verify SSH Is Listening on the New Port
Ensure the SSH server now listens on your specified port:
sudo lsof -i -P | grep LISTEN | grep ssh
The output should include a line containing your port (e.g., *:2222). If the port doesn't appear, recheck the configuration file and restart the service.
Also, try connecting locally to confirm it works:
ssh -p 2222 username@localhost
Replace 2222 with your port and username with your macOS username. On successful connection, you'll see the command prompt.
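Steps 2 to 5 can also be run as a small script, which makes it easy to rehearse the edit on a copy of sshd_config before touching the real file. The script below is an added example, not part of the original guide, and the function names are my own. set_ssh_port performs the backup and the edit, commenting out every existing Port directive rather than assuming there is exactly one; active_port_lines and configured_port check the result; apply_live performs the same edit on /etc/ssh/sshd_config, validates the file with sshd -t (restoring the backup if validation fails), reloads the service and confirms that something is listening on the new port. apply_live must run as root and is not called automatically.

```shell
#!/bin/sh
# Added example, not from the original guide. Edits an sshd_config file so that
# exactly one active Port directive remains, keeping a backup beside it, and
# wraps the checks from Steps 1-5 in functions. Function names are my own.

# valid_port PORT -> succeeds when PORT is an integer in the 1024-65535 range
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# active_port_lines FILE -> prints the number of uncommented Port directives
active_port_lines() {
    grep -Ec '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" || true
}

# configured_port FILE -> prints the port of the first active Port directive
configured_port() {
    sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1
}

# set_ssh_port FILE PORT -> creates FILE.backup (Step 2), comments out every
# existing Port directive and inserts "Port PORT" at the top of the file
# (Step 3). The line goes at the top rather than the end because a Port
# directive inside a trailing Match block is rejected by sshd.
set_ssh_port() {
    file=$1
    port=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp "$file" "$file.backup" || return 1
    {
        printf 'Port %s\n' "$port"
        sed -E 's/^[[:space:]]*(Port[[:space:]]+[0-9]+)/#\1/' "$file.backup"
    } > "$file"
}

# apply_live PORT -> the same edit on the real file, then a syntax check, the
# service reload from Step 4 and the listener check from Step 5. Must run as
# root; it is never invoked automatically so the file is safe to source.
apply_live() {
    set_ssh_port /etc/ssh/sshd_config "$1" || return 1
    # Validate before reloading: a broken config would leave sshd down.
    if ! sshd -t; then
        cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
        return 1
    fi
    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load -w /System/Library/LaunchDaemons/ssh.plist
    sleep 5                      # the guide notes startup may take 5-10 seconds
    # lsof lists only sockets listening on TCP port $1; exit 1 means none found
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null
}

# Usage (hypothetical file name ssh_port.sh):
#   . ./ssh_port.sh && set_ssh_port /tmp/sshd_config.copy 2222   # rehearsal
#   sudo sh -c '. ./ssh_port.sh && apply_live 2222'              # for real
```

To rehearse, copy /etc/ssh/sshd_config somewhere writable, source the script and run set_ssh_port against the copy; active_port_lines should then report 1 and configured_port your new port. Only once the copy looks right run apply_live as root.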
Potential Issues
Error: "Connection refused" or "Connection timeout"
- Cause: SSH server isn't running or isn't listening on the specified port.
- Solution: Check server status (Step 1) and port correctness (Step 5). Ensure only one Port directive exists in the config.
Error: "Permission denied (publickey,password)"
- Cause: Incorrect credentials or missing SSH key setup.
- Solution: Verify login and password. If using keys, ensure the public key is added to ~/.ssh/authorized_keys and that the file has 600 permissions.
Firewall blocking the connection
- Cause: If you manually configured firewall rules (e.g., via pf), the new port may be blocked.
- Solution: Add a rule for the new port to /etc/pf.conf and reload pf:
echo "pass in proto tcp from any to any port 2222" | sudo tee -a /etc/pf.conf
sudo pfctl -f /etc/pf.conf
sudo pfctl -e
Replace 2222 with your port. pfctl -f replaces the loaded ruleset with the contents of the file it is given, which is why the rule belongs in /etc/pf.conf rather than being loaded on its own. If using the standard application firewall (System Settings → Security & Privacy → Firewall), it operates per application, not per port, so if SSH is already allowed, the new port is open automatically.
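If you manage /etc/pf.conf by hand, it is worth keeping the SSH rule idempotent, so that re-running your setup does not pile up duplicate pass rules, and parsing the file before loading it. The functions below are an added example, not from the original guide, with names of my own: add_ssh_pass_rule appends the guide's rule only if that exact line is absent, remove_ssh_pass_rule drops the rule for a port you no longer use, ssh_pass_rule_count reports how many copies a file holds, and reload_pf parse-checks the file with pfctl -n before loading it and enabling pf. reload_pf needs root; the others work on any file, so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original guide: manage the guide's pf "pass" rule
# for the new SSH port in a pf.conf file without adding it twice, and check the
# file with pfctl before loading it. Function names are my own.

# ssh_pass_rule PORT -> prints the rule the guide uses for PORT
ssh_pass_rule() {
    printf 'pass in proto tcp from any to any port %s\n' "$1"
}

# ssh_pass_rule_count FILE PORT -> how many exact copies of the rule FILE holds
ssh_pass_rule_count() {
    grep -cxF "$(ssh_pass_rule "$2")" "$1" || true
}

# add_ssh_pass_rule FILE PORT -> appends the rule unless it is already present,
# so running the setup again leaves the ruleset unchanged
add_ssh_pass_rule() {
    file=$1
    port=$2
    [ "$(ssh_pass_rule_count "$file" "$port")" -eq 0 ] || return 0
    ssh_pass_rule "$port" >> "$file"
}

# remove_ssh_pass_rule FILE PORT -> removes the rule for PORT, e.g. the rule for
# an old port after SSH has been moved again
remove_ssh_pass_rule() {
    file=$1
    rule=$(ssh_pass_rule "$2")
    # grep -v exits 1 when no line is left, which is not an error here
    grep -vxF "$rule" "$file" > "$file.tmp" || true
    mv "$file.tmp" "$file"
}

# reload_pf FILE -> parse FILE without loading it (pfctl -n), then load it and
# enable pf if it is not already enabled. Must run as root.
reload_pf() {
    pfctl -nf "$1" || return 1
    pfctl -f "$1" || return 1
    pfctl -s info | grep -q 'Status: Enabled' || pfctl -e
}

# Usage (hypothetical file name pf_ssh.sh):
#   . ./pf_ssh.sh && add_ssh_pass_rule /tmp/pf.conf.copy 2222    # rehearsal
#   sudo sh -c '. ./pf_ssh.sh && add_ssh_pass_rule /etc/pf.conf 2222 && reload_pf /etc/pf.conf'
```

Because add_ssh_pass_rule matches the whole line exactly, a hand-written variant of the rule (extra spaces, a different address) is not recognised as a duplicate; keep to the one form if you rely on the count.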
Cannot connect from a remote computer
- Cause: Router or cloud provider isn't forwarding traffic to the new port.
- Solution: Configure port forwarding on your router or in your cloud service's control panel (AWS Security Groups, Google Cloud Firewall Rules) for the new port.
SSH stops working after port change
- Cause: Syntax error in the configuration file or port conflict.
- Solution: Restore the backup and reload the service:
sudo cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist
sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Then, when you edit the file again, check its syntax before reloading: sudo sshd -t (prints errors, if any).
SIP (System Integrity Protection) preventing editing?
- Cause: Since macOS El Capitan, SIP protects system files. However, /etc/ssh/sshd_config isn't protected and can be edited with sudo without issues. If you encounter access errors, ensure you're using sudo and the correct path.
Verification
After completing all steps, you should successfully connect to the SSH server on the new port. Check:
- Local connection: ssh -p <new_port> username@localhost
- Remote connection (if needed): from another device, use ssh -p <new_port> username@your_ip
If both methods work, the port change was successful.
Additional Recommendations
- Update all scripts, configurations, and bookmarks that use SSH to specify the new port.
- Consider using SSH keys instead of passwords for added security.
- Regularly update macOS and OpenSSH packages via System Settings → Software Update.
- For even greater security, set up fail2ban or similar tools to block repeated login attempts.
Now your SSH server on macOS runs on a non-standard port, significantly reducing the volume of automated attacks it sees. Make a note of the new port and update your client-side settings.