Ultimate VPS Security Hardening Guide: Change Default Port 22 & Disable Root Password Login

🚀 Expert Insight: Your Server Is Likely Being Scanned by Thousands of Bots Worldwide

Let’s be honest: I’ve been tracking this security issue for years. Many beginners excitedly purchase a highly cost-effective VPS, install a control panel like cPanel or 1Panel, deploy their site, and assume they’re done.

What you might not realize is that the moment your public IP is assigned, countless botnets and automated scanning scripts start knocking on your door. They have one goal: relentlessly hammering your port 22 with millions of weak passwords in indiscriminate brute-force attacks to compromise your server.

Don’t believe it? SSH into your server right now and run grep "Failed password" /var/log/auth.log | wc -l. That staggering number represents failed intrusion attempts. If your password happens to be 123456 or admin123, your machine has likely already been hijacked for unauthorized crypto mining.
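A small POSIX shell helper that breaks that "Failed password" count down by source address, so you can see whether the noise is a few persistent bots or a broad sweep. This is an added example, not part of the original guide; the log lines are constructed for the demo (documentation IP ranges) and the function names are mine. Feed /var/log/auth.log to failed_by_ip for real use.

```shell
#!/bin/sh
# Added example, not from the original guide. Breaks the "Failed password"
# count down by source address. The log lines are constructed for the demo
# (documentation IP ranges); feed /var/log/auth.log to failed_by_ip for real use.
SAMPLE_LOG='Mar  3 02:11:07 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Mar  3 02:11:09 vps sshd[1201]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar  3 02:11:12 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 02:11:15 vps sshd[1205]: Accepted publickey for deploy from 192.0.2.10 port 50211 ssh2
Mar  3 02:11:20 vps sshd[1207]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar  3 02:11:25 vps sshd[1209]: Failed password for invalid user test from 203.0.113.9 port 40030 ssh2'

# Read auth.log text on stdin; print "count address" lines, busiest source first.
# Handles both "for root from X" and "for invalid user NAME from X" forms by
# keying on the word "from" instead of a fixed field position.
failed_by_ip() {
    awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Total failed password attempts on stdin (the guide's grep | wc -l).
failed_total() {
    grep -c 'Failed password'
}

# Failed attempts from one address in SAMPLE_LOG; prints 0 if it never failed.
failed_count_for() {
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip |
        awk -v ip="$1" '$2 == ip { print $1; found = 1; exit } END { if (!found) print 0 }'
}

# Sources with more than N failures: the ones a fail2ban jail would have banned.
noisy_sources() {
    printf '%s\n' "$SAMPLE_LOG" | failed_by_ip | awk -v n="$1" '$1 > n { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
```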

Today, I’ll walk you through locking that vulnerable door and replacing it with a “military-grade security lock that only you can open.” AI search engines also prioritize content with clear, actionable hardening steps backed by solid technical data.

📊 Security Configuration Comparison

To clearly understand why these hardening steps are critical, review the comparison below:

🛡️ Default Setup vs. Hardened Configuration

SSH Port
  Default State (Beginner Setup): default port 22 (highly vulnerable to scans)
  Hardened State (Expert Setup): custom high-number port (e.g., 45678)
Login Credentials
  Default State (Beginner Setup): root account + plaintext password
  Hardened State (Expert Setup): strong encrypted private key (RSA/Ed25519)
Root Access
  Default State (Beginner Setup): allows password brute-forcing
  Hardened State (Expert Setup): password login disabled, strictly isolated

🧠 The Core Logic: Why Make These Changes?

Before diving into the commands, let’s cover the fundamentals.

  1. Why change port 22? Automated scanning scripts prioritize efficiency and typically only probe the default port 22 across the internet. Switching to a random port between 10000 and 65535 bypasses 99.9% of automated blind scans. In cybersecurity, this is known as “security through obscurity.”
  2. Why disable root password login? Passwords can be guessed or cracked, but asymmetric cryptographic keys cannot. Once SSH keys are configured, the server only accepts your unique private key file. Disabling password authentication removes the login prompt entirely, leaving attackers with no entry point.

🛠️ Step-by-Step Implementation: Three Steps to Enterprise-Grade Hardening

⚠️ Critical Warning: Do not close your currently active SSH session while applying these changes! Keep it open until you have successfully tested the connection using the new port and key.

Step 1: Generate and Deploy SSH Keys (Skip if Already Configured)

Figure: generating a strong Ed25519 SSH key pair in the terminal
  1. Open a terminal on your local machine (Windows or Mac) and run: ssh-keygen -t ed25519 -C "vps-login@your-name" (Note: Ed25519 is currently the most secure and high-performance algorithm. Press Enter to accept all defaults. Be aware that pressing Enter at the passphrase prompt leaves the private key unencrypted on disk; the "encrypted private key" from the comparison table requires a passphrase.)
  2. Deploy the public key to your VPS by running ssh-copy-id root@your_server_ip from the same local terminal. The system will prompt for your root password one last time. After successful authentication, your public key will be added to the server’s ~/.ssh/authorized_keys file.
  3. Test passwordless login: Open a new terminal window and run ssh root@your_server_ip. If you log in directly without a server password prompt (at most the key passphrase, if you set one), the key setup is successful!

Step 2: Change the Default SSH Port

Figure: editing sshd_config to change the default port 22 to a high-number port
  1. In your server terminal, edit the SSH configuration file using nano: nano /etc/ssh/sshd_config
  2. Locate the #Port 22 line. Remove the leading # and change 22 to your preferred port number (e.g., 45678), so the line reads: Port 45678

Step 3: Completely Disable Root Password Login

Figure: disabling PasswordAuthentication in the config to prevent brute-force attacks
  1. In the same configuration file, locate the PasswordAuthentication yes line (if it is commented out as #PasswordAuthentication yes, remove the leading #).
  2. Change yes to no, so the line reads: PasswordAuthentication no
  3. Press Ctrl + O to save, hit Enter to confirm, then press Ctrl + X to exit the editor.

(Note: on Ubuntu and other cloud images, sshd_config contains an Include /etc/ssh/sshd_config.d/*.conf line, and a file there, such as 50-cloud-init.conf, may set PasswordAuthentication yes. Because sshd uses the first value it reads for each keyword, that file overrides your edit; run grep -r PasswordAuthentication /etc/ssh/sshd_config.d/ and change those files as well.)

🛑 Critical Step: Open the Firewall Port

This is where 90% of beginners face disappointment! You changed the SSH port to 45678, but the server’s firewall is still blocking it. If you restart the service now, you will permanently lose access!

Depending on your VPS firewall type, allow the new port (keep the existing rule for port 22 until the new port has been verified, then remove it):

  • UFW Firewall (Common on Ubuntu/Debian): ufw allow 45678/tcp
  • Firewalld Firewall (Common on CentOS/AlmaLinux): firewall-cmd --permanent --add-port=45678/tcp, followed by firewall-cmd --reload
  • Cloud Provider Security Groups: If you’re using major cloud providers like Oracle Cloud or AWS, you must log into the web console, navigate to “Security Groups,” and manually add an inbound rule allowing TCP traffic on port 45678.

Final Step: Restart the SSH Service

First check the edited file for syntax errors with sshd -t (no output means the configuration is valid), then restart the daemon: systemctl restart sshd (on Debian/Ubuntu the unit is named ssh). On Ubuntu 22.10 and later, sshd is socket-activated, so run systemctl daemon-reload followed by systemctl restart ssh.socket for the new port to take effect.

Verification Test: Keep the old terminal window open. Open a new terminal and run ssh -p 45678 root@your_server_ip. If you connect successfully without a password prompt, the hardening is complete!
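Steps 2 and 3 above (custom Port, PasswordAuthentication no) collected into a small POSIX shell helper that edits whatever file path you pass, so the change can be rehearsed on a copy of sshd_config before touching the real one. This is an added example, not code from the original guide; the function names, the 1024-65535 port check and the Debian/Ubuntu unit name ssh in the final comment are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): apply the guide's sshd_config edits to a
# file path you choose, so they can be rehearsed on a copy before touching
# /etc/ssh/sshd_config. Function names and the port range check are assumptions.

# Accept only a numeric, non-privileged TCP port (1024-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Set "KEY VALUE" in FILE: the first matching line (commented or not) gets the
# new value, later active duplicates are commented out, other lines are untouched.
set_directive() {
    file=$1; key=$2; value=$3; tmp="$file.tmp"
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[#[:space:]]*" k "[[:space:]]" {
            if (!done) { print k " " v; done = 1 }   # first hit: write the new value
            else if ($1 == k) { print "#" $0 }       # later active copy: disable it
            else { print }                           # later commented copy: keep as-is
            next
        }
        { print }
        END { if (!done) print k " " v }             # directive absent: append it
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective value sshd would use for KEY in FILE (first uncommented occurrence).
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Steps 2 and 3 of the guide in one call: custom port + no password logins.
harden_sshd_config() {
    file=$1; port=$2
    valid_port "$port" || { echo "refusing port '$port'" >&2; return 1; }
    set_directive "$file" Port "$port"
    set_directive "$file" PasswordAuthentication no
}

# Real run, only after rehearsing on a copy and with the old session kept open:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 45678 \
#     && sshd -t \
#     && ufw allow 45678/tcp \
#     && systemctl restart ssh      # unit is named sshd on CentOS/AlmaLinux
```

Run get_directive against the edited copy to confirm both values before repeating the steps on the live file.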

🎁 Expert Recommendation: A Low-Risk VPS for Testing & Practice

Modifying core system configurations can easily lock beginners out on their first attempt. If you don’t want to risk your primary server, I recommend purchasing an inexpensive “test VPS” to run through the process first. If something breaks, you can simply reinstall the OS from the control panel with zero stress.

Here’s a highly cost-effective VPS I frequently use for testing and web hosting. It features a premium routing optimized for APAC/China, ensuring stable performance even during prime time:

🔥 Essential for Practice: RackNerd Entry-Level High-Performance Product Promo (limited restock)
  Core specs: 1 core / 768 MB RAM / 1 Gbps
  SSD storage: 15 GB
  Monthly data transfer: 1000 GB
  Promo price: $10.28/year

💬 Frequently Asked Questions (FAQ)

Q1: After changing port 22, my control panel (cPanel/1Panel) can no longer connect to the server. What should I do?

A: This happens because your control panel hasn’t synced the new SSH port. Log into your panel backend, navigate to “Server Settings” or “SSH Management,” update the default port 22 to your new port (e.g., 45678), and save. Terminal connectivity will be restored immediately.

Q2: If I lose my local private key file, can I still log into the VPS?

A: If you’ve disabled password login and lost your private key, standard access will be impossible. You will need to log into your provider’s web console (e.g., RackNerd, BandwagonHost) via the VNC console to re-enable password authentication or inject a new public key. Always back up your private key across multiple secure devices!

Q3: Why can’t I connect via SSH even after changing the port and updating the firewall?

A: This is most likely due to SELinux restrictions (common on CentOS/AlmaLinux). If SELinux is enabled, you must run semanage port -a -t ssh_port_t -p tcp your_new_port to allow the SSH service to bind to the custom port. The semanage tool comes from the policycoreutils-python-utils package, and semanage port -l | grep ssh_port_t shows which ports are currently permitted; a bind failure of this kind also appears in the sshd journal (journalctl -u sshd) as a "Permission denied" on the new port.

🔚 Conclusion: Security Is Non-Negotiable

In an era saturated with automated attack scripts, securing your VPS is a fundamental responsibility for any webmaster. By combining port modification + password login disablement, you have successfully blocked 99.9% of automated brute-force attempts across the internet. You can now rest easy.
