Secure Your macOS Remote SSH Access by Changing Listening Port
Enhance the Security of Your macOS Remote SSH Access by Changing the Listening Port
Changing the default SSH port is a common security measure that is often referred to as a “security through obscurity” technique. This type of technique relies on the idea that hiding or obfuscating important information can make it more difficult for attackers to find and exploit a system. In the case of SSH, changing the default port makes it more difficult for attackers to find and target the service, as they would need to know the non-standard port number in order to connect to it.

Remote Secure Shell (SSH) access is a common method for securely accessing your Mac device. However, the default port for SSH (port 22) is well-known and is often targeted by malicious actors. In this tutorial, I will show you how to change the listening port for SSH on a macOS machine to improve the security of your remote access.
Step-by-step tutorial:
- Open the terminal on your macOS machine and enter the following command to open the /etc/services file:
sudo nano /etc/services - Scroll down until you find the lines related to the SSH service. You can also find them by searching for the port number 22. The two lines will appear as follows:
ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol - Now modify the port numbers in both lines to the number you’ve chosen. It is recommended to choose a port number between 20000 and 40000, as ports outside this range are typically reserved for native macOS services or may be allocated as ephemeral ports. Here some references for the record: https://support.apple.com/en-us/HT202944. Don’t mind for the line space formatting, it will work not matter how.
- Save the file by pressing
CTRL + Oand thenEnter. Exit the editor by pressingCTRL + X.
WARNING: Once you change the SSH listening port, all new connections you try to establish via the ssh command will try to use that port instead of the default port 22. If you want to modify this behavior, you will have to change the SSH default client port through the ssh_config file. To do that just check the next section on this article. Alternatively, you can just specify the desired port each time you try to connect via SSH by using the -p flag.
In other words, to connect to an SSH server listening on port 22, you would need to use the following command:ssh -p 22 username@server instead of the standard ssh username@server .
Restore SSH client default behaviour
In case you want to stick with having the SSH command establishing new connections through port 22, follow along these steps:
- Open the /etc/ssh/ssh_config file using the following command:
sudo nano /etc/ssh/ssh_config - Locate the line that reads
#Port 22and remove the#to uncomment the line. - Save the file by pressing
CTRL + Oand thenEnter. Exit the editor by pressingCTRL + X.
After having completed all the steps above, including the optional ones related to restoring the default SSH client behaviour related to which port to connect to, you will have to restart the SSH server. To restart the SSH server, go to the Settings app and toggle the Remote Login option off and then on again.
Your SSH server will now be listening on the new port and the SSH command will connect using the default port 22. You’re good to go.
If you have any questions or need support, please don’t hesitate to leave a comment below.
Conclusion
Changing the listening port for SSH is just one of many security measures you can take to secure your remote access. It is also important to secure your home router and limit external access to only trusted sources. For additional security, consider disabling password authentication and using key-based authentication as outlined in our article “Secure Your macOS Remote SSH Access by Disabling Password Login”:
If you liked 👏 this article you may enjoy reading through some of my other articles. Oh, and don’t forget to follow me! 🫵
Further reading
Below, you can find some of my other articles:




