Changing the SSH Port and Disabling Root Login

Step-by-step guide to moving SSH off port 22 and disabling root login on Rocky Linux 9 — without locking yourself out. The exact sequence matters, and this article covers why.

[Image: Terminal showing the sshd_config file open in nano with the Port directive highlighted]

This is the step that catches the most beginners. Not because it’s technically difficult — it isn’t — but because the order of operations matters, and if you get it wrong, you lose SSH access to your server.

The sequence is: open the firewall rule first, then change the SSH config, then restart SSH. Never the other way around.


Before You Start

Make sure you have:

  • A non-root user with sudo access (from Part 2.7)
  • Your SSH key working for that user
  • The Vultr web console URL bookmarked as a backup — you’ll thank yourself if something goes wrong

Step 1 — Choose Your New Port

Pick a port number between 1024 and 65535 that isn’t used by another service. Common choices: 2222, 2200, 2020. Avoid well-known service ports.

For this guide, examples use 2222 — substitute your actual choice throughout.


Step 2 — Open the New Port in firewalld FIRST

This is the step that prevents lockouts. Do this before touching sshd_config.

# Add the new SSH port to firewalld permanently
sudo firewall-cmd --permanent --add-port=2222/tcp

# Reload firewalld to apply
sudo firewall-cmd --reload

# Verify the port is open
sudo firewall-cmd --list-ports

Expected output from the last command should include 2222/tcp.


Step 3 — Edit sshd_config

sudo nano /etc/ssh/sshd_config

Find the Port line. It may be commented out with #:

#Port 22

Uncomment it and change the value:

Port 2222

While you have the file open, find PermitRootLogin and set it to no:

PermitRootLogin no

If the line doesn’t exist, add it. If it’s commented out, uncomment it and change the value.

Save and exit: Ctrl+O, Enter, Ctrl+X.

[Image: nano editor showing sshd_config with Port 2222 and PermitRootLogin no highlighted]
Two changes in sshd_config: the Port number and PermitRootLogin. Make both in the same edit and save once.

Step 4 — Check the Config for Errors

Before restarting SSH, verify the config file has no syntax errors:

sudo sshd -t

No output means no errors. If you see an error message, go back and fix it before continuing.


Step 5 — Restart SSH

sudo systemctl restart sshd

sshd is now listening on port 2222 only; nothing listens on port 22 any more (its firewall rule is removed in Step 7).
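A pre-flight script for Steps 1 through 4, added here as an example and not part of the original guide: it confirms the port is in range, that firewalld already allows it, that the SELinux port label is present (with SELinux enforcing, the Rocky Linux 9 default, sshd cannot bind a port that lacks the ssh_port_t label, a caveat the steps above do not mention), that sshd -t passes, and that the effective config carries the new Port and PermitRootLogin no, all before the restart in Step 5. The script name, the PREFLIGHT_PORT variable and the parsing helpers are my own choices.

```shell
#!/bin/bash
# Pre-flight for moving sshd to a new port on Rocky Linux 9; run after editing sshd_config and
# before restarting it:  sudo PREFLIGHT_PORT=2222 bash ssh-port-preflight.sh
# Parsing helpers take command output as a string, so they can be exercised offline.
set -u

# 0 if $1 is a number in the 1024-65535 range the guide recommends.
valid_port() {
  case "$1" in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# 0 if $1/tcp appears in `firewall-cmd --list-ports` output ($2).
firewall_has_port() {
  for entry in $2; do [ "$entry" = "$1/tcp" ] && return 0; done
  return 1
}

# 0 if port $1 carries the SELinux ssh_port_t tcp label in `semanage port -l` output ($2).
# With SELinux enforcing (the Rocky 9 default) sshd cannot bind a port without this label.
selinux_has_ssh_port() {
  echo "$2" | awk -v p="$1" '
    $1 == "ssh_port_t" && $2 == "tcp" { for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 } }
    END { exit !found }'
}

# Print the effective value of option $1 from `sshd -T` output ($2); keys are lowercase there.
effective_sshd_opt() { echo "$2" | awk -v k="$1" '$1 == k { print $2; exit }'; }

# Run every check against the live system. Any FAIL means: do not restart sshd yet.
preflight() {
  port="$1"
  valid_port "$port" || { echo "FAIL: '$port' is not a port in 1024-65535 (Step 1)"; return 1; }
  firewall_has_port "$port" "$(firewall-cmd --list-ports)" \
    || { echo "FAIL: $port/tcp is not open in firewalld (Step 2)"; return 1; }
  if command -v semanage >/dev/null 2>&1; then
    selinux_has_ssh_port "$port" "$(semanage port -l)" \
      || { echo "FAIL: no SELinux label; run: semanage port -a -t ssh_port_t -p tcp $port"; return 1; }
  else
    echo "WARN: semanage missing (dnf install policycoreutils-python-utils); SELinux label unchecked"
  fi
  sshd -t || { echo "FAIL: sshd_config has syntax errors (Step 4)"; return 1; }
  cfg="$(sshd -T)"
  [ "$(effective_sshd_opt port "$cfg")" = "$port" ] || { echo "FAIL: effective Port is not $port (Step 3)"; return 1; }
  [ "$(effective_sshd_opt permitrootlogin "$cfg")" = "no" ] \
    || { echo "FAIL: PermitRootLogin is not 'no' (Step 3)"; return 1; }
  echo "OK: all checks passed; safe to run: sudo systemctl restart sshd (Step 5)"
}
if [ -n "${PREFLIGHT_PORT:-}" ]; then preflight "$PREFLIGHT_PORT"; fi
```

sshd -t and sshd -T both need to read the host keys, so run the script with sudo.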


Step 6 — Test From a New Terminal Window

Do not close your current session yet.

Open a completely new terminal window and test the connection with the new port:

ssh -p 2222 youruser@your-server-ip

Or in Termius: edit the saved connection and update the port number from 22 to 2222.

If this works — you’re connected on the new port, everything is correct. You can close the old session.

If this fails — you still have your original session open. Debug from there before anything else.


Step 7 — Remove Port 22 from firewalld

Now that you’ve confirmed the new port works, close port 22:

sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Verify port 22 is no longer open:

sudo firewall-cmd --list-all

The services: line should no longer include ssh, and ports: should show 2222/tcp.


Update Your SSH Client

Termius: Edit the saved host connection → change Port from 22 to 2222.

Mac Terminal: Update any saved SSH commands or aliases to include -p 2222.

~/.ssh/config (optional but useful — saves typing -p 2222 every time):

nano ~/.ssh/config

Add or update:

Host your-server-nickname
  HostName your-server-ip
  User youruser
  Port 2222
  IdentityFile ~/.ssh/id_ed25519

Now ssh your-server-nickname connects with the right port automatically.


If You Get Locked Out

It happens. The fix is straightforward if you know where to go.

Vultr web console: Log in to your Vultr dashboard → click your server → click the Console tab. This opens a browser-based terminal session that bypasses SSH entirely. You can type commands directly.

[Image: Vultr dashboard showing the Console tab on a server detail page]
The Vultr console tab. Browser-based access to your server regardless of SSH state. Bookmark this page before you need it.

From the console, fix whichever step went wrong:

If you forgot to open the port in firewalld:

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

If sshd_config has an error:

sudo nano /etc/ssh/sshd_config
# Fix the error
sudo systemctl restart sshd

If you want to temporarily revert to port 22 while you debug:

sudo nano /etc/ssh/sshd_config
# Change Port back to 22
sudo systemctl restart sshd
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Verify Everything Is Working

Final check after you’ve confirmed the new port works and the old session is closed:

# Confirm SSH is listening on the right port
sudo ss -tlnp | grep sshd

# Check the auth log — should show your successful login on the new port
sudo tail -20 /var/log/secure | grep sshd

The ss output should show port 2222, not 22.
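An added post-restart check for this verification step (example code, not from the guide): it parses `ss -tlnp` and confirms sshd is listening only on the expected port, covering the IPv4 (0.0.0.0:2222), IPv6 ([::]:2222) and wildcard (*:2222) local-address forms that ss prints. The script name and the VERIFY_PORT variable are my own choices.

```shell
#!/bin/bash
# Confirm sshd listens only on the new port (run after Step 6):
#   sudo VERIFY_PORT=2222 bash ssh-port-verify.sh
set -u

# Print the TCP ports sshd is listening on, one per line, given `ss -tlnp` output ($1).
# The local address is column 4; the port is whatever follows the last ':' in it.
sshd_listen_ports() {
  echo "$1" | awk '$1 == "LISTEN" && $0 ~ /"sshd"/ { n = split($4, a, ":"); print a[n] }' | sort -u
}

# 0 if sshd listens on port $1 and on no other port (so 22 is really gone); $2 = ss output.
only_on_port() {
  ports="$(sshd_listen_ports "$2")"
  [ -n "$ports" ] || return 1
  for p in $ports; do [ "$p" = "$1" ] || return 1; done
}

if [ -n "${VERIFY_PORT:-}" ]; then
  live="$(ss -tlnp)"
  if only_on_port "$VERIFY_PORT" "$live"; then
    echo "OK: sshd listens only on port $VERIFY_PORT"
  else
    echo "FAIL: sshd listening ports: $(sshd_listen_ports "$live" | tr '\n' ' ')"; exit 1
  fi
fi
```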

Frequently Asked Questions

Why do I get locked out when changing the SSH port?
The most common cause: you restarted SSH with the new port but forgot to open that port in firewalld first. The firewall blocks the new port, port 22 is now closed by the SSH config, and you're locked out. Always open the firewall rule before restarting sshd.

What do I do if I get locked out?
Use the Vultr web console, accessible from your Vultr dashboard under the server's 'Console' tab. It gives you direct browser-based access to the server regardless of SSH state. From there you can fix the firewall or sshd_config and restore access.

Why disable root login if I already have a non-root user?
Root is the username every bot tries first. Disabling direct root login means that even if an attacker finds your SSH port and somehow gets past key authentication, they cannot log in as root directly. It adds a layer without any inconvenience to your workflow.

Does changing the SSH port actually improve security?
It significantly reduces automated scan noise: bots targeting port 22 disappear from your logs immediately. It does not stop a targeted attacker using a port scanner. The real security comes from key-only authentication, which is covered in article 3.5.