
Mac OS-X tips: How to run SSHD on an alternative port

This tip falls into the "I had to spend more than 10 minutes looking for an answer" category, so it's a worthwhile subject for a quick blog post.

Why Run SSH?

Running SSH on Mac OS X allows you to log in to your machine remotely, and also to copy files securely to and from your Mac with the scp command.

But I am behind my own $50 router/firewall. Can I still connect to my computer from outside?

Yes. Most off-the-shelf routers and firewalls will let you do the two things needed for this:

  1. Assign a permanent (static) IP address to your Mac on the local network (see your router documentation for details).
  2. Create a port forwarding rule on your router, e.g. any request to port 22 on your router's external IP is forwarded to the local IP address of your Mac. The exact configuration is, once again, in your router documentation. Most off-the-shelf routers support this, including basic Netgear and D-Link models.

So let's assume you've set this whole thing up and you are now able to connect from outside to port 22 of the external IP address of your firewall, which then forwards to port 22 on your Mac. This is great, since now you can copy files via scp from the internet to your computer, connect to it from your office, etc.

But why would you want to run SSH on an alternative port, and not 22?

The simple answer is that port 22 is probably the most obvious port to "probe" from outside. Attackers run automated port scans of publicly visible IP addresses, but scanning all 65,535 ports of every host takes a long time, so those sweeps typically cover only a small subset of well-known ports. An open port 22 is a clear sign of a server system, which makes it a likely candidate for an attack. Close port 22 and, to the outside world, your system looks a lot more boring. Boring is good. Keep in mind that this only cuts the noise from mass scans: a targeted scan of the full port range will still find sshd wherever it listens, so key-based authentication (with password logins disabled) remains the real protection.

So I still want to use my SSH connection, but would rather not do it on the default port. More expensive firewalls and routers let you forward, say, port 33333 on the outside to port 22 on the inside. But none of the cheap off-the-shelf routers I've seen allow that: they take only an input port and a destination IP, which means the outside port and the inside port must be the same. That's a silly limitation and a small bummer. So to make this work with my cheap router, I have to change the listening port on my Mac itself.

Frankly, this isn't a bad idea anyway: whenever you connect your laptop to a public Wi-Fi network, anyone on that network can connect directly to your Mac and probe its open ports, so keeping sshd on port 22 there is not that great of an idea either.

To change the port of the SSH daemon on Mac OS X, follow these steps:

  1. Open Terminal and edit the file /etc/services as root.
  2. Add a line at the bottom: secret-ssh 43539/tcp # secret SSH port
     (The name is arbitrary, but pick a port that is not already listed in /etc/services: launchd resolves the service name through this file, so a clash would hand sshd another program's port.)
  3. Edit the file /System/Library/LaunchDaemons/ssh.plist and replace
    <key>SockServiceName</key>
    <string>ssh</string>

    with
    <key>SockServiceName</key>
    <string>secret-ssh</string>

  4. Change the port forwarding rule on your router to forward port 43539 instead of 22.
  5. Open the "Sharing" preference pane and make sure "Remote Login" is unchecked (if it is checked, uncheck it). Then check it again so sshd restarts with the new configuration.

Now you should be able to SSH to your external IP as follows:

ssh -p 43539 ip_address_of_your_server -l username

To copy a file from the machine you are sitting at to your Mac's desktop, run:

scp -P 43539 local_file.txt username@ip_address_of_your_server:~/Desktop

Note that scp takes an upper-case "-P" for the remote server's port, while regular ssh takes a lower-case "-p". That's it, hope it helps! :)
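The five steps above, scripted: this is an added example, not code from the original post. The functions take the file paths as arguments so they can be tried on copies of /etc/services and ssh.plist (no root needed) before being pointed at the real files, and the last function resolves the plist's SockServiceName through the services file the way launchd does, which is the check that the edit actually moved sshd to the intended port. The service name "secret-ssh" and port 43539 are the post's example values; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): the /etc/services and ssh.plist
# edits as functions operating on whatever files are passed in, plus a check
# that resolves the configured service name back to a port number.
set -eu

# True (exit 0) if PORT/tcp is already assigned to some service in the given
# services file. launchd resolves SockServiceName through this database, so a
# clash here is exactly the "interfere with another process" case.
port_taken() {          # usage: port_taken SERVICES_FILE PORT
    grep -Eq "^[^#[:space:]]+[[:space:]]+$2/tcp([[:space:]]|$)" "$1"
}

# Steps 1-2: append "NAME PORT/tcp" unless the port is already claimed.
add_service() {         # usage: add_service SERVICES_FILE NAME PORT
    if port_taken "$1" "$3"; then
        echo "add_service: port $3/tcp is already assigned in $1" >&2
        return 1
    fi
    printf '%s\t%s/tcp\t# secret SSH port\n' "$2" "$3" >> "$1"
}

# Step 3: rewrite only the <string> that follows <key>SockServiceName</key>,
# leaving every other key in the plist untouched. Written to a temp file and
# moved into place so it behaves the same with BSD and GNU tools.
patch_plist() {         # usage: patch_plist PLIST_FILE NAME
    awk -v name="$2" '
        prev ~ /<key>SockServiceName<\/key>/ && /<string>[^<]*<\/string>/ {
            sub(/<string>[^<]*<\/string>/, "<string>" name "</string>")
        }
        { print; prev = $0 }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Check: look up the plist's SockServiceName in the services file and print
# the TCP port sshd will listen on after launchd reloads it.
resolve_port() {        # usage: resolve_port SERVICES_FILE PLIST_FILE
    name=$(awk '
        prev ~ /<key>SockServiceName<\/key>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
        { prev = $0 }
    ' "$2")
    [ -n "$name" ] || return 1
    awk -v name="$name" '
        $1 == name && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }
    ' "$1"
}

# Applying it for real on the Leopard/Snow Leopard-era system the post
# describes (as root, after backing up both files):
#   add_service /etc/services secret-ssh 43539
#   patch_plist /System/Library/LaunchDaemons/ssh.plist secret-ssh
#   resolve_port /etc/services /System/Library/LaunchDaemons/ssh.plist   # 43539
#   launchctl unload -w /System/Library/LaunchDaemons/ssh.plist
#   launchctl load -w /System/Library/LaunchDaemons/ssh.plist
#   lsof -nP -iTCP:43539 -sTCP:LISTEN    # sshd should now be listening here
```

The launchctl unload/load pair does the same thing as toggling "Remote Login" in step 5, and the lsof line confirms that sshd is bound to the new port before you rely on the router rule. Note that /System is protected by System Integrity Protection on OS X 10.11 and later, so this edit only applies to the releases the post targets.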

Comments

deKay said…
Hey, thanks for this - really useful! I have one thing to add though - you (may) need to add an entry to the firewall settings to allow connections.
Unknown said…
No worries, glad it was useful. Yes - of course you must enable the port on your firewall, I think I mentioned this too.
Anonymous said…
If I want to choose another port number, how do I determine which numbers are good or bad choices? Could I interfere with other processes if I choose an arbitrary number?
Anonymous said…
This produced an odd warning on Leopard. I see in Console:

3/9/08 10:48:06 PM com.apple.launchd[1] (com.openssh.sshd) Unknown key: SHAuthorizationRight

Seems to work regardless.

Best explanation I can find:

http://www.nabble.com/The-mysterious-SHAuthorizationRight-key-td14115115.html

Re: The mysterious SHAuthorizationRight key
by Dave Zarzycki Dec 03, 2007; 01:01pm :: R
...
A project at Apple is overloading the launchd configuration file
schema to store non-launchd preferences. We hope to resolve this
matter in the next major version of Mac OS X.

davez
Anonymous said…
Thanks for the tips. For what it's worth, people with the excellent linux-based Linksys 54g router (and variations of that router) can use a few awesome open source firmwares that will give the ability to port map, along with lots of other juicy stuff.

http://www.dd-wrt.com

You basically get a very expensive router in the body of a standard, cheap router.
Anonymous said…
I posted awhile back asking how to know what port numbers are allocated to programs, and which are not. The answer is determined by the IANA, and you can see a full list of ports at: http://www.iana.org/assignments/port-numbers

The list includes all 64,000 ports, so it is long. But if you had a particular number in mind you like to try, you can scroll and see if it is unallocated or not.

My only original problem with this hack is that, well, you're telling everyone what port is being used, which sort of defeats the whole purpose!
Unknown said…
Thanks, this worked for me :)
Anonymous said…
Telling everybody what port? Gawd, come on! If you're not smart enough to infer that the port number is an example (you have 64,000 to choose from in your own setup), then you probably shouldn't be screwing with SSH in the first place.
Anonymous said…
How do you edit /etc/services as root? (I'm new to bash.)
Anonymous said…
Use vi, of course!
Unknown said…
sudo vi /etc/services
:wq

:w (saves the file)
:q (quits the file)
MacNetDaemon said…
I know this post is a few years old but I found this information very useful to implement on my snow leopard server after discovering repeated attempts by person(s) unknown to hack into my server via port 22. The only additions I made were adding a reference to the UDP port and of course choosing a different port. Thank you for this info.
Thanks, this was very easy to follow.
Anonymous said…
why not just edit these lines and change the port from 22 to whatever instead of adding secret-ssh?

ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol

Cheers,
Frank
Rob said…
Thanks for this!
