Secure File Transfer Protocol (SFTP) is a robust protocol used for secure file transfers over encrypted connections. By default, SFTP runs on port 22, the same port number used by its parent protocol, SSH (Secure Shell). However, there are many situations where you might need to specify a different port for your SFTP connections.
Why Change the Default SFTP Port?
Port 22, the default for SFTP and SSH, is frequently targeted by automated attacks. Using a non-standard port can significantly reduce the number of these automated attempts while maintaining secure file transfers. Additionally, your organization might need to use multiple protocols on separate ports, or your default port might be blocked by a firewall.
How SFTP Works with SSH
Before diving into port configuration, it's important to understand that SFTP (SSH File Transfer Protocol) is not a standalone protocol but a subsystem of SSH. Unlike other file transfer protocols, SFTP doesn't run as a separate service—it operates through the SSH server. This means that when you configure the SFTP port, you're actually configuring the SSH port that handles the file transfers.
Configuring the SSH Server to Use a Custom Port
To specify a custom port for SFTP connections, you need to modify your SSH server configuration:
1. Open the SSH server configuration file, typically located at /etc/ssh/sshd_config
2. Locate the line that specifies the port (or add it if not present)
3. Change it to your desired port number (the commands on this page use 2222)
4. Save the file and restart the SSH service:
sudo systemctl restart sshd
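The four steps above as a script, given here as an added example that is not part of the original article: it rewrites the port in a config file, checks the result with sshd -t, and restores the backup if the check fails. The function names are hypothetical, 2222 is the port used elsewhere on this page, and the ss utility from iproute2 is assumed for the availability check.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). 2222 is the page's example port.

# valid_port PORT: true only for an integer in 1024..65535 (non-reserved range).
valid_port() {
  case "$1" in
    ''|*[!0-9]*|??????*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# port_in_use PORT: true if a TCP listener already holds PORT (needs iproute2 ss).
port_in_use() {
  ss -Htln "sport = :$1" 2>/dev/null | grep -q .
}

# set_sshd_port FILE PORT: back up FILE, drop active Port lines, put ours first.
# The line goes at the top because Port is not allowed inside a Match block,
# and a Match block extends to the next Match line or the end of the file.
set_sshd_port() {
  file=$1 port=$2
  valid_port "$port" || { echo "refusing port '$port': use 1024-65535" >&2; return 1; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp -p "$file" "$file.bak" || return 1
  tmp=$(mktemp) || return 1
  # Keywords are case-insensitive; commented lines such as "#Port 22" are kept.
  { printf 'Port %s\n' "$port"; awk 'tolower($1) != "port"' "$file.bak"; } > "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps FILE's owner and mode
}

# apply_sshd_port PORT: the full procedure on the live config (run as root).
apply_sshd_port() {
  cfg=/etc/ssh/sshd_config
  if port_in_use "$1"; then echo "port $1 already has a listener" >&2; return 1; fi
  set_sshd_port "$cfg" "$1" || return 1
  # sshd -t only parses the config; restore the backup if it is rejected.
  if ! sshd -t -f "$cfg"; then cp -p "$cfg.bak" "$cfg"; return 1; fi
  # Keep the current session open until a login on the new port succeeds.
  systemctl restart sshd
}

# Usage (as root): apply_sshd_port 2222
```

Port lines set in files pulled in by an Include directive are not touched by this script, so check those separately if your distribution uses them.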
Connecting to SFTP on a Non-Default Port
Once you've configured your SSH server to listen on a new port, you'll need to specify this port when connecting:
sftp -P 2222 username@hostname
Note the capital -P flag, which is different from the lowercase -p used in standard SSH connections.
Firewall Configuration for the New Port
After changing the SFTP port, you'll need to update your firewall rules to allow connections on the new port:
Using UFW (Uncomplicated Firewall):
Using firewalld:
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
Best Practices for Port Selection
When selecting a new port for your SFTP server, consider these best practices:
Avoid reserved ports (below 1024)
Check port availability to ensure no other services are using it
Enterprise Solutions: Managed File Transfer Software
For organizations handling large volumes of file transfers, managed file transfer software offers advanced features beyond basic SFTP port configuration, including:
Multiple protocol support
Enhanced security features
Detailed audit logging
Automation capabilities
Common Issues When Specifying SFTP Ports
Some users confuse SFTP command syntax with regular FTP. Remember that with SFTP, you use -P (uppercase) to specify the port, while many other commands use -p (lowercase).
Testing Your Configuration
After making changes to your SFTP port, always test the connection:
sftp -P 2222 -v username@hostname
The -v flag enables verbose output, helping you troubleshoot any connection issues.
Conclusion
Specifying a custom port for SFTP connections is a straightforward but effective security measure. By moving away from the default port 22, you can reduce automated attacks while maintaining secure file transfer capabilities. Whether you're managing a small team's file sharing needs or implementing an enterprise-scale secure data transfer solution, understanding how to properly configure SFTP ports is an essential skill for network administrators and IT professionals.