Changing default remote access ports, such as port 3389 for RDP on Windows and port 22 for SSH on Linux, enhances system security. This practice protects your instance from automated attacks and port scanning that target these well-known ports. This topic explains how to change the default remote port of an ECS instance.
Change a Windows instance's default remote port
This section shows how to change the default remote port of a Windows instance, using Windows Server 2022 as an example.
When you use Microsoft Remote Desktop for Mac to connect to a Windows ECS instance, only the default port 3389 is supported.
Connect to the Windows instance.
For more information, see Connect to a Windows instance by using Workbench.
Modify the value of the PortNumber registry subkey.
Press Win (Windows logo key)+R to open the Run dialog box.
Enter regedit.exe and press Enter to open Registry Editor.
In the navigation pane on the left, navigate to .
In the right pane, find and right-click the PortNumber registry subkey, and then select Modify.
In the dialog box, enter the new remote port number in the Value data text box. In this example, use 3399. Under Base, select Decimal and click OK.
In the navigation pane on the left, navigate to .
In the right pane, find and right-click the PortNumber registry subkey, and then select Modify.
In the dialog box, enter the new remote port number in the Value data text box. In this example, use 3399. Under Base, select Decimal and click OK.
Restart the ECS instance in the ECS console.
For more information, see Restart instances.
Check the status of the Windows firewall and disable it.
For more information, see Manage the Windows firewall.
Add a security group rule to allow inbound traffic on the new remote port.
For more information, see Add a security group rule.
To connect to the instance, append the new port number to its remote address.

Change a Linux instance's default remote port
This section shows how to change the default remote port of a Linux instance, using Alibaba Cloud Linux 3 as an example.
After you complete these steps, you can no longer use the default port 22 to remotely access the ECS instance.
Connect to the Linux instance.
For more information, see Log on to a Linux instance by using Workbench.
Run the following command to back up the sshd configuration file:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
Modify the port number for the sshd service.
Run the following command to edit the sshd_config file:
sudo vim /etc/ssh/sshd_config
Press i to enter Insert mode.
Change the port number.
In this example, find the Port 22 line and change it to Port 1022.
Press the Esc key, enter :wq, and then press Enter to save your changes and exit.
Run the following command to restart the sshd service and apply the port change:
sudo systemctl restart sshd
Check the status of the Linux system firewall and disable it.
For more information, see Manage the system firewall on Linux.
Add a security group rule to allow inbound traffic on TCP port 1022.
For more information, see Add a security group rule.
Verify the change by connecting to the instance on the new port with an SSH client.
When you log on, enter the new port number in the Port text box. In this example, enter 1022.
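The backup and edit steps above can also be scripted. The following is an added example, not part of the original procedure; the helper name set_sshd_port is hypothetical. It goes slightly beyond the manual edit by also handling a commented-out default line (#Port 22) and a configuration that contains Match blocks.

```shell
#!/bin/sh
# Added example; set_sshd_port is a hypothetical helper, not from the page.

# set_sshd_port CONFIG PORT
#   Copies CONFIG to CONFIG_bak, then leaves exactly one active Port line.
#   Returns 2 for an invalid port and 1 for an I/O failure.
set_sshd_port() {
    cfg=$1
    port=$2
    # Accept only an integer in 1..65535.
    case $port in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    [ -f "$cfg" ] || return 1
    cp -p "$cfg" "${cfg}_bak" || return 1    # backup name used on the page
    tmp=$(mktemp) || return 1
    # Rewrite the first Port line, whether active or the commented default
    # ("#Port 22"), and drop any other active Port line so the old port is
    # closed. Port is a global-only directive, so if no Port line precedes
    # the first Match block, insert the new line just before that block.
    awk -v port="$port" '
        function emit() { if (!done) { print "Port " port; done = 1 } }
        /^[ \t]*#?[ \t]*[Pp][Oo][Rr][Tt][ \t]+[0-9]+[ \t]*$/ {
            if (!done) { emit(); next }
            if ($0 !~ /^[ \t]*#/) next
        }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { emit() }
        { print }
        END { emit() }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file to keep its owner and mode.
    cat "$tmp" > "$cfg" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Demo on a constructed sample file, not a real server configuration.
demo=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin no' \
    'Match User deploy' '    X11Forwarding no' > "$demo"
set_sshd_port "$demo" 1022 && grep -n '^Port' "$demo"
rm -f "$demo" "${demo}_bak"
```

On a real host, run the function against /etc/ssh/sshd_config with sudo, check the result with sudo sshd -t before restarting sshd, and keep the current session open until a login on the new port succeeds.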
