Changing sshd port

spiffybrian · May 4, 2026, 10:40am

I have been trying to do some security hardening on a new system, and I’ve come across a somewhat concerning “feature” of the upcp process.

An important security tenant is to reduce the attack surface on the server, and one important thing to do is to lock down the ssh port.

I do this by adding firewall rules into the pre and post chains to allow access from a defined set of authorized IPs and the in the post chain drop all ssh packets. This also relies on deleting the access to port 22 in the normal allow chain that is added by default.

It turns out that after running “upcp -sb” the default allow port 22 rule is quietly added back negating the IP authorizations.

This is not great, but what I want to know is when does the system run “upcp” by itself? Is this done on a daily basis, and if so is there a way to tun it off so that it can be manually run when needed under manual control?

msaladna · May 4, 2026, 1:56pm

ApisCP comes hardened out of the box. I wouldn’t overthink it. A top-down architecture is available through ARCHITECTURE.md. To change the port, use the system.sshd-port Scope.

# Change port from 22/TCP -> 42069/TCP
cpcmd scope:set system.sshd-port 42069

Scope usage is necessary so the firewall can provide continuous protection against threats. This leads me to my second point, I’d let the firewall operate organically by leaving the port as-is rather than relying on security through obscurity. Persistent threats are sent to a high-performance ipset list, which provides weeklong blocks across all ports on the server.

For example, here are usage figures from 2 production servers,