In this guide, we are going to learn how to configure SSH to use a different port on CentOS. Although configuring the SSH server to listen on a port other than the default, 22, may not gain you much from a security point of view, it still has some advantages:
- reduces attack surface by shielding your server against automated random attacks that target services running on default ports, and attacks that target exploitation of vulnerabilities associated with specific versions of OpenSSH and its crypto libraries,
- reduces the size of the log files, as it stops brute-force failed login attempts directed towards the default SSH port.
Configure SSH to use a different Port on CentOS 7
Step through this guide to learn how to configure SSH server to listen on a different port.
Check if SELinux is Enforcing
Before you proceed, check whether SELinux is enforcing (the status output below is what the sestatus command prints). If it is enforcing, you need to allow the port that you intend to use for SSH in the SELinux policy.
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
As you can see above, SELinux is enforcing.
Add New Port to SELinux Policy
Add the new SSH port to the SELinux policy by running the following command, replacing port 3456 with your desired SSH port:
semanage port -a -t ssh_port_t -p tcp 3456
This will add the new SSH port to the SELinux policy and allow SSH to use it.
Now, verify that SELinux has allowed sshd to listen on the two ports:
semanage port -l | grep ssh
ssh_port_t tcp 3456, 22
If the semanage command is not found, check which package provides semanage and install that package:
yum whatprovides semanage
...output snipped...
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage
Install it as follows:
yum install -y policycoreutils-python
Configure SSH to use a different Port on CentOS
Log in to your server and open the OpenSSH server configuration file, /etc/ssh/sshd_config, for editing.
Uncomment the line, # Port 22, and set it to the desired port. As a safety measure, in case things go south, configure sshd to listen on two ports, the default port and the desired port, so that your config file has two lines as shown below. Once you confirm that the new port works fine, remove the default port setting.
Port 22
Port 3456
- Ensure that no other service is using the new port.
- Replace the ports accordingly.
Open New SSH Port on Firewall
If a firewall is running, allow the new port through it.
firewall-cmd --add-port=3456/tcp --permanent
firewall-cmd --reload
Restart sshd service
systemctl restart sshd
Verify the New SSH Port
After restarting the SSH service, check if the SSH port has been updated successfully. You can do this by running the following command:
ss -altnp4 | grep sshd
LISTEN 0 128 *:3456 *:* users:(("sshd",pid=1176,fd=3))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1176,fd=5))
Connect to SSH using the New Port
Test that you can log in to the server using the new SSH port:
ssh -p 3456 root@server1
If this is successful, go ahead and remove the default port by commenting it out in the sshd configuration file, or block it on the firewall.
Remember to restart sshd after the changes or reload firewall respectively.
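The checks this guide performs by eye before restarting sshd can be scripted. The following is an added example, not part of the original guide: it confirms that the new port is set in sshd_config, that the fallback Port 22 is still present, and that SELinux labels the new port ssh_port_t. The function names and sample data are constructed for illustration.

```bash
#!/bin/sh
# Added example: pre-restart check for the SSH port change described above.
# Function names and SAMPLE_* values are constructed for illustration.

# Print ports set by uncommented Port directives in sshd_config text (stdin).
# sshd_config keywords are case-insensitive, so "port 3456" also counts.
config_ports() {
  awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Print TCP ports labelled ssh_port_t in `semanage port -l` output (stdin).
selinux_ssh_ports() {
  awk '$1 == "ssh_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i }
       }'
}

# preflight NEW_PORT SSHD_CONFIG_TEXT SEMANAGE_TEXT
# Returns 0 only when all three conditions from the guide hold.
preflight() {
  pf_new=$1; pf_cfg=$2; pf_se=$3; pf_rc=0
  if ! printf '%s\n' "$pf_cfg" | config_ports | grep -qx "$pf_new"; then
    echo "FAIL: Port $pf_new is not set in sshd_config"; pf_rc=1
  fi
  if ! printf '%s\n' "$pf_cfg" | config_ports | grep -qx 22; then
    echo "FAIL: fallback Port 22 is missing from sshd_config"; pf_rc=1
  fi
  if ! printf '%s\n' "$pf_se" | selinux_ssh_ports | grep -qx "$pf_new"; then
    echo "FAIL: port $pf_new is not labelled ssh_port_t in SELinux"; pf_rc=1
  fi
  return $pf_rc
}

# Constructed sample input mirroring the values used in this guide.
SAMPLE_CONFIG='#Port 22
Port 22
Port 3456
#AddressFamily any'
SAMPLE_SEMANAGE='ssh_port_t                     tcp      3456, 22'

preflight 3456 "$SAMPLE_CONFIG" "$SAMPLE_SEMANAGE" && echo "preflight passed"

# On a live host (as root), feed it the real data and validate syntax too:
#   preflight 3456 "$(cat /etc/ssh/sshd_config)" "$(semanage port -l)" \
#     && sshd -t && systemctl restart sshd
# sshd -t checks configuration validity only; it does not detect a missing
# SELinux port label, which is why that is checked separately here.
```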
That marks the end of our simple guide on how to Configure SSH to use a different Port on CentOS 7.