In this guide, we are going to learn how to configure SSH to use a different port on CentOS. Even though configuring the SSH server to listen on a port other than the default, 22, may not gain you much from a security point of view, there are still some advantages that go with it:
- reduces attack surface by shielding your server against automated random attacks that target services running on default ports, and attacks that target exploitation of vulnerabilities associated with specific versions of OpenSSH and its crypto libraries,
- reduces the size of the log files, as it stops brute-force failed login attempts directed at the default SSH port.
Configuring SSH to use a different Port on CentOS 7
Step through this guide to learn how to configure SSH server to listen on a different port.
Check if SELinux is Enforcing
Before you can proceed, check if SELinux is enforcing. If it is enforcing, you need to allow a port that you intend to use for SSH through SELinux policy.
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
As you can see above, SELinux is enforcing.
Add New Port to SELinux Policy
Add the new SSH port to the SELinux policy by running the following command, replacing port 3456 with your desired SSH port:
semanage port -a -t ssh_port_t -p tcp 3456
This will add the new SSH port to the SELinux policy and allow SSH to use it.
Now, verify that SELinux has allowed sshd to listen on the two ports:
semanage port -l | grep ssh
ssh_port_t tcp 3456, 22
If the semanage command is not found, check which package provides semanage and install that package:
yum whatprovides semanage
...output snipped...
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage
Install it as follows;
yum install -y policycoreutils-python
Configuring SSH to use a different Port
Log in to your server and open the OpenSSH server configuration file, /etc/ssh/sshd_config, for editing.
Uncomment the line, # Port 22, and set it to the desired port. As a safety measure, in case things go south, configure sshd to listen on two ports, the default port and the desired port, so that your config file has two lines as shown below. Once you confirm that the new port works fine, remove the default port setting.
Port 22
Port 3456
Note:
- Ensure that no other service is using the new port.
- Replace the ports accordingly.
Open New SSH Port on Firewall
If a firewall is running, allow the new port through it.
firewall-cmd --add-port=3456/tcp --permanent
firewall-cmd --reload
Restart sshd service
systemctl restart sshd
Verify the New SSH Port
After restarting the SSH service, check if the SSH port has been updated successfully. You can do this by running the following command:
ss -altnp4 | grep sshd
LISTEN 0 128 *:3456 *:* users:(("sshd",pid=1176,fd=3))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1176,fd=5))
Connect to SSH using the New Port
Test that you can log in to the server with the new SSH port:
ssh -p 3456 root@server1
If this is successful, go ahead and remove the default port by commenting it out in the sshd configuration file, or block it on the firewall.
Remember to restart sshd or reload the firewall, respectively, after the change.
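The checks from the SELinux and verification steps can be combined into one pass that compares every Port line in sshd_config with the ssh_port_t labels and the sockets sshd actually holds. The script below is an added example, not part of the original guide; the function names, the temporary file names and port 4567 are assumptions, and the sample inputs are constructed from the outputs shown above.

```sh
#!/bin/sh
# Added example: cross-check sshd_config ports against SELinux labels and listeners.

# Ports from uncommented "Port" lines; sshd uses 22 when none are set.
config_ports() {
  awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# tcp ports labelled ssh_port_t, parsed from `semanage port -l` output on stdin.
selinux_ports() {
  awk '$1 == "ssh_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i } }'
}

# Ports sshd listens on, parsed from `ss -ltnp` output on stdin.
listen_ports() {
  awk '/"sshd"/ { n = split($4, a, ":"); print a[n] }'
}

# audit CONFIG SEMANAGE_OUT SS_OUT: one verdict per configured port;
# returns non-zero if any port lacks the label or a listener.
audit() {
  rc=0
  for p in $(config_ports "$1"); do
    if ! selinux_ports < "$2" | grep -qx "$p"; then
      echo "$p: missing ssh_port_t label"; rc=1
    elif ! listen_ports < "$3" | grep -qx "$p"; then
      echo "$p: sshd not listening"; rc=1
    else
      echo "$p: ok"
    fi
  done
  return "$rc"
}

# Constructed sample inputs modelled on the outputs in this guide; port 4567 is
# a made-up port that was added to sshd_config but never labelled.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 22' 'Port 3456' 'Port 4567' > "$tmp/sshd_config"
printf '%s\n' 'ssh_port_t    tcp    3456, 22' > "$tmp/semanage.out"
printf '%s\n' 'LISTEN 0 128 *:3456 *:* users:(("sshd",pid=1176,fd=3))' \
              'LISTEN 0 128 *:22 *:* users:(("sshd",pid=1176,fd=5))' > "$tmp/ss.out"

audit "$tmp/sshd_config" "$tmp/semanage.out" "$tmp/ss.out" ||
  echo "fix the ports flagged above before removing Port 22"
```

On a live host, pass /etc/ssh/sshd_config together with the saved output of semanage port -l and of the ss command from the verification step, both run as root so that the process names are visible.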
That marks the end of our simple guide on configuring SSH to use a different Port on CentOS 7.
Helpful, Thank You.
Explained in a detailed manner, and even the errors which can come up are also shown. Keep up the good work. Thanks a lot for sharing your knowledge.