How to Configure SSH to use a different Port on CentOS 7


In this guide, we are going to learn how to Configure SSH to use a different Port on CentOS 7.

Even though configuring the SSH server to listen on a port other than the default, 22, may not gain you much from a security point of view, there are still some advantages that go with it:

  • it reduces the attack surface by shielding your server from automated, untargeted attacks that probe services on default ports, including attacks that exploit vulnerabilities in specific versions of OpenSSH and its crypto libraries;
  • it reduces the size of the log files, as it stops the brute-force failed login attempts directed at the default SSH port.

Configure SSH to use a different Port on CentOS 7

Step through this guide to learn how to configure SSH server to listen on a different port.

  1. Log in to your server and open the OpenSSH server configuration file, /etc/ssh/sshd_config, for editing.
    vim /etc/ssh/sshd_config
  2. Uncomment the line # Port 22 and set it to the desired port. As a safety measure, in case things go south, configure sshd to listen on two ports, the default port and the desired port, so that your configuration file has two lines as shown below. Once you confirm that the new port works fine, remove the default port setting.
    Port 22
    Port 3456 <where 3456 is your preferred port>

    Note:

    • Ensure that no other service is using the new port.
    • Replace the ports accordingly.
  3. If a firewall is running, allow the new port through it.
    firewall-cmd --add-port=3456/tcp --permanent
    firewall-cmd --reload
  4. Restart the sshd service.
    systemctl restart sshd
  5. If restarting sshd produces an error like this:
    Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

    and running journalctl -xe as suggested shows that sshd fails to start on the new port because of SELinux permissions, as in the journalctl output below (this particular capture was taken with port 6378 configured):

    # journalctl -xe 
    ...output snipped...
    Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
    Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
    Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.
    Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
    Sep 16 08:21:12 server1 sshd[1074]: fatal: Cannot bind any address.
    Sep 16 08:21:12 server1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
    Sep 16 08:21:12 server1 systemd[1]: Failed to start OpenSSH server daemon.
    ...output snipped...

    Here is how to fix this. Tell SELinux about the new port by running the command below.

    semanage port -a -t ssh_port_t -p tcp 3456

    Now, verify that SELinux has allowed sshd to listen on the two ports:

    semanage port -l | grep ssh
    ssh_port_t  tcp      3456, 22

    If the semanage command is not found, check which package provides it and install that package:

    yum whatprovides semanage
    ...output snipped...
    policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
    Repo : base
    Matched from:
    Filename : /usr/sbin/semanage
    yum install -y policycoreutils-python
  6. Test that you can log in to the server on the new SSH port.
    ssh -p 3456 [email protected]

    If this is successful, go ahead and remove the default port by commenting it out in the sshd configuration file, or block it on the firewall. Remember to restart sshd or reload the firewall, respectively, after the change.
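The steps above gathered into a small script, added here as an example and not part of the original guide. The configuration path, the port value, the helper names and the use of sshd -t and semanage port -m are assumptions; apply_system_changes is the privileged part that must run as root on the CentOS 7 host, while the other helpers can be checked against any file or captured output.

```shell
#!/bin/bash
# Added example: stage a second sshd listen port on CentOS 7 with a safety net.
set -e

# add_ssh_port FILE PORT: make sure FILE lists both "Port 22" and "Port PORT".
# Idempotent, and rejects anything that is not a valid TCP port number.
add_ssh_port() {
  local cfg="$1" port="$2"
  case "$port" in ''|*[!0-9]*) return 2;; esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 2; fi
  # Keep the default port active until the new one is confirmed to work
  grep -Eq '^Port[[:space:]]+22$' "$cfg" || printf 'Port 22\n' >> "$cfg"
  grep -Eq "^Port[[:space:]]+${port}$" "$cfg" || printf 'Port %s\n' "$port" >> "$cfg"
}

# listed_ports FILE: print the active Port directives, ascending, space separated.
# Commented-out lines such as "#Port 22" are ignored.
listed_ports() {
  awk '$1=="Port"{print $2}' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# selinux_allows OUTPUT PORT: given the text of `semanage port -l`, succeed only
# if the ssh_port_t tcp entry already covers PORT (the check from step 5).
selinux_allows() {
  local out="$1" port="$2"
  printf '%s\n' "$out" | awk -v p="$port" '
    $1=="ssh_port_t" && $2=="tcp" { for (i=3; i<=NF; i++) { gsub(",", "", $i); if ($i==p) found=1 } }
    END { exit found ? 0 : 1 }'
}

# apply_system_changes PORT: the privileged steps of the guide (assumed names, not run by tests).
apply_system_changes() {
  local port="$1"
  sshd -t                                   # syntax-check first so a typo cannot lock you out
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
    || semanage port -m -t ssh_port_t -p tcp "$port"   # -m if the port is already labelled
  firewall-cmd --add-port="${port}/tcp" --permanent
  firewall-cmd --reload
  systemctl restart sshd
}
```

Run apply_system_changes only after add_ssh_port has succeeded and listed_ports shows both ports, then confirm with ssh -p before removing Port 22.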

That marks the end of our simple guide on how to Configure SSH to use a different Port on CentOS 7.


2 COMMENTS

  1. Explained in a detailed manner, and even the error which can come through is also shown. Keep up the good work. Thanks a lot for sharing your knowledge.
