In this guide, we are going to learn how to Configure SSH to use a different Port on CentOS 7.
Even though configuring the SSH server to listen on a port other than the default port, 22, may not gain you much from a security point of view, there are still some advantages that go with it:
- it reduces the attack surface by shielding your server against automated random attacks that target services running on default ports, including attacks that try to exploit vulnerabilities associated with specific versions of OpenSSH and its crypto libraries,
- it reduces the size of the log files, since brute-force failed login attempts directed at the default SSH port no longer reach sshd.
Configure SSH to use a different Port on CentOS 7
Step through this guide to learn how to configure SSH server to listen on a different port.
- Login to your server and open the OpenSSH server configuration file, /etc/ssh/sshd_config for editing.
vim /etc/ssh/sshd_config
- Uncomment the line # Port 22 and set it to the desired port. As a safety measure, in case things go south, configure sshd to listen on two ports, the default port and the desired port, so that your config file has two lines as shown below. Once you confirm that the new port works fine, remove the default port setting.
Port 22
Port 3456
(where 3456 is your preferred port)
Note:
- Ensure that no other service is using the new port.
- Replace the ports accordingly.
- If the firewall is running, allow the new port through it.
firewall-cmd --add-port=3456/tcp --permanent
firewall-cmd --reload
- Restart the sshd service.
systemctl restart sshd
- If restarting sshd produces an error such as:
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
and by running journalctl -xe as suggested you find out that sshd fails to start with the new port set due to SELinux permissions, as shown in the journalctl output below:
# journalctl -xe
...output snipped...
Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.
Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
Sep 16 08:21:12 server1 sshd[1074]: fatal: Cannot bind any address.
Sep 16 08:21:12 server1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Sep 16 08:21:12 server1 systemd[1]: Failed to start OpenSSH server daemon.
...output snipped...
Here is how to fix this. SELinux only allows sshd (the sshd_t domain) to bind ports labelled ssh_port_t, so you need to tell SELinux about the new port by running the command below.
semanage port -a -t ssh_port_t -p tcp 3456
Now, verify that SELinux has allowed sshd to listen on the two ports:
semanage port -l | grep ssh
ssh_port_t tcp 3456, 22
If the semanage command is not found, check which package provides semanage and install that package:
yum whatprovides semanage
...output snipped...
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo        : base
Matched from:
Filename    : /usr/sbin/semanage
yum install -y policycoreutils-python
- Test that you can log in to the server on the new SSH port, keeping your existing session open in case the new port does not work.
ssh -p 3456 root@server1
If this is successful, go ahead and remove the default port, either by commenting it out in the sshd configuration file or by blocking it on the firewall. Remember to restart sshd or reload the firewall, respectively, after the changes.
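As an added example that is not part of the original guide, the POSIX shell helpers below stage the sshd_config change from the steps above on a copy of the file (uncommenting # Port 22, keeping Port 22 alongside the new port, and staying idempotent on repeated runs), and check the output of semanage port -l | grep ssh for the new port. The function names and the sample config are my own constructions; run them against a copy, never directly against the live /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example helpers (not from the original guide).

# Return 0 if $1 is a valid TCP port number in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Add "Port <new>" to the sshd_config file $1 while keeping "Port 22",
# so the default port stays reachable until the new one is confirmed.
# A commented "#Port 22" line is uncommented; repeated runs add nothing.
stage_ssh_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    sed 's/^#[[:space:]]*Port[[:space:]][[:space:]]*22[[:space:]]*$/Port 22/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q '^Port[[:space:]][[:space:]]*22[[:space:]]*$' "$cfg" \
        || echo 'Port 22' >> "$cfg"
    grep -q "^Port[[:space:]][[:space:]]*$port[[:space:]]*\$" "$cfg" \
        || echo "Port $port" >> "$cfg"
}

# Read `semanage port -l | grep ssh` output on stdin; return 0 if the
# ssh_port_t tcp line lists port $1 (the guide shows "tcp 3456, 22").
selinux_has_ssh_port() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Demonstration on a constructed sample config (assumed content).
demo_cfg=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo_cfg"
stage_ssh_port "$demo_cfg" 3456
cat "$demo_cfg"
rm -f "$demo_cfg"
```

After staging, run sshd -t to syntax-check the file before restarting the service.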
That marks the end of our simple guide on how to Configure SSH to use a different Port on CentOS 7.