{"id":643,"date":"2018-09-07T04:30:37","date_gmt":"2018-09-07T01:30:37","guid":{"rendered":"http:\/\/kifarunix.com\/?p=643"},"modified":"2024-03-11T19:43:45","modified_gmt":"2024-03-11T16:43:45","slug":"how-to-configure-ssh-to-use-a-different-port-on-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-configure-ssh-to-use-a-different-port-on-centos-7\/","title":{"rendered":"How to Configure SSH to use a different Port on CentOS 7"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to configure SSH to use a different Port on CentOS. Even though configuring the <a href=\"https:\/\/www.openssh.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSH<\/a> Server to listen on a port other than the default port, 22, may not gain you much from a security point of view, there are still some advantages that go with it:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>reduces attack surface by shielding your server against automated random attacks that target services running on default ports, <span class=\"comment-copy\">attacks that target exploitation of vulnerabilities associated with specific versions of OpenSSH and its crypto libraries,<\/span><\/li>\n\n\n\n<li><span class=\"comment-copy\">reduces the size of the log files as it stops failed brute-force login attempts directed towards the default SSH port.<\/span><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-ssh-to-use-a-different-port-on-cent-os-7\">Configuring SSH to use a different Port on CentOS 7<\/a><ul><li><a href=\"#check-if-se-linux-is-enforcing\">Check if SELinux is Enforcing<\/a><\/li><li><a href=\"#add-new-port-to-se-linux-policy\">Add New Port to SELinux Policy<\/a><\/li><li><a href=\"#configuring-ssh-to-use-a-different-port\">Configuring SSH to use a different Port<\/a><\/li><li><a href=\"#verify-the-new-ssh-port\">Verify the New SSH 
Port<\/a><\/li><li><a href=\"#connect-to-ssh-using-the-new-port\">Connect to SSH using the New Port<\/a><\/li><li><a href=\"#other-ssh-tutorials\">Other SSH Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-ssh-to-use-a-different-port-on-cent-os-7\">Configuring SSH to use a different Port on CentOS 7<\/h2>\n\n\n\n<p>Step through this guide to learn how to configure SSH server to listen on a different port.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"check-if-se-linux-is-enforcing\">Check if SELinux is Enforcing<\/h3>\n\n\n\n<p>Before you can proceed, check if SELinux is enforcing. If it is enforcing, you need to allow a port that you intend to use for SSH through SELinux policy.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sestatus<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nSELinux status:                 enabled\nSELinuxfs mount:                \/sys\/fs\/selinux\nSELinux root directory:         \/etc\/selinux\nLoaded policy name:             targeted\nCurrent mode:                   enforcing\nMode from config file:          enforcing\nPolicy MLS status:              enabled\nPolicy deny_unknown status:     allowed\nMax kernel policy version:      31\n<\/code><\/pre>\n\n\n\n<p>As you can see above, SELinux is enforcing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-new-port-to-se-linux-policy\">Add New Port to SELinux Policy<\/h3>\n\n\n\n<p>Add the new SSH port to the SELinux policy by running the following command, replacing <code>PORT 3456<\/code> with your desired SSH port:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>semanage port -a -t ssh_port_t -p tcp 3456<\/code><\/pre>\n\n\n\n<p>This will add the new SSH port to the SELinux policy and allow SSH to use it.<\/p>\n\n\n\n<p>Now, verify that SELinux has allowed sshd to listen on the two ports:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>semanage port -l | grep ssh<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>ssh_port_t  tcp      <strong>3456<\/strong>, 22<\/code><\/pre>\n\n\n\n<p>If the semanage command is not found, check which package provides it and install that package:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum whatprovides semanage<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...output snipped...\npolicycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities\nRepo : base\nMatched from:\nFilename : \/usr\/sbin\/semanage<\/code><\/pre>\n\n\n\n<p>Install it as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>yum install -y policycoreutils-python<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-ssh-to-use-a-different-port\">Configuring SSH to use a different Port<\/h3>\n\n\n\n<p>Log in to your server and open the OpenSSH server configuration file, <strong>\/etc\/ssh\/sshd_config<\/strong>, for editing.<\/p>\n\n\n\n<p>Uncomment the line <strong># Port 22<\/strong> and set it to the desired port. <strong>But as a safety measure, just in case things go south, configure sshd to listen on two ports, the default port and the desired port, so that your config file has two lines as shown below. 
Once you confirm that the new port works fine, remove the default port setting.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Port 22\nPort 3456<\/code><\/pre>\n\n\n\n<p>Note:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure that no other service is using the new port.<\/li>\n\n\n\n<li>Replace the ports accordingly.<\/li>\n<\/ul>\n\n\n\n<p>Open New SSH Port on Firewall<\/p>\n\n\n\n<p>If the firewall is running, allow the new port through it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>firewall-cmd --add-port=3456\/tcp --permanent\nfirewall-cmd --reload<\/code><\/pre>\n\n\n\n<p>Restart the sshd service<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart sshd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-the-new-ssh-port\">Verify the New SSH Port<\/h3>\n\n\n\n<p>After restarting the SSH service, check if the SSH port has been updated successfully. 
You can do this by running the following command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ss -altnp4 | grep sshd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN     0      128          *:3456                     *:*                   users:((\"sshd\",pid=1176,fd=3))\nLISTEN     0      128          *:22                       *:*                   users:((\"sshd\",pid=1176,fd=5))<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"connect-to-ssh-using-the-new-port\">Connect to SSH using the New Port<\/h3>\n\n\n\n<p>Test that you can log in to the server with the new SSH port:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -p 3456 root@server1<\/code><\/pre>\n\n\n\n<p>If this is successful, go ahead and remove the default port by commenting it out in the sshd configuration file, or block it on the firewall.<\/p>\n\n\n\n<p>Remember to restart sshd after the changes or reload the firewall, respectively. 
<\/p>\n\n\n\n<p>That marks the end of our simple guide on configuring SSH to use a different Port on CentOS 7.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-ssh-tutorials\">Other SSH Tutorials<\/h3>\n\n\n\n<p><a title=\"Connect to VNC Server via SSH Tunnel\" href=\"https:\/\/kifarunix.com\/connect-to-vnc-server-via-ssh-tunnel\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Connect to VNC Server via SSH Tunnel<\/a><\/p>\n\n\n\n<p><a title=\"Monitor Linux Hosts using Nagios check_by_ssh Plugin\" href=\"https:\/\/kifarunix.com\/monitor-linux-hosts-using-nagios-check_by_ssh-plugin\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Monitor Linux Hosts using Nagios check_by_ssh Plugin<\/a><\/p>\n\n\n\n<p><a title=\"Configure SSH Public Key Authentication in Linux\" href=\"https:\/\/kifarunix.com\/configure-ssh-public-key-authentication-in-linux\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">Configure SSH Public Key Authentication in Linux<\/a><\/p>\n\n\n\n<p><a title=\"How to Enable RDP\/SSH File Transfer Over Guacamole\" href=\"https:\/\/kifarunix.com\/how-to-enable-rdp-ssh-file-transfer-over-guacamole\/\" target=\"_blank\" rel=\"bookmark noopener noreferrer\">How to Enable RDP\/SSH File Transfer Over Guacamole<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to configure SSH to use a different Port on CentOS. 
Even though configuring SSH Server to<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[71,125],"class_list":["post-643","post","type-post","status-publish","format-standard","hentry","category-howtos","tag-ssh","tag-sshd","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/643"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=643"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/643\/revisions"}],"predecessor-version":[{"id":20993,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/643\/revisions\/20993"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}