How to change SSH port on centos 6
Moving sshd off port 22 keeps the server out of the path of the scanners and brute-force bots that only try the default port, which cuts log noise and failed-login attempts on a Linux VPS. It is not a substitute for key-based authentication and a firewall, but it is a cheap first step, and the sections below walk through it for CentOS 6, 7 and 8.
The sshd server listens on TCP port 22 by default, but you can change the port it listens on.
To change the port, first of all, you will have to open the SSH configuration file:
/etc/ssh/sshd_config
Then type:
Port PortNumberHere
OR
ListenAddress IPv4Address:Port
ListenAddress IPv6Address:Port
ListenAddress Hostname:Port
A ListenAddress that omits the port uses the value of the Port directive (22 if none is set). Multiple Port and ListenAddress lines are allowed; sshd then listens on every address for every port. On the OpenSSH 5.3 shipped with CentOS 6, a Port line must come before any ListenAddress that omits the port, so keep Port above ListenAddress in the file.
Run ssh on a non-standard port # 2022 using Port option
To edit /etc/ssh/sshd_config, enter:
# vi /etc/ssh/sshd_config
Edit to set Port to 2022:
Port 2022
Save and close the file.
Run ssh on a non-standard port # 2022 using ListenAddress option
Try ListenAddress as follows:
## bind sshd to two IP address on a non-standard port ##
ListenAddress 192.168.1.5:2022
ListenAddress 203.1.2.3:2022
Save and close the file
Reload SSHD service
Before you reload sshd, update the following so that the change does not lock you out:
SELinux port context
Firewall settings
fail2ban settings
OpenSSH SELinux port context
If you are using SELinux, add tcp port # 2022 to port contexts for OpenSSH server:
# semanage port -a -t ssh_port_t -p tcp 2022
Update firewall settings
Update the firewall settings so that users can log in on TCP port 2022.
Edit /etc/sysconfig/iptables to open sshd port 2022:
# vi /etc/sysconfig/iptables
Edit/append as follows:
## delete or comment out port 22 line ##
## -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
## open port 2022
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT
Save and close the file.
IPv6 users: make the same change in /etc/sysconfig/ip6tables.
Temporarily stop the firewall by typing the following (this drops every rule until the firewall is started again, so on a host reachable from untrusted networks prefer service iptables restart, which reloads the saved rules without that window):
# service iptables stop
# service ip6tables stop
Fail2ban settings
Update fail2ban as well: in the ssh jail of /etc/fail2ban/jail.conf (or jail.local), change the port value from ssh to 2022 and restart fail2ban. Otherwise fail2ban keeps banning attackers on port 22 and leaves the new port unprotected.
Restart sshd on a CentOS
Type the following command to restart / reload SSHD service:
# service sshd reload
Verify the new port setting with netstat (on CentOS 7 and 8, where net-tools is not installed by default, use ss -tlnp | grep sshd instead):
# netstat -tulpn | grep sshd
Finally, start the firewall on CentOS:
# service iptables start
## IPv6 ##
# service ip6tables start
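Before reloading sshd it is worth knowing exactly what the edited file will make it bind, especially when Port and ListenAddress are mixed. The functions below are an added example, not code from the original page or from OpenSSH: they add or retire a Port line in whatever sshd_config copy you point them at and print the address/port pairs sshd will open under the rules described above. They assume a POSIX shell with awk, and the function names are my own. The same edit applies to the CentOS 7 and 8 walkthroughs later on the page, where the port is appended with echo.

```sh
#!/bin/sh
# Added example, not part of the original page: edit the Port directive in a
# copy of sshd_config and compute what sshd will actually bind to, so the
# change can be checked before the live daemon is reloaded.
# Assumes POSIX sh with awk; the config path is always passed explicitly.

# add_sshd_port FILE PORT: make sure an active "Port PORT" line exists.
# Other Port lines (e.g. Port 22) are kept, so the old port stays open while
# the new one is verified; retire it afterwards with drop_sshd_port.
add_sshd_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "add_sshd_port: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "add_sshd_port: port out of range: $port" >&2; return 1
    fi
    # Already active (uncommented): nothing to do, so the function is idempotent.
    if awk -v p="$port" '$1 == "Port" && $2 == p { f = 1 } END { exit !f }' "$file"; then
        return 0
    fi
    if awk '$1 == "ListenAddress" { f = 1 } END { exit !f }' "$file"; then
        # Insert before the first ListenAddress: OpenSSH 5.x (CentOS 6) only
        # applies Port to a port-less ListenAddress that comes after it.
        # "cat >" rewrites in place, keeping the file's mode and SELinux
        # context (a mv of a temp file would not).
        awk -v p="$port" '
            !done && $1 == "ListenAddress" { print "Port " p; done = 1 }
            { print }' "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# drop_sshd_port FILE PORT: comment out the active "Port PORT" line(s).
drop_sshd_port() {
    awk -v p="$2" '$1 == "Port" && $2 == p { print "#" $0; next } { print }' "$1" > "$1.tmp" \
        && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# effective_listeners FILE: print one "address port" pair per socket sshd will
# open, following sshd_config(5): a ListenAddress without a port uses every
# Port value (22 when none is set); with no ListenAddress at all, sshd binds
# 0.0.0.0 and :: on every Port.
effective_listeners() {
    awk '
        $1 == "Port" { ports[++np] = $2 }
        $1 == "ListenAddress" {
            a = $2; p = ""
            if (a ~ /^\[.*\]:[0-9]+$/) {          # [IPv6]:port
                p = a; sub(/^.*\]:/, "", p); sub(/^\[/, "", a); sub(/\]:[0-9]+$/, "", a)
            } else if (a ~ /^[^:]+:[0-9]+$/) {     # IPv4:port or host:port
                p = a; sub(/^.*:/, "", p); sub(/:[0-9]+$/, "", a)
            } else if (a ~ /^\[.*\]$/) {           # [IPv6] without port
                sub(/^\[/, "", a); sub(/\]$/, "", a)
            }                                      # else: bare address or host
            addr[++na] = a; aport[na] = p
        }
        END {
            if (np == 0) ports[++np] = 22
            if (na == 0) { addr[++na] = "0.0.0.0"; addr[++na] = "::" }
            for (i = 1; i <= na; i++) {
                if (aport[i] != "") print addr[i], aport[i]
                else for (j = 1; j <= np; j++) print addr[i], ports[j]
            }
        }' "$1"
}
```

Run effective_listeners on the file before and after the change; on a host with sshd installed, follow it with sshd -t -f /path/to/file, which parses the file the way the daemon will (run it as root, since it also needs the host keys).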
Connect to ssh server on port # 2022 using ssh command:
ssh -p PortNumberHere user@server-name-here
ssh -p PortNumberHere user@server-name-here commandNameHere
ssh -p 2022 nixcraft@192.168.1.5
ssh -p 2022 nixcraft@192.168.1.5 df
To connect to ssh server on port # 2022 using scp command type:
scp -P PortNumberHere source user@server-name-here:/path/to/dest
scp -P 2022 resume.pdf nixcraft@nas01:/backups/personal/nixcraft/files/
To connect to ssh server on port # 2022 using sftp command type:
sftp -P PortNumberHere user@server-name-here
sftp -P 2022 nixcraft@192.168.1.5
To connect to ssh server on port # 2022 using rsync command, pass the port through the -e option:
rsync -av -e 'ssh -p PORT-NUMBER-HERE' source user@server-name
So to backup /home/vivek to server1.nixcraft.net.in at port number 2022, enter:
rsync -av -e 'ssh -p 2022' /home/vivek/ backupop@server1.nixcraft.net.in
How to change SSH port on Centos 6, 7, and 8.
How to change SSH port on centos 7
Changing the SSH port is actually pretty simple.
Open /etc/ssh/sshd_config and search for the following line:
#Port 22
Add a Port line with the new port (7222 in this example) below it, and keep port 22 active as well for now so you cannot lock yourself out before the new port has been verified:
Port 22
Port 7222
Be careful: choose an unused port that no other service on the host needs. A port above 1023 avoids the well-known service range, but any local user can bind such a port, so if sshd ever fails to start an unprivileged process could take its place; ports below 1024 can only be bound by root.
Opening the new port on firewallD
Opening a port on firewallD is easy:
# firewall-cmd --add-port YOUR_PORT_HERE/tcp
Adding the new port to SELinux
Configure SELinux to allow sshd to bind the new port by typing the following:
# semanage port -a -t ssh_port_t -p tcp YOUR_PORT_HERE
Configuring Fail2Ban
Open /etc/fail2ban/jail.conf and search for the following section (better: copy the section into /etc/fail2ban/jail.local and edit it there, because jail.conf is overwritten on package upgrade):
[sshd]
# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Change the value of port from the service name ssh to the actual port number, for example:
[sshd]
# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port = 7222
logpath = %(sshd_log)s
backend = %(sshd_backend)s
Without this change Fail2Ban keeps banning on port 22 (what the service name ssh resolves to) and will not block attackers on the new port.
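Editing a jail's port by hand is easy to get wrong because the same key appears in several sections of the file. The functions below are an added example, not code from Fail2Ban or from the original page: they change port only inside the named section and leave [DEFAULT] and the other jails alone. They take the file path as an argument (jail.local on a real host), assume a POSIX shell with awk, and the function names are my own. Because Fail2Ban accepts a comma-separated port list, the example also shows the transition value 22,7222 for the period when both ports are open.

```sh
#!/bin/sh
# Added example, not part of the original page: section-scoped edit of the
# "port" key in a Fail2Ban INI file. Assumes POSIX sh with awk; the file path
# is passed explicitly (jail.local on a real host).

# set_jail_port FILE JAIL PORT: inside "[JAIL]" set "port = PORT", replacing
# an existing port line or adding one if the section has none. Other
# sections, including [DEFAULT], are left untouched.
set_jail_port() {
    file=$1; jail=$2; port=$3
    awk -v jail="$jail" -v port="$port" '
        /^[[:space:]]*\[/ {
            # Leaving the target section without having seen a port line: add one.
            if (in_jail && !done) { print "port = " port; done = 1 }
            sect = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            in_jail = (sect == jail)
            print; next
        }
        in_jail && /^[[:space:]]*port[[:space:]]*=/ && !done { print "port = " port; done = 1; next }
        { print }
        END { if (in_jail && !done) print "port = " port }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    # "cat >" rewrites in place so the file keeps its mode and SELinux context.
}

# jail_port FILE JAIL: print the port value set in [JAIL]; empty output means
# the section has no port line and the [DEFAULT] value applies.
jail_port() {
    awk -v jail="$2" '
        /^[[:space:]]*\[/ { sect = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect); in_jail = (sect == jail); next }
        in_jail && /^[[:space:]]*port[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Intended use on a host, as root, followed by "systemctl restart fail2ban":
#   set_jail_port /etc/fail2ban/jail.local sshd 22,7222   # while both ports are open
#   set_jail_port /etc/fail2ban/jail.local sshd 7222      # once port 22 is retired
```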
Flip the switch
Type the following to test the new configuration:
# systemctl restart sshd
# systemctl restart fail2ban
Try to ssh into your server using the new port:
$ ssh USERNAME@YOUR_IP/HOSTNAME -p YOUR_NEW_PORT
Mopping up:
If you have successfully ssh'd into your server, finalize the settings and mop up so that only the new port is used from now on.
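The test-then-finalize step above is where a remote administrator gets locked out if the new port turns out to be blocked somewhere between the client and sshd. The guard below is an added example, not code from the original page: it snapshots sshd_config, arms a timer, and restores the snapshot automatically unless you cancel it after a successful login on the new port. The reload command (systemctl reload sshd here, or service sshd reload on CentOS 6) is passed in as an argument, so nothing privileged runs unless you ask for it; the file names and function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original page: a lockout guard for the
# "test the new port, then finalize" step. Snapshot sshd_config, arm a timer,
# reload sshd with the new port; if you can log in on it, cancel the timer,
# otherwise the snapshot is restored and sshd reloaded with the old port
# without you having to reach the box. Assumes POSIX sh; the reload command
# is an argument so nothing privileged runs by default.

# schedule_rollback FILE SECONDS [RELOAD_CMD]: snapshot FILE and, unless
# cancel_rollback runs within SECONDS, restore it and run RELOAD_CMD.
schedule_rollback() {
    file=$1; secs=$2; reload=${3:-}
    cp "$file" "$file.rollback" || return 1
    (
        trap '' HUP          # survive the SSH session that started it being dropped
        sleep "$secs"
        # A missing snapshot means cancel_rollback ran: nothing to do.
        if [ -f "$file.rollback" ]; then
            cat "$file.rollback" > "$file"   # cat keeps mode and SELinux context
            rm -f "$file.rollback"
            if [ -n "$reload" ]; then sh -c "$reload"; fi
        fi
    ) &
    echo $! > "$file.rollback.pid"
}

# cancel_rollback FILE: the new port works; drop the snapshot and the timer.
cancel_rollback() {
    file=$1
    rm -f "$file.rollback"
    if [ -f "$file.rollback.pid" ]; then
        kill "$(cat "$file.rollback.pid")" 2>/dev/null || true
        rm -f "$file.rollback.pid"
    fi
}

# rollback_pending FILE: succeed while a guard is still armed.
rollback_pending() { [ -f "$1.rollback" ]; }

# Intended sequence on a host, as root:
#   schedule_rollback /etc/ssh/sshd_config 300 'systemctl reload sshd'
#   ... edit sshd_config, then: systemctl reload sshd ...
#   ... from a second terminal: ssh -p YOUR_NEW_PORT user@host ...
#   cancel_rollback /etc/ssh/sshd_config      # only once that login worked
```

The snapshot file next to sshd_config is the only state; sshd ignores it, and removing it is what cancels the restore, so even if the timer process outlives the kill it does nothing.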
SSH daemon
Configure the ssh daemon: open /etc/ssh/sshd_config and delete or comment out the following line:
Port 22
Now you have told sshd not to listen on port 22, the default one.
FirewallD
Finalize the firewall configuration:
# firewall-cmd --add-port YOUR_PORT_HERE/tcp --permanent
# firewall-cmd --reload
Finalizing
This is the final step. Type the following commands:
# systemctl restart sshd.service
# firewall-cmd --remove-service ssh --permanent
# firewall-cmd --reload
If restarting sshd fails with an error such as:
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
run journalctl -xe as suggested:
# journalctl -xe
The output will show SELinux denying sshd the bind (name_bind) on the new port:
server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.
server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
server1 sshd[1074]: fatal: Cannot bind any address.
server1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
server1 systemd[1]: Failed to start OpenSSH server daemon.
Tell SELinux about the new port (replace 3456 with the port you configured; if the port is already assigned to another SELinux type, semanage port -a fails with "already defined" and you need semanage port -m instead):
semanage port -a -t ssh_port_t -p tcp 3456
Now, verify that SELinux has allowed sshd to listen on the two ports:
semanage port -l | grep ssh
ssh_port_t tcp 3456, 22
If the semanage command is missing, find the package that provides it:
yum whatprovides semanage
Output will be:
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage
Install it with:
yum install -y policycoreutils-python
Test that you can log in to the server on the new SSH port:
ssh -p 3456 root@server1
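To turn a journal excerpt like the one above into the exact semanage commands that are still needed, here is an added example (not code from the original page or from the SELinux tooling) that parses AVC name_bind denials for sshd and diffs the ports against semanage port -l output. It assumes a POSIX shell with awk and reads everything from stdin; the embedded log and semanage lines are constructed samples modelled on the excerpt, not captured output, and the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original page: pull the port numbers out of
# the SELinux name_bind denials that "journalctl -xe" (or
# /var/log/audit/audit.log) shows for sshd, and compare them with what
# "semanage port -l" already labels ssh_port_t. Assumes POSIX sh plus awk;
# all input is read from stdin so the functions can be run on captured text.

# sshd_denied_bind_ports: print each port (once) on which a process running
# as sshd_t was denied name_bind, i.e. the ports that still need labelling.
# Denials for other domains (e.g. httpd_t) on the same port are ignored.
sshd_denied_bind_ports() {
    awk '
        /avc: +denied +[{] *name_bind *[}]/ && /comm="sshd"/ && /scontext=[^ ]*:sshd_t:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=[0-9]+$/) {
                    port = substr($i, 5)
                    if (!(port in seen)) { seen[port] = 1; print port }
                }
        }'
}

# ssh_labelled_ports: from "semanage port -l" output, print every tcp port
# listed under ssh_port_t (the line looks like "ssh_port_t  tcp  3456, 22").
ssh_labelled_ports() {
    awk '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { p = $i; gsub(/,/, "", p); if (p ~ /^[0-9]+$/) print p }
    }'
}

# semanage_fix_for PORT...: read the already-labelled ports on stdin and print
# the semanage command for each wanted PORT that is missing. Nothing is
# executed; review the commands, then run them as root.
semanage_fix_for() {
    labelled=$(cat)
    for port in "$@"; do
        if ! printf '%s\n' "$labelled" | grep -qx "$port"; then
            printf 'semanage port -a -t ssh_port_t -p tcp %s\n' "$port"
        fi
    done
}

# Constructed sample input, modelled on the journal and semanage excerpts in
# the text (not captured from a real host).
AVC_SAMPLE='server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
server1 kernel: type=1400 audit(1537086090.001:6): avc: denied { name_bind } for pid=2210 comm="httpd" src=6378 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
SEMANAGE_SAMPLE='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# On a live host (as root), the same pipeline over real data:
#   wanted=$(journalctl -b | sshd_denied_bind_ports)
#   semanage port -l | ssh_labelled_ports | semanage_fix_for $wanted
```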
How to Change Default SSH Port in CentOS 8
Check Status of SSH Service in CentOS 8 using systemctl command:
[root@centos-8 ~]# systemctl status sshd.service
The output will be:
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1564 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on 0.0.0.0 port 22.
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on :: port 22.
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
We can tweak /etc/ssh/sshd_config file to customize SSH service according to our requirements.
There is no Port directive in this file, so sshd is using the default port 22.
Add a Port directive by appending it with echo (this is only right when the file has no active Port line; with several Port lines sshd listens on all of them, so an existing line should be edited instead):
[root@centos-8 ~]# echo "Port 50" >> /etc/ssh/sshd_config
Configure SELinux to Allow Non-Default SSH Port:
SELinux policy only lets sshd bind ports labelled ssh_port_t, so port 50/tcp has to be labelled before sshd can use it (on CentOS 8 the semanage tool comes from the policycoreutils-python-utils package).
Use semanage command to add port 50/tcp to type ssh_port_t:
[root@centos-8 ~]# semanage port -a -t ssh_port_t -p tcp 50
Configure Firewall to Allow Non-Default SSH port:
List the ports and services currently allowed in the firewall:
[root@centos-8 ~]# firewall-cmd --list-all
You will see the following:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
You can also check that firewalld itself is running:
[root@centos-8 ~]# systemctl status firewalld
Remove the ssh service (port 22) from the zone and allow the new port instead:
[root@centos-8 ~]# firewall-cmd --permanent --remove-service=ssh
success
[root@centos-8 ~]# firewall-cmd --permanent --add-port=50/tcp
success
[root@centos-8 ~]# firewall-cmd --reload
success
Restart SSH Service on CentOS 8:
Type the following command to restart service:
[root@centos-8 ~]# systemctl restart sshd
Verify status of SSH Service by typing:
[root@centos-8 ~]# systemctl status sshd.service
The output will be:
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 10376 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Stopped OpenSSH server daemon.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on 0.0.0.0 port 50.
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on :: port 50.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
Access Service using Non-Default SSH Port:
First try ssh and sftp on the default port 22; both connections are refused:
[root@centos-8 ~]# ssh root@centos-8.centlinux.com
Output will be:
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
[root@centos-8 ~]# sftp root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
Connection closed.
Connection refused means nothing accepted the TCP connection on port 22: sshd now listens on port 50 only, and the firewall no longer allows the ssh service either.
Access the SSH service on the new port with ssh:
[root@centos-8 ~]# ssh root@centos-8.centlinux.com -p 50
The authenticity of host '[centos-8.centlinux.com]:50 ([192.168.116.206]:50)' can't be established.
ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[centos-8.centlinux.com]:50,[192.168.116.206]:50' (ECDSA) to the list of known hosts.
root@centos-8.centlinux.com's password:
Last login: Sat Aug 8 17:59:01 2020
[root@centos-8 ~]#
Note the host-key prompt: ssh keeps known_hosts entries per host and port, so the new port looks like a new host even though the server is unchanged. Compare the fingerprint shown with the one recorded for port 22 (or with ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub on the server) before answering yes.
Similarly, for sftp:
[root@centos-8 ~]# sftp -P 50 root@centos-8.centlinux.com
root@centos-8.centlinux.com's password:
Connected to root@centos-8.centlinux.com.