This article will guide you through changing the default SSH port in CentOS / RHEL 8.
Table of Contents:
- What is SSH?
- Check Status of SSH Service
- Change Default SSH Port in CentOS / RHEL 8
- Configure SELinux to Allow Non-Default SSH Port
- Configure Firewall to Allow Non-Default SSH port
- Restart SSH Service
- Access Service using Non-Default SSH Port
- Conclusion
What is SSH? :
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. (Courtesy: Wikipedia)
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
SSH is the entry point to almost any Linux based server, which makes it a favorite target for attackers. Since everyone knows that SSH runs on port 22, attackers can direct various attacks at this port.
It is a best practice to change the default SSH port of your server. Doing so does not guarantee that nobody can find it, because there are many port scanners that can enumerate the open ports on a server. But moving SSH from the default port to another one makes things a little more difficult for the attacker.
Check Status of SSH Service:
Verify current status of SSH service by using systemctl command.
# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1564 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on 0.0.0.0 port 22.
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on :: port 22.
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
You can see that the service is running on the default SSH port number 22.
Change Default SSH Port in CentOS / RHEL 8:
The SSH daemon configuration is located in the /etc/ssh/sshd_config file. We can edit it to customize the SSH service according to our requirements.
Initially there is no Port directive in this file, so the SSH service uses the default SSH port number 22.
Let's add a Port directive to sshd_config by using the echo command.
# echo "Port 2222" >> /etc/ssh/sshd_config
This single line is enough to change the default SSH port number.
Configure SELinux to Allow Non-Default SSH Port:
The default SELinux policy does not allow a service to listen on a non-default port. Therefore, we have to configure SELinux to allow SSH to use port 2222/tcp.
We need the semanage command to configure SELinux settings. On a minimal CentOS 8 installation it is not available; install the policycoreutils-python-utils package to get the semanage command.
Then use the semanage command to add port 2222/tcp to the ssh_port_t type.
# semanage port -a -t ssh_port_t -p tcp 2222
Configure Firewall to Allow Non-Default SSH port:
List the allowed ports and services in the Linux firewall.
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The ssh service is allowed by default in most Linux distributions, including CentOS / RHEL 8.
Now we need to remove this ssh service and allow our new SSH port in the Linux firewall.
# firewall-cmd --permanent --remove-service=ssh
success
# firewall-cmd --permanent --add-port=2222/tcp
success
# firewall-cmd --reload
success
Restart SSH Service:
Restart the SSH service to apply the changes we made in the sshd_config file.
# systemctl restart sshd.service
Verify the status of the SSH service.
# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 10376 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
└─10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Stopped OpenSSH server daemon.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on 0.0.0.0 port 2222.
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on :: port 2222.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.
You can see that the service is now listening on the non-default port 2222 instead of the default SSH port number 22.
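The steps above, from the Port directive through SELinux, firewalld and the restart, put together as one script. This is an added example, not code from the original article: the function names are mine, it assumes root on a CentOS / RHEL 8 host with SELinux and firewalld as in the article, and unlike the echo command above it does not add a duplicate Port line when run twice and only restarts sshd after the configuration validates.

```shell
#!/bin/sh
# Added example, not code from the article: apply the article's port change
# idempotently and restart sshd only after `sshd -t` validates the file.
# `echo "Port 2222" >> sshd_config` appends a second directive if one is
# already present, and sshd then listens on every active Port line.

# set_sshd_port FILE PORT: rewrite the first active "Port" line to PORT,
# drop any further Port lines, or append one if none exists.
# Commented "#Port 22" lines are left untouched.
set_sshd_port() {
    file="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    tmp="$file.tmp.$$"
    cp -p "$file" "$tmp"    # keep the original mode and owner
    awk -v p="$port" '
        /^[[:space:]]*Port[[:space:]]+/ { if (!seen) { print "Port " p; seen = 1 }; next }
        { print }
        END { if (!seen) print "Port " p }' "$file" > "$tmp"
    mv -f "$tmp" "$file"
}

# active_ports FILE: print the active Port values, space separated.
active_ports() {
    awk '/^[[:space:]]*Port[[:space:]]+/ { printf "%s%s", (n++ ? " " : ""), $2 }
         END { print "" }' "$1"
}

# apply_port PORT: the article's whole procedure. Assumes root on a
# CentOS/RHEL 8 host with SELinux and firewalld, as in the article.
apply_port() {
    set_sshd_port /etc/ssh/sshd_config "$1" || return 1
    # A typo in sshd_config would leave no working sshd after the restart.
    sshd -t || { echo "sshd_config failed validation; not restarting" >&2; return 1; }
    semanage port -a -t ssh_port_t -p tcp "$1"
    firewall-cmd --permanent --remove-service=ssh
    firewall-cmd --permanent --add-port="$1/tcp"
    firewall-cmd --reload
    systemctl restart sshd.service
}
```

Keep an existing session open while you run apply_port, and verify the new port works before closing it.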
Access Service using Non-Default SSH Port:
Try to access the SSH service with the ssh and sftp commands on the default SSH port.
# ssh root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
# sftp root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
Connection closed.
Connection closed
This confirms that the Linux firewall is not allowing traffic through port 22.
Now access the SSH service with the ssh command on the non-default SSH port.
# ssh root@centos-8.centlinux.com -p 2222
The authenticity of host '[centos-8.centlinux.com]:2222 ([192.168.116.206]:2222)' can't be established.
ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[centos-8.centlinux.com]:2222,[192.168.116.206]:2222' (ECDSA) to the list of known hosts.
root@centos-8.centlinux.com's password:
Last login: Sat Aug 8 17:59:01 2020
#
Similarly, for sftp.
# sftp -P 2222 root@centos-8.centlinux.com
root@centos-8.centlinux.com's password:
Connected to root@centos-8.centlinux.com.
sftp>
Conclusion:
You have successfully changed the default SSH port of a CentOS / RHEL 8 server. If you are having difficulty understanding the commands used in this guide, then there is a good book for you: How Linux Works, 2nd Edition: What Every Superuser Should Know, written by Brian Ward.