How to configure SSH on CentOS 7 to use a different port

In this guide, we will learn how to configure SSH on CentOS 7 to use other ports.

Configuring the SSH server to listen on a port other than the default port 22 may not give you much benefit from a security perspective, but it still has some advantages; for example:

  • It reduces the attack surface by protecting the server from automated random attacks against services running on the default port, including attempts to exploit vulnerabilities in specific versions of OpenSSH and its encryption libraries.
  • It reduces the size of the log file, as it stops failed brute-force login attempts against the default SSH port.

Configure SSH to use a different port on CentOS 7

Read this guide step by step to learn how to configure an SSH server to listen on other ports.

  1. Log in to your server and open the OpenSSH server configuration file, /etc/ssh/sshd_config, for editing.
    vim /etc/ssh/sshd_config
  2. Uncomment the line #Port 22 and set it to the required port. As a precaution, configure sshd to listen on two ports (the default port and the required port), so that your configuration file has two lines as shown below, where 3456 is your preferred port. After confirming that the new port works, delete the default port setting.
    Port 22
    Port 3456

    Note:

    • Make sure no other services are using the new port.
    • Replace the port accordingly.
  3. If the firewall is running, allow the new port through it.
    firewall-cmd --add-port=3456/tcp --permanent
    firewall-cmd --reload
  4. Restart the sshd service
    systemctl restart sshd
  5. If restarting sshd produces an error such as this one:
    Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

    and running journalctl -xe, as the message suggests, shows that sshd cannot start on the new port because of SELinux permissions, as in the following journalctl output:

    # journalctl -xe 
    ...output snipped...
    Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
    Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
    Sep 16 08:21:12 server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.
    Sep 16 08:21:12 server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres
    Sep 16 08:21:12 server1 sshd[1074]: fatal: Cannot bind any address.
    Sep 16 08:21:12 server1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
    Sep 16 08:21:12 server1 systemd[1]: Failed to start OpenSSH server daemon.
    ...output snipped...

    To solve this problem, tell SELinux about the change by running the following command.

    semanage port -a -t ssh_port_t -p tcp 3456

    Now verify that SELinux allows sshd to listen on two ports:

    semanage port -l | grep ssh
    ssh_port_t  tcp      3456, 22

    If the semanage command is not found, check which package provides it and install that package:

    yum whatprovides semanage
    ...output snipped...
    policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
    Repo : base
    Matched from:
    Filename : /usr/sbin/semanage

    yum install -y policycoreutils-python
  6. Test if you can log in to the server using the new SSH port
    ssh -p 3456 <user>@<server-address>

    If the login succeeds, remove the default port by commenting it out in the sshd configuration file, or block it on the firewall. Remember to restart sshd after changing its configuration, or to reload the firewall if you changed the firewall rules instead.
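
A pre-restart check for the SELinux failure described in step 5, as an added example that is not part of the original guide: it compares the Port lines in an sshd_config file with the ssh_port_t entries in saved `semanage port -l` output and prints every port that sshd would be denied. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check that every Port in
# sshd_config is labelled ssh_port_t, so sshd is not denied name_bind.

# Ports sshd will bind, one per line. Keywords are case-insensitive,
# commented lines are skipped, and no Port line means the default 22.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Entries (single ports or lo-hi ranges) allowed for ssh_port_t,
# parsed from a file holding saved `semanage port -l` output.
selinux_ssh_ports() {
    awk '$1 == "ssh_port_t" && $2 == "tcp" {
             for (i = 3; i <= NF; i++) { sub(",", "", $i); print $i }
         }' "$1"
}

# Print each configured port that SELinux would refuse; no output means safe.
# $1 = sshd_config path, $2 = file with `semanage port -l` output.
unlabelled_ports() {
    sshd_ports "$1" | while read -r port; do
        selinux_ssh_ports "$2" | awk -v p="$port" '
            { n = split($0, r, "-"); lo = r[1] + 0
              hi = (n == 2 ? r[2] : r[1]) + 0
              if (p + 0 >= lo && p + 0 <= hi) ok = 1 }
            END { exit(ok ? 0 : 1) }' || echo "$port"
    done
}

# Constructed sample input: the two-port config from step 2, and SELinux
# policy listings as they look before and after the semanage command.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#Port 22' 'Port 22' 'Port 3456' 'PermitRootLogin no' \
    > "$demo/sshd_config"
printf '%s\n' 'smtp_port_t   tcp   25, 465, 587' \
              'ssh_port_t    tcp   22' > "$demo/before.txt"
printf '%s\n' 'ssh_port_t    tcp   3456, 22' > "$demo/after.txt"

echo "before semanage: $(unlabelled_ports "$demo/sshd_config" "$demo/before.txt")"
echo "after semanage:  $(unlabelled_ports "$demo/sshd_config" "$demo/after.txt")"
```

On a real host, save the output of `semanage port -l` to a file and pass it together with /etc/ssh/sshd_config before running `systemctl restart sshd`.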

This marks the end of our simple guide on how to configure SSH to use other ports on CentOS 7.
