How to change SSH Default Port in CentOS 8

This article will guide you about, how to change ssh default port in CentOS 8. #centlinux #linux #ssh

What is SSH?

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. (Courtesy: Wikipedia)

SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.

SSH considered as the entry point to any Linux based server, therefore it is the most favorite target for attackers. Since, everyone is aware that the SSH runs on port 22, thus one can attempt different type of attacks on this port.

It is a best practice to change SSH default port of your server. Although, doing so didn’t guarantees that one cannot find it. Because there are many port scanners, that can search and list down the open ports on a server. But changing ssh default port to some other port will make things a little bit more difficult for the attacker.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

Is it safe to change SSH port?

Yes, changing the SSH port from the default port 22 to another port can enhance the security of your server by reducing the risk of automated attacks and port scanning. However, while changing the SSH port is a helpful security measure, it should not be relied upon as the sole method of securing your SSH service. Here are some considerations for safely changing the SSH port:

Benefits of Changing the SSH Port

1. Reduced Visibility to Attackers:
   • Automated bots and scripts typically scan the default port 22 for vulnerabilities. Changing the port makes your SSH service less visible to these automated attacks.
2. Additional Layer of Security:
   • Though not a substitute for robust security practices, changing the port can add an extra layer of security by obscurity.

Read Also: How to Change SSH Port Number in Linux 9

Check Status of SSH Service

Verify current status of SSH service by using systemctl command.

# systemctl status sshd.service
â sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1564 (sshd)
    Tasks: 1 (limit: 5916)
   Memory: 1.2M
   CGroup: /system.slice/sshd.service
           ââ1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>

Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on 0.0.0.0 port 22.
Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on :: port 22.
Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.

You can see that the service is running on default SSH port number 22.

Change SSH Default Port in CentOS 8

SSH daemon/service configurations are located in /etc/ssh/sshd_config file. We can tweak them to customize SSH service according to our requirements.

Initially there is no Port directive in this file, instead, the SSH service is using the default ssh port number 22.

Let’s add a Port directive in sshd_config file by using echo command.

# echo "Port 2222" >> /etc/ssh/sshd_config

This one shot setting is quiet enough to change ssh default port number.

Configure SELinux to Allow SSH custom Port

Default SELinux configuration does not allow any service to run on a non-default port. Therefore, we have to configure SElinux to allow SSH to use port 2222/tcp.

We need semanage command to configure SELinux settings. If you are using a minimal installed CentOS 8 system then it is not available on your system. Install policycoreutils-python-utils package to get semanage command.

Then use semanage command to add port 2222/tcp to type ssh_port_t.

# semanage port -a -t ssh_port_t -p tcp 2222

Configure Firewall to Allow SSH custom Port

List down allowed ports or services in Linux firewall.

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

SSH service is by default allowed in most distributions of Linux including CentOS / RHEL 8.

Now, we need to block this ssh service and allow our new ssh port in Linux firewall.

# firewall-cmd --permanent --remove-service=ssh
success
# firewall-cmd --permanent --add-port=2222/tcp
success
# firewall-cmd --reload
success

Restart SSH Service

Restart SSH Service to apply changes that we have made in sshd_config file.

# systemctl restart sshd.service

Verify status of SSH Service.

# systemctl status sshd.service
â sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 10376 (sshd)
    Tasks: 1 (limit: 5916)
   Memory: 1.2M
   CGroup: /system.slice/sshd.service
           ââ10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>

Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Stopped OpenSSH server daemon.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on 0.0.0.0 port 2222.
Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on :: port 2222.
Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.

You can see that the service is now running on non-default port 2222 instead of default ssh port number 22.

Access SSH Service using custom Port

Try to access SSH service using ssh and sftp commands from the default ssh port.

# ssh root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused

# sftp root@centos-8.centlinux.com
ssh: connect to host centos-8.centlinux.com port 22: Connection refused
Connection closed.
Connection closed

It confirms that Linux Firewall is not allowing the traffic through port 22.

Now, access the SSH service by using ssh command from the non-default ssh port.

# ssh root@centos-8.centlinux.com -p 2222
The authenticity of host '[centos-8.centlinux.com]:2222 ([192.168.116.206]:2222)' can't be established.
ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[centos-8.centlinux.com]:2222,[192.168.116.206]:2222' (ECDSA) to the list of known hosts.
root@centos-8.centlinux.com's password:
Last login: Sat Aug  8 17:59:01 2020
#

Similarly, for sftp.

# sftp -P 2222 root@centos-8.centlinux.com
root@centos-8.centlinux.com's password:
Connected to root@centos-8.centlinux.com.
sftp>

Read Also: How to change SSH Default Port in CentOS 8

Conclusion

In this guide, you have learned how to change SSH default port in CentOS 8 Server. If you are having difficulty understanding the commands used in this guide, then there is a good book for you. The book title is How Linux Works, 2nd Edition: What Every Superuser Should Know Second Edition (PAID LINK) and it is written by Brian Ward.