Share on Social Media

Learn how to effortlessly change SSH port number in Linux 9 with our step-by-step guide. Enhance your system’s security by customizing the SSH default port for secure remote access management. #centlinux #linux #ssh

What is SSH?

SSH stands for Secure Shell. It’s a cryptographic network protocol used for secure communication over an unsecured network. SSH provides a secure channel between two devices, typically a client (such as a computer) and a server, allowing encrypted data exchange and secure remote access to systems.

SSH is widely used for various purposes, including:

  1. Remote Login: SSH enables users to log in to remote systems securely over a network, providing a command-line interface for executing commands and managing the remote system.
  2. Secure File Transfer: SSH supports secure file transfer protocols such as SCP (Secure Copy Protocol) and SFTP (SSH File Transfer Protocol), allowing users to securely transfer files between systems.
  3. Tunneling: SSH can create secure tunnels, forwarding network connections from one device to another, enhancing security for services such as web browsing or database access.
  4. Remote Command Execution: Administrators can remotely execute commands or scripts on remote systems using SSH, facilitating system administration tasks.

Overall, SSH plays a crucial role in enabling secure remote access, data transfer, and management of systems in various computing environments, including servers, workstations, and IoT devices.

What is the SSH Port Number?

The SSH port, by default, is port 22. It’s the network port used by the SSH (Secure Shell) protocol to establish secure connections between a client and a server. SSH is commonly used for remote login, command execution, and secure file transfer.

Why Change SSH Default Port?

Changing the default SSH port from 22 to another port can enhance security for several reasons:

  1. Reduced Visibility: Automated attacks often target common ports like 22. Changing the SSH port makes it less visible to automated scans, reducing the likelihood of unauthorized access attempts.
  2. Mitigation of Brute Force Attacks: Changing the default port can help mitigate brute force attacks, as attackers would need to scan a wider range of ports to find the SSH service.
  3. Enhanced Security through Obscurity: While not a foolproof security measure on its own, changing the SSH port adds an additional layer of security through obscurity, making it slightly more challenging for attackers to discover and target the SSH service.
  4. Administrative Control: Changing the SSH port allows administrators to have more control over their server’s security configuration, aligning with their organization’s security policies and best practices.
  5. Customization: It enables customization of the network configuration, which may be beneficial in environments with specific networking requirements or where certain ports are already in use for other services.

Overall, changing the default SSH port is one of several security measures that can be implemented to enhance the security posture of a system or network.

It’s important to note that changing the SSH port is not a foolproof security measure on its own. It’s just one part of a comprehensive security strategy that should include strong passwords, firewalls, regular software updates, and other best practices.

Read Also: Oh My Zsh! Fancy Linux Shell for Developers

Change SSH Port in Linux

Login to your Rocky Linux server as root user by using ssh command.

# ssh root@192.168.116.128
The authenticity of host '192.168.116.128 (192.168.116.128)' can't be established.
ED25519 key fingerprint is SHA256:0HIa3JkQYbEmBNv/W6RyztUXEmxtgCheMZSSErNWi5E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.116.128' (ED25519) to the list of known hosts.
root@192.168.116.128's password:
Last login: Sun May  7 00:37:27 2023 from 192.168.116.1

sshd service is currently running at the default port: 22/tcp. Therefore, you have easily obtained a ssh shell by using the usual syntax of ssh command.

Execute ss command to check the status of sshd service addresses and ports.

# ss -tulpn | grep sshd
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=816,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=816,fd=4))

sshd service is running at the default port and listening on all IPv4 and IPv6 interfaces.

Create a configuration file in /etc/ssh/sshd_config.d directory to define Port directive with new service port. Or you can execute following echo command at Linux terminal to do the same.

# echo "Port 1028" >> /etc/ssh/sshd_config.d/02-changeport.conf

If you are SELinux in enforcing mode for your Linux operating system, then you are also required to add this new service port in your SELinux policy.

For management of SELinux policies, you are required semanage command.

The semanage command is not installed in a minimal Rocky Linux 9 server.

Therefore, if you are unable to find it on your Linux server then you should install it by installing policycoreutils-python-utils packages.

# dnf install -y policycoreutils-python-utils

Now, execute semanage command to add new SSH port in SELinux policy.

# semanage port -a -t ssh_port_t -p tcp 1028

You are also required to allow this new SSH port in Linux firewall.

# firewall-cmd --permanent --add-port=1028/tcp
success

# firewall-cmd --reload
success

Restart sshd service to load new configurations.

# systemctl restart sshd.service

Check the status of your sshd service port again.

# ss -tulpn | grep sshd
tcp   LISTEN 0      128          0.0.0.0:1028      0.0.0.0:*    users:(("sshd",pid=1791,fd=3))
tcp   LISTEN 0      128             [::]:1028         [::]:*    users:(("sshd",pid=1791,fd=4))

Your sshd service is now running at new port: 1028/tcp.

Now, try to obtain a new SSH shell.

# ssh root@192.168.116.128
ssh: connect to host 192.168.116.128 port 22: Connection refused

As expected, you have received a ‘Connection refused’ error. Because there isn’t any service running on port 22/tcp.

Now, obtain a ssh shell by specifying the non-default service port i.e 1028/tcp in your same Linux command.

# ssh root@192.168.116.128 -p 1028
root@192.168.116.128's password:
Last login: Sun May  7 00:38:00 2023 from 192.168.116.128

At this time, you have successfully obtain a SSH shell.

Video to Change Default Port for SSH

YouTube player

Final Thoughts

Taking the initiative to change SSH port in Linux 9 is a proactive step towards bolstering your system’s security. By customizing the SSH port number, you mitigate common attack vectors and fortify your defenses against unauthorized access attempts. With our comprehensive guide, navigating this security enhancement becomes straightforward, empowering you to safeguard your system effectively. If you are new to Linux command-line, then we suggest that you should attend online training: Linux command line for beginners

Leave a Reply

Your email address will not be published. Required fields are marked *