How To Change SSH Port On CentOS 7

By admin. Last update: 14 April 2024

Understanding the Importance of Changing the SSH Port

Changing the default SSH port (port 22) on your CentOS 7 server is a common hardening measure that reduces exposure to automated attacks and brute-force attempts. Because bots and opportunistic attackers usually scan only for the default port, moving away from it cuts down the volume of login attempts your server receives.

Benefits of Changing the SSH Port

  • Security through obscurity: While not a foolproof method, changing the SSH port adds an extra layer of difficulty for potential attackers.
  • Reduced noise in logs: Fewer automated attacks mean cleaner logs, making it easier to spot genuine issues.
  • Compliance: Some security policies and compliance standards may require non-standard ports for services like SSH.

Preparation Before Changing the SSH Port

Before proceeding with the port change, ensure that you have administrative access to the server and that you are prepared to troubleshoot in case of connectivity issues.

Backup Configuration Files

Always back up your current SSH configuration file before making changes. This allows you to restore the original settings if needed.

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Check for Port Conflicts

Verify that the new SSH port you plan to use is not already in use by another service on your server. On CentOS 7, netstat comes from the net-tools package; if it is not installed, ss -tulpn produces the same listing.

netstat -tulpn | grep LISTEN

Changing the SSH Port on CentOS 7

The process of changing the SSH port involves editing the SSH daemon configuration file and adjusting firewall rules to allow traffic on the new port.

Editing the SSH Configuration File

Locate and edit the sshd_config file using a text editor such as vi or nano.

vi /etc/ssh/sshd_config

Find the line that specifies the port number, which by default will be #Port 22. Remove the comment (#) and change the number to your desired port, for example, Port 2222.

Configuring SELinux for the New Port

If SELinux is enforcing, add a port mapping so that sshd is allowed to bind the new port. The semanage tool is provided by the policycoreutils-python package on CentOS 7.

semanage port -a -t ssh_port_t -p tcp 2222

Adjusting Firewall Rules

Update the firewall settings to permit traffic on the new SSH port.

firewall-cmd --permanent --zone=public --add-port=2222/tcp
firewall-cmd --reload

Restarting the SSH Service

Apply the changes by restarting the SSH daemon.

systemctl restart sshd.service
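The whole procedure above (backup, port-conflict check, sshd_config edit, SELinux mapping, firewall rule, restart) collected into one script, as an added example that is not part of the original article. It assumes it runs as root on CentOS 7 with semanage and firewalld available, that the caller passes the port in a NEW_PORT variable, and that SSHD_CONFIG may be pointed at a scratch copy of the config; those variable names are this example's own.

```shell
#!/bin/bash
# Added example: CentOS 7 SSH port change with the checks worth running before
# restarting sshd. Assumes root, policycoreutils-python (semanage) and firewalld;
# NEW_PORT and SSHD_CONFIG are names chosen for this script, not sshd options.
set -eu
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# Accept only a numeric, unprivileged port (1024-65535), as the FAQ advises.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Succeed only if nothing is already listening on TCP port $1 (the netstat check).
port_free() {
    ! ss -ltn | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
}

# Back up sshd_config, then set a single Port directive: replace the first
# (possibly commented) Port line in place, or insert one at the top of the file
# so the directive never lands inside a trailing Match block.
set_sshd_port() {
    local cfg=$1 port=$2
    local re='^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+'
    cp -p "$cfg" "$cfg.bak"
    if grep -Eq "$re" "$cfg"; then
        sed -E -i "0,/$re/s/$re.*/Port $port/" "$cfg"
    else
        sed -i "1i Port $port" "$cfg"
    fi
}

apply_port_change() {
    local port=$1
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    port_free "$port"  || { echo "port $port is already in use" >&2; return 1; }
    set_sshd_port "$SSHD_CONFIG" "$port"
    # SELinux: -a adds a new mapping; fall back to -m if the port is already defined.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --zone=public --add-port="$port/tcp"
    firewall-cmd --reload
    # Syntax-check the edited config first; a bad file would leave sshd down.
    sshd -t
    systemctl restart sshd.service
    ss -ltn | grep -q ":$port " && echo "sshd is listening on port $port"
}

# Only act when the caller sets NEW_PORT, e.g.  NEW_PORT=2222 ./change_ssh_port.sh
if [ -n "${NEW_PORT:-}" ]; then
    apply_port_change "$NEW_PORT"
fi
```

Keep your current SSH session open while the script runs and open a second connection on the new port to confirm it works before closing the first.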

Troubleshooting Post-Change Issues

After changing the SSH port, you might encounter connectivity issues. Ensure that the new port is correctly configured and not blocked by any firewalls.

Verifying SSH Access on the New Port

Test SSH access on the new port from a remote machine to confirm that the changes were successful. Keep your existing session open while you test; if the new connection fails, you can still correct the configuration from it.

ssh -p 2222 user@yourserver.com

Reverting Changes if Necessary

If you cannot connect after the port change, revert to the backup configuration and restart the SSH service.

mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
systemctl restart sshd.service

Best Practices for Managing SSH Access

Beyond changing the SSH port, consider implementing additional security measures to protect your server.

Using Key-Based Authentication

Disable password authentication and use SSH keys for a more secure login method.

Implementing Fail2Ban

Install and configure Fail2Ban to automatically block IP addresses that exhibit malicious behavior. Its sshd jail watches port 22 by default, so set the jail's port option to your new port or the bans will not apply to the SSH traffic you actually receive.

Regularly Updating Software

Keep your system and its packages updated to patch known vulnerabilities.

Frequently Asked Questions

Is changing the SSH port enough to secure my server?

While changing the SSH port can deter automated attacks, it should be part of a broader security strategy that includes updates, firewalls, and strong authentication methods.

Can I use any port number for SSH?

You can use any unused port between 1024 and 65535, keeping in mind that ports below 1024 are reserved for well-known services.

How do I know if SELinux is enforcing?

Use the command getenforce to check the current SELinux status.

getenforce

What should I do if I’m locked out of my server after changing the SSH port?

If you have physical or console access to the server, log in directly and revert the SSH configuration changes. If remote access is your only option, you may need to contact your hosting provider for assistance.
