CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )
This tutorial explains how to change the default SSH port of the OpenSSH server on CentOS 7 and RHEL 7. We will change the default SSH port 22 to a port of our choice while keeping SELinux enabled, and we will add a matching firewalld rule for the new port.
From a security point of view, the default SSH port 22 is usually changed to another port number (this mainly cuts down noise from automated scanners; it does not replace key-based authentication and the other usual sshd hardening). Choose the new port carefully: it should be above the well-known port range (above 1024) and it should not be the default port of another application or utility, for example 8080 used by Tomcat or 3306 used by MySQL. In short, pick a port above 1024 that does not conflict with any application, utility or program on the server.
Change SSH port number
First take a backup of the sshd_config file, then edit it.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)
Now edit the file /etc/ssh/sshd_config and search for the line
#Port 22
or
Port 22
Note: the # comments out the line. Because SSH has the well-known port number 22 (below 1024), sshd listens on port 22 by default even while this line is commented out.
Remove the # from the Port 22 line and change 22 to the new port number; here we have selected 2292.
sed -i 's/#Port 22/Port 2292/g' /etc/ssh/sshd_config
Or open the file with vi and set the line by hand:
vi /etc/ssh/sshd_config
Port 2292
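The port-selection advice above and the edit step, as an added shell example that is not part of the original post: it validates a candidate port (numeric, above 1024, not a common application default, not already listened on) and rewrites the Port directive in an sshd_config-style file, handling both the commented "#Port 22" form and an already-active "Port N" line, which the single sed pattern above does not. The list of taken ports is constructed from the post's examples; GNU sed (as on CentOS 7) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: validate a new SSH port and
# rewrite the Port directive in an sshd_config-style file. Assumes GNU sed.

# 0 when PORT is numeric, above the well-known range, and not a common
# application default (constructed list from the post's examples; extend it).
validate_ssh_port() {
    port="$1"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac      # not a number
    [ "$port" -gt 1024 ] && [ "$port" -lt 65536 ] || return 1
    for taken in 8080 3306; do                         # Tomcat, MySQL
        [ "$port" -eq "$taken" ] && return 1
    done
    return 0
}

# 0 when something already listens on TCP PORT (checked with ss, as in the
# post); 1 when it is free or ss is not available.
port_in_use() {
    command -v ss >/dev/null 2>&1 || return 1
    ss -tnl 2>/dev/null | awk 'NR>1 {print $4}' | grep -q ":$1\$"
}

# Set the Port directive in CONFIG to PORT after validating it.
set_sshd_port() {
    config="$1"; port="$2"
    validate_ssh_port "$port" || { echo "bad port: $port" >&2; return 1; }
    port_in_use "$port" && { echo "port $port in use" >&2; return 1; }
    if grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$config"; then
        # Active directive(s) present: rewrite every one so only PORT remains.
        sed -i -E "s/^([[:space:]]*)Port[[:space:]]+[0-9]+.*/\1Port ${port}/" "$config"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*Port[[:space:]]+[0-9]+' "$config"; then
        # Only the stock commented line: uncomment the first one and set PORT.
        sed -i -E "0,/^[[:space:]]*#[[:space:]]*Port[[:space:]]+[0-9]+.*/s//Port ${port}/" "$config"
    else
        printf 'Port %s\n' "$port" >> "$config"
    fi
}

# Port sshd will use according to CONFIG (22 when no directive is active).
get_sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n1 | awk '{print $2}')
    echo "${p:-22}"
}

# Demo on a throwaway copy, never on the live file.
demo=$(mktemp) && printf '#Port 22\nPermitRootLogin yes\n' > "$demo"
set_sshd_port "$demo" 2292 && get_sshd_port "$demo"   # prints 2292
rm -f "$demo"
```

Run it against a copy of /etc/ssh/sshd_config first; once the result looks right, apply the same call to the real file and continue with the SELinux and firewalld steps below.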
SELINUX for SSH
By default SELinux only allows port 22 for ssh (the ssh_port_t port type). Now add the new port 2292 to that context.
Note: Replace 2292 in case you have selected different port number
semanage port -a -t ssh_port_t -p tcp 2292
Now check the SELinux port context for ssh:
semanage port -l | grep ssh
Below is the output from our server:
[root@localhost ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      2292, 22
[root@localhost ~]#
Now restart the SSH service
systemctl restart sshd.service
Allow port 2292 with firewalld
Now allow port 2292 for ssh. Run the command below; it permanently adds a firewalld rule in the public zone for TCP port 2292.
firewall-cmd --permanent --zone=public --add-port=2292/tcp
Reload firewalld so the permanent rule takes effect
firewall-cmd --reload
Check the listening SSH port with the ss command
With the ss command you can find the port sshd is listening on. Use the command below:
ss -tnlp|grep ssh
Below is reference output from our server:
[root@localhost ~]# ss -tnlp|grep ssh
LISTEN     0      128          *:2292                     *:*                   users:(("sshd",2786,3))
LISTEN     0      128         :::2292                    :::*                   users:(("sshd",2786,4))
[root@localhost ~]#
Now try to reach the server over SSH on port 2292 from a remote client. Keep your existing session open until the new port is confirmed to work, so that a mistake in the steps above does not lock you out.
ssh -p 2292 root@192.168.56.101
* Replace 192.168.56.101 with your server's IP address.
* Replace 2292 with the new SSH port number you set while following this post.
* Replace root with a user name that is allowed to log in over SSH on your server.
If everything works from the remote client, remove port 22 from the firewall. On CentOS 7 the public zone allows port 22 through the predefined ssh service, so remove that service permanently and reload firewalld:
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload