Cyberithub

7 Easy Steps to Change ssh port number in Linux(RedHat/CentOS 7)

In this article, I will take you through the steps to change default ssh port number in Linux. ssh is known as secure shell which is used to establish connection with remote host securely on default ssh port number 22. Sometimes due to some security reason or to stop any kind of brute force attacks, you want to change the default port to some another port.

This can be easily achieved by changing the ssh port number in ssh configuration file. We will now go ahead and check the steps to change the default port below.

7 Easy Steps to Change ssh port number in Linux(RedHat/CentOS 7) 1

Change SSH Port Number

Also Read: 8 Popular Linux cp command Examples for Professionals

1. Change SSH Port Number in sshd_config

First, you need to change the ssh port number /etc/ssh/sshd_config file to some free port say 4800 in this case. Please make sure that selected port is free and not being used in any other services.

[root@sshserver ~]# vi /etc/ssh/sshd_config
Port 4800

Now you can press Esc. Then save and exit by using wq! . This will save the file and exit out.

2. Restart sshd service

Once ssh port number is changed, you need to restart sshd service using systemctl restart sshd command for the changes to reflect.

[root@sshserver ~]# systemctl restart sshd

or, you can also restart your sshd service through traditional way by running service sshd restart command.

[root@sshserver ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service

3. Check sshd service status

Now you can check the sshd service status by using systemctl status sshd command. As you can see from below output, sshd service is running from past 1 min 7 s and server is listening on Port 4800.

[root@sshserver ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-03-28 05:09:06 EST; 1min 7s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 3758 (sshd)
CGroup: /system.slice/sshd.service
└─3758 /usr/sbin/sshd -D

Mar 28 05:09:06 znode3 systemd[1]: Starting OpenSSH server daemon...
Mar 28 05:09:06 znode3 sshd[3758]: Server listening on :: port 4800.
Mar 28 05:09:06 znode3 systemd[1]: Started OpenSSH server daemon.
Mar 28 05:09:06 znode3 sshd[3758]: Server listening on 0.0.0.0 port 4800.

NOTE:

Please note that instead of replacing Port 22 in sshd_config, it will be a good idea to add another Port 4800 in next line to open both Port 22 and 4800 in case something goes wrong with the configuration and you lose the ssh connection of the remote system. This is specially needs to be taken care when the Server is geographically separated and you don’t have physical access of the remote server.

4. Check selinux status

Now you need to check the selinux status by running sestatus command to make sure it will not be blocking any requests. As you can see from below output, current mode is set to permissive which means it will not enforce any selinux policies but will only show the warnings. You can also disable selinux if you want to completely switch it off. You can refer to Best Way to Disable SELinux on CentOS/RedHat 7 to know more about disabling SELinux.

[root@sshserver ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

You can also disable SELinux by setting SELinux=disabled as you can see below.

[root@sshserver ~]# cat /etc/selinux/config
SELINUX=disabled

Now press ESC and then wq! to save and exit.

5. Restart your system

For the selinux policy to take effect, you need to reboot your system using init 6 command once.

[root@sshserver ~]# init 6

or, you can also run reboot command to restart your system.

[root@sshserver ~]# reboot

6. Allow port 4800 through your firewall

You also need to allow ssh Port 4800 from firewall to allow the connections on this port.

[root@sshserver ~]# firewall-cmd --permanent --add-port=4800/tcp
success

Sometimes it might happen that you do not want firewalld service running and you want to stop it completely. In that case you can stop the service by running systemctl stop firewalld command as shown below.

[root@sshserver ~]# systemctl stop firewalld

Check Firewalld Status. Now you can notice that firewalld service went to Inactive state and hence not running.

[root@sshserver ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Sat 2020-03-28 05:23:27 EST; 25s ago
Docs: man:firewalld(1)
Process: 5715 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 5715 (code=exited, status=0/SUCCESS)

Mar 28 05:18:48 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 28 05:18:49 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 28 05:18:50 localhost firewalld[5715]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o ...ain?).
Mar 28 05:18:50 localhost firewalld[5715]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o ...ain?).
Mar 28 05:23:24 localhost systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 28 05:23:27 localhost systemd[1]: Stopped firewalld - dynamic firewall daemon.

NOTE:

Please make sure to check ssh Port 4800 is open and allowed through IPTABLES also in case IPTABLES is active in your system. If it is not allowed, you can check 30 Most Popular IPTABLES Command in Linux to allow this port through IPTABLES firewall.

7. Check port connection

Now you can try to telnet ssh Port 4800 from another system and check if the ssh port is open or not. As you can see from below output, ssh Port 4800 is now open and getting connected remotely.

[root@localhost ~]# telnet 192.168.0.110 4800
Trying 192.168.0.110...
Connected to 192.168.0.110.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4

 

 

Also Read: How to Configure SSH Host Based Authentication Per User

Leave a Comment