Help Harden a CentOS Server, Change SSH Port from Default Port Number 22
To change the SSH port number, edit the SSH configuration file, sshd_config, and add the line Port XXXX, where XXXX is the required port number. Then update SELinux and iptables. This is done to help harden CentOS against the less skilled hackers. Secure Shell (SSH) is used to access a CentOS server from another computer, for example when accessing a Virtual Private Server (VPS) to perform configuration changes. CentOS is a common option for a VPS operating system. This tutorial provides details on changing the SSH default port number for a CentOS server.
Steps to Change the CentOS SSH Port Number
The following steps are performed to change default SSH port number on CentOS:
- Login to the CentOS server.
- Back up then edit the /etc/ssh/sshd_config file.
- Add the line Port XXXX to the file, where XXXX is the new port number.
- Update the SELinux policy for the new SSH port.
- Update the iptables firewall rule for the new SSH port.
- Restart the services or the server.
- Check the changes worked by connecting on the new port.
Practice and Keep A Back Up
It is recommended to practice the instructions that follow on a local test environment before doing it on a live machine. This ensures familiarity with the process and reduces the risk of making mistakes on a live server. CentOS can be configured on a local Virtual Machine (VM) to practice these changes (see the Further Information section at the end of the article). On a remote VPS, if you make a mistake reconfiguring the SSH port you may not be able to connect to it, and it will then require resetting via your service provider’s control panel. Always ensure you have a backup of any data that needs to be kept in the event the VPS needs to be reset. If SSH is the only option for configuring a remote VPS, consider other hardening options first, for example adding a sudo user for SSH login and removing the root user login over SSH. This article uses the shell (command line terminal) to change the CentOS configuration, based on a minimal CentOS install.
Edit the File sshd_config
To change the SSH port number edit the /etc/ssh/sshd_config file. Start by taking a copy in case anything goes wrong. For all commands in this article only enter the text after the # or $ prompt character, as seen on the terminal screen. Here’s the command to copy sshd_config to sshd_cfg_old:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_cfg_old
Editing is done with vi or nano. On a minimal CentOS install, typical for a VPS, nano will not be installed by default. To edit sshd_config using vi:
# vi /etc/ssh/sshd_config
Or if logged in as a user with sudo ability:
$ sudo vi /etc/ssh/sshd_config
Add the Required Port Number
Select a new port number above 1024, one that is meaningful to you so it is remembered, or pick a random one. See List of TCP and UDP Port Numbers on Wikipedia. Some admins just double up port numbers, e.g. 22 becomes 2222, but that is familiar to hackers so pick something else, e.g. pick a memorable year and double it. For example 2×1066 is 2132, so port 2132 can be remembered as “Twice Battle of Hastings”.
The Port line should be in the first page of the file, as either Port 22 or commented out as #Port 22. Go to the line. Press Insert to enter edit mode. Remove the # if present and change the port number to the required value. Press the Esc key to return to command mode and enter :wq to write out the file and quit vi.
Update SELinux with the New Port Number
If the Security Enhanced Linux module (SELinux) is running, update SELinux with the new port number. Failure to update SELinux for the new port will result in a Permission denied showing in the SELinux log. To check that SELinux is enabled, run sestatus:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Use semanage to add the new port number to SELinux. See the article RHEL 6: semanage SELinux Command Not Found on how to install the command if it is not present (e.g. if using the CentOS minimal install). For this article this command was used to find the package that provides semanage:
# yum provides /usr/sbin/semanage
And this command to install it:
# yum -y install policycoreutils-python
The port numbers for SELinux can be displayed using a semanage command (pipe to less to page through the list):
# semanage port -l | less
The list of ports includes the entry ssh_port_t tcp 22. Use semanage to add the new port number:
# semanage port -a -t ssh_port_t -p tcp 2132
Update Firewall Rules for the New Port Number
The iptables firewall rules are listed using:
There will be a rule showing that SSH is only allowed on port 22. This needs changing to the new port number. Use vi to open /etc/sysconfig/iptables:
# vi /etc/sysconfig/iptables
Go to this line:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Change 22 after --dport to the new port number, e.g. 2132 (press Insert to enter edit mode in vi):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2132 -j ACCEPT
Save and exit (Esc key then :wq). Restart iptables:
# service iptables restart
With the SSH config file changed, SELinux updated and the iptables rules updated, SSH can be restarted:
# /etc/init.d/sshd restart
As an alternative to restarting iptables and SSH, restart the CentOS server:
# shutdown -r now
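The port must agree in all three places changed above (sshd_config, SELinux and iptables) before sshd is restarted, otherwise the server stops accepting SSH logins. The script below is an added example, not part of the original article, that cross-checks them. Its function names and the /tmp/ports.txt path are its own, and it expects the output of semanage port -l saved to a file.

```shell
#!/bin/sh
# Added example (not from the article): cross-check that the SSH port is
# consistent across sshd_config, the saved iptables rules and SELinux.

# Print each port sshd will listen on: uncommented "Port N" lines, else 22.
sshd_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# Succeed if the rules file ($1) ACCEPTs TCP connections to port $2.
iptables_allows() {
    grep -Eq -e "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

# Succeed if saved `semanage port -l` output ($1) lists tcp port $2 (not a range) as ssh_port_t.
selinux_allows() {
    awk -v want="$2" '$1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == want) ok = 1 }
        } END { exit !ok }' "$1"
}

# check_port_change SSHD_CONFIG IPTABLES_RULES SEMANAGE_LISTING
# Returns 0 only if every port sshd will use is allowed by both layers.
check_port_change() {
    rc=0
    for port in $(sshd_ports "$1"); do
        iptables_allows "$2" "$port" || { echo "iptables: no ACCEPT for tcp/$port"; rc=1; }
        selinux_allows "$3" "$port" || { echo "SELinux: tcp/$port is not ssh_port_t"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files: sshd moved to 2132 but the firewall still opens 22.
demo() {
    tmp=$(mktemp -d)
    printf '#Port 22\nPort 2132\nPermitRootLogin no\n' > "$tmp/sshd_config"
    printf '%s\n' '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' > "$tmp/iptables"
    printf 'ssh_port_t                     tcp      2132, 22\n' > "$tmp/ports"
    status=0
    check_port_change "$tmp/sshd_config" "$tmp/iptables" "$tmp/ports" || status=$?
    rm -rf "$tmp"
    return "$status"
}

# On the server (as root, before restarting sshd), source this file and run:
#   semanage port -l > /tmp/ports.txt
#   check_port_change /etc/ssh/sshd_config /etc/sysconfig/iptables /tmp/ports.txt
if [ "${1:-}" = "demo" ]; then demo; fi
```

Running the script with the argument demo reports the missing iptables rule for tcp/2132 in the constructed sample and returns a non-zero status.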
Login to CentOS Using SSH to Test The New Port
On a Windows system a program such as PuTTY can be used to access a CentOS server using SSH. In this example the port number is 2132. To connect with the new port number enter it in the Port box.
With the host name or IP address also entered select Open. The terminal prompt should appear allowing for a normal login.
(Note: If accessing a CentOS VPS on a VirtualBox virtual machine on the local computer you will need to change the Network Address Translation port from 22 to the new number, see the third article listed below.)