Changing the SSH port from the default (Port 22) cuts down the volume of automated shell attacks hitting a server or virtual host running Linux (CentOS 6, Ubuntu 14.04, Ubuntu 12.04, Fedora 20/19). It adds a layer, not a replacement for hardening: it keeps out the casual, opportunistic traffic such as mass scans and brute-force attempts against known weaknesses, but it does not stop a targeted attacker, so combine it with key-based logins, PermitRootLogin no and a firewall.
Changing the SSH port is a sensible first step for any new Linux server or virtual hosting machine (VPS). On most virtual hosts and servers, whether on a local network or acting as an internet server, ssh is the standard way of connecting one machine to another: ssh runs shell commands, and scp and sftp transfer files over the same encrypted channel, which is far more secure than plain FTP.
Changing the SSH port will prevent general casual scans for security holes. Generally sshd runs on port 22 and most scanning goes to 22, 222, 2222 and so on. I ran an experiment with a virtual machine exposed to the internet which had sshd listening on port 22. On the first day alone I got 2000 failed login attempts. Then I changed it to 4922. The second day I got 0 attempts. This is just a test for measuring the attacks, but it's clear that moving off the standard ssh port reduces your server's profile.
If it is harder to find your ssh server, your chances of being hit by an ssh server exploit are reduced. A dedicated attacker can still work out your server's IP (perhaps via a website you host) and port-scan it to locate sshd on whatever port you chose. Paranoid server administrators might want to look into port knocking to reduce that probability even further.
How to Change SSH Port from Default to Another and how to Connect to It
In Cent OS 6 or Fedora 20
1. Open a terminal and become root:
su -
Open the sshd_config file with a text editor:
vi /etc/ssh/sshd_config
Find the following block (most probably near line 17):
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Remove the # from the start of the Port line. As shipped, ssh runs on 22; change it to another port, say 4922:
Port 4922
Save and Close the File.
After the sshd daemon is restarted, ssh will listen on port 4922.
But if you are using SELinux and/or a firewall (iptables on CentOS 6, firewalld on Fedora 20) you cannot connect to 4922 yet: SELinux only lets sshd bind to ports labelled ssh_port_t, which by default is just 22, and the firewall only accepts connections to 22. Both need to be told about 4922.
For SELinux (the semanage tool comes from the policycoreutils-python package on CentOS 6):
# semanage port -a -t ssh_port_t -p tcp 4922
Without this, sshd fails to come up on the new port with a "Bind to port 4922 ... failed: Permission denied" error. If the port is already labelled with some other type, use -m instead of -a to relabel it.
Update the firewall settings (CentOS 6 uses the iptables service):
# vi /etc/sysconfig/iptables
Edit/append as follows:
## open port 4922
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4922 -j ACCEPT
## keep the port 22 line until a login on 4922 has been verified, then delete or comment it out
## -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Save and close the file. If you are using IPv6, edit /etc/sysconfig/ip6tables too. To avoid losing connectivity while sshd is restarted, the firewall can be stopped temporarily:
# service iptables stop
# service ip6tables stop
Bear in mind that while it is stopped every port on the host is reachable, so keep that window short. The alternative needs no window at all: leave the port 22 rule active, add the 4922 rule, restart the iptables service, and remove the port 22 rule only after you have logged in over 4922.
If you are using firewalld (Fedora 20), add the port permanently:
# firewall-cmd --zone=public --add-port=4922/tcp --permanent
--permanent only writes the saved configuration; the running firewall picks it up when firewalld is reloaded or restarted (see below). To see which services the public zone currently allows (a port added with --add-port is listed by --list-ports rather than here):
firewall-cmd --zone=public --list-services
To list every predefined service firewalld knows about, active or not:
firewall-cmd --get-services
Check the edited file for syntax errors (sshd -t prints nothing when it is fine), then restart the SSHD service:
service sshd restart
Verify the new port with netstat; you should see sshd on 0.0.0.0:4922 (and :::4922 if IPv6 is enabled):
netstat -tulpn | grep sshd
Finally, start the firewall again on CentOS Linux:
service iptables start
## IPv6 ##
service ip6tables start
If you are on firewalld (Fedora 20):
service firewalld restart
(a reload of firewalld is gentler than a restart: it applies the permanent rules without dropping the running state).
Be careful: if the firewall is not configured correctly you will not be able to reach ssh on the new port. So before starting the firewall, check that the settings are correct, and keep your current session open until a second login on 4922 from another terminal has succeeded.
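The procedure above, scripted as an added example (this is not code from the article). The point it adds is that sshd accepts several Port lines, so you can listen on 22 and 4922 at the same time, open SELinux and the firewall for 4922, verify a login, and only then drop 22, which removes the lockout window that stopping the firewall creates. The file-editing functions are exercised on a constructed sample config; allow_port and the opt-in SSHD_APPLY block use the semanage, firewall-cmd, iptables, service and netstat commands from the article and assume a CentOS 6 or Fedora 20 host. 4922 is the article's sample port; the backup file name /etc/ssh/sshd_config.bak is an assumption.

```shell
#!/bin/sh
# Added example, not from the article: stage the port change so you never lock
# yourself out. sshd honours several "Port" lines, so the safe order is
#   1. listen on 22 AND the new port,  2. open SELinux/firewall for the new port,
#   3. log in once on the new port,    4. drop 22.
# 4922 is the article's sample port; the demo edits a constructed temp file,
# not the live /etc/ssh/sshd_config.

# validate_port PORT -> true if PORT is an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
}

# ssh_set_ports CONFIG PORT [PORT...]
# Drops every existing "Port N" / "#Port N" line from CONFIG and puts one
# "Port N" line per argument at the top, so there is exactly one source of truth.
ssh_set_ports() {
    local cfg p tmp
    cfg=$1; shift
    for p in "$@"; do
        validate_port "$p" || { echo "ssh_set_ports: bad port '$p'" >&2; return 1; }
    done
    tmp=$(mktemp) || return 1
    {
        for p in "$@"; do printf 'Port %s\n' "$p"; done
        grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$' "$cfg" || :
    } > "$tmp" && cat "$tmp" > "$cfg"      # cat keeps CONFIG's owner and mode
    rm -f "$tmp"
}

# ssh_effective_ports CONFIG -> the ports sshd would bind, space separated (22 if none set)
ssh_effective_ports() {
    local ports
    ports=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1" | tr '\n' ' ')
    ports=${ports% }
    printf '%s\n' "${ports:-22}"
}

# allow_port PORT: the SELinux / firewall steps from the article, for a real box.
# Needs root; semanage is in policycoreutils-python on CentOS 6.
allow_port() {
    local port=$1
    if command -v semanage >/dev/null 2>&1; then
        # -a fails if the port already carries a label; then use -m to relabel it
        semanage port -a -t ssh_port_t -p tcp "$port"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then            # Fedora 20
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    elif command -v iptables >/dev/null 2>&1; then              # CentOS 6
        iptables -I INPUT -m state --state NEW -p tcp --dport "$port" -j ACCEPT
        service iptables save                                   # persist to /etc/sysconfig/iptables
    fi
}

# demo: the two stages against a constructed sample config (no root needed)
demo() {
    local sample
    sample=$(mktemp)
    printf '%s\n' '#Port 22' '#AddressFamily any' 'PermitRootLogin no' > "$sample"
    ssh_set_ports "$sample" 22 4922     # stage 1: both ports
    ssh_effective_ports "$sample"       # prints: 22 4922
    ssh_set_ports "$sample" 4922        # stage 2, only after a login on 4922 succeeded
    ssh_effective_ports "$sample"       # prints: 4922
    rm -f "$sample"
}

# Real run of stage 1, opt-in because it edits the live config:  SSHD_APPLY=1 sh this.sh
if [ "${SSHD_APPLY:-0}" = 1 ]; then
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak &&
    ssh_set_ports /etc/ssh/sshd_config 22 4922 &&
    sshd -t &&                          # syntax check before restarting
    allow_port 4922 &&
    service sshd restart &&
    netstat -tlnp | grep sshd           # expect both :22 and :4922
else
    demo
fi
```

Run it as-is to see the demo on a temp file. With SSHD_APPLY=1 as root it performs stage 1 on the live config; once ssh -p 4922 works from a second terminal, call ssh_set_ports /etc/ssh/sshd_config 4922, restart sshd and remove the port 22 firewall rule to finish.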
In Ubuntu 14.04 or Ubuntu 12.04
The commands are slightly different in Ubuntu.
- Open a terminal window and enter:
sudo vi /etc/ssh/sshd_config
- Change or add the following lines and save:
Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no
Protocol 2 disables the obsolete SSH-1 protocol, PermitRootLogin no makes an attacker guess a username as well as a password, and DebianBanner no stops sshd from appending the Debian/Ubuntu package version to its banner, which scanners use for fingerprinting.
- If ufw is enabled, allow the new port in it first (otherwise you lock yourself out exactly as with iptables above). Then restart the SSH server from a terminal window:
sudo /etc/init.d/ssh restart
Once these settings are in place, try connecting from another computer without specifying a port:
ssh IP-Address
You should get
ssh: connect to host SERVER IP port 22: Connection refused.
which confirms that nothing listens on 22 any more (if the firewall silently drops packets instead of rejecting them you will see a connection timeout rather than a refusal).
How to Connect to SSH with the New Port (Port 4922)
The syntax is:
ssh -p PortNumberHere user@host
ssh -p 4922 smashingweb@192.168.1.10
To run a single command instead of an interactive shell:
ssh -p PortNumberHere user@host ShellCommand
ssh -p 4922 smashingweb@server1.smashingweb.info df
How to connect to ssh server on port # 4922 using scp command?
The syntax is (note the capital -P, unlike ssh):
scp -P PortNumberHere source user@host:/path/to/dest
scp -P 4922 ubuntu.ico smashingweb@server1.smashingweb.info:/home/smashingweb/personal/files/
How to connect to ssh server on port # 4922 using sftp command?
The syntax is (again a capital -P):
sftp -P PortNumberHere user@host
sftp -P 4922 smashingweb@192.168.1.5
How do I connect to ssh server on port # 4922 using rsync command?
rsync has no port option of its own; the port is passed to the ssh command it spawns via -e:
rsync -av -e 'ssh -p PORT-NUMBER-HERE' source user@host:/path/to/dest/
So to back up /home/smashingweb to server1.smashingweb.info on port 4922, enter:
rsync -av -e 'ssh -p 4922' /home/smashingweb/ smashingweb@server1.smashingweb.info:/path/to/dest/
Rather than typing the port every time, put the host in your .ssh/config: ssh, scp, sftp and rsync (which calls ssh) all read it, so the port flag becomes unnecessary.
Open the .ssh/config file
vi ~/.ssh/config
OR
vi $HOME/.ssh/config
Add/Append the following config option for a shortcut to server1 as per our sample setup:
Host server1
HostName server1.smashingweb.info
User smashingweb
Port 4922
IdentityFile /nfs/shared/users/smashingweb/keys/server1/id_rsa
Save and close the file. To open your new SSH session to server1.smashingweb.info by typing the following command:
$ ssh server1
That is it. One more hardening step: setting Protocol 2 explicitly disables the old SSH-1 protocol, which has known cryptographic weaknesses. The OpenSSH versions shipped with these distributions already default to protocol 2, but stating it rules out a "2,1" fallback being left in the file. Edit /etc/ssh/sshd_config, remove the # from the Protocol line and set:
Protocol 2