Change SSH Port from Default – Cent OS 6, Ubuntu 14.04, Fedora 20

Changing the SSH port from the default running Port (ie Port 22) will strengthen the security and prevent lot of direct shell attacs to a server or virtual host running on Linux (Cent OS 6, Ubuntu 14.04, Ubuntu 12.04 or a Fedora 20 / 19). It adds another layer of security to the server and prevent penetration by preventing protection from initial attacks, like information gathering attempts or casual threats against known vulnerabilities.

Changing SSH Port from its default running port is a must do for new servers or virtual hosting machines (vps) that runs linux. In most virutal hosts or servers, running linux on local network or act as internet server ssh is a standard way of connecting one machine to another. ssh generaly used to execute shell commands or scp and sftp are used for file transfers. It is much more secure than standard FTP.

Changing SSH Port will prevent general casual scans for security holes. Generaly the ssh is running on port 22 and most of the scnanning goes to 22 or 222 or 2222 etc. I ran an experiment with a virtual machine exposed to the internet which had sshd listening on port 22.The first day itself I got 2000 failed login attempts. Then I changed it to 4922. The second day I got 0 attempts. This is just a test for measuring the attacks. But it’s clear that moving off the standard ssh port reduces your server’s profile.

If it’s more difficult to scan for your ssh server, your chances of being attacked with an ssh server exploit are reduced. A  dedicated attacker can still figure your servers IP (perhaps via a website you host) and launch a dedicated attack of port scans. Paranoid server administrators might want to check into port knocking to reduce that probability even further.

How to Change SSH Port from Default to Another and how to Connect to It

In Cent OS 6 or Fedora 20

1. Open Terminal go root user

su -

Open the sshd_config file with text editor

vi /etc/ssh/sshd_config

Find

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Most probably near line 17

Remove the # from the starting of the line. Now ssh runs on 22. Change it to another. say for example 4922.

Port 4922

Save and Close the File.

If you restart the sshd daemon the ssh will listen on Port 4922.

But if you are using SELinux or Firewalld then the port 22 is open and 4922 is closed so you cannot directly connect to 4922.

For that you want to open port 4922

For SELinux

# semanage port -a -t ssh_port_t -p tcp 2022

Update Firewall settings

# vi /etc/sysconfig/iptables

Edit/append as follows:

 
## delete or comment out port 22 line ##
## -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
## open port 2022
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT

Save and close the file. If you are using IPv6, edit /etc/sysconfig/ip6tables file too. Temporally, stop the firewall so that you will not loos the connectivity to the server:

# service iptables stop
 # service ip6tables stop

If you are using firewalld (Fedora 20) then Add the Port open for permenant

# firewall-cmd --zone=public --add-port=4922/tcp --permanent

To get a complete list of running services in firewalld

firewall-cmd --zone=public --list-services

To get all active services in firewalld

firewall-cmd --get-services

Type the following command to restart / reload SSHD service:

service sshd restart

Verify new port settings with the following netstat command:

netstat -tulpn | grep sshd

Finally, start the firewall on a CentOS Linux:

 service iptables start

## IPv6 ##

 service ip6tables start

IF Firewalld (Fedora 20) then

service firewalld restart

Be carefull if the firewalls are not configured correctly then you cannot connect to ssh with the new port. So Before starting the firewalls check the settings are correct.

In Ubuntu 14.04 or Ubuntu 12.04

The commands are slightly different in Ubuntu.

• Open a Terminal Window and enter :

sudo vi /etc/ssh/sshd_config

• Change or add the following and save.

Port <ENTER YOUR PORT>
Protocol 2
PermitRootLogin no
DebianBanner no

• Restart SSH server, open a Terminal Window and enter :

sudo /etc/init.d/ssh restart

After these settings done try to connect to the server from a local computer .

ssh IP Address

Then you will get a message
ssh: connect to host SERVER IP port 22: Connection refused.

How to Connect to SSH with the New Port (Port 4922)

The syntax is:

ssh -p PortNumberHere [email protected]
ssh -p 4922 [email protected]192.168.1.10

ssh -p PortNumberHere [email protected] ShellCommand
ssh -p 4922 [email protected] df

How to connect to ssh server on port # 4922 using scp command?

The syntax is:

scp -P PortNumberHere source [email protected]:/path/to/dest
scp -P 4922 ubuntu.ico [email protected]:/home/smashingweb/personal/files/

How to connect to ssh server on port # 4922 using sftp command?

The syntax is:

sftp -P PortNumberHere [email protected]
sftp -P 4922 [email protected]192.168.1.5

How do I connect to ssh server on port # 4922 using rsync command?

The syntax is as follows to change SSH port number with rsync command:

sync -av -e 'ssh -p PORT-NUMBER-HERE' source [email protected]

So to backup /home/smashingweb to server1.smashingweb.info at port number 4922, enter:

rsync -av -e 'ssh -p 4922' /home/smashingweb/ [email protected]

Just update the .ssh/config file to override the port settings. This will save some time whenever using the scp command.

Open the .ssh/config file

vi ~/.ssh/config

OR

vi $HOME/.ssh/config

Add/Append the following config option for a shortcut to server1 as per our sample setup:

Host server1
     HostName server1.smashingweb.info
     User smashingweb
     Port 4922
     IdentityFile /nfs/shared/users/smashingweb/keys/server1/id_rsa

Save and close the file. To open your new SSH session to server1.smashingweb.info by typing the following command:

$ ssh server1

That is it. Also changing the SSH protocol from 1 to 2 will strengthen more security . For this just edit the /etc/ssh/sshd_config file and remove # on the Protocol line and add as

Protocol 2

Other Articles

Cyberciti

Major.io

(this reddit thread or this other one)

DigitalOcean

The Fan Club

Related articles

• How To Secure SSH Servers (linuxmoz.com)
• Linux sshd customization for the safest remote server access (searchdatacenter.techtarget.com)
• Centos 6: Setup SSH to run on startup (fortunatofusca.wordpress.com)
• SSH/OpenSSH/PortForwarding (sathishkumarblog.wordpress.com)
• Simple Security: Denyhosts and SSH on Non-Standard Ports (tummy.com)
• Top 20 OpenSSH Server Best Security Practices (cloudfaqs.wordpress.com)
• Change Default Port for SSH Service on Ubuntu 10.04+ (sirmaple.wordpress.com)
• Ubuntu 14.04 – some MySQL ecosystem notes (bytebot.net)