How To Change OpenSSH Port On CentOS 7

Some webmasters believe that changing the SSH port number from the default 22 enhances security. The notion is that since the default SSH port is 22 and everyone knows it, including attackers, it isn't safe.

Changing the SSH port number to something other than 22 helps only in that casual attackers won't immediately know which port or ports SSH is listening on. This is a neat trick, but it won't stop someone who is determined to break into your servers.

Just by using a simple port scanner or similar tools, attackers can figure out every listening port on your servers. Hiding SSH on another port is an old technique that offers little real protection today.

In my opinion, the best way to protect your SSH server is to implement password-less login using key-based authentication. With this method, only machines that already hold the private key are allowed to sign on over SSH.


Another way is to configure your firewall to only allow SSH connections from a pre-defined machine whose IP address is white-listed in the firewall rules. Anything else will not enhance your server's security much.

If you still want to change the default SSH port number on your CentOS 7 system, then continue below to learn how. I am going to show you how to do that easily.


  • Changing the default SSH port on CentOS 7

To change the default SSH port, the first thing you want to do is back up the current SSH configuration on your system. To do that, run the command below.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

This creates a new file named sshd_config.bak with the current settings of the sshd_config file. If something goes wrong, you can then restore the file from the backup.

Next, run the command below to open the default SSH configuration file.

sudo vi /etc/ssh/sshd_config

When the file opens, make the change below and save the file. Un-comment (remove the #) before the line that reads Port and change the port number to the one you want to use.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2244
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Save the file.

After saving, don’t exit until you’ve completed these steps.

By default, SELinux only allows port 22 for SSH. You need to allow the newly chosen port through SELinux as well. To do that, run the command below.

sudo semanage port -a -t ssh_port_t -p tcp 2244

If you run the command above and get an error that the semanage command is not found, run the command below to install it.

sudo yum -y install policycoreutils-python

Then run the semanage command again to allow the new port through SELinux.

After that, run the command below to allow the new port through the firewall.

sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp

Reload the firewall configuration.

sudo firewall-cmd --reload

Restart SSH by running the command below.

sudo systemctl restart sshd.service

Verify that SSH is now listening on the new port by running the command below.

ss -tnlp | grep ssh
LISTEN  0  128  *:2244   *:*   users:(("sshd",10783,3))
LISTEN  0  128  :::2244  :::*  users:(("sshd",10783,4))

Exit and try signing in using the new port number.

ssh root@192.168.0.1 -p 2244
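The steps above carried through as one checked script, added here as an example that is not part of the original post. It edits the Port directive in a config file (so the edit can be tried on a copy first), and apply_live runs the SELinux, firewalld and sshd steps on a CentOS 7 host as root, leaving port 22 open in firewalld until the new port is confirmed listening; the --apply flag and the constructed sample config are my own assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): edit the Port directive safely,
# then apply the post's SELinux/firewalld/sshd steps with a check at each stage.

# Accept only an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rewrite the Port directive in FILE: uncomment "#Port 22" or replace an
# existing "Port N" line; append one if the file has no Port line at all.
set_ssh_port() {
  file=$1 port=$2
  valid_port "$port" || return 1
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
  else
    printf 'Port %s\n' "$port" >> "$file"
  fi
}

# Print the port(s) the file configures; sshd defaults to 22 when none is set.
get_ssh_port() {
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}')
  printf '%s\n' "${p:-22}"
}

# Live procedure for CentOS 7 (run as root). Port 22 stays open in firewalld
# until the new port is confirmed listening, so a mistake cannot lock you out.
apply_live() {
  port=$1
  cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak            || return 1
  set_ssh_port /etc/ssh/sshd_config "$port"                   || return 1
  sshd -t                                                     || return 1  # syntax check before restart
  semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
    semanage port -m -t ssh_port_t -p tcp "$port"             || return 1  # -m if port already defined
  firewall-cmd --permanent --zone=public --add-port="$port/tcp" || return 1
  firewall-cmd --reload                                       || return 1
  systemctl restart sshd.service                              || return 1
  ss -tnl | grep -q ":$port " || { echo "sshd is not listening on $port" >&2; return 1; }
  echo "sshd listening on $port; test a new login before removing 22 from firewalld"
}

# Hypothetical entry point: ./change_ssh_port.sh --apply 2244
if [ "${1:-}" = "--apply" ]; then apply_live "$2"; fi
```

Keep your existing session open while you test the new port from a second window; only remove port 22 from the firewall once that login works.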

Enjoy!


6 thoughts on “How To Change OpenSSH Port On CentOS 7”

  1. I have been trying to find a solution for this for days !! I am playing with a centos minimal installation that almost drove me crazy. Thank you so much!!!

  2. Great topic simple and fast :)

    Thanks.

    Just if you would like to add:
    When I did:
    sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp
    got:
    centOS FirewallD is not running

    To overcome this I did:
    systemctl enable firewalld
    systemctl start firewalld
    systemctl status firewalld

    Thanks

  3. Thanks for the direction, worked like a charm. One small thing I have noticed, at least for me, is that I have always had an issue re-enumerating SSH on a new port with the reload command, and today didn't seem to be an exception; instead I stop and start SSH.

    #systemctl stop sshd
    #systemctl start sshd

    Something to consider if you run into the same problem as me.

  4. Great tutorial, thank you. It's great how you've covered the SELinux side of it too.

    The only thing that I’d add is at the very end when you say:
    “Exit and try signing in using the new port number.”

    It would be best to say:
    “Without closing your current ssh session, open a new window and try signing in using the new port number.”
    Keeping the original window open will allow you to correct any configuration steps that you might make and stop you from being locked out of your server.

    All the best,
    Trys
