Change SSH port on CentOS 7 (with SELinux and Fail2Ban)
One of the most common tasks when setting up a SSH server is to change the SSH port. Changing the SSH port, as you will see in the next paragraph, is a trivial task. On CentOS, however you also have to deal with SELinux a security module made to further secure Linux. Also if you’re using Fail2Ban, a common software to prevent unauthorized access, you will have to configure that too.
Are you searching how to set up plain SSH on CentOS 7?
If you’re searching how to setup a simple ssh server I have a good article about it
Why change the SSH port?
Changing the port SSH listens to is often used as a measure to secure servers. Actually, it only prevents automated scanners (crawlers, botnets) and script kiddies from discovering you are using SSH. A serious attacker will not give up its search when port 22 refuses connection. Nevertheless, automated scanners that scan the network for known vulnerabilities take CPU time and bandwidth to be served, avoiding such attempts can indeed prove useful. However, don’t think hiding your SSH port is actually enough to secure your server, server hardening is a complex matter and it will require a broader knowledge.
Changing SSH port
Changing the SSH port is actually pretty simple, open /etc/ssh/sshd_config using your favorite editor and search for the following line:
Change 22 with the port number of your choice. Be careful: choose an unused/not-well-known port (at least >1023).
Opening the new port on firewallD
Opening a port on firewallD is easy:
# firewall-cmd --add-port YOUR_PORT_HERE/tcp
Replace YOUR_PORT_HERE with the actual port you chose in the previous step.
Adding the new port to SELinux
And now the big deal, configuring SELinux to behave with the new port. To do so simply do:
# semanage port -a -t ssh_port_t -p tcp YOUR_PORT_HERE
Of course change YOUR_PORT_HERE with the actual port you chose in the previous step. If you get an error like “ValueError: Port tcp/7222 already defined” it means the port you selected is already defined for some other service. In that case you need to start over with the tutorial and select another port. It is possible to change an already defined port, but that’s unadvisable.
This step is optional depending on whether you’re using Fail2Ban or not. If you’re using it open /etc/fail2ban/jail.conf and search for the following section:
[sshd] # To use more aggressive sshd filter (inclusive sshd-ddos failregex): #filter = sshd-aggressive port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
Change the value of port to the actual port you chose during this tutorial. For example for port 7222 the file will look like this:
[sshd] # To use more aggressive sshd filter (inclusive sshd-ddos failregex): #filter = sshd-aggressive port = 7222 logpath = %(sshd_log)s backend = %(sshd_backend)s
Fail2Ban will continue detecting possible break-in attempts even if you don’t modify the configuration, if you don’t do it however, Fail2Ban won’t be able to close the appropriate port.
Everything ready? Flip the switch (with a plan B)
Configured everything? It’s time to test the new configuration! If you followed my tips throughout the tutorial, even if something goes wrong (unless you messed the ssh file syntax) you should be able to ssh again in your server. Once you’re ready do:
# systemctl restart sshd # systemctl restart fail2ban
In this moment you might lose your ssh connection. Now, on another host, try to ssh in your server using your new port:
$ ssh USERNAME@YOUR_IP/HOSTNAME -p YOUR_NEW_PORT
If you followed this tutorial I do think you’ve been successful. If you’re not successful you should be able to ssh in your server using port 22 as before. Do so and try to spot errors reading the tutorial once more while you check for mistakes.
Mop up (Important!)
If you’ve successfully ssh’d in your server it’s time to finalize the settings and mop up. If you’re using a SSH connection to perform these steps be sure to use the new port rather than the previous one.
The first thing is to configure the ssh daemon, open /etc/ssh/sshd_config using your favorite editor and delete/comment out the following line:
In this way you will essentially tell sshd not to listen on port 22, the default one.
Now it’s time to finalize the firewall configuration:
# firewall-cmd --add-port YOUR_PORT_HERE/tcp --permanent # firewall-cmd --reload
Be sure to get the port right now, we’re almost done and a mistake here can be difficult to correct! If you actually do a mistake, port 22 should still be available, you haven’t yet restarted the daemon.
This is the final step, after these commands port 22 will be closed for good, be sure to have everything working! If you’re sure it’s time to finalize:
# systemctl restart sshd # firewall-cmd --remove-service ssh --permanent # firewall-cmd --reload
You now know how to change the ssh port on CentOS 7 also configuring the firewall, SELinux and Fail2Ban. Changing the SSH port isn’t always useful but it can be a first-step toward server hardening and it can surely save some resources if you’re getting many automated scans on your server.