Change SSH port on CentOS 7 (with SELinux and Fail2Ban)


One of the most common tasks when setting up an SSH server is to change the port it listens on. Changing the port itself, as you will see below, is trivial. On CentOS, however, you also have to deal with SELinux, a mandatory access control module that, among other things, restricts which ports sshd is allowed to bind. And if you're using Fail2Ban, the log scanner that bans addresses after repeated failed logins, you will have to update its configuration too, or it will keep blocking the old port instead of the new one.

Are you looking for how to set up plain SSH on CentOS 7?

If you're looking for how to set up a simple SSH server, I have a good article about that.

Important
I take absolutely NO responsibility for what you do with your machine; use this tutorial as a guide and remember that you can cause data loss, or lock yourself out, if you change things carelessly.

Why change the SSH port?

Changing the port SSH listens on is often presented as a way to secure a server. In practice it only keeps the laziest automated scanners (crawlers, botnets) and script kiddies, which try port 22 and nothing else, out of your logs. A serious attacker will not give up when port 22 refuses the connection: a port scan finds the new port in seconds, and the banner sshd sends on connect identifies it as SSH. Nevertheless, automated scanners that probe for known vulnerabilities cost CPU time, bandwidth and log space to serve, so avoiding those attempts is useful. Don't think hiding your SSH port is enough to secure your server; server hardening is a broader matter and requires broader knowledge.

Changing SSH port

Warning!
Messing with the SSH daemon, the firewall and SELinux can lock you out if you are doing this over SSH. Imagine using an SSH connection to change the SSH port: you run a command and are suddenly cut off from your server. If you can reach the machine physically (or through a console) that is not a problem, but if you can't, you're on your own.

Throughout the tutorial, review the commands carefully; I will also provide tips to avoid losing your connection if you're working over SSH. Keep the session you are working in open until the very end: restarting sshd does not drop established sessions (the sshd unit on CentOS 7 only kills the listener), so that session is your safety net.

Changing the SSH port is actually pretty simple: open /etc/ssh/sshd_config with your favorite editor and look for the following line (on a stock CentOS 7 install it is commented out as #Port 22, which means the default, 22):

Port 22

Replace 22 with the port number of your choice. Be careful to choose an unused, not-well-known port above 1023, so it is not one reserved for another service; you can check that nothing is listening on it with ss -ltn. One trade-off to keep in mind: any local user can bind a port above 1023, so if sshd is ever down an unprivileged process could claim it, and the SELinux label added below does not prevent that for unconfined users.

Tip!

For the time being, I suggest you leave two Port lines defined, so you can test the new one and still have a fallback in case you're using an SSH connection to perform these steps. For example, if you want SSH on port 7222 your file will contain:

Port 22
Port 7222

We will remove Port 22 toward the end of the tutorial, when you’re sure everything works as intended.
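The edit above, done as a small script rather than by hand. This is an added example, not code from the original tutorial; it assumes a stock CentOS 7 sshd_config (the sample below is constructed to resemble one) and the port 7222 used in the text. It inserts the new Port line right after the existing one instead of appending it to the end of the file, because a Port directive that lands after a Match block is rejected by sshd, and it leaves Port 22 in place as the fallback the tip describes.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: edit sshd_config with a
# fallback port, the way the tip above describes, but in a repeatable way.
set -eu

# Constructed sample resembling the top of a stock CentOS 7 sshd_config: the
# default port is present only as a comment, and a commented Match block
# sits at the end (a Port line appended after it would be a syntax error).
SAMPLE_SSHD_CONFIG='#Port 22
#AddressFamily any
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
#Match User anoncvs
#   X11Forwarding no'

# Print the ports sshd would listen on according to FILE (active Port lines).
active_ports() {                    # active_ports FILE
    awk '$1 == "Port" { print $2 }' "$1"
}

# Add "Port PORT" to FILE, once. It goes right after the first Port line,
# activating a commented "#Port 22" so the default stays as the fallback.
# If the file has no Port line at all, the directive is put at the top,
# which is always before any Match block.
add_ssh_port() {                    # add_ssh_port FILE PORT
    file=$1; port=$2
    if grep -qx "Port $port" "$file"; then
        return 0                    # already there: idempotent
    fi
    if grep -q '^#\{0,1\}Port [0-9]' "$file"; then
        awk -v p="$port" '
            !done && /^#?Port [0-9]+$/ { sub(/^#/, ""); print; print "Port " p; done = 1; next }
            { print }
        ' "$file" > "$file.tmp"
    else
        { echo "Port $port"; cat "$file"; } > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Mop-up step: comment out "Port PORT" so sshd stops listening there after
# the next restart. Commenting rather than deleting keeps the history visible.
drop_ssh_port() {                   # drop_ssh_port FILE PORT
    awk -v p="$2" '$0 == "Port " p { $0 = "#" $0 } { print }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Walk through the tutorial on a temporary copy of the sample and print the
# listening ports after each step.
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"
    add_ssh_port "$f" 7222
    printf 'after staging: %s\n' "$(active_ports "$f" | tr '\n' ' ')"   # 22 7222
    drop_ssh_port "$f" 22
    printf 'after mop-up:  %s\n' "$(active_ports "$f" | tr '\n' ' ')"   # 7222
    rm -f "$f"
}
demo
```

Against the real file, as root: add_ssh_port /etc/ssh/sshd_config 7222, then sshd -t to let sshd parse the result before anything is restarted; drop_ssh_port is the mop-up step at the end of the tutorial.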

Opening the new port on firewallD

Opening a port on firewallD is easy:

# firewall-cmd --add-port YOUR_PORT_HERE/tcp

Replace YOUR_PORT_HERE with the actual port you chose in the previous step.

Tip!
This command opens the port in the runtime configuration only: it is lost on the next firewall-cmd --reload or reboot. We will make the setting permanent once you're sure everything works as intended. If you're sure about what you're doing, add --permanent to the previous command, followed by firewall-cmd --reload, because --permanent alone does not touch the running rules.

Adding the new port to SELinux

And now the big deal: telling SELinux that sshd may bind the new port. The policy only lets sshd listen on ports labelled ssh_port_t (by default just 22), so without this step sshd fails to bind the new port and logs an AVC denial. To add the label:

# semanage port -a -t ssh_port_t -p tcp YOUR_PORT_HERE

Of course, change YOUR_PORT_HERE to the port you chose. semanage comes from the policycoreutils-python package on CentOS 7; install it with yum if the command is missing. If you get an error like "ValueError: Port tcp/7222 already defined", the port you selected is already labelled for some other service. In that case start over with another port. It is possible to relabel an already defined port with semanage port -m, but that is inadvisable, because it takes the port away from the service the policy assigned it to. Check the result with semanage port -l | grep ssh_port_t, which should now list both 22 and your port.

Tip!
Many people will tell you to turn SELinux off altogether. That's bad advice: SELinux is an important mechanism for further securing your server, and this tutorial does not turn it off.

Configuring Fail2Ban

This step is optional, depending on whether you're using Fail2Ban. If you are, the sshd jail is defined in /etc/fail2ban/jail.conf; look for the following section there. Fail2Ban's own comments ask you not to edit that file, since it is overwritten on package updates, but to override it in /etc/fail2ban/jail.local or a file under /etc/fail2ban/jail.d/.

[sshd]

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Set port to the port you chose during this tutorial. Put the changed section in /etc/fail2ban/jail.local rather than editing jail.conf in place (only the lines you change need to be there; if your sshd jail is switched on from jail.local, keep its enabled = true line). For example, for port 7222 the section looks like this:

[sshd]

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port    = 7222
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Fail2Ban will keep detecting break-in attempts even if you don't change this, because detection works on the log file named by logpath, not on the port. The ban action, however, uses the port value to decide which port to block, so with port = ssh it would keep blocking port 22 while the attacker's connections to the new port go through.

Tip!
You can also specify multiple comma-separated values, such as ssh,7222, which is handy while both ports are still open.
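The override and the check that goes with it, as an added example that is not part of the original tutorial. It writes the sshd jail change to jail.local and then reads the jail files in the order Fail2Ban does to show which port the jail would actually ban on; the sample jail.conf below is constructed from the section quoted above, and the file paths and port 7222 are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: put the Fail2Ban override
# in jail.local and check which port the sshd jail will actually ban on.
set -eu

# Constructed sample of the relevant part of /etc/fail2ban/jail.conf as
# shipped (the [sshd] section matches the one quoted in the text).
SAMPLE_JAIL_CONF='[DEFAULT]
port = 0:65535

[sshd]

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s'

# Effective "port" of the [sshd] jail, reading the files in the order Fail2Ban
# does (jail.conf first, then jail.local); the last assignment wins.
sshd_jail_port() {                  # sshd_jail_port FILE...
    awk '
        FNR == 1  { insshd = 0 }                  # new file: outside any section
        /^\[/     { insshd = ($0 == "[sshd]") }
        insshd && /^port[ \t]*=/ {
            sub(/^port[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print (val == "" ? "(unset)" : val) }
    ' "$@"
}

# Write the override. jail.conf is replaced on package updates, so the change
# belongs in jail.local (or a file under jail.d/), not in jail.conf itself.
# enabled = true is what switches the jail on in the EPEL package, where all
# jails default to disabled; keep it if you already had it.
write_sshd_jail_local() {           # write_sshd_jail_local FILE PORTS
    printf '[sshd]\nenabled = true\nport = %s\n' "$2" > "$1"
}

# Show the failure mode (stock config bans on "ssh", i.e. 22) and the fix.
demo() {
    conf=$(mktemp); override=$(mktemp)
    printf '%s\n' "$SAMPLE_JAIL_CONF" > "$conf"
    printf 'stock jail.conf only: bans on port %s\n' "$(sshd_jail_port "$conf")"                 # ssh
    write_sshd_jail_local "$override" "ssh,7222"
    printf 'with jail.local:      bans on port %s\n' "$(sshd_jail_port "$conf" "$override")"     # ssh,7222
    rm -f "$conf" "$override"
}
demo
```

On the server, write_sshd_jail_local /etc/fail2ban/jail.local ssh,7222 followed by the fail2ban restart in the next section; fail2ban-client status sshd then shows the jail is up, and fail2ban-client -d dumps the configuration Fail2Ban actually loaded, including the port it resolved.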

Everything ready? Flip the switch (with a plan B)

Configured everything? It's time to test the new configuration. First run sshd -t: it checks the syntax of sshd_config without restarting anything and prints nothing on success, whereas a mistake it reports would otherwise leave you with a daemon that refuses to start. If you followed my tips throughout the tutorial, even if something else goes wrong you should still be able to ssh into your server. Once you're ready:

# systemctl restart sshd
# systemctl restart fail2ban

At this point you might lose your SSH connection (normally you won't: established sessions survive an sshd restart). Now, from another host, try to ssh into your server using the new port:

$ ssh USERNAME@YOUR_IP/HOSTNAME -p YOUR_NEW_PORT

If you followed this tutorial, that should have worked. If it didn't, you should still be able to ssh into your server on port 22 as before. Do so and look for the mistake while you reread the tutorial: sshd -t for configuration errors, journalctl -u sshd for bind failures, ausearch -m avc -ts recent for SELinux denials, and firewall-cmd --list-ports to confirm the port is open.

Mop up (Important!)

If you've successfully ssh'd into your server, it's time to finalize the settings and mop up. If you're using an SSH connection to perform these steps, be sure to do so over the new port rather than the old one, so that closing port 22 cannot cut you off.

SSH daemon

The first thing is to tell sshd to stop listening on the old port: open /etc/ssh/sshd_config with your favorite editor and delete or comment out the following line:

Port 22

This tells sshd to stop listening on port 22, the default, once it is restarted; nothing changes until then.

FirewallD

Now it’s time to finalize the firewall configuration:

# firewall-cmd --add-port YOUR_PORT_HERE/tcp --permanent
# firewall-cmd --reload

Be sure to get the port right here; we're almost done and a mistake at this point can be hard to correct. If you do make a mistake, port 22 is still available, because you haven't restarted the daemon yet. You can confirm the stored rule with firewall-cmd --permanent --list-ports.

Finalizing

This is the final step. After these commands port 22 will be closed for good, so be sure everything works (a successful login on the new port from another host). If you're sure, run them, then verify with ss -ltn that sshd now listens only on the new port and with firewall-cmd --list-all that the ssh service is gone:

# systemctl restart sshd
# firewall-cmd --remove-service ssh --permanent
# firewall-cmd --reload
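The whole procedure as one reviewable script, added here as an example; it is not part of the original tutorial. It runs the page's commands in the same order, with the checks a practitioner wants around them: the port is validated, sshd -t runs before every restart so a typo cannot leave you with a daemon that will not start, the SELinux and firewalld steps are skipped when already done, and the mop-up refuses to run unless sshd is actually listening on the new port. The port 7222, the config path and the script name are assumptions, and the sshd_config edit that adds the second Port line (keeping Port 22) is left to you, as described earlier. By default it only prints what it would run.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: the privileged steps of
# this page in their working order, with the checks you want before each one.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 as root runs them.
#   ./ssh-port-change.sh stage     # after editing sshd_config with both ports
#   ./ssh-port-change.sh finalize  # after a login on the new port succeeded
set -eu

NEW_PORT="${NEW_PORT:-7222}"                         # example port from the text
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
DRY_RUN="${DRY_RUN:-1}"

# Every command that changes the system goes through here.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY: %s\n' "$*"
    else
        "$@"
    fi
}

# Numeric, above the privileged range (as the text recommends), within 16 bits,
# and not the default we are moving away from.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# State queries. In DRY_RUN they answer "not done yet" so every step is shown.
selinux_has_port() {
    [ "$DRY_RUN" = 0 ] && semanage port -l | grep '^ssh_port_t' | grep -qw "$1"
}
firewall_has_port() {
    [ "$DRY_RUN" = 0 ] && firewall-cmd --query-port "$1/tcp" >/dev/null 2>&1
}

# The firewall, SELinux and Fail2Ban steps plus the restart. Port 22 must still
# be listed in sshd_config next to the new port at this stage.
stage() {
    valid_port "$NEW_PORT" || { echo "refusing port '$NEW_PORT'" >&2; return 1; }
    if [ "$DRY_RUN" = 0 ] && ! grep -qx "Port $NEW_PORT" "$SSHD_CONFIG"; then
        echo "add 'Port $NEW_PORT' to $SSHD_CONFIG first (and keep Port 22)" >&2
        return 1
    fi
    selinux_has_port "$NEW_PORT"  || run semanage port -a -t ssh_port_t -p tcp "$NEW_PORT"
    firewall_has_port "$NEW_PORT" || run firewall-cmd --add-port "$NEW_PORT/tcp"
    run sshd -t -f "$SSHD_CONFIG"      # a broken config stops us here, before the restart
    run systemctl restart sshd
    run systemctl restart fail2ban
}

# Mop-up, only once a login on the new port from another host has worked.
finalize() {
    if [ "$DRY_RUN" = 0 ] && ! ss -ltn | grep -q ":$NEW_PORT "; then
        echo "nothing is listening on $NEW_PORT; not closing port 22" >&2
        return 1
    fi
    run sed -i "s/^Port 22\$/#Port 22/" "$SSHD_CONFIG"   # comment out the fallback
    run sshd -t -f "$SSHD_CONFIG"
    run firewall-cmd --add-port "$NEW_PORT/tcp" --permanent
    run firewall-cmd --remove-service ssh --permanent
    run systemctl restart sshd          # established sessions survive this
    run firewall-cmd --reload           # runtime = permanent: new port open, 22 closed
}

case "${1:-}" in
    stage)    stage ;;
    finalize) finalize ;;
esac
```

Run stage from your current session, log in on the new port from a second terminal, and only then run finalize from that new session. The session on port 22 survives the restarts because the sshd unit only kills the listener, so keep it open until the new port is confirmed working; afterwards ss -ltn should show sshd on the new port only.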

Conclusion

You now know how to change the SSH port on CentOS 7, including the firewall, SELinux and Fail2Ban side of it. Changing the SSH port isn't a security measure by itself, but it can be a first step toward server hardening, and it will save some resources if your server gets many automated scans.

Image courtesy of Kev-shine
mark
