
How to change the SSH port on CentOS 6, 7, and 8

SSH stands for Secure Shell, and sshd is the Secure Shell daemon: a network service for logging in to Linux systems remotely over an untrusted network through an encrypted channel built on strong cryptography. By default sshd listens on TCP port 22. Moving it to another port does not stop a targeted attacker, but it cuts the noise from automated scans and brute-force attempts aimed at port 22, so it is a cheap extra layer on top of the server's other defences. This post walks through changing the SSH port on CentOS 6, 7, and 8 (the CentOS 6 procedure also applies to CentOS 5).

23 Sep, 20 by Susith Nonis 14 min Read

Detailed tutorial on how to change the SSH Port

 

How to change SSH port on CentOS 6

The default is TCP port 22, but you can make sshd listen on any port you choose.

  • First, open the SSH daemon's configuration file in a text editor (the steps below use vi):

/etc/ssh/sshd_config

  • Then set the port with one of these directives:

Port PortNumberHere

Or

ListenAddress IPv4Address:Port

ListenAddress IPv6Address:Port

ListenAddress Hostname:Port

  • A ListenAddress without a port listens on that address using every Port option given before it; several ListenAddress lines are allowed in sshd_config.
  • To run SSH on a non-standard port, 2022 in this example, with the Port option, open the file:

# vi /etc/ssh/sshd_config

  • Edit (or add) the Port line so that it reads as follows, then save the file:

Port 2022

  • To run SSH on port 2022 with the ListenAddress option instead, bind sshd to specific addresses as follows:

## bind sshd to two IP address on a non-standard port ##

ListenAddress 192.168.1.5:2022

ListenAddress 203.1.2.3:2022

  • Save and close the file once the edit is done.
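The Port and ListenAddress directives interact in a way that is easy to get wrong, so here is an added shell example (not part of the original tutorial) that works on a copy of sshd_config: sshd_effective_ports prints the ports sshd would actually bind for a given file, following the rules just described, and sshd_set_port rewrites the Port directive safely (numeric, above 1023, replacing the first existing Port or #Port line rather than appending, because Port is not accepted inside a trailing Match block). The function names, the 1024 lower bound and the .bak file name are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): work on a copy of sshd_config
# so the Port / ListenAddress rules can be checked before touching /etc/ssh.

# Print, sorted and space-separated, the TCP ports sshd would bind for the
# config file $1, following sshd_config(5): a ListenAddress carrying a port
# uses that port; a ListenAddress without one (or no ListenAddress at all)
# uses every Port directive, and the default is 22 when no Port is given.
sshd_effective_ports() {
  awk '
    { sub(/#.*/, "") }                                   # strip comments
    tolower($1) == "port" { portopt[$2] = 1; nport++ }
    tolower($1) == "listenaddress" {
      nlisten++
      a = $2
      # [ipv6]:port, ipv4:port and host:port carry an explicit port
      if (a ~ /^\[.*\]:[0-9]+$/ || (a !~ /^\[/ && a ~ /^[^:]+:[0-9]+$/)) {
        n = split(a, f, ":"); explicit[f[n]] = 1
      } else {
        bare++                                           # address only
      }
    }
    END {
      if (nport == 0) portopt["22"] = 1
      if (nlisten == 0 || bare > 0) for (p in portopt) explicit[p] = 1
      for (p in explicit) print p
    }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Set a single Port directive in the config file $1 to port $2. The port must
# be numeric, unprivileged (>1023, as the tutorial advises) and at most 65535.
# The first existing "Port" or "#Port" line is replaced in place and any other
# active Port line dropped; if none exists the directive goes at the top,
# never at the end, because Port is not allowed inside a trailing Match block.
# A copy of the original is kept as $1.bak.
sshd_set_port() {
  file="$1"; port="$2"
  case "$port" in
    ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
  esac
  if [ "$port" -le 1023 ] || [ "$port" -gt 65535 ]; then
    echo "choose an unused port between 1024 and 65535" >&2; return 1
  fi
  cp "$file" "$file.bak"
  if grep -q -E '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$file"; then
    awk -v port="$port" '
      /^[[:space:]]*#?[[:space:]]*Port[[:space:]]/ {
        if (!done) { print "Port " port; done = 1 }   # replace first occurrence
        else if ($1 ~ /^#/) print                     # leave other comments alone
        next                                          # drop duplicate active Port lines
      }
      { print }' "$file" > "$file.tmp"
  else
    { printf 'Port %s\n' "$port"; cat "$file"; } > "$file.tmp"
  fi
  mv "$file.tmp" "$file"
}
```

Try it on a copy (cp /etc/ssh/sshd_config /tmp/sshd_config.test) and, once the real file is edited, validate it with sshd -t before reloading; a syntax error there leaves you with a daemon that will not start.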

Remember to update the following before you restart sshd (or the system) and the change takes effect, otherwise you can lock yourself out:

  1. SELinux configuration
  2. Firewall settings
  3. fail2ban settings

SELinux configuration

If SELinux is enabled, add TCP port 2022 to the port contexts allowed for the OpenSSH server:

# semanage port -a -t ssh_port_t -p tcp 2022

 

Update firewall settings

  • Update the firewall so that users can log in on TCP port 2022: edit /etc/sysconfig/iptables and open port 2022 for sshd:

# vi /etc/sysconfig/iptables

  • Change the rules as follows:

## delete or comment out port 22 line ##

## -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

## open port 2022

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT

  • Once you edit the values, save and close the file.
  • If you use IPv6, edit /etc/sysconfig/ip6tables as well. Then temporarily stop the firewall by typing:

# service iptables stop

# service ip6tables stop

 

Fail2ban settings

Fail2ban scans log files and bans the IP addresses behind malicious activity such as repeated password failures on SSH logins or exploitation attempts. If it is installed, update its sshd jail so that it watches the new port (the CentOS 7 section below shows the jail.conf setting).

  • Now reload the sshd service with the following command:

# service sshd reload

  • Then verify the new port with this netstat command:

# netstat -tulpn | grep sshd

  • Now start the firewall again:

# service iptables start

## IPv6 ##

# service ip6tables start

  • Connect to the SSH server on port 2022 with the ssh command:

ssh -p PortNumberHere user@server-name-here

ssh -p PortNumberHere user@server-name-here commandNameHere

ssh -p 2022 XYZ@192.168.1.5

ssh -p 2022 XYZ@192.168.1.5 df

  • To copy files over port 2022 with scp, type:

scp -P PortNumberHere source user@server-name-here:/path/to/dest

scp -P 2022 resume.pdf XYZ@nas01:/backups/personal/XYZ/files/

  • To connect on port 2022 with sftp, type:

sftp -P PortNumberHere user@server-name-here

sftp -P 2022 XYZ@192.168.1.5

  • To connect on port 2022 with rsync, pass the port number through its -e option:

rsync -av -e 'ssh -p PORT-NUMBER-HERE' source user@server-name:/path/to/dest

  • So, to back up /home/XYZ to server1.XYZ.net.in on port 2022, enter:

rsync -av -e 'ssh -p 2022' /home/XYZ/ backupop@server1.XYZ.net.in:

 

How to change SSH port on CentOS 7

In this section we cover changing the SSH port on CentOS 7. It is simple, but follow every step to avoid errors, in particular the SELinux and firewall steps.

First, open /etc/ssh/sshd_config, find the Port 22 line and set it to an unused, non-well-known port (greater than 1023).

To open the port in firewalld, use the following command:

# firewall-cmd --add-port YOUR_PORT_HERE/tcp

SELinux Configuration

Configure SELinux to permit the new port by typing the following:

# semanage port -a -t ssh_port_t -p tcp YOUR_PORT_HERE

 

Fail2Ban Settings

  • Open /etc/fail2ban/jail.conf and find the following section:

[sshd]

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):

#filter = sshd-aggressive

port = ssh

logpath = %(sshd_log)s

backend = %(sshd_backend)s

  • Change port to the actual port number you chose (7222 in this example):

[sshd]

# To use more aggressive sshd filter (inclusive sshd-ddos failregex):

#filter = sshd-aggressive

port = 7222

logpath = %(sshd_log)s

backend = %(sshd_backend)s

  • With this change, Fail2Ban applies its bans to the port sshd actually uses.
  • Restart both services so the new configuration takes effect:

# systemctl restart sshd

# systemctl restart fail2ban

  • You can now try to ssh into the server on the new port:

$ ssh USERNAME@YOUR_IP/HOSTNAME -p YOUR_NEW_PORT

  • Once the steps above work, finalize the settings and clean up so that only the new port is used.
  • Open /etc/ssh/sshd_config and delete or comment out the Port 22 line, so sshd no longer listens on the default port.
  • Then finalize the firewall configuration:

# firewall-cmd --add-port YOUR_PORT_HERE/tcp --permanent

# firewall-cmd --reload

  • After that, restart sshd and remove the stock ssh service (port 22) from the firewall:

# systemctl restart sshd.service

# firewall-cmd --remove-service ssh --permanent

# firewall-cmd --reload

  • If restarting sshd fails with the error below:

Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

  • In this case, inspect the journal with:

# journalctl -xe

  • The output will look like this (here sshd was configured for port 6378, which SELinux did not yet allow):

server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres

server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.

server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.

server1 kernel: type=1400 audit(1537086072.515:5): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unres

server1 sshd[1074]: fatal: Cannot bind any address.

server1 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a

server1 systemd[1]: Failed to start OpenSSH server daemon.

 

  • Register the new port with SELinux (3456 in the example below):

semanage port -a -t ssh_port_t -p tcp 3456

  • Now verify that SELinux allows sshd to listen on both ports:

semanage port -l | grep ssh

ssh_port_t  tcp     3456, 22

  • If the semanage command is not installed, find the package that provides it:

yum whatprovides semanage

  • The output names the package:

policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities

Repo : base

Matched from:

Filename : /usr/sbin/semanage

  • Install it, then rerun the semanage command above:

yum install -y policycoreutils-python

  • Finally, check that you can log in to the server through the new SSH port:

ssh -p 3456 root@server1
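To make that diagnosis mechanical, here is an added shell example (not from the original tutorial) that reads journal text like the lines above, extracts the port sshd was refused, and compares it with what semanage port -l currently labels ssh_port_t, printing the exact semanage command still missing. The sample journal and semanage listing are constructed from the output shown on this page (abbreviated to the fields the check needs); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): turn the "Permission denied"
# bind failure into the SELinux change that is still missing.

# Constructed sample of the journal lines from the tutorial, abbreviated
# (same hostname, PID and port as on the page).
SAMPLE_JOURNAL='server1 kernel: type=1400 audit(1537086072.510:4): avc: denied { name_bind } for pid=1074 comm="sshd" src=6378 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
server1 sshd[1074]: error: Bind to port 6378 on 0.0.0.0 failed: Permission denied.
server1 sshd[1074]: error: Bind to port 6378 on :: failed: Permission denied.
server1 sshd[1074]: fatal: Cannot bind any address.
server1 systemd[1]: Failed to start OpenSSH server daemon.'

# Constructed `semanage port -l | grep ssh` output: only the stock port is labelled.
SAMPLE_SEMANAGE='ssh_port_t                     tcp      22'

# Port sshd was refused, read from the AVC line (src=) or from sshd's own
# error line. Reads journal text on stdin; prints nothing if no denial is seen.
sshd_denied_port() {
  sed -n \
    -e 's/.*avc: denied { name_bind }.*comm="sshd" src=\([0-9][0-9]*\).*/\1/p' \
    -e 's/.*sshd\[[0-9]*\]: error: Bind to port \([0-9][0-9]*\) on .* failed: Permission denied.*/\1/p' \
  | sort -un | head -n 1
}

# TCP ports labelled ssh_port_t, from `semanage port -l` output on stdin.
selinux_ssh_ports() {
  awk '$1 == "ssh_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i }
       }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# $1 = journal text, $2 = semanage listing. Returns 0 when SELinux already
# permits the port sshd tried (or no denial was logged); otherwise prints the
# semanage command that is still needed and returns 1.
selinux_sshd_check() {
  denied=$(printf '%s\n' "$1" | sshd_denied_port)
  [ -z "$denied" ] && return 0
  for p in $(printf '%s\n' "$2" | selinux_ssh_ports); do
    [ "$p" = "$denied" ] && return 0
  done
  echo "semanage port -a -t ssh_port_t -p tcp $denied"
  return 1
}

# Stand-alone run against the constructed samples: prints the semanage command
if selinux_sshd_check "$SAMPLE_JOURNAL" "$SAMPLE_SEMANAGE"; then
  echo "SELinux already permits the port; look for another cause (e.g. port in use)"
fi
```

On a live system feed it the output of journalctl -u sshd --no-pager and semanage port -l | grep ssh, and run the check before restarting sshd while your current session is still open, so a denial never turns into a lockout.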

 

How to Change SSH Port in CentOS 8

  • First, check the status of the SSH service on CentOS 8 with systemctl:

[root@centos-8 ~]# systemctl status sshd.service

  • The output looks like this:

● sshd.service - OpenSSH server daemon

   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago

     Docs: man:sshd(8)

          man:sshd_config(5)

 Main PID: 1564 (sshd)

     Tasks: 1 (limit: 5916)

   Memory: 1.2M

   CGroup: /system.slice/sshd.service

          └─1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>

Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...

Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on 0.0.0.0 port 22.

Aug 08 17:59:18 centos-8.centlinux.com sshd[1564]: Server listening on :: port 22.

Aug 08 17:59:18 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.

  • You can tweak /etc/ssh/sshd_config to customize the SSH service. In a stock install there is no active Port directive in this file, so sshd uses the default port 22.
  • Add a Port directive to sshd_config with the echo command:

[root@centos-8 ~]# echo "Port 50" >> /etc/ssh/sshd_config

  • SELinux does not let a service bind a non-default port, so configure SELinux to allow sshd to use port 50/tcp.
  • Use semanage to add port 50/tcp to the ssh_port_t type:

[root@centos-8 ~]# semanage port -a -t ssh_port_t -p tcp 50


Firewall Settings 

Now list the ports and services the firewall currently allows:

[root@centos-8 ~]# firewall-cmd --list-all

Once you execute the above command, you will see the following: 

public (active)

  target: default

  icmp-block-inversion: no

  interfaces: ens33

  sources:

  services: cockpit dhcpv6-client ssh

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:
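Here is an added shell example (not from the original tutorial) that evaluates a firewall-cmd --list-all listing like the one above for the end state this section works towards: the new port present under ports: and the stock ssh service no longer under services:. Both listings in it are constructed from the page's output (port 50 as in this section); the function name and its messages are this example's own. It goes a little beyond the page by encoding the safe order: it asks for the new port to be opened first and only then suggests removing the ssh service.

```shell
#!/bin/sh
# Added example (not from the original tutorial): judge a `firewall-cmd --list-all`
# listing against the state the port change needs.

# Constructed listings: "before" mirrors the output shown above; "after" is what
# the same zone should show once 50/tcp is open and the ssh service is removed.
LISTING_BEFORE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

LISTING_AFTER='public (active)
  target: default
  interfaces: ens33
  services: cockpit dhcpv6-client
  ports: 50/tcp
  protocols:
  masquerade: no'

# $1 = new port number, listing on stdin. Prints one finding and returns 0
# only when the new port is open and the ssh service (22/tcp) is gone.
# When the new port is not open yet, it does not suggest removing ssh:
# that order is what keeps you from locking yourself out.
firewalld_ssh_state() {
  awk -v want="$1/tcp" '
    $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") ssh = 1 }
    $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == want) open = 1 }
    END {
      if (open && !ssh) { print "ok: " want " open and ssh service removed"; exit 0 }
      if (!open) print "missing: " want " not open (firewall-cmd --permanent --add-port=" want " && firewall-cmd --reload)"
      else       print "next: " want " is open; once login on it works, remove the ssh service (firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload)"
      exit 1
    }'
}

# Stand-alone run against both constructed listings
printf '%s\n' "$LISTING_BEFORE" | firewalld_ssh_state 50 || true
printf '%s\n' "$LISTING_AFTER"  | firewalld_ssh_state 50 || true
```

On a live host pipe the real listing in with firewall-cmd --list-all | firewalld_ssh_state 50, and do the remove-service step only after a login on the new port has succeeded from a second session.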

  • You can also confirm that the firewall daemon is running with systemctl status firewalld.
  • Now remove the stock ssh service and allow the new SSH port in the firewall:

[root@centos-8 ~]# firewall-cmd --permanent --remove-service=ssh

success

[root@centos-8 ~]# firewall-cmd --permanent --add-port=50/tcp

success

[root@centos-8 ~]# firewall-cmd --reload

success

  • After that, restart the service:

[root@client  ~]# systemctl restart sshd

  • Verify the status of the SSH service again:

[root@centos-8 ~]# systemctl status sshd.service

  • The output should now show port 50:

● sshd.service - OpenSSH server daemon

   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago

     Docs: man:sshd(8)

          man:sshd_config(5)

 Main PID: 10376 (sshd)

     Tasks: 1 (limit: 5916)

   Memory: 1.2M

   CGroup: /system.slice/sshd.service

          └─10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>

Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Stopped OpenSSH server daemon.

Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Starting OpenSSH server daemon...

Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on 0.0.0.0 port 50.

Aug 08 18:13:37 centos-8.centlinux.com sshd[10376]: Server listening on :: port 50.

Aug 08 18:13:37 centos-8.centlinux.com systemd[1]: Started OpenSSH server daemon.

  • Now try the ssh and sftp commands on the default port:

[root@centos-8 ~]# ssh root@centos-8.centlinux.com

  • Both attempts are refused, which shows that the firewall no longer allows traffic on port 22:

ssh: connect to host centos-8.centlinux.com port 22: Connection refused

[root@centos-8 ~]# sftp root@centos-8.centlinux.com

ssh: connect to host centos-8.centlinux.com port 22: Connection refused

Connection closed

Connection closed

  • Connect on the new port with the ssh command:

[root@centos-8 ~]# ssh root@centos-8.centlinux.com -p 50

The authenticity of host '[centos-8.centlinux.com]:50 ([192.168.116.206]:50)' can't be established.

ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '[centos-8.centlinux.com]:50,[192.168.116.206]:50' (ECDSA) to the list of known hosts.

root@centos-8.centlinux.com's password:

Last login: Sat Aug  8 17:59:01 2020

[root@centos-8 ~]#

  • Similarly, for sftp:

[root@centos-8 ~]# sftp -P 50 root@centos-8.centlinux.com

root@centos-8.centlinux.com's password:

Connected to root@centos-8.centlinux.com.

sftp>

 

Conclusion

Congratulations! You made it to the end. If you are looking to set up your own SSD-based CentOS VPS, you can do so easily. As mentioned earlier, changing the SSH port on CentOS is worthwhile because it adds a layer of protection for the server. The step-by-step procedure above should make the change easy to follow.

Susith Nonis

I'm fascinated by the IT world and how the 1's and 0's work. While I venture into the world of technology I try to share what I know in the simplest way possible. Not a fan of coffee, a sweet addict and a self-accredited 'master chef'.