Secure shell, more commonly known as SSH, is a network protocol that provides secure channels for server communications on a network in a client-server architecture. This protocol is used in many applications, such as users accessing shell accounts on a server or during communications for authentication. SSH communications go through something called a port, which is essentially a communications endpoint on a server. By default, SSH uses the TCP (Transmission Control Protocol) port 22. Being able to modify this SSH port number on your CentOS 7 server is an easy and proven way that you can enhance server security by switching to a less-commonly known port.
In this guide, we will show you how you can change the SSH port number to any desired choice on your own CentOS 7 server.
To change the SSH port of your server, you must edit the configuration file for the SSH daemon, which is found at /etc/ssh/sshd_config. Before we do this step, however, we will create a backup of the existing sshd configuration file as a matter of good practice. Use the copy command cp with the flag -p, which preserves the file's mode, ownership and timestamps, to make a copy of the file and save it in a backup file whose name includes the date, which is achieved by appending the result of $(date +%F) to the filename. The %F ensures that the full date in year-month-day format is used when obtaining the current date with date.
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)
With our backup file saved, you are now free to modify the sshd configuration file as you wish. Open this file in the vi text editor:
vi /etc/ssh/sshd_config
Search the file for a line that appears as either #Port 22 or Port 22. If the line contains the “#” symbol, meaning that the line is commented out and thus ignored, remove this symbol and change the port number from 22, which is the default SSH port, to your desired port. In our example, we will use port 2222, so our line in the sshd configuration file will look as follows:
Port 2222
When choosing a new port number, try to avoid using a common port from this list: 21, 80, 443, 25, 110, 113. Also stay away from ports that are already in use by your CentOS 7 server. Generally, it is recommended to use a new port number that is over 1024. If you have difficulty choosing a new port number however, you can look up what common ports are used online through lists of well-known TCP and UDP port numbers that are available, and choose one that is not listed.
After writing your new port in the configuration file, save and close the file. To bring your changes into effect, you must restart the SSH daemon. Do this with the following command:
systemctl restart sshd.service
Be careful, however: you are not done quite yet! There are some additional steps you must take if you have SELinux, a Linux kernel security module also known as Security-Enhanced Linux, enabled on your server. If you have a firewall running, you also must continue with the following. If you do not have SELinux or firewalld, skip to the last step before the end of the tutorial. If you do have either of these, please continue.
By default, SELinux only allows SSH on the port 22. We must change this to our new port. In our example, we are using 2222 but you should replace this number with the number of your port in the below command, which uses semanage port to configure ports in the SELinux policy:
semanage port -a -t ssh_port_t -p tcp 2222
You can verify that SELinux has the new port by searching the output of the semanage port -l command, which lists the port labels known to the SELinux policy. The tool grep is used to search this output for you and prints only the relevant lines that contain the string ssh. To do the verification, run:
semanage port -l | grep ssh
The output of the above command should look like the following:
ssh_port_t tcp 2222, 22
Next, to allow the new port in your firewall, you have to add the port to the public zone permanently. Replace the number 2222 below with the port number that you set in the SSH configuration file and run:
firewall-cmd --permanent --zone=public --add-port=2222/tcp
You must reload the firewall for the changes to take effect. This is extremely important: otherwise, if your changes are not applied, you will be locked out of SSH to this server when you log out! Reload the firewall using:
firewall-cmd --reload
Once the firewalld and SELinux configuration is complete (or if you have skipped to this section), you can test that your new SSH port configuration is working. The command ss calls a utility that investigates Linux sockets, which is just a complicated term for a communication point for the server. This command will let you find the port that is listening for SSH on your server, and we can search the output for the exact port numbers for SSH. To do this, first enter:
ss -tnlp|grep ssh
The output will look something like this:
LISTEN 0 128 *:2222 *:* users:(("sshd",2786,3))
Ensure that you see your new port number in the output, much like we can see 2222 in the line above for our port we are using in the tutorial.
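The whole procedure above as one script, added here as an example and not part of the original tutorial. It adds the checks a practitioner wants before touching a remote box: it rejects the port numbers the tutorial warns against, refuses a port something already listens on, validates the edited file with sshd -t before restarting (restoring the backup if it fails), and labels the port in SELinux and opens the firewall before sshd is restarted, so the daemon can bind to the new port. It assumes CentOS 7 with firewalld and, where SELinux is enabled, the policycoreutils-python package that provides semanage.

```shell
# Added example, not from the original tutorial. Assumes CentOS 7 with
# firewalld and, when SELinux is enabled, policycoreutils-python (semanage).
SSHD_CONFIG=/etc/ssh/sshd_config

# Reject what the tutorial warns against: non-numeric, below 1024, out of
# range, or one of the well-known service ports it lists.
port_is_sane() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] || return 1
    for p in 21 25 80 110 113 443; do
        [ "$1" -eq "$p" ] && return 1
    done
    return 0
}

# Turn "Port 22" or "#Port 22" in file $1 into "Port $2"; append if absent.
# Writing into the existing file keeps its owner, mode and SELinux context.
set_sshd_port() {
    if grep -Eq '^#?Port ' "$1"; then
        tmp=$(mktemp) && sed -E "s/^#?Port .*/Port $2/" "$1" > "$tmp" &&
            cat "$tmp" > "$1" && rm -f "$tmp"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
    grep -q "^Port $2\$" "$1"
}

change_ssh_port() {
    new=$1
    port_is_sane "$new" || { echo "refusing port $new" >&2; return 1; }
    ss -tnl | grep -q ":$new " && { echo "port $new already in use" >&2; return 1; }
    backup="$SSHD_CONFIG.orig.$(date +%F)"
    cp -p "$SSHD_CONFIG" "$backup"
    set_sshd_port "$SSHD_CONFIG" "$new"
    # Validate before restarting: a broken config would leave no sshd at all.
    sshd -t || { cp -p "$backup" "$SSHD_CONFIG"; return 1; }
    # Label the port and open the firewall BEFORE the restart so sshd can bind.
    case "$(getenforce 2>/dev/null)" in Enforcing|Permissive)   # SELinux on
        semanage port -a -t ssh_port_t -p tcp "$new" ||
            semanage port -m -t ssh_port_t -p tcp "$new" ;;   # already defined
    esac
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --zone=public --add-port="$new/tcp" && firewall-cmd --reload
    fi
    systemctl restart sshd.service
    ss -tnlp | grep sshd | grep -q ":$new "   # the tutorial's final check
}

# Only act when a port is given, so sourcing the file just defines functions.
if [ $# -gt 0 ]; then change_ssh_port "$1"; fi
```

Run it as root with the new port as its only argument, and keep your current SSH session open until a second login on the new port succeeds.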
Congratulations! Now you have successfully configured a new port for SSH on your CentOS 7 server. If this introduction to the basics was helpful to you, please feel free to share this tutorial with your friends.