Some webmasters believe that changing SSH port number from the default 22 can enhance security. The notion is since SSH default port number is 22 and everyone knows it, including the hackers, it isn’t safe.
Changing the SSH port number to something other than 22 will enhance your server’s security in that the bad guys won’t know which port or ports SSH communicates on. This is a cool trick, but won’t stop someone who is determined to break into your servers.
Just by using simple port scanner or similar tools, hackers can figure out all the connecting ports on your servers. This is an old technique that probably isn’t applicable in our time today.
In my opinion, the best way to protect your SSH server is to implement password-less logon using certificates and encryption. Using this method, only machines that already have the encryption key will be allowed to sign on using SSH protocol.
Another way is to configure your firewall to only all SSH connections from a pre-defined machine whose IP address is white-listed in the firewall rules. Anything else will not enhance your server security any better.
If you still want to change the default SSH port number on your CentOS 7, then continue below to learn how. I am going to show you how to do that easily.
- Changing the default SSH port on CentOS 7
To change the default SSH port, the first thing you want to do is backup the current SSH configuration on your system. To do that, run the commands below.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
This creates a new named sshd_config.bak with the current settings of the sshd_config file. If something goes wrong, you can then restore the file from the backup.
Next, run the commands below to open the default SSH configuration file
sudo vi /etc/ssh/sshd_config
When the file opens, make the below change and save the file. Un-comment or remove the (#) before the line the reads Port and change the port number you want to use.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Save the file.
After saving, don’t exit until you’ve completed these steps.
By default, SELinux only allows port 22 for SSH. What you need to do is enable the newly created port through SELinux. To do that, run the commands below
sudo semanage port -a -t ssh_port_t -p tcp 9990
If you run the commands above and get an error that semanage command not found, run the commands below to install it.
sudo yum -y install policycoreutils-python
Then go and run the semange commend again to allow the new port through SELinux.
After that, run the commands below to allow the new port through the firewall.
sudo firewall-cmd --permanent --zone=public --add-port=9990/tcp
Reload the firewall configurations
sudo firewall-cmd --reload
Restart SSH by running the commands below.
sudo systemctl restart sshd.service
Verify that SSH is now running on the new port by running the commands below.
ss -tnlp | grep ssh
LISTEN 0 128 *:9990*:* users:((“sshd”,10783,3))
LISTEN 0 128 :::9990:::* users:((“sshd”,10783,4))
Exit and try signing in using the new port number.
ssh email@example.com -p 9990