How do you change the default SSH Port on CentOS Stream 9?

Pre-requisites:

A system with CentOS Stream 9 installed and running
Access to a terminal or command line
Root or sudo privileges

The standard SSH port on most Linux/Unix systems is TCP port 22, so it is the first port an attacker trying to reach your SSH server will try. Ports are like doors to your environment, and most of them are closed by default.

Changing the default SSH port adds an extra layer of security by reducing the risk of your password being cracked by a brute-force attack. Port 22 receives numerous unauthorized login attempts from attackers looking for unsecured servers. The service can still be found by anyone who scans for the new port, so this reduces automated attempts rather than replacing strong authentication.

Port numbers range from 0 to 65535. Port numbers 0-1023 are reserved for common TCP/IP applications and are called well-known ports. Select a port that is not already in use by another service; it is advisable to choose a custom SSH port within the private ports range, 49152 to 65535.

Use the cat command to see a list of network services and the ports mapped to them. 

cat /etc/services
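
The port-selection rules above can be checked before sshd_config is edited. The script below is an added example, not part of the original guide; check_ssh_port and sample_services are hypothetical helper names, and the sample services entries are constructed.

```shell
#!/bin/sh
# Added example; check_ssh_port and sample_services are hypothetical helper names.
# Return codes: 0 usable, 1 not a valid port number, 2 well-known (0-1023),
#               3 already assigned in the services file, 4 outside 49152-65535.

check_ssh_port() {
    _port=$1
    _services=${2:-/etc/services}   # second argument lets you test against a copy

    # Accept only plain decimal digits, at most 5 of them, no larger than 65535.
    case $_port in
        ''|*[!0-9]*) echo "$_port: not a port number"; return 1 ;;
    esac
    if [ "${#_port}" -gt 5 ] || [ "$_port" -gt 65535 ]; then
        echo "$_port: outside 0-65535"; return 1
    fi

    if [ "$_port" -le 1023 ]; then
        echo "$_port: well-known port, reserved for common applications"; return 2
    fi

    # /etc/services format: name  port/protocol  [aliases]  [# comment]
    _name=""
    if [ -r "$_services" ]; then
        _name=$(awk -v p="$_port/tcp" '$1 !~ /^#/ && $2 == p { print $1; exit }' "$_services")
    fi
    if [ -n "$_name" ]; then
        echo "$_port: already mapped to '$_name' in $_services"; return 3
    fi

    if [ "$_port" -lt 49152 ]; then
        echo "$_port: free, but outside the private range 49152-65535"; return 4
    fi
    echo "$_port: ok"
    return 0
}

# Constructed sample in /etc/services format (not copied from a real system).
sample_services() {
    cat <<'EOF'
# service-name  port/protocol  aliases
ssh             22/tcp
mysql           3306/tcp
demo-agent      50000/tcp      # constructed clash inside the private range
EOF
}
```

Source the file and call check_ssh_port with the candidate port, for example check_ssh_port 55555. A port missing from /etc/services can still be in use by a running service; the netstat -tunlp command later in this guide shows what is actually listening.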

All authentication-related events in CentOS 9, including successful and failed login attempts, are logged in the file shown below. This log file can be very useful for detecting possible hacking attempts. Setting the port to a different number should drastically cut down on the number of attempts to crack SSH.

/var/log/secure

Run the following command to open the sshd_config file and modify the SSH port number:

vi /etc/ssh/sshd_config

In the vi editor, type a forward slash ("/") followed by the search term "Port 22" and press Enter:

/Port 22

Press n to jump to the next match and N to jump to the previous one.

Press the i key to enter Insert Mode, add a new line below #Port 22, and type Port followed by your desired port number (the commands later in this guide use 55555):

#Port 22

Press escape to enter command mode then run the following command to write and quit the file:

:wq

Run the following command to restart the sshd service:

systemctl restart sshd

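If SELinux is enforcing, you can't simply change the port without letting the security system know. sshd is only permitted to bind to ports labeled ssh_port_t, so the restart above fails until the new port has been added; restart sshd again once it has.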

If you don't have the semanage tool installed, you can install it with:

dnf install policycoreutils-python-utils

Allow the new SSH port in SELinux:

semanage port -a -t ssh_port_t -p tcp 55555

Confirm that the new port has been added to the list of allowed ports for SSH:

semanage port -l | grep ssh

To delete the newly added SSH port from SELinux:

semanage port -d -t ssh_port_t -p tcp 55555

Confirm that the newly added port has been removed from the list of allowed ports for SSH:

semanage port -l | grep ssh

If you prefer using the netstat command, you can check which ports are listening, and which process owns each one, with:

netstat -tunlp

Open port on Firewalld

firewall-cmd --add-port=55555/tcp --permanent

firewall-cmd --reload

To remove access to a port using Firewalld

firewall-cmd --remove-port=55555/tcp --permanent

firewall-cmd --reload

List open ports using Firewalld

firewall-cmd --list-ports

To establish an SSH connection after this change, enter the following command to specify the new ssh port:

ssh root@IP_address_of_the_server -p NewPort

To allow SSH logins to your Linux machine only from specific IP addresses, add the following to sshd_config:

AllowUsers *@192.168.1.100

This line allows any user to log in, but only if their SSH client is connecting from the IP address 192.168.1.100.

Then, run the following command to restart the sshd service:

systemctl restart sshd

See the accompanying guide on our YouTube channel

http://youtube.com/watch?v=zTJdCWF20qQ&t=4s
