Configuring SSH to Use a Different Port on CentOS 7

How to Change the Default SSH Port on CentOS 7: A Complete Security Guide

Securing a server is a critical task for any system administrator. One of the most common targets for automated bots and malicious attacks is the default Secure Shell (SSH) port, port 22. By constantly scanning this well-known port, attackers can attempt brute-force logins to gain unauthorized access.

A simple yet highly effective security measure is to change the default SSH port to a non-standard one. This technique, known as security through obscurity, immediately reduces your server’s exposure to automated scanners. This guide will walk you through the essential steps to change the SSH port on a CentOS 7 server, including crucial firewall and SELinux configurations.


Step 1: Choose a New Port Number

Before making any changes, you need to select a new port for SSH. It’s important to choose a port that is not already in use by another service.

  • Well-known ports range from 0 to 1023 and are reserved for system services. You should avoid these.
  • The recommended range for custom ports is between 1024 and 65535.

Pick an unused port within this range. For this guide, we will use port 2222 as an example. You can verify if your chosen port is already in use with a command like ss -tlpn | grep ':2222'. If it returns no output, the port is likely free.


Step 2: Edit the Main SSH Configuration File

The primary configuration file for the SSH daemon is /etc/ssh/sshd_config. This is where we will specify the new port.

First, it is always a best practice to create a backup of the configuration file before making any edits. This allows you to easily revert your changes if something goes wrong.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Now, open the configuration file using a text editor like nano or vi:

sudo nano /etc/ssh/sshd_config

Inside the file, look for the line that specifies the port. It will likely be commented out with a # symbol and look like this:

#Port 22

You need to uncomment this line by removing the # and change the number to your chosen port.

Port 2222

Save the file and exit the editor. (In nano, press CTRL + X, then Y, then Enter).


Step 3: Configure SELinux to Allow the New Port

CentOS 7 uses SELinux (Security-Enhanced Linux) by default, which adds a strict layer of security policies. Simply changing the port in sshd_config is not enough: SELinux only allows sshd to bind ports labelled ssh_port_t, so on a non-standard port the bind is denied and the service fails to start.

You must explicitly tell SELinux that your new port is approved for SSH traffic.

First, ensure you have the necessary tools to manage SELinux policies. Install them if they are not already present:

sudo yum install -y policycoreutils-python

Next, use the semanage command to add a new rule for your custom port. Replace 2222 with the port you selected.

sudo semanage port -a -t ssh_port_t -p tcp 2222

This command informs SELinux that port 2222 is of the ssh_port_t type and is allowed for the SSH service.


Step 4: Update Your Firewall Rules

Your server’s firewall is likely blocking all incoming traffic except on specifically allowed ports. You must create a new rule to allow connections on your new SSH port. CentOS 7 typically uses firewalld.

Add a rule to permanently allow traffic on your new port:

sudo firewall-cmd --permanent --zone=public --add-port=2222/tcp

After adding the new rule, you must reload the firewall for the changes to take effect:

sudo firewall-cmd --reload

At this point, you have rules for both the old port (the firewalld ssh service, which opens port 22) and the new one (2222). It is recommended to leave the old rule in place until you have successfully tested the new connection.


Step 5: Restart the SSH Service and Test the Connection

With all configurations in place, the final step is to restart the SSH service to apply the new settings.

sudo systemctl restart sshd

This is the most critical part of the process. Do not close your current SSH session. If there is a mistake in your configuration, closing the session could lock you out of your server permanently.

Instead, open a new terminal window on your local machine and attempt to connect to the server using the new port. You can specify the port using the -p flag in the SSH command:

ssh your_username@your_server_ip -p 2222

If the connection is successful and you are prompted for your password or key passphrase, your configuration is working correctly.

Once you have confirmed that you can log in successfully using the new port, you can safely close your original SSH session. As a final cleanup step, you can remove the old firewall rule for port 22 to fully secure the server:

sudo firewall-cmd --permanent --zone=public --remove-service=ssh
sudo firewall-cmd --reload
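
The five steps above, collected into one checked script. This is an added example, not code from the original article: the config file path is passed in as an argument, the privileged commands (semanage, firewall-cmd, sshd -t, systemctl) only run when DRY_RUN=0 so the plan can be reviewed first, and the Port rewrite deliberately leaves the port 22 firewall rule in place, as Step 4 advises.

```shell
#!/bin/sh
# Added example (not from the original article). Wraps Steps 1-5 of the
# CentOS 7 guide into functions. FILE is normally /etc/ssh/sshd_config; the
# DRY_RUN switch and the function names are assumptions of this example.

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: execute a privileged command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

# validate_port PORT: Step 1. Accept only an integer in 1024-65535,
# i.e. outside the well-known range 0-1023. Returns 0 when usable.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# sshd_effective_port FILE: print every port sshd would listen on according
# to FILE (each uncommented "Port N" line), or 22 when none is set.
sshd_effective_port() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    printf '%s\n' "${ports:-22}"
}

# set_sshd_port FILE PORT: Step 2. Back the file up to FILE.bak, then
# rewrite the first Port line (commented or not) to "Port PORT" and drop any
# later Port lines so exactly one remains. If the file has no Port line at
# all, prepend one: appending could land inside a trailing Match block,
# where Port is not allowed.
set_sshd_port() {
    file=$1; port=$2
    validate_port "$port" || { echo "set_sshd_port: invalid port '$port'" >&2; return 1; }
    cp -- "$file" "$file.bak" || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        awk -v p="$port" '
            /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
                if (!done) { print "Port " p; done = 1 }
                next
            }
            { print }
        ' "$file" > "$file.tmp"
    else
        { printf 'Port %s\n' "$port"; cat -- "$file"; } > "$file.tmp"
    fi && mv -- "$file.tmp" "$file"
}

# change_ssh_port FILE PORT: Steps 2-5 in order. SELinux and the firewall
# are opened before sshd restarts so the new port is reachable the moment
# the daemon comes back; the port 22 rule is left until the new port is
# confirmed. If semanage reports the port is already labelled, re-run the
# semanage line with -m (modify) instead of -a (add).
change_ssh_port() {
    file=$1; port=$2
    set_sshd_port "$file" "$port" || return 1
    run semanage port -a -t ssh_port_t -p tcp "$port"                  # Step 3
    run firewall-cmd --permanent --zone=public --add-port="$port/tcp"  # Step 4
    run firewall-cmd --reload
    run sshd -t -f "$file" || { echo "config test failed; not restarting" >&2; return 1; }
    run systemctl restart sshd                                         # Step 5
    printf 'Keep this session open. From a second terminal run: ssh -p %s user@host\n' "$port"
}

# Usage: DRY_RUN=0 sh change-ssh-port.sh /etc/ssh/sshd_config 2222
if [ "$#" -eq 2 ]; then
    change_ssh_port "$1" "$2"
fi
```

Run it once with the default DRY_RUN=1 to see the exact commands it would issue against the given file, then with DRY_RUN=0 as root. The sshd -t check before the restart is what turns a typo in sshd_config into an error message instead of a lost session.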

Final Thoughts

Changing your default SSH port is a fundamental step in hardening your CentOS 7 server. By moving away from the commonly targeted port 22, you significantly reduce your server’s visibility to automated attacks and brute-force attempts.

Remember, this is just one layer of a comprehensive security strategy. For even greater protection, you should also consider:

  • Disabling password-based authentication in favor of SSH keys.
  • Using a tool like Fail2Ban to automatically block IPs that exhibit malicious behavior.
  • Keeping your system and all software regularly updated.

By following these steps, you have made a meaningful improvement to your server’s security posture.

Source: https://kifarunix.com/how-to-configure-ssh-to-use-a-different-port-on-centos-7/
