How to Change SSHD's Port The Right-Way In CentOS 8
Before we begin, please note that changing SSHD's port isn't so much about security as about reducing the size of your log files and shaving off a few CPU cycles wasted on the inevitable automated (or random) login attempts directed at the default SSH port (i.e. port 22).

Indeed, our assumption here is that you do know better and that you've already disabled SSH password login in favour of public-key authentication [1]; thus our problem is to get the SSH daemon off its default port so as not to bother with those failed login attempts that pile up in the logs, and to give the 'poor' fail2ban service a break (in case you did install it), which saves us a few CPU cycles.

1-Make SSHD Listen on 2 Ports:
What we'll do is configure 'sshd' to listen on two ports, the default one and a random one (e.g. 4600). This is good practice to avoid being locked out of the VPS if something goes wrong.
vi /etc/ssh/sshd_config
# Uncomment the line '#Port 22' and add a second Port line below it:
Port 22
Port 4600

Next we need to check whether SSHD does indeed listen on both ports, as follows:
[root@centos ~]# netstat -tulpn|grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      836/sshd            
tcp6       0      0 :::22                   :::*                    LISTEN      836/sshd            

To our surprise, SSHD failed to listen on our selected port! What might be the cause? If we check the logs, we see this:
[root@centos ~]# journalctl -u sshd -f
-- Logs begin at Wed 2020-04-08 14:54:06 +01. --
Apr 10 16:39:52 centos.xyz.xy sshd[836]: Server listening on :: port 22.
Apr 10 16:39:52 centos.xyz.xy sshd[836]: error: Bind to port 4600 on 0.0.0.0 failed: Permission denied.
Apr 10 16:39:52 centos.xyz.xy sshd[836]: error: Bind to port 4600 on :: failed: Permission denied.
Apr 10 16:39:52 centos.xyz.xy systemd[1]: Started OpenSSH server daemon.

2- Enable the Selected Port Usage by SSHD with SELinux:
So, SSHD failed with 'Permission denied'. Of course, SSHD doesn't have permission to listen on any port other than its own (22); says who? Well, SELinux says so, and it's in enforcing mode.
[root@centos ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22

What we need to do is ask SELinux for permission to use port 4600 for SSHD, like so:
[root@centos ~]# semanage port -a -t ssh_port_t -p tcp 4600
# Now let's see:
[root@centos ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      4600, 22

Now let's test again to see if it's working:
# First restart SSHD
[root@centos ~]# systemctl restart sshd
# Check which ports SSHD is listening on:
[root@static ~]# netstat -tulpn|grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2776/sshd          
tcp        0      0 0.0.0.0:4600            0.0.0.0:*               LISTEN      2776/sshd          
tcp6       0      0 :::22                   :::*                    LISTEN      2776/sshd          
tcp6       0      0 :::4600                 :::*                    LISTEN      2776/sshd          
It's all good!

3- Open the Firewall to the Selected SSHD Port:
We need to let the port 4600 through the firewall:

Before: only the ssh and dhcpv6-client services are allowed through the firewall:
[root@centos ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: ens3
 sources:
 services: dhcpv6-client ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:

We now want to allow port 4600/tcp through:
[root@centos ~]# firewall-cmd --zone=public --add-port=4600/tcp --permanent
success
[root@centos ~]# firewall-cmd --reload
success

Now TCP traffic through port 4600 is also allowed:
[root@centos ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: ens3
 sources:
 services: dhcpv6-client ssh
 ports: 4600/tcp
 protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:

4-Test SSHD Login with the Custom Port:
At this stage we have to log out completely and test whether we can log in on the new port. We exit our shell both as root and as the sudoer:
[root@centos ~]# exit
logout
[user@centos ~]$ exit
logout
Connection to 50.*.*.* closed.
[user@local ~]$ ssh -i ~/.ssh/centos-key-ecdsa 50.*.*.* -p 4600
Activate the web console with: systemctl enable --now cockpit.socket

Last login: ....
[user@centos ~]$ ............................ YOU'RE IN
Our setup is working!

5-Disable SSHD Default Port:
> To shut off SSHD's default port at the firewall:
[root@centos ~]# firewall-cmd --zone=public --remove-service=ssh --permanent
success
[root@centos ~]# firewall-cmd --reload
success
[root@centos ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: ens3
 sources:
 services: dhcpv6-client
 ports: 4600/tcp
 protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:
From this moment onward, we're done with the random poking around port 22; the logs will be much cleaner and fail2ban will thank you for it.

6- Make SSHD Listen on the Selected Port Only:
> The last thing to do is to completely remove port 22 from the SSHD config and restart the SSHD daemon; I'll leave that to you.

That's all there is to it.
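Before doing step 6, the check a practitioner would want is a single script that confirms every piece above (sshd_config, the SELinux port label, sshd's actual bindings, the journal, and firewalld) agrees on the new port, so the remaining `Port 22` line can be removed without locking yourself out. The script below is an added example, not part of fChk's post or of any CentOS tool: it parses the command outputs shown in the post (`netstat -tulpn`, `semanage port -l`, `journalctl -u sshd`, `firewall-cmd --list-all`) and goes one step beyond the post by also understanding `ss -tulpn` output. All `*_SAMPLE`/`*_BEFORE`/`*_AFTER` strings are constructed to mirror the post's output, and every function and variable name is my own.

```shell
#!/bin/sh
# Pre-flight check before removing "Port 22" from sshd_config (added example,
# not from the original post). The sample strings at the bottom are constructed
# to mirror the output shown in the post; on a real host you would pass the
# live command output instead.

join_words() { awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 } END { printf "\n" }'; }
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# "Port N" directives that are not commented out, from sshd_config contents.
sshd_config_ports() {
  printf '%s\n' "$1" | awk '$1 == "Port" { print $2 }' | sort -n | join_words
}

# Ports sshd is actually bound to, from `netstat -tulpn` or `ss -tulpn` output:
# in both formats the first column ending in ":<port>" is the local address.
sshd_listening_ports() {
  printf '%s\n' "$1" | awk '/sshd/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break }
    }' | sort -un | join_words
}

# TCP ports labelled ssh_port_t, from `semanage port -l` output
# (a range such as 1024-65535 is kept as one token, not expanded).
selinux_ssh_ports() {
  printf '%s\n' "$1" | awk '$1 == "ssh_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
    }' | sort -un | join_words
}

# Ports sshd could not bind, from `journalctl -u sshd` output: on an
# SELinux-enforcing host "Permission denied" here means a missing port label.
bind_denied_ports() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Bind to port \([0-9]*\) on .* failed: Permission denied.*/\1/p' \
    | sort -un | join_words
}

# firewalld zone checks on `firewall-cmd --zone=... --list-all` output.
firewall_allows_port() {   # $1 = zone listing, $2 = TCP port number
  printf '%s\n' "$1" | awk -v p="$2/tcp" \
    '$1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == p) found = 1 } END { exit found ? 0 : 1 }'
}
firewall_allows_ssh_service() {   # the "ssh" service entry is what opens port 22
  printf '%s\n' "$1" | awk \
    '$1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") found = 1 } END { exit found ? 0 : 1 }'
}

# Verdict for the new port: prints one line per check, returns 0 only if all pass.
safe_to_drop_default_port() {
  # $1 sshd_config  $2 netstat/ss  $3 semanage  $4 journalctl  $5 firewall-cmd  $6 new port
  np="$6"; rc=0
  if has_word "$(sshd_config_ports "$1")" "$np"; then echo "sshd_config: Port $np set"
  else echo "sshd_config: Port $np NOT set"; rc=1; fi
  if has_word "$(selinux_ssh_ports "$3")" "$np"; then echo "selinux: $np labelled ssh_port_t"
  else echo "selinux: $np NOT labelled ssh_port_t"; rc=1; fi
  if has_word "$(bind_denied_ports "$4")" "$np"; then echo "journal: bind to $np was denied"; rc=1
  else echo "journal: no bind errors for $np"; fi
  if has_word "$(sshd_listening_ports "$2")" "$np"; then echo "sshd: listening on $np"
  else echo "sshd: NOT listening on $np"; rc=1; fi
  if firewall_allows_port "$5" "$np"; then echo "firewalld: $np/tcp open"
  else echo "firewalld: $np/tcp NOT open"; rc=1; fi
  return $rc
}

# ---- constructed samples mirroring the post's output (abbreviated) ----
SSHD_CONFIG_SAMPLE='# Port 22
Port 22
Port 4600'
NETSTAT_BEFORE='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      836/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      836/sshd'
NETSTAT_AFTER='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2776/sshd
tcp        0      0 0.0.0.0:4600            0.0.0.0:*               LISTEN      2776/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      2776/sshd
tcp6       0      0 :::4600                 :::*                    LISTEN      2776/sshd'
SS_SAMPLE='tcp   LISTEN 0      128          0.0.0.0:4600       0.0.0.0:*    users:(("sshd",pid=2776,fd=4))'
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      4600, 22'
JOURNAL_DENIED='Apr 10 16:39:52 centos.xyz.xy sshd[836]: Server listening on :: port 22.
Apr 10 16:39:52 centos.xyz.xy sshd[836]: error: Bind to port 4600 on 0.0.0.0 failed: Permission denied.
Apr 10 16:39:52 centos.xyz.xy sshd[836]: error: Bind to port 4600 on :: failed: Permission denied.'
JOURNAL_CLEAN='Apr 10 17:02:11 centos.xyz.xy sshd[2776]: Server listening on 0.0.0.0 port 4600.'
FIREWALL_BEFORE=' services: dhcpv6-client ssh
 ports:'
FIREWALL_STEP5=' services: dhcpv6-client
 ports: 4600/tcp'

# Stand-alone demo: state right after step 1 (SELinux still blocking) vs. after step 5.
echo "== after step 1 =="; safe_to_drop_default_port "$SSHD_CONFIG_SAMPLE" "$NETSTAT_BEFORE" \
  "$SEMANAGE_BEFORE" "$JOURNAL_DENIED" "$FIREWALL_BEFORE" 4600 || echo "=> keep Port 22 for now"
echo "== after step 5 =="; safe_to_drop_default_port "$SSHD_CONFIG_SAMPLE" "$NETSTAT_AFTER" \
  "$SEMANAGE_AFTER" "$JOURNAL_CLEAN" "$FIREWALL_STEP5" 4600 && echo "=> safe to drop Port 22"
```

On a live host, feed the functions the real output (for instance `sshd_listening_ports "$(ss -tulpn)"` and `firewall_allows_port "$(firewall-cmd --zone=public --list-all)" 4600`). Two habits go with step 6: run `sshd -t` after editing sshd_config so a syntax error is caught before the restart, and keep the current session open until a fresh login on the new port has succeeded, because a restart that fails otherwise leaves no way back in.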


Notes:
[1]- If you're unsure, please check Running Fedora inside an LXD/LXC System Container for a reminder.


How to Change SSHD's Port The Right-Way In CentOS 8 - by fChk - 04-10-2020, 06:26 PM