Table of Contents
In this article, I will take you through the steps to change default ssh port number in Linux. ssh is known as secure shell which is used to establish connection with remote host securely on default ssh port number 22. Sometimes due to some security reason or to stop any kind of brute force attacks, you want to change the default port to some another port.
This can be easily achieved by changing the ssh port number in ssh configuration file. We will now go ahead and check the steps to change the default port below.
Change SSH Port Number
Also Read: 8 Popular Linux cp command Examples for Professionals
1. Change SSH Port Number in sshd_config
First, you need to change the ssh port number /etc/ssh/sshd_config file to some free port say 4800 in this case. Please make sure that selected port is free and not being used in any other services.
[root@sshserver ~]# vi /etc/ssh/sshd_config Port 4800
Now you can press Esc. Then save and exit by using wq! . This will save the file and exit out.
2. Restart sshd service
Once ssh port number is changed, you need to restart sshd service using systemctl restart sshd command for the changes to reflect.
[root@sshserver ~]# systemctl restart sshd
or, you can also restart your sshd service through traditional way by running service sshd restart command.
[root@sshserver ~]# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
3. Check sshd service status
Now you can check the sshd service status by using systemctl status sshd command. As you can see from below output, sshd service is running from past 1 min 7 s and server is listening on Port 4800.
[root@sshserver ~]# systemctl status sshd ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2020-03-28 05:09:06 EST; 1min 7s ago Docs: man:sshd(8) man:sshd_config(5) Main PID: 3758 (sshd) CGroup: /system.slice/sshd.service └─3758 /usr/sbin/sshd -D Mar 28 05:09:06 znode3 systemd[1]: Starting OpenSSH server daemon... Mar 28 05:09:06 znode3 sshd[3758]: Server listening on :: port 4800. Mar 28 05:09:06 znode3 systemd[1]: Started OpenSSH server daemon. Mar 28 05:09:06 znode3 sshd[3758]: Server listening on 0.0.0.0 port 4800.
NOTE:
Port 22 in sshd_config, it will be a good idea to add another Port 4800 in next line to open both Port 22 and 4800 in case something goes wrong with the configuration and you lose the ssh connection of the remote system. This is specially needs to be taken care when the Server is geographically separated and you don't have physical access of the remote server.4. Check selinux status
Now you need to check the selinux status by running sestatus command to make sure it will not be blocking any requests. As you can see from below output, current mode is set to permissive which means it will not enforce any selinux policies but will only show the warnings. You can also disable selinux if you want to completely switch it off. You can refer to Best Way to Disable SELinux on CentOS/RedHat 7 to know more about disabling SELinux.
[root@sshserver ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31
You can also disable SELinux by setting SELinux=disabled as you can see below.
[root@sshserver ~]# cat /etc/selinux/config SELINUX=disabled
Now press ESC and then wq! to save and exit.
5. Restart your system
For the selinux policy to take effect, you need to reboot your system using init 6 command once.
[root@sshserver ~]# init 6
or, you can also run reboot command to restart your system.
[root@sshserver ~]# reboot
6. Allow port 4800 through your firewall
You also need to allow ssh Port 4800 from firewall to allow the connections on this port.
[root@sshserver ~]# firewall-cmd --permanent --add-port=4800/tcp success
Sometimes it might happen that you do not want firewalld service running and you want to stop it completely. In that case you can stop the service by running systemctl stop firewalld command as shown below.
[root@sshserver ~]# systemctl stop firewalld
Check Firewalld Status. Now you can notice that firewalld service went to Inactive state and hence not running.
[root@sshserver ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: inactive (dead) since Sat 2020-03-28 05:23:27 EST; 25s ago Docs: man:firewalld(1) Process: 5715 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS) Main PID: 5715 (code=exited, status=0/SUCCESS) Mar 28 05:18:48 localhost systemd[1]: Starting firewalld - dynamic firewall daemon... Mar 28 05:18:49 localhost systemd[1]: Started firewalld - dynamic firewall daemon. Mar 28 05:18:50 localhost firewalld[5715]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o ...ain?). Mar 28 05:18:50 localhost firewalld[5715]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o ...ain?). Mar 28 05:23:24 localhost systemd[1]: Stopping firewalld - dynamic firewall daemon... Mar 28 05:23:27 localhost systemd[1]: Stopped firewalld - dynamic firewall daemon.
NOTE:
Port 4800 is open and allowed through IPTABLES also in case IPTABLES is active in your system. If it is not allowed, you can check 30 Most Popular IPTABLES Command in Linux to allow this port through IPTABLES firewall.7. Check port connection
Now you can try to telnet ssh Port 4800 from another system and check if the ssh port is open or not. As you can see from below output, ssh Port 4800 is now open and getting connected remotely.
[root@localhost ~]# telnet 192.168.0.110 4800 Trying 192.168.0.110... Connected to 192.168.0.110. Escape character is '^]'. SSH-2.0-OpenSSH_7.4
Also Read: How to Configure SSH Host Based Authentication Per User