Changing the SSH port

    Introduction


    I'm sure most of you have experienced this scenario: a server is put online, and although you've secured it properly, you still see people trying to brute-force their way in by attempting to log in via SSH.

    Code:
    sshd[25808]: input_userauth_request: invalid user ubnt [preauth]
    sshd[25808]: Received disconnect from 91.224.161.103: 11:  [preauth]
    sshd[25810]: Invalid user test from 91.224.161.103
    sshd[25810]: input_userauth_request: invalid user test [preauth]
    sshd[25810]: Received disconnect from 91.224.161.103: 11:  [preauth]
    sshd[25812]: Invalid user tech from 91.224.161.103
    sshd[25812]: input_userauth_request: invalid user tech [preauth]
    sshd[25812]: Received disconnect from 91.224.161.103: 11:  [preauth]
    sshd[25814]: Received disconnect from 91.224.161.103: 11:  [preauth]


    Although you've set up your server to only allow SSH key-based authentication (so nobody can log in with a password), people are still trying to find their way in. You can dramatically reduce the number of these attempts by switching your SSH daemon to a non-standard port.

    In this post, I'll show you how to change that port.

    CentOS comes with SELinux, and when it is enabled, SELinux by default will only allow the SSH daemon to run on port 22.

    Any attempt to restart the SSH daemon using a different port will result in the following error:


    Code:
    sshd[778]: Received signal 15; terminating.
    sshd[27278]: error: Bind to port 2022 on 0.0.0.0 failed: Permission denied.
    sshd[27278]: error: Bind to port 2022 on :: failed: Permission denied.
    sshd[27278]: fatal: Cannot bind any address.
    sshd[27286]: error: Bind to port 2022 on 0.0.0.0 failed: Permission denied.
    sshd[27286]: error: Bind to port 2022 on :: failed: Permission denied.
    sshd[27286]: fatal: Cannot bind any address.
    sshd[27291]: Server listening on 0.0.0.0 port 22.
    sshd[27291]: Server listening on :: port 22.


    To check if SELinux is enabled, execute the sestatus command:

    Code:
    [root@localhost ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

    When it is disabled, you'll see this:

    Code:
    [root@localhost ~]# sestatus 
    SELinux status:                 disabled

    When SELinux is disabled, you should be able to put the SSH daemon on any port you like. However, when SELinux is enabled, you'll need to do some extra work.

    To view the ports SELinux allows for SSH, execute the following command:

    Code:
    [root@ip-172-30-0-30 ~]# semanage port -l | grep ssh
    ssh_port_t                     tcp      22

    If you don't have the semanage command in your CentOS install (e.g. the minimal distro), you can install it with: sudo yum install policycoreutils-python

    To allow the SSH daemon to also run on port 2022, execute this (it can take a while to return):

    Code:
    [root@ip-172-30-0-30 ~]# semanage port -a -t ssh_port_t -p tcp 2022

    After that, port 2022 is listed for ssh_port_t and you'll be able to run the SSH daemon on it:

    Code:
    [root@ip-172-30-0-30 ~]# semanage port -l | grep ssh
    ssh_port_t                     tcp      2022, 22

    As you can see the daemon starts up fine:

    Code:
    sshd[27291]: Received signal 15; terminating.
    sshd[27367]: Server listening on 0.0.0.0 port 2022.
    sshd[27367]: Server listening on :: port 2022.
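    The steps above combined into one script, as an added example that is not from the original post: it checks sestatus, labels the port with semanage only when SELinux is enabled and the port is not yet listed, sets the Port directive in sshd_config, and validates the config before restarting. Port 2022, the /etc/ssh/sshd_config path and the sshd systemd unit are assumptions; firewall rules are not handled.

```shell
# Added example, not from the original post: move sshd to a non-standard port on a
# CentOS host whose SELinux policy only lists port 22 for ssh_port_t.
# Assumptions: port 2022, /etc/ssh/sshd_config and the 'sshd' unit are placeholders.
NEW_PORT="${1:-2022}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Return 0 when the 'sestatus' output passed as $1 reports SELinux enabled.
selinux_enabled() {
    printf '%s\n' "$1" | grep -q '^SELinux status:[[:space:]]*enabled'
}

# Return 0 when TCP port $2 is already covered by the ssh_port_t line of the
# 'semanage port -l' output passed as $1. Handles lists ("2022, 22") and ranges ("1024-65535").
ssh_port_allowed() {
    local listing="$1" port="$2" line entries entry lo hi
    line=$(printf '%s\n' "$listing" | awk '$1 == "ssh_port_t" && $2 == "tcp"')
    [ -n "$line" ] || return 1
    entries=${line#*tcp}                      # drop the type and protocol columns
    for entry in $(printf '%s' "$entries" | tr ',' ' '); do
        case "$entry" in
            *-*) lo=${entry%-*}; hi=${entry#*-}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" -eq "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# Set (or add) the Port directive in the sshd_config file $1 to port $2.
set_sshd_port() {
    local cfg="$1" port="$2" tmp
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'Port %s\n' "$port"; } > "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"      # keeps the original file's ownership and mode
}

# Live procedure (run as root): label the port for SELinux if needed, then reconfigure sshd.
change_ssh_port() {
    if selinux_enabled "$(sestatus)"; then
        command -v semanage >/dev/null || { echo 'install policycoreutils-python first' >&2; return 1; }
        ssh_port_allowed "$(semanage port -l)" "$NEW_PORT" || semanage port -a -t ssh_port_t -p tcp "$NEW_PORT"
    fi
    set_sshd_port "$SSHD_CONFIG" "$NEW_PORT"
    sshd -t && systemctl restart sshd        # validate the config before restarting
}

if [ "${1:-}" = "--apply" ]; then change_ssh_port; fi
```

    Keep your existing SSH session open until you have confirmed a new login on the new port works.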
    Last edited by DaMysterious; 08-31-2019, 01:37 PM.