Change Default SSH Port
"Secure Shell (SSH)" uses port "22" by default. Because this is common knowledge, lots of tools knock on your public server's door, and you may find this disturbing.
While changing the default SSH port reduces the number of login attempts, it is not a complete security solution: a simple "nmap" scan can still reveal your open ports. However, most script kiddies won't bother with that.
Changing Default SSH Port
The default location of the SSH daemon configuration is "/etc/ssh/sshd_config". Notice the "d" after "ssh": this is the server (daemon) configuration, not the client's "ssh_config". In this file you can change the SSH daemon configuration, including the listening port. However, if you're running behind a firewall, make sure you open the new port before changing your SSH configuration. Otherwise, you may lock yourself out!
Opening Related Port
On my CentOS 7 machine, I'm using "firewall-cmd" as the firewall. Therefore, I'll show how to open the port permanently with firewall-cmd.
First, let's check our zones. Note this command; we'll use it again to be sure that we've opened the port:
[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
It seems we only have one active zone. If you have multiple zones, you can check the active ones with:
[root@gnuadmin ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3
Let's open port number "33333". Be sure that no other application is using the port you'd like to use for SSH:
[root@gnuadmin ~]# firewall-cmd --permanent --zone=public --add-port=33333/tcp
success
With this command, we've permanently opened TCP port 33333 in our "public" zone. Permanent rules don't take effect until the firewall is reloaded, so after changing port states you have to reload the settings with "firewall-cmd --reload".
Now let's see what we've got:
[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 33333/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@gnuadmin ~]# firewall-cmd --list-ports
33333/tcp
Since we've opened the desired port, let's change the SSH daemon configuration.
Changing SSH Daemon Listen Port
Simply open the "/etc/ssh/sshd_config" file and find the "#Port 22" line. Uncomment it by removing the "#" character and change the line to "Port 33333". Save the file and restart your SSH service:
[root@gnuadmin ~]# vi /etc/ssh/sshd_config
[root@gnuadmin ~]# systemctl restart sshd.service
After that, you can use a tool like "netstat" or "ss" to check the port. If you don't have netstat installed, you can install the "net-tools" package to get it:
root@zion:~# netstat -tulpn
Aktif internet bağlantıları (sadece sunucular)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:445 0.0.0.0:* DİNLE 1547/smbd
tcp 0 0 127.0.0.1:8000 0.0.0.0:* DİNLE 30468/python3
tcp 0 0 0.0.0.0:139 0.0.0.0:* DİNLE 1547/smbd
tcp 0 0 127.0.0.53:53 0.0.0.0:* DİNLE 786/systemd-resolve
tcp 0 0 127.0.0.1:631 0.0.0.0:* DİNLE 28027/cupsd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* DİNLE 995/tor
tcp 0 0 0.0.0.0:33333 0.0.0.0:* LISTEN 3388/sshd
tcp6 0 0 :::445 :::* DİNLE 1547/smbd
tcp6 0 0 :::139 :::* DİNLE 1547/smbd
tcp6 0 0 :::1716 :::* DİNLE 2005/kdeconnectd
tcp6 0 0 ::1:631 :::* DİNLE 28027/cupsd
udp 0 0 0.0.0.0:55263 0.0.0.0:* 824/avahi-daemon: r
udp 0 0 127.0.0.53:53 0.0.0.0:* 786/systemd-resolve
udp 0 0 192.168.0.255:137 0.0.0.0:* 1509/nmbd
udp 0 0 192.168.0.10:137 0.0.0.0:* 1509/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1509/nmbd
udp 0 0 192.168.0.255:138 0.0.0.0:* 1509/nmbd
udp 0 0 192.168.0.10:138 0.0.0.0:* 1509/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1509/nmbd
udp 0 0 0.0.0.0:631 0.0.0.0:* 28028/cups-browsed
udp 0 0 0.0.0.0:5353 0.0.0.0:* 824/avahi-daemon: r
udp6 0 0 :::58683 :::* 824/avahi-daemon: r
udp6 0 0 :::1716 :::* 2005/kdeconnectd
udp6 0 0 :::5353 :::* 824/avahi-daemon: r
As you can see, our "sshd" is now listening on port 33333 instead of the default, 22.
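The whole procedure above (open the firewall port, reload, edit "sshd_config", restart, verify) as one script. This is an added example, not code from the original post; it assumes CentOS 7 tooling ("firewall-cmd", "systemctl", "ss", "sshd"), the "public" zone and port 33333 as in the post, and SELinux in its default enforcing mode. The file-editing and parsing helpers work on any "sshd_config" copy; only "apply_port_change" touches the live system, and it runs only when invoked with "SSH_PORT_APPLY=1".

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Assumptions (mine): CentOS 7
# tooling (firewall-cmd, systemctl, ss, sshd), the "public" zone, port 33333,
# and SELinux enforcing. Only apply_port_change changes the live system, and
# only when the script is run with SSH_PORT_APPLY=1.
set -u

# A port is acceptable when it is a plain integer in 1..65535.
validate_port() {
    local port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print every port sshd would listen on according to a config file.
# sshd accepts several Port directives (and listens on all of them), keywords
# are case-insensitive, "Port=2222" is legal, and no Port at all means 22.
sshd_listen_ports() {
    local cfg="$1" ports
    ports=$(awk '$1 ~ /^#/ { next }
                 { gsub(/=/, " ") }
                 tolower($1) == "port" { out = out (length(out) ? " " : "") $2 }
                 END { print out }' "$cfg")
    printf '%s\n' "${ports:-22}"
}

# Rewrite a config so it carries exactly one "Port <n>" directive, placed where
# the first existing Port line (active, or the commented "#Port 22" default)
# stood, or appended when there was none. The file is rewritten in place so its
# mode, owner and SELinux label survive.
set_sshd_port() {
    local cfg="$1" port="$2" tmp status
    validate_port "$port" || { echo "refusing to use port '$port'" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            gsub(/=/, " ", line)
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
        }
        key == "port" || key == "#port" {
            if (!seen) { print "Port " port; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print "Port " port }
    ' "$cfg" > "$tmp"
    status=$?
    if [ "$status" -eq 0 ]; then
        cat "$tmp" > "$cfg" || status=$?
    fi
    rm -f "$tmp"
    return "$status"
}

# Live change in the order the post insists on: firewall first, then sshd.
# Usage as root: SSH_PORT_APPLY=1 ./change-ssh-port.sh 33333 public
# Keep the current session open and confirm a fresh login on the new port
# before trusting the result.
apply_port_change() {
    local port="$1" zone="${2:-public}" cfg="${3:-/etc/ssh/sshd_config}"
    validate_port "$port" || return 1
    # Something else already bound to the port would make sshd fail to start.
    if ss -ltn "sport = :$port" | tail -n +2 | grep -q .; then
        echo "port $port is already in use" >&2
        return 1
    fi
    firewall-cmd --permanent --zone="$zone" --add-port="$port/tcp" || return 1
    firewall-cmd --reload || return 1
    # Assumption: SELinux enforcing. sshd may only bind ports labelled
    # ssh_port_t, so a new port must be labelled before sshd restarts.
    if command -v semanage >/dev/null 2>&1 &&
       ! semanage port -l | grep -Eq "^ssh_port_t[[:space:]].*[[:space:],]$port([[:space:],]|$)"; then
        semanage port -a -t ssh_port_t -p tcp "$port" || return 1
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    set_sshd_port "$cfg" "$port" || return 1
    # Syntax-check before restarting; roll back rather than leave sshd down.
    if ! sshd -t -f "$cfg"; then
        cat "$cfg.bak" > "$cfg"
        return 1
    fi
    systemctl restart sshd.service || return 1
    ss -ltn "sport = :$port"
}

if [ "${SSH_PORT_APPLY:-0}" = "1" ]; then
    apply_port_change "${1:-33333}" "${2:-public}"
fi
```

Two design notes. The config is rewritten through "cat" into the existing file rather than moved over it, so the mode, owner and SELinux label of "/etc/ssh/sshd_config" are unchanged. And the "public" zone in the post still lists the "ssh" service (22/tcp) after the change; once you have confirmed that logins on the new port work, that rule no longer serves anything and can be removed with "firewall-cmd --permanent --zone=public --remove-service=ssh" followed by another reload.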