Some webmasters believe that changing SSH port number from the default 22 can enhance security. The notion is since SSH default port number is 22 and everyone knows it, including the hackers, it isn’t safe.

Changing the SSH port number to something other than 22 will enhance your server’s security in that the bad guys won’t know which port or ports SSH communicates on. This is a cool trick, but won’t stop someone who is determined to break into your servers.

Just by using simple port scanner or similar tools, hackers can figure out all the connecting ports on your servers. This is an old technique that probably isn’t applicable in our time today.

In my opinion, the best way to protect your SSH server is to implement password-less logon using certificates and encryption. Using this method, only machines that already have the encryption key will be allowed to sign on using SSH protocol.

Another way is to configure your firewall to only all SSH connections from a pre-defined machine whose IP address is white-listed in the firewall rules. Anything else will not enhance your server security any better.

If you still want to change the default SSH port number on your CentOS 7, then continue below to learn how. I am going to show you how to do that easily.

 

  • Changing the default SSH port on CentOS 7

To change the default SSH port, the first thing you want to do is backup the current SSH configuration on your system. To do that, run the commands below.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

This creates a new named sshd_config.bak with the current settings of the sshd_config file. If something goes wrong, you can then restore the file from the backup.

Next, run the commands below to open the default SSH configuration file

sudo vi /etc/ssh/sshd_config

When the file opens, make the below change and save the file. Un-comment or remove the (#) before the line the reads Port and change the port number you want to use.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2244
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Save the file.

After saving, don’t exit until you’ve completed these steps.

By default, SELinux only allows port 22 for SSH. What you need to do is enable the newly created port through SELinux. To do that, run the commands below

sudo semanage port -a -t ssh_port_t -p tcp 2244

If you run the commands above and get an error that semanage command not found, run the commands below to install it.

sudo yum -y install policycoreutils-python

Then go and run the semange commend again to allow the new port through SELinux.

After that, run the commands below to allow the new port through the firewall.

sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp

Reload the firewall configurations

sudo firewall-cmd --reload

Restart SSH by  running the commands below.

sudo systemctl restart sshd.service

Verify that SSH is now running on the new port by running the commands below.

ss -tnlp | grep ssh
LISTEN          0                128                              *:2244 *:*                                     users:((“sshd”,10783,3))
LISTEN          0               128                              :::2244 :::*                                     users:((“sshd”,10783,4))

Exit and try signing in using the new port number.

ssh [email protected] -p 2244

Enjoy!

Frequently Asked Questions

Why should I change the OpenSSH port on CentOS 7 for security?

Changing the OpenSSH port from the default 22 can enhance security by making it harder for hackers to target your server since the default port is widely known.

Is changing the OpenSSH port number sufficient to protect my server?

While changing the port number adds a layer of security, it may not fully protect your server. Implementing additional security measures like password-less logon using certificates and encryption is recommended.

How can I backup the current SSH configuration on CentOS 7?

You can backup the current SSH configuration on CentOS 7 by running the command 'sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak'. This creates a backup file that can be restored if needed.

What is the recommended method to protect an SSH server?

Implementing password-less logon using certificates and encryption is a recommended method to protect an SSH server. This ensures that only machines with the encryption key can access the server.

Can changing the default SSH port number on CentOS 7 improve server security?

Changing the default SSH port number on CentOS 7 can improve server security by adding an extra layer of protection. However, it should be combined with other security measures for enhanced protection.

How can I configure my firewall to allow SSH connections from specific IP addresses?

You can configure your firewall to allow SSH connections from specific IP addresses by whitelisting those IPs in the firewall rules. This restricts SSH access to only the designated machines.

Is changing the default SSH port on CentOS 7 still effective in modern times?

Changing the default SSH port on CentOS 7 may not be as effective in modern times due to advanced hacking techniques. It is recommended to implement stronger security measures like encryption and firewall configurations.

What are the limitations of changing the default SSH port number on CentOS 7?

Changing the default SSH port number on CentOS 7 may not fully prevent unauthorized access, as hackers can still discover the new port using port scanning tools. It should be combined with other security practices for better protection.