Linux SSH Server Hardening and Linux Firewall for SSH port

Linux SSH Server Hardening – Change SSH Port or Add allowed user or computers.

 

Change SSH port number

First take the backup of sshd_config file.And then go for edit.

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)

Now edit the file /etc/ssh/sshd_config. Search for line #Port 22 or Port 22 .
Note: The # is used for commenting the line. But because ssh has well known port number 22 (below 1024). It will by default listen on port number 22.

Remove # from line Port 22. And the change 22 to new port number, here we have selected 2292 .

vim /etc/ssh/sshd_config

Port 2292

TIP: You may add additional conditions to file sshd_config to add allowed user or allowed machine.

SELINUX for SSH

By default SELINUX only allow port no. 22 for ssh. Now add new port context 2292.
Note: Replace 2292 in case you have selected different port number

semanage port -a -t ssh_port_t -p tcp 2292

Now check once the port context for ssh

semanage port -l | grep ssh

Below given is output from our server

[root@localhost ~]# semanage port -l | grep ssh

ssh_port_t tcp 2292, 22

[root@localhost ~]#

Now Restart the SSH service

systemctl restart sshd.service

Allow port 2292 with firewalld

Now allow port number 2292 for ssh. Run the below given command. It will permanently add the new firewalld rule in public zone for port 2292 with TCP protocol.

firewall-cmd –permanent –zone=public –add-port=2292/tcp

Reload firewalld

firewall-cmd –reload

Check listening ssh port with ss command

With ss command, you can find the listening port for ssh. Use below command for this

ss -tnlp|grep ssh

Below given output is reference from our server

[root@localhost ~]# ss -tnlp|grep ssh

LISTEN 0 128 *:2292 *:* users:((“sshd”,2786,3))

LISTEN 0 128 :::2292 :::* users:((“sshd”,2786,4))

[root@localhost ~]#

Try to do ssh access to server by using port no. 2292 from remote client.

ssh -p 2292 root@192.168.56.101

Reference : http://sharadchhetri.com/2014/10/15/centos-7-rhel-7-change-openssh-port-number-selinux-enabled/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s