How to configure SSH to use a non-standard port with SELinux set to enforcing

Switching the SSH listening port is an easy way to help secure remote login on your Linux servers. But when SELinux is involved, you need to take a few extra steps. Jack Wallen shows you how.


SSH has a lot of tricks up its sleeve for security, one of which is to configure the service to use a non-standard port. Out of the box, SSH uses port 22. If you want an easy way to trip up would-be attackers, you can configure the service to use a different port, such as 33000.


On Linux distributions that don't use SELinux, this process is quite simple. However, if SELinux is involved, you can't simply change the port without letting the security system in on your little secret.

And that's exactly what I'm going to do here: configure Fedora 35 to use port 33000 for incoming SSH traffic. This same process will work on any Linux distribution that uses SELinux (such as RHEL, AlmaLinux and Rocky Linux).

With that said, let's get to work.

What you'll need

To make this change, you'll need a running instance of a Linux distribution that includes SELinux, with the SSH server installed, and a user with sudo access.

How to change the default SSH port

The first thing we'll do is change the default port SSH uses, which is set in the sshd_config file. Open that file for editing with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

#Port 22

Change that line to read:

Port 33000

Save and close the file.

Don't restart the daemon just yet, as we first have to deal with SELinux.

How to alert SELinux to the change

The first thing we'll do is check which port SELinux currently associates with SSH. Issue the command:

sudo semanage port -l | grep ssh

You should see listed:

ssh_port_t   tcp   22

So SELinux is allowing SSH traffic on port 22. We'll add port 33000 to that label with the command:

sudo semanage port -a -t ssh_port_t -p tcp 33000

Now, if we run the same semanage check again, it should come back as:

ssh_port_t   tcp   33000, 22

Although SELinux is still allowing port 22, SSH won't be listening on that port, so it's not a problem.

How to open the firewall to port 33000

Next, we must open the firewall to allow SSH traffic in through port 33000. For this, we issue the command:

sudo firewall-cmd --add-port=33000/tcp --permanent

Next, reload the firewall with:

sudo firewall-cmd --reload

Next, we'll remove the standard SSH service (port 22) from the firewall with:

sudo firewall-cmd --remove-service=ssh --permanent

Once again, reload the firewall with:

sudo firewall-cmd --reload

How to restart the SSH daemon and log in

We can now restart the SSH daemon with:

sudo systemctl restart sshd

Log into the newly configured server with:

ssh USER@SERVER -p 33000

Where USER is a remote username and SERVER is the IP address (or domain name) of the remote server.
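Because a mistake in any of the three steps above (sshd_config, the SELinux port label, the firewall) can lock you out of the server, here is an added pre-flight script, not part of the original article, that checks all three before you restart sshd. It assumes the output formats of semanage port -l and firewall-cmd --list-ports shown on this page, and that sshd, semanage and firewall-cmd are on the PATH when run as root; keep your existing SSH session open until the new port has been verified.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for the port change
# described above, run BEFORE `systemctl restart sshd` so a mistake cannot lock you out.
# Assumes the `semanage port -l` and `firewall-cmd --list-ports` output formats shown on the page.

# Read `semanage port -l` output on stdin; succeed if PORT is in the tcp ssh_port_t list
# (the page shows that list as e.g. "ssh_port_t  tcp  33000, 22").
selinux_allows_ssh_port() {
    awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
    } END { if (found) exit 0; exit 1 }'
}

# Read `firewall-cmd --list-ports` output on stdin (e.g. "33000/tcp 8080/tcp"); succeed if PORT/tcp is open.
firewall_allows_port() {
    awk -v p="$1/tcp" '{ for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
                        END { if (found) exit 0; exit 1 }'
}

# Rewrite the first "Port N" / "#Port N" line of an sshd_config file to "Port PORT";
# append one if the file has no Port line at all. Usage: set_sshd_port /etc/ssh/sshd_config 33000
set_sshd_port() {
    cfg="$1"; port="$2"
    awk -v p="$port" '
        /^#?[[:space:]]*Port[[:space:]]+[0-9]+/ && !done { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Run all three checks on the live host (needs root); returns non-zero if any check fails.
preflight() {
    port="$1"; rc=0
    # 1. sshd must accept the edited config, otherwise the restart would leave no listener at all.
    sshd -t || { echo "sshd_config has syntax errors; do not restart sshd"; rc=1; }
    # 2. SELinux must label the new port as ssh_port_t, or sshd will be denied the bind.
    semanage port -l | selinux_allows_ssh_port "$port" \
        || { echo "SELinux does not allow tcp/$port: semanage port -a -t ssh_port_t -p tcp $port"; rc=1; }
    # 3. firewalld must let the new port through, or no client will reach it.
    firewall-cmd --list-ports | firewall_allows_port "$port" \
        || { echo "firewalld does not allow tcp/$port: firewall-cmd --add-port=$port/tcp --permanent"; rc=1; }
    return "$rc"
}

# Stand-alone use on the host: sudo sh ssh-port-preflight.sh 33000
if [ -n "${1:-}" ]; then preflight "$1"; fi
```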

And that's how you configure SSH to use a non-standard port on a Linux distribution that uses SELinux. You should consider switching all of your servers to a non-standard port for the SSH service. When you couple that with other SSH hardening tricks, you'll go a long way toward preventing unwanted users from gaining access to your servers.
