
How to configure SSH to use a non-standard port with SELinux set to enforcing

Switching the SSH listening port is an easy way to harden remote logins on Linux servers. However, if SELinux is involved, a few additional steps are needed. Jack Warren explains how to do it.


SSH has many tricks for security. One is to configure the service to use a non-standard port. Out of the box, SSH listens on port 22. If you want an easy way to thwart casual hacking attempts, you can configure the service to use a different port, such as 33000.


On Linux distributions that do not use SELinux, this process is very straightforward. If SELinux is involved, however, you cannot simply change the port without also telling the security subsystem about the change, or sshd will be blocked from binding to the new port.

That is exactly what we will do here: configure Fedora 35 to use port 33000 for incoming SSH traffic. The same process works on any Linux distribution that uses SELinux (RHEL, AlmaLinux, Rocky Linux, etc.).

That said, let’s get to work.

What you'll need

To make this change, you need a running instance of a Linux distribution that uses SELinux, an installed SSH server, and a user with sudo privileges.

How to change the default SSH port

The first thing to do is change the default port used by SSH. This is set in the sshd_config file. Open the file for editing with the following command:

sudo nano /etc/ssh/sshd_config

In that file, look for the following line:

#Port 22

Change that line to:

Port 33000

Save and close the file.

Do not restart the daemon yet, as you need to take care of SELinux first.

How to inform SELinux of the change

The first thing to do is check which port SELinux currently allows SSH to use. Issue the following command:

sudo semanage port -l | grep ssh

You should see a line like this:

ssh_port_t   tcp   22

So SELinux allows SSH traffic on port 22 only. Add port 33000 to the ssh_port_t label with the following command:

sudo semanage port -a -t ssh_port_t -p tcp 33000

Now, if you list the SSH ports again, the output will be:

ssh_port_t   tcp   33000, 22

SELinux still allows port 22, but SSH will no longer listen on that port, so it doesn't matter.

How to open the firewall for port 33000

Next, you need to open the firewall to allow SSH traffic on port 33000. To do this, issue the following command:

sudo firewall-cmd --add-port=33000/tcp --permanent

Then reload the firewall as follows:

sudo firewall-cmd --reload

Then remove the standard SSH service (port 22) from the firewall:

sudo firewall-cmd --remove-service=ssh --permanent

Reload the firewall again as follows:

sudo firewall-cmd --reload

How to restart the SSH daemon and log in

You can now restart the SSH daemon as follows:

sudo systemctl restart sshd

Log in to the newly configured server using the following command:

ssh USER@SERVER -p 33000

Where USER is the remote username and SERVER is the IP address (or domain name) of the remote server.
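The whole procedure above, with the checks a practitioner would want before restarting sshd, as an added shell example that is not part of the original article. The two text helpers are pure functions (testable against a constructed copy of sshd_config and sample semanage output); the privileged commands only run when the script is invoked as root with the argument "apply". The PORT and SSHD_CONFIG defaults and the use of ss to confirm the listener are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight helpers for the
# SELinux-aware SSH port change. Defaults below are assumptions; override
# them with environment variables if your layout differs.
PORT="${PORT:-33000}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Rewrite a (possibly commented) "Port N" directive as "Port <port>", or
# append one if the file has none. Pure text transformation.
set_sshd_port() {  # usage: set_sshd_port <config-file> <port>
    cfg="$1"; port="$2"
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Read `semanage port -l` output on stdin; succeed if ssh_port_t already
# covers <port>/tcp. Handles "33000, 22" lists and "33000-33010" ranges.
selinux_allows_ssh_port() {  # usage: semanage port -l | selinux_allows_ssh_port <port>
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-"); lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (p + 0 >= lo && p + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# The article's steps in order, plus: the SELinux label is added only if it
# is missing, sshd is restarted only after `sshd -t` accepts the new config,
# and the listener is confirmed. Keep your existing SSH session open until
# a login on the new port succeeds.
apply_and_verify() {
    set_sshd_port "$SSHD_CONFIG" "$PORT"
    semanage port -l | selinux_allows_ssh_port "$PORT" \
        || semanage port -a -t ssh_port_t -p tcp "$PORT"
    firewall-cmd --permanent --add-port="$PORT/tcp"
    firewall-cmd --permanent --remove-service=ssh
    firewall-cmd --reload
    sshd -t || { echo "sshd_config rejected; not restarting" >&2; return 1; }
    systemctl restart sshd
    ss -tln | grep -q ":$PORT " || { echo "sshd not listening on $PORT" >&2; return 1; }
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 apply" >&2; exit 1; }
    apply_and_verify
fi
```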

That's how to configure SSH to use a non-standard port on Linux distributions that use SELinux. You should consider switching all of your servers to a non-standard port for SSH. Combined with other SSH hardening tricks, this can go a long way toward keeping unwanted users out of your servers.
