Switching the SSH listening port is an easy way to protect remote logins on Linux servers. However, if SELinux is involved, some additional steps need to be taken. Jack Wallen explains how to do that.
SSH has many security tricks up its sleeve. One is to configure the service to use a non-standard port. Out of the box, SSH listens on port 22. If you want a simple way to deter casual hacking attempts against the service, you can configure it to listen on a different port, such as 33000.
On Linux distributions that do not use SELinux, this process is very straightforward. If SELinux is involved, however, you cannot simply change the port without letting the security system in on the change, or it will block sshd from binding to the new port.
That is exactly what we do here: configure Fedora 35 to use port 33000 for incoming SSH traffic. The same process works on every Linux distribution that uses SELinux (RHEL, AlmaLinux, Rocky Linux, etc.).
With that said, let's get to work.
To make this change, you need a running instance of a Linux distribution that uses SELinux, an installed SSH server, and a user with sudo privileges.
How to change the default SSH port
The first thing to do is change the default port used by SSH. It is set in the sshd_config file. Open that file for editing with the following command:
sudo nano /etc/ssh/sshd_config
In that file, look for the following line (commented out by default):
#Port 22
Change that line to:
Port 33000
Save and close the file.
Do not restart the daemon yet as you need to handle SELinux first.
How to inform SELinux of the change
The first thing to do is check which port SELinux currently associates with SSH. Issue the following command:
sudo semanage port -l | grep ssh
The output should look like this:
ssh_port_t tcp 22
So SELinux currently allows SSH traffic only on port 22. Add port 33000 to the same type with the following command:
sudo semanage port -a -t ssh_port_t -p tcp 33000
Now, if you run the same check again, it returns:
ssh_port_t tcp 33000, 22
SELinux still allows port 22, but since SSH will no longer listen on that port, it doesn't matter.
How to open the firewall for port 33000
Next, you need to open the firewall to allow SSH traffic over port 33000. To do this, issue the following command:
sudo firewall-cmd --add-port=33000/tcp --permanent
Then reload the firewall as follows:
sudo firewall-cmd --reload
Then remove the standard SSH service (port 22) from the firewall:
sudo firewall-cmd --remove-service=ssh --permanent
Reload the firewall again as follows:
sudo firewall-cmd --reload
How to restart the SSH daemon and log in
You can now restart the SSH daemon as follows:
sudo systemctl restart sshd
Log in to the newly configured server using the following command:
ssh USER@SERVER -p 33000
Where USER is the remote username and SERVER is the IP address (or domain) of the remote server.
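The steps above, collected into one script as an added example (this is not from the original article): it applies them in the same order but verifies each one before sshd is restarted, so the daemon never comes back up on a port that SELinux or firewalld would still block. It assumes firewalld, the `semanage` tool (from policycoreutils-python-utils) and root privileges; the `APPLY=1` guard and the `SSHD_CONFIG` override are this script's own conventions.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: applies the article's steps in
# the same order, but checks each one before restarting sshd, so the daemon is
# never restarted on a port that SELinux or firewalld would still block.
set -eu
NEW_PORT="${1:-33000}"                       # port used in the article
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
# Rewrite the Port directive in sshd_config text read on stdin. Handles the
# default commented-out "#Port 22", an existing "Port N", or no Port line at all.
set_port_directive() {
  port="$1"; text="$(cat)"
  if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+'; then
    printf '%s\n' "$text" | sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port ${port}/"
  else
    printf 'Port %s\n%s\n' "$port" "$text"
  fi
}
# Succeed if `semanage port -l` output on stdin (e.g. "ssh_port_t  tcp  33000, 22")
# lists the given port for ssh_port_t.
selinux_allows_port() {
  grep -E '^ssh_port_t[[:space:]]+tcp' | tr ',' ' ' |
    awk -v p="$1" '{ for (i = 3; i <= NF; i++) if ($i == p) found = 1 } END { exit (found ? 0 : 1) }'
}
main() {
  case "$NEW_PORT" in ''|*[!0-9]*) echo "port must be numeric" >&2; exit 1;; esac
  [ "$NEW_PORT" -ge 1 ] && [ "$NEW_PORT" -le 65535 ] || { echo "port out of range" >&2; exit 1; }
  # 1. sshd_config: edit a copy, let sshd validate it, then install it.
  tmp="$(mktemp)"
  set_port_directive "$NEW_PORT" < "$SSHD_CONFIG" > "$tmp"
  sshd -t -f "$tmp"
  install -m 0600 "$tmp" "$SSHD_CONFIG"
  rm -f "$tmp"
  # 2. SELinux: label the port before sshd tries to bind it (-a adds; 22 stays).
  if ! semanage port -l | selinux_allows_port "$NEW_PORT"; then
    semanage port -a -t ssh_port_t -p tcp "$NEW_PORT"
  fi
  semanage port -l | selinux_allows_port "$NEW_PORT" || { echo "SELinux does not allow $NEW_PORT" >&2; exit 1; }
  # 3. firewalld: open the new port, drop the ssh service (port 22), reload once.
  firewall-cmd --permanent --add-port="${NEW_PORT}/tcp"
  firewall-cmd --permanent --remove-service=ssh
  firewall-cmd --reload
  # 4. Only now restart sshd, and confirm it came back up.
  systemctl restart sshd
  systemctl is-active --quiet sshd
}
# Run the privileged steps only when asked: APPLY=1 sudo ./ssh-port.sh 33000
if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Keep an existing SSH session open while running it, so a mistake in any step does not lock you out of the server.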
That's how to configure SSH to use a non-standard port on Linux distributions that use SELinux. Consider switching all of your servers to a non-standard port for the SSH service. Combined with other SSH hardening tricks, this can go a long way toward keeping unwanted users out of your server.
Source: How to configure SSH to use a non-standard port with SELinux set to enforcing, https://www.techrepublic.com/article/how-to-configure-ssh-to-use-a-non-standard-port-with-selinux-set-to-enforcing/