Secure Shell (SSH) listens on port 22 by default. Because this is common knowledge, lots of tools knock on your public server’s door, and the flood of login attempts in your logs can be disturbing.
Changing the default SSH port reduces the number of login attempts, but it is not a complete security solution: a simple nmap scan will still reveal your open ports. Most script kiddies, however, won’t bother with that.
Changing Default SSH Port
The default location of the SSH daemon configuration is “/etc/ssh/sshd_config”. Notice the “d” after “ssh”. In this file you can change the SSH daemon configuration, including the listening port. However, if the server runs a firewall, make sure you open the new port before changing your SSH configuration. Otherwise, you may lock yourself out!
Opening Related Port
On my CentOS 7 machine the firewall is managed with “firewall-cmd”, so I’ll show how to open the port permanently with that tool.
First, let’s check our zones. Note this command; we’ll use it again later to confirm that the port is open:
[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
It seems we only have one active zone. If you have multiple zones, you can list the active ones with:
[root@gnuadmin ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3
And this zone is the firewall’s default:
[root@gnuadmin ~]# firewall-cmd --get-default-zone
public
Let’s open port number “33333”. Be sure that no other application is using the port you’d like to use for SSH:
[root@gnuadmin ~]# firewall-cmd --permanent --zone=public --add-port=33333/tcp
success
With this command, we’ve permanently opened TCP port 33333 in our “public” zone. After changing port states, you have to reload the settings:
[root@gnuadmin ~]# firewall-cmd --reload
success
Now let’s see what we got:
[root@gnuadmin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 33333/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@gnuadmin ~]# firewall-cmd --list-ports
33333/tcp
Since we’ve opened the desired port, let’s change the SSH daemon configuration.
Changing SSH Daemon Listen Port
Open the “/etc/ssh/sshd_config” file and find the “#Port 22” line. Uncomment it by removing the “#” character and change the line to “Port 33333”. Save the file and restart the SSH service:
[root@gnuadmin ~]# vi /etc/ssh/sshd_config
[root@gnuadmin ~]# systemctl restart sshd.service
After that, you can use a tool like “netstat” or “ss” to check the listening port. If you don’t have netstat installed, you can install the “net-tools” package to get it:
[root@gnuadmin ~]# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:33333 0.0.0.0:* LISTEN 1703/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1223/master
tcp6 0 0 :::33333 :::* LISTEN 1703/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1223/master
As you can see, our sshd is now listening on port 33333 instead of the default, 22.
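The whole procedure above (open the firewall port, reload, edit sshd_config, restart, verify) collected into one script, as an added example that is not part of the original post. It assumes a CentOS 7 host with firewalld (firewall-cmd), systemd (systemctl), sshd and ss on the PATH, and it adds two checks the walkthrough leaves to the reader: with SELinux enforcing, sshd may only bind ports labelled ssh_port_t, so the port is labelled with semanage when that tool is present, and the edited config is validated with "sshd -t" before the restart so a typo cannot lock you out. The port number, zone and config path are parameters; the function names are this example’s own.

```shell
#!/bin/sh
# Added example: move sshd to a new port on CentOS 7 with firewalld, SELinux
# and systemd.  Assumed tools: firewall-cmd, systemctl, sshd, ss, semanage.

# A port is acceptable if it is an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if some process on this host already listens on TCP port $1.
port_in_use() {
  ss -ltn 2>/dev/null | awk 'NR>1{print $4}' | grep -q ":$1\$"
}

# Rewrite (or add) the Port directive in an sshd_config file.  Every
# "#Port N" / "Port N" line is replaced, so a lingering commented default
# cannot be mistaken for the live setting.  Writing through cat keeps the
# original file's owner and mode (sshd_config is normally 0600 root).
set_sshd_port() {
  cfg="$1"; port="$2"
  if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp" \
      && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Report the port sshd will use: the first uncommented Port line, else 22.
get_sshd_port() {
  p=$(awk '$1=="Port"{print $2; exit}' "$1")
  echo "${p:-22}"
}

# Everything in the order the post describes: firewall first, then the
# SELinux label, then the config, then the restart, then verification.
move_sshd_port() {
  port="$1"; zone="${2:-public}"; cfg="${3:-/etc/ssh/sshd_config}"
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  if port_in_use "$port"; then echo "port $port already in use" >&2; return 1; fi
  firewall-cmd --permanent --zone="$zone" --add-port="$port/tcp" || return 1
  firewall-cmd --reload || return 1
  # With SELinux enforcing, sshd may only bind ports labelled ssh_port_t.
  # "-a" fails if the port already carries a label; fall back to "-m".
  if command -v semanage >/dev/null 2>&1; then
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
      || semanage port -m -t ssh_port_t -p tcp "$port" || return 1
  fi
  cp -p "$cfg" "$cfg.bak"                 # keep a copy to roll back from
  set_sshd_port "$cfg" "$port"
  # Validate before restarting: a broken config plus a restart locks you out.
  if ! sshd -t -f "$cfg"; then
    cat "$cfg.bak" > "$cfg"
    echo "new config invalid, original restored" >&2
    return 1
  fi
  systemctl restart sshd.service || return 1
  port_in_use "$port" && echo "sshd now listening on $port"
}

# Only act when invoked as:  ./move_sshd_port.sh --apply PORT [ZONE] [CONFIG]
if [ "${1:-}" = "--apply" ]; then
  shift
  move_sshd_port "$@"
fi
```

Keep your current SSH session open while running this, and open a second session on the new port before you close the first; the old port 22 is still reachable through the firewall’s “ssh” service until you remove that service from the zone yourself.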
