Switching the SSH listening larboard is an casual mode to assistance unafraid distant login connected your Linux servers. But erstwhile SELinux is involved, you person to instrumentality a fewer other steps. Jack Wallen shows you how.
SSH has a batch of tricks up its sleeve for security, 1 of which is to configure the work to usage a non-standard port. Out of the box, SSH uses larboard 22. If you privation an casual mode to travel up would-be hacking attempts, you tin configure that work to usage a antithetic port, specified arsenic 33000.
SEE: Security incidental effect policy (TechRepublic Premium)
On Linux distributions that don't usage SELinux, this process is rather easy. However, if SELinux is involved, you can't simply alteration the port, without letting the information strategy successful connected your small secret.
And that's precisely what I'm going to bash here, configure Fedora 35 to usage larboard 33000 for incoming SSH traffic. This aforesaid process volition enactment connected immoderate Linux organisation that uses SELinux (such arsenic RHEL, Alma Linux and Rocky Linux).
With that said, let's get to work.
What you'll request
To marque this change, you'll request a moving lawsuit of a Linux organisation that includes SELinux arsenic good arsenic the SSH server installed and a idiosyncratic with sudo access.
How to alteration the default SSH larboard
The archetypal happening we're going to bash is alteration the default larboard SSH uses, which is recovered successful the sshd_config file. Open that record for editing with the command:
sudo nano /etc/ssh/sshd_configIn that file, look for the line:
#Port 22Change that enactment to read:
Port 33000Save and adjacent the file.
Don't restart the daemon conscionable yet, arsenic we archetypal request to woody with SELinux.
How to alert SELinux to the alteration
The archetypal happening we'll bash is cheque to marque definite SELinux is alert of SSH. Issue the command:
sudo semanage larboard -l | grep sshYou should spot listed:
ssh_port_t tcp 22So SELinux is allowing SSH postulation into larboard 22. We'll alteration that to 33000 with the command:
sudo semanage larboard -a -t ssh_port_t -p tcp 33000Now, if we cheque which larboard is being used, it should travel backmost as:
ssh_port_t tcp 33000, 22Although SELinux is allowing larboard 22, SSH won't beryllium listening to that port, truthful it's not an issue.
How to unfastened the firewall to larboard 33000
Next, we indispensable unfastened the firewall to let SSH postulation successful done larboard 33000. For this, we contented the command:
sudo firewall-cmd --add-port=33000/tcp --permanentNext, reload the firewall with:
sudo firewall-cmd --reloadNext, we'll disable the modular SHH larboard done the firewall with:
sudo firewall-cmd --remove-service=ssh --permanentOnce again, reload the firewall with:
sudo firewall-cmd --reloadHow to restart the SSH daemon and log successful
We tin present restart the SSH daemon with:
sudo systemctl restart sshdLog into the recently configured server with:
ssh USER@SERVER -p 33000Where USER is simply a distant username and SERVER is the IP code (or domain) of the distant server.
And that's however you configure SSH to usage a non-standard larboard connected a Linux organisation that makes usage of SELinux. You should see switching each of your servers to utilizing a non-standard larboard for the SSH service. When you mates that with different SSH hardening tricks, you'll spell a agelong mode to preventing unwanted users from gaining entree to your servers.
Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.
Cybersecurity Insider Newsletter
Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays
Sign up todayAlso spot
- Hackers are getting amended astatine their jobs, but radical are getting amended astatine prevention (TechRepublic)
- Stop utilizing your enactment laptop oregon telephone for idiosyncratic stuff, due to the fact that I cognize you are (TechRepublic)
- How to go a cybersecurity pro: A cheat sheet (TechRepublic)
- Security threats connected the horizon: What IT pro's request to cognize (free PDF) (TechRepublic)
- Checklist: Securing integer information (TechRepublic Premium)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)