How to configure SSH to use a non-standard port with SELinux set to enforcing

3 years ago 381

Switching the SSH listening larboard is an casual mode to assistance unafraid distant login connected your Linux servers. But erstwhile SELinux is involved, you person to instrumentality a fewer other steps. Jack Wallen shows you how.

SSH has a batch of tricks up its sleeve for security, 1 of which is to configure the work to usage a non-standard port. Out of the box, SSH uses larboard 22. If you privation an casual mode to travel up would-be hacking attempts, you tin configure that work to usage a antithetic port, specified arsenic 33000.

SEE: Security incidental effect policy (TechRepublic Premium)

On Linux distributions that don't usage SELinux, this process is rather easy. However, if SELinux is involved, you can't simply alteration the port, without letting the information strategy successful connected your small secret.

And that's precisely what I'm going to bash here, configure Fedora 35 to usage larboard 33000 for incoming SSH traffic. This aforesaid process volition enactment connected immoderate Linux organisation that uses SELinux (such arsenic RHEL, Alma Linux and Rocky Linux).

With that said, let's get to work.

What you'll request

To marque this change, you'll request a moving lawsuit of a Linux organisation that includes SELinux arsenic good arsenic the SSH server installed and a idiosyncratic with sudo access.

How to alteration the default SSH larboard

The archetypal happening we're going to bash is alteration the default larboard SSH uses, which is recovered successful the sshd_config file. Open that record for editing with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

#Port 22

Change that enactment to read:

Port 33000

Save and adjacent the file.

Don't restart the daemon conscionable yet, arsenic we archetypal request to woody with SELinux.

How to alert SELinux to the alteration

The archetypal happening we'll bash is cheque to marque definite SELinux is alert of SSH. Issue the command:

sudo semanage larboard -l | grep ssh

You should spot listed:

ssh_port_t tcp 22

So SELinux is allowing SSH postulation into larboard 22. We'll alteration that to 33000 with the command:

sudo semanage larboard -a -t ssh_port_t -p tcp 33000

Now, if we cheque which larboard is being used, it should travel backmost as:

ssh_port_t tcp 33000, 22

Although SELinux is allowing larboard 22, SSH won't beryllium listening to that port, truthful it's not an issue.

How to unfastened the firewall to larboard 33000

Next, we indispensable unfastened the firewall to let SSH postulation successful done larboard 33000. For this, we contented the command:

sudo firewall-cmd --add-port=33000/tcp --permanent

Next, reload the firewall with:

sudo firewall-cmd --reload

Next, we'll disable the modular SHH larboard done the firewall with:

sudo firewall-cmd --remove-service=ssh --permanent

Once again, reload the firewall with:

sudo firewall-cmd --reload

How to restart the SSH daemon and log successful

We tin present restart the SSH daemon with:

sudo systemctl restart sshd

Log into the recently configured server with:

ssh USER@SERVER -p 33000

Where USER is simply a distant username and SERVER is the IP code (or domain) of the distant server.

And that's however you configure SSH to usage a non-standard larboard connected a Linux organisation that makes usage of SELinux. You should see switching each of your servers to utilizing a non-standard larboard for the SSH service. When you mates that with different SSH hardening tricks, you'll spell a agelong mode to preventing unwanted users from gaining entree to your servers.

Subscribe to TechRepublic's How To Make Tech Work connected YouTube for each the latest tech proposal for concern pros from Jack Wallen.

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays