Changing the Default SSH Port on Linux

Establishing an encrypted connection to your online server is very smart, especially if you are doing administrative tasks. This article does not prevent users from abusing the sshd service running on your Linux box, but by changing the default port you stop automated scripts from attacking it.

If you are still using telnet or a control panel, I sort of hope you will use the year 2010 to reconsider and move on. Convert to ssh not only to be more secure, but also to improve your system administration skills, understand the operating system better, and of course be more in control of your Linux box.

Using an SSH client you can connect to your Linux box if there is an sshd service running. This should be the case by default (otherwise install it first), and by default the port is 22.

And that’s what I have a problem with. It allows automated malicious scripts to mass-scan IP ranges online on port 22 and fingerprint the service to learn what they’re dealing with. This is quite easy and quite fast: the port is known, so a whole IP range can be checked rather quickly.

If you change the default port from 22 to something else, much higher up the port range, they will need to port scan the whole IP to find it. Automated scripts usually stay below 1024, if they scan at all. So as an additional security layer you could change it from 22 to something over 1024, an available port of course that’s not already in use by something else. Those scripts will then run into a ‘connection refused’ error on port 22, perhaps do a quick scan, fail to find sshd running, and move on. Yay. Deflected a potential brute force attack, for example.

So, on say CentOS or Ubuntu, how do we go about changing the sshd service default port from 22 to something higher?

Obviously, we need to log into the box as root / a superuser and edit the configuration file, then restart sshd for the changes to take effect.

ssh into your box, and type:

cd /etc/ssh

then type the following to confirm that sshd_config (notice the d?) is in fact there:

ls -all

if so, we can use the pico or nano text editor to open the file so we can edit it:

nano -w sshd_config

Near the top of the file you can see:

#Port 22

By the way, note that this line is sometimes commented out with a leading # character. Remove the # character first.

And what I usually do is append three more digits to it:

Port 22555

With Control+o I first save the file, and then Control+x to exit the editor.

Now that we’re done editing the port from 22 to 22555 we have to restart sshd, so type:

service ssh restart

This should not come back with an error. (On CentOS the service is named sshd rather than ssh, so the command there is service sshd restart.)

At this point the changes are live. So open a new terminal window without closing the current one (if something went wrong, that existing session is your way back in), and type:

ssh floris@example.com -p 22555

Normally you would use the default port 22, but now, if you use a CLI (command line interface) client, you have to add -p 22555 (or whatever number you changed it to).

A normal ssh connection should then be established.

Testing port 22 should fail, like this:

floris@iMac ~ % ssh floris@example.com -p 22
ssh: connect to host example.com port 22: Connection refused
floris@iMac ~ %
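The steps above (pick an unprivileged port that nothing else is listening on, turn the commented `#Port 22` line into `Port <new>`, verify, restart) can be wrapped in a small POSIX shell script so the edit is checked before sshd is restarted. This is an added example, not code from the original post: the function names, the `FILE.bak` backup, the `apply` argument and the 1024-65535 range check are my assumptions; `ss`, `sed`, `grep` and `sshd -t` are the standard tools.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the Port directive in an
# sshd_config-style file and sanity-check the chosen port before restarting.
# The file path and port are parameters so the functions can be exercised on a
# scratch copy; only "apply" (see the bottom) touches /etc/ssh/sshd_config.

# valid_port PORT: succeed if PORT is an integer in the unprivileged range 1024-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# port_free PORT: succeed if nothing on this host already listens on TCP PORT.
# Returns 2 ("unknown") when ss(8) is not installed.
port_free() {
    command -v ss >/dev/null 2>&1 || return 2
    # column 4 of "ss -ltn" is the local address:port; skip the header line
    ! ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -q ":$1\$"
}

# set_sshd_port FILE PORT: replace every "Port N" or "#Port N" line in FILE
# with "Port PORT" (appending one if FILE has no Port line). FILE.bak is
# written first so the edit can be undone.
set_sshd_port() {
    file=$1; port=$2
    valid_port "$port" || { echo "refusing port '$port' (need 1024-65535)" >&2; return 1; }
    cp -- "$file" "$file.bak"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -E -i.tmp "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
        rm -f -- "$file.tmp"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# current_port FILE: print the active (uncommented) Port value, or 22 if none is set,
# which is what sshd itself defaults to.
current_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${p:-22}"
}

# Real run, only when invoked as:  ./change_port.sh apply 22555
if [ "${1:-}" = "apply" ]; then
    port=${2:-}
    rc=0; port_free "$port" || rc=$?
    [ "$rc" -eq 1 ] && { echo "port $port is already in use" >&2; exit 1; }
    [ "$rc" -eq 2 ] && echo "warning: ss not found, could not check whether $port is free" >&2
    set_sshd_port /etc/ssh/sshd_config "$port"
    # sshd -t parses the config and exits non-zero on a mistake, before any restart
    sshd -t && echo "config OK; restart with 'service ssh restart' (Ubuntu) or 'service sshd restart' (CentOS)"
fi
```

Two things the script deliberately leaves to you, because they depend on the box: a host firewall (ufw, iptables, firewalld) must allow the new TCP port before sshd is restarted, and on CentOS with SELinux enforcing the new port has to be registered for the ssh daemon (`semanage port -a -t ssh_port_t -p tcp 22555`) or sshd will refuse to bind it. Keep the original session open until the `-p 22555` test from a second window succeeds; if you do not want to type `-p` every time, a `Host example.com` block with `Port 22555` in `~/.ssh/config` does the same job.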
