Hardening a Linux server, especially one exposed to the internet, usually includes two SSH changes: moving the daemon from the default port 22 to a non-standard port, and disabling direct root login so that administrators connect as a regular user with limited privileges. Moving the port is not a security boundary, since a port scan still finds the service; its benefit is a sharp drop in automated brute-force attempts and the log noise they produce. Disabling root login is the stronger of the two, because it removes the one account name every attacker already knows and forces an attacker to guess both a user name and a password. This article walks through both changes in detail on a system that uses systemd, firewalld and SELinux, as the RHEL family of distributions does.
1. Changing the SSH Port to a Non-Standard Port
1.1. Editing the SSH Configuration File
First, edit the SSH daemon configuration so that it listens on the new port in addition to port 22:
vi /etc/ssh/sshd_config
Add a Port line for the new port (22022 in this article) and make sure a Port 22 line is active as well, removing the # comment symbol in front of it if necessary, so that the file contains both of these lines:
Port 22022
Port 22
sshd accepts several Port lines and listens on all of them. Keeping port 22 for now is a precaution: if you have no out-of-band access to the machine (iLO, IPMI, or the console of a virtual server) and something goes wrong in the following steps, sshd still answers on port 22 and you are not locked out. If you do have console access, you can list only the new port here and skip the clean-up in section 4. Then save and exit the file.
1.2. Restart the SSH Service
To apply the changes, restart the SSH service. On a system with SELinux in enforcing mode the restart succeeds, but sshd will only be able to bind port 22 at this point; section 2 deals with that.
systemctl restart sshd
1.3. Adding the New Port to the Firewall
Now add the new port 22022 to the server's firewall so that connections to it are allowed. firewalld's built-in ssh service, which opens port 22, stays enabled for now. Enter the following commands:
firewall-cmd --permanent --add-port=22022/tcp
firewall-cmd --reload
1.4. Checking the Status of the New Port
To check whether sshd is actually listening on port 22022, use the following command:
ss -tuln | grep 22022
If SELinux is in enforcing mode (the default), this prints nothing: the policy only lets sshd bind ports labelled ssh_port_t, which out of the box is just port 22, so the bind to 22022 was refused (an AVC denial for name_bind is recorded in /var/log/audit/audit.log) and sshd kept listening on port 22 alone. The next section adds the label.
2. Configuring SELinux for the New Port
2.1. Adding the Port to SELinux
To let SELinux permit the new port, add it to the set of ports labelled ssh_port_t. The semanage command comes from the policycoreutils-python-utils package if it is not already installed. Enter the following command:
semanage port -a -t ssh_port_t -p tcp 22022
2.2. Restart the SSH Service
After configuring SELinux, restart the SSH service again so that sshd retries binding the new port:
systemctl restart sshd
2.3. Re-checking the Port Status
Now re-run the ss command to check the status of the new port:
ss -tuln | grep 22022
At this stage, you should see an output similar to the following, indicating that port 22022 is properly listening:
tcp LISTEN 0 128 0.0.0.0:22022 0.0.0.0:*
tcp LISTEN 0 128 [::]:22022 [::]:*
3. Creating a New User for Server Access
3.1. Creating a New User
At this stage, create the regular user that will be used for SSH logins instead of root. Enter the following command:
useradd sshuser
Then set a password for the new user:
passwd sshuser
The system prompts for a new password. The default pam_pwquality policy rejects passwords shorter than 8 characters; pick a long passphrase or, better, set up key-based authentication for this user. If this account is going to administer the server, also add it to the wheel group so it can use sudo. Before continuing, open a second terminal and confirm that you can log in as sshuser on port 22022 (and that sudo works, if you need it); keep your existing root session open until that succeeds, so you still have a way in if something is wrong.
3.2. Editing the SSH Configuration File to Disable Root Access
At this stage, disable root access via SSH. Edit the /etc/ssh/sshd_config file again:
vi /etc/ssh/sshd_config
Find the PermitRootLogin line (on a fresh install it is usually commented out or set to yes), remove the # if present and set the value to no:
PermitRootLogin no
sshd uses the first value it reads for this keyword. On recent releases the file starts with an Include of /etc/ssh/sshd_config.d/*.conf, and a drop-in there may already set PermitRootLogin yes; in that case put your line above the Include line or change the drop-in, otherwise your setting is ignored. Save and exit the file.
3.3. Restart the SSH Service
To apply the changes, restart the SSH service again:
systemctl restart sshd
4. Checking the Status of the Changes
4.1. Checking Listening Ports
Section 1.1 deliberately left port 22 open as a safety net, so sshd is currently listening on both ports and firewalld still allows its ssh service. Once you have confirmed from a separate session that you can log in as sshuser on port 22022, remove the Port 22 line from /etc/ssh/sshd_config, restart the SSH service once more, remove the ssh service (port 22) from the firewall's permanent configuration as well, and check that only the new port is listening:
ss -tuln | grep 22
Read the output carefully: the pattern 22 also matches 22022 and any other port containing those digits, so the result should show only lines ending in :22022 and none ending in :22. With that, the SSH port has been changed and root access over SSH disabled.
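The whole procedure, as an added example that is not part of the original article: a POSIX shell script that performs the edits from sections 1 through 4 idempotently, in the order that avoids the failed bind described in section 1.4 (label the port for SELinux before restarting sshd). The file path, port 22022 and the user name sshuser follow the article; the split into an "open" stage and a "finish" stage, where the second runs only after a login on the new port has been confirmed from a second terminal, is this example's own safe ordering rather than a step the article spells out. It assumes the RHEL-family tools the article uses (systemctl, firewall-cmd, semanage, sshd -t and -T) and root privileges for the two apply stages; the sshd_set and ss-parsing functions work on any file or captured output, so they can be exercised without touching the live system. The script name harden-ssh.sh in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not the article's own code: the edits from sections 1-4 as
# shell functions. Assumes the RHEL-family tools the article uses (systemctl,
# firewall-cmd, semanage, sshd) and root for the two apply stages; the config
# path, the port and the user name are the ones used in the article.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}

# sshd_set FILE KEY VALUE...: comment out every active KEY line in FILE and
# prepend one "KEY VALUE" line per VALUE. sshd keeps the first value it reads
# for most keywords (Port is cumulative), and a line at the top of the file is
# read before any "Include /etc/ssh/sshd_config.d/*.conf" drop-in, so the new
# setting wins. Already-commented lines are left alone. KEY lines inside Match
# blocks are commented out as well, so check the result with `sshd -T`.
sshd_set() {
  file=$1; key=$2; shift 2
  tmp=$(mktemp) || return 1
  {
    for v in "$@"; do printf '%s %s\n' "$key" "$v"; done
    awk -v key="$key" 'tolower($1) == tolower(key) { print "#" $0; next } { print }' "$file"
  } > "$tmp" && cat "$tmp" > "$file"   # cat, not mv: keeps mode, owner and SELinux label
  rc=$?
  rm -f "$tmp"
  return $rc
}

# listening_tcp_ports: read `ss -tuln` output on stdin and print the listening
# TCP ports one per line (the port is whatever follows the last ":" in the
# local address, which handles both 0.0.0.0:22022 and [::]:22022).
listening_tcp_ports() {
  awk '$1 == "tcp" && $2 == "LISTEN" { n = split($5, a, ":"); print a[n] }' | sort -un
}

# port_is_listening PORT: succeed if PORT is among the listening TCP ports on stdin.
port_is_listening() {
  listening_tcp_ports | grep -qx "$1"
}

# selinux_ssh_port_allowed PORT: succeed if `semanage port -l` already lists
# PORT under ssh_port_t/tcp (ports appear comma-separated on one line).
selinux_ssh_port_allowed() {
  semanage port -l | awk -v p="$1" '
    $1 == "ssh_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
    }
    END { exit !found }'
}

# Stage 1 (sections 1 and 2): listen on the new port while port 22 stays open.
# The SELinux label is added before the restart, so the bind succeeds first time.
open_new_port() {
  port=$1
  sshd_set "$SSHD_CONFIG" Port "$port" 22 || return 1
  selinux_ssh_port_allowed "$port" || semanage port -a -t ssh_port_t -p tcp "$port" || return 1
  firewall-cmd --permanent --add-port="$port"/tcp && firewall-cmd --reload || return 1
  sshd -t && systemctl restart sshd || return 1   # never restart on a config that fails -t
  ss -tuln | port_is_listening "$port"
}

# Stage 2 (sections 3 and 4): run only after "ssh -p PORT sshuser@host" has
# worked from a second terminal, with the original session kept open as a fallback.
finish_hardening() {
  port=$1
  id sshuser >/dev/null 2>&1 || { useradd sshuser && passwd sshuser; } || return 1
  sshd_set "$SSHD_CONFIG" PermitRootLogin no || return 1
  sshd_set "$SSHD_CONFIG" Port "$port" || return 1       # drops the Port 22 safety net
  sshd -t && systemctl restart sshd || return 1
  firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload || return 1
  if ss -tuln | port_is_listening 22; then
    echo "port 22 is still listening" >&2; return 1
  fi
  sshd -T | grep -q '^permitrootlogin no$'          # sshd -T prints lowercase keywords
}

case ${1:-} in
  open)   open_new_port "${2:-22022}" ;;
  finish) finish_hardening "${2:-22022}" ;;
esac
```

Usage, as root: `sh harden-ssh.sh open 22022`, then log in as sshuser on port 22022 from a second terminal, and only then `sh harden-ssh.sh finish 22022`. Each stage refuses to restart sshd if `sshd -t` rejects the configuration, and the finish stage fails if port 22 is still listening or `sshd -T` does not report permitrootlogin no, so a mistake shows up before the fallback session is closed.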