How to Change the SSH Port on Fedora 40

SSH, or Secure Shell, is a protocol designed for secure communication between computers over an unsecured network. It provides encrypted channels, ensuring that data transmitted is protected from eavesdropping or tampering. SSH is widely used for remote login, executing commands, and transferring files securely.

By default, SSH operates on port 22. This standard port allows seamless connections without specifying the port explicitly in commands. However, its default nature makes it a target for unauthorized access attempts, such as brute-force attacks. Therefore, understanding the role of the default port is essential for administrators aiming to balance convenience and security.

Configuring the New Port

sudo nano /etc/ssh/sshd_config

Locate the line that defines the Port parameter. By default, this line might be commented out. Uncomment it or add the line if it doesn’t exist, and set it to the desired port number.

Port 2222

After saving the changes, update your firewall rules to allow traffic on the new port. For systems using firewalld, execute the following commands:

sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

Next, restart the SSH service to apply the changes.

sudo systemctl restart sshd

To test the new configuration, attempt to connect to your server using the new port.

ssh -p 2222 username@your-server-ip

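Ensure the new port is working correctly before closing your existing session. If SELinux is enabled, you may need to adjust its policies to allow the new port; otherwise sshd can be denied permission to bind to it. The semanage commands for this are covered under Updating Firewall Rules below.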

Updating Firewall Rules

After configuring a new SSH port, it is essential to update your firewall rules to allow connections on this port. Fedora uses firewalld as its default firewall management tool. Here’s how you can adjust the rules:

First, add the new port to the firewall’s list of allowed ports:

sudo firewall-cmd --permanent --add-port=2222/tcp

The --permanent flag ensures that the rule persists after a system reboot. Once the rule is added, reload the firewall to apply the changes:

sudo firewall-cmd --reload

To verify that the new port is correctly added, check the list of active ports:

sudo firewall-cmd --list-ports

If SELinux is enabled, confirm its policy allows traffic on the new port:

sudo semanage port -l | grep ssh

If needed, adjust SELinux rules by adding the new port:

sudo semanage port -a -t ssh_port_t -p tcp 2222

Why Change the SSH Port?

Changing the default SSH port offers several key advantages, primarily related to security and system management.

  1. Enhancing Security
    The default SSH port (22) is a common target for automated attacks, such as brute-force login attempts. Many bots and scripts scan for open port 22 to exploit vulnerabilities. By switching to a non-standard port, you reduce the likelihood of such attacks, as most automated tools do not scan every possible port.
  2. Reducing Log Noise
    Changing the SSH port helps minimize unwanted login attempts and error messages in system logs. This makes it easier to monitor for legitimate security threats without sifting through a large volume of failed login attempts.
  3. Custom Security Layers
    While changing the port alone is not a foolproof security measure, it acts as an additional layer in a comprehensive security strategy. It works well when combined with other practices, such as using strong passwords, enabling firewalls, and implementing two-factor authentication.
  4. Avoiding Port Conflicts
    In some environments, administrators may need to change the SSH port to avoid conflicts with other services or adhere to organizational policies.

To change the SSH port on Fedora 40, you need to edit the SSH configuration file and specify the new port. This process involves updating the SSH daemon settings, ensuring the new port is not already in use, and configuring the firewall to allow connections on the new port. Follow these steps to configure a new SSH port:

First, open the SSH configuration file using a text editor such as nano or vi, as shown under Configuring the New Port above.

Testing the New SSH Port

After updating the SSH configuration and firewall rules, it’s crucial to test the new SSH port to ensure everything is working correctly. Follow these steps:

First, open a new terminal session without closing the current one. This allows you to revert the changes if something goes wrong.

Use the ssh command to connect to the server using the new port. Specify the port number with the -p option:

ssh -p 2222 username@your-server-ip

Replace username with your actual username and your-server-ip with your server’s IP address. If the connection is successful, it means the new SSH port is properly configured.

If the connection fails, ensure:

  • The SSH service is running:
    sudo systemctl status sshd
    
  • The firewall is correctly configured.
  • SELinux settings are updated if applicable.

Once confirmed, you can close the old session and use the new port moving forward.
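The checks this page walks through (effective port, firewalld rule, SELinux label, and whether the port is already in use) gathered into one script, as an added example that is not part of the original article. The function names are made up for illustration; sshd -t / sshd -T, semanage port -l, firewall-cmd --list-ports and ss -Htln are the real commands whose output they parse.

```bash
#!/usr/bin/env bash
# Added example (not from the article); function names are illustrative.
# Each parser reads a real command's output on stdin, so it can be tested offline.

# True if `semanage port -l` output (stdin) labels tcp port $1 as ssh_port_t.
selinux_allows() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { p = $i; sub(/,$/, "", p); if (p == want) ok = 1 }
        }
        END { exit !ok }'
}

# True if `firewall-cmd --list-ports` output (stdin) opens tcp port $1,
# either exactly (2222/tcp) or inside a range (2200-2300/tcp).
firewall_allows() {
    tr ' ' '\n' | awk -F'[-/]' -v want="$1" '
        $NF == "tcp" && NF == 2 && $1 == want { ok = 1 }
        $NF == "tcp" && NF == 3 && want + 0 >= $1 + 0 && want + 0 <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

# Ports sshd will actually bind, from `sshd -T` output (stdin). Unlike grepping
# sshd_config, this also reflects files pulled in by Include directives.
effective_ports() { awk '$1 == "port" { print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'; }

# True if `ss -Htln` output (stdin) shows a listener on tcp port $1.
port_taken() {
    awk -v want="$1" '{ n = split($4, a, ":"); if (a[n] == want) hit = 1 } END { exit !hit }'
}

# Run every check against the live system for port $1. Needs root.
preflight() {
    local port="$1" rc=0
    sshd -t || { echo "sshd_config has syntax errors; do not restart sshd"; return 1; }
    sshd -T | effective_ports | grep -qw "$port" \
        || { echo "sshd: port $port is not in the effective configuration"; rc=1; }
    semanage port -l | selinux_allows "$port" \
        || { echo "SELinux: run semanage port -a -t ssh_port_t -p tcp $port"; rc=1; }
    firewall-cmd --list-ports | firewall_allows "$port" \
        || { echo "firewalld: $port/tcp is not open"; rc=1; }
    ss -Htln | port_taken "$port" \
        && echo "note: something already listens on $port (expected only if it is sshd)"
    return $rc
}
```

Source the file and run preflight 2222 as root before restarting sshd, or again if the test connection fails, from a session you keep open.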

Final Steps

After successfully testing the new SSH port, there are a few final tasks to complete to ensure a seamless transition and secure setup. First, update any automation scripts, such as backup systems or deployment tools, to use the new port. Failure to do so might lead to connection errors when these tools attempt to access the server.

Next, communicate the port change to any team members or administrators who need SSH access. Be sure to provide them with the updated connection details, including the new port number.

Consider disabling root login via SSH for enhanced security. This forces users to connect with a regular user account and use sudo for administrative tasks. To do this, edit the sshd_config file and set the PermitRootLogin parameter to no. Lastly, monitor your server logs for any unusual login attempts or errors to ensure the new configuration is functioning as intended.
