SSH, or Secure Shell, is a protocol designed for secure communication between computers over an unsecured network. It provides encrypted channels, ensuring that data transmitted is protected from eavesdropping or tampering. SSH is widely used for remote login, executing commands, and transferring files securely.
By default, SSH operates on port 22. This standard port allows seamless connections without specifying the port explicitly in commands. However, its default nature makes it a target for unauthorized access attempts, such as brute-force attacks. Therefore, understanding the role of the default port is essential for administrators aiming to balance convenience and security.
Why Change the SSH Port?
Changing the default SSH port offers several key advantages, primarily related to security and system management.
- Enhancing Security: The default SSH port (22) is a common target for automated attacks, such as brute-force login attempts. Many bots and scripts scan for open port 22 to exploit vulnerabilities. By switching to a non-standard port, you reduce the likelihood of such attacks, as most automated tools do not scan every possible port.
- Reducing Log Noise: Changing the SSH port helps minimize unwanted login attempts and error messages in system logs. This makes it easier to monitor for legitimate security threats without sifting through a large volume of failed login attempts.
- Custom Security Layers: While changing the port alone is not a foolproof security measure, it acts as an additional layer in a comprehensive security strategy. It works well when combined with other practices, such as using strong passwords, enabling firewalls, and implementing two-factor authentication.
- Avoiding Port Conflicts: In some environments, administrators may need to change the SSH port to avoid conflicts with other services or adhere to organizational policies.
Configuring the New Port
To change the SSH port on Fedora 40, you need to edit the SSH configuration file and specify the new port. This process involves updating the SSH daemon settings, ensuring the new port is not already in use, and configuring the firewall to allow connections on the new port. Follow these steps to configure a new SSH port:
First, open the SSH configuration file using a text editor such as nano or vi.
sudo nano /etc/ssh/sshd_config
Locate the line that defines the Port parameter. By default, this line might be commented out. Uncomment it or add the line if it doesn’t exist, and set it to the desired port number.
Port 2222
After saving the changes, update your firewall rules to allow traffic on the new port. For systems using firewalld, execute the following commands:
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
Next, restart the SSH service to apply the changes.
sudo systemctl restart sshd
To test the new configuration, attempt to connect to your server using the new port.
ssh -p 2222 username@your-server-ip
Ensure the new port is working correctly before closing your existing session. If SELinux is enabled, you may need to adjust its policies to allow the new port; with SELinux enforcing, sshd is otherwise denied permission to bind the new port when it restarts, which is why the Updating Firewall Rules section below also covers the SELinux label.
Updating Firewall Rules
After configuring a new SSH port, it is essential to update your firewall rules to allow connections on this port. Fedora uses firewalld as its default firewall management tool. Here’s how you can adjust the rules:
First, add the new port to the firewall’s list of allowed ports:
sudo firewall-cmd --permanent --add-port=2222/tcp
The --permanent flag ensures that the rule persists after a system reboot. Once the rule is added, reload the firewall to apply the changes:
sudo firewall-cmd --reload
To verify that the new port is correctly added, check the list of active ports:
sudo firewall-cmd --list-ports
If SELinux is enabled, confirm its policy allows traffic on the new port:
sudo semanage port -l | grep ssh
If needed, adjust SELinux rules by adding the new port:
sudo semanage port -a -t ssh_port_t -p tcp 2222
Testing the New SSH Port
After updating the SSH configuration and firewall rules, it’s crucial to test the new SSH port to ensure everything is working correctly. Follow these steps:
First, open a new terminal session without closing the current one. This allows you to revert the changes if something goes wrong.
Use the ssh command to connect to the server using the new port. Specify the port number with the -p option:
ssh -p 2222 username@your-server-ip
Replace username with your actual username and your-server-ip with your server’s IP address. If the connection is successful, the new SSH port is properly configured.
If the connection fails, ensure:
- The SSH service is running:
sudo systemctl status sshd
- The firewall is correctly configured.
- SELinux settings are updated if applicable.
Once confirmed, you can close the old session and use the new port moving forward.
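The steps above (edit sshd_config, open the port in firewalld, label it for SELinux, restart sshd, then verify from a second terminal) can be collected into one checkable script. The following is an added example, not code from the original post; it assumes Fedora defaults (firewalld, SELinux with semanage, systemd's sshd unit), that it is run as root on the server with /usr/sbin in PATH so that sshd -t is available, and it takes the config path as an argument so the edit can be rehearsed on a copy of sshd_config first. It adds two checks the post describes only in prose: that the port is not already in use, and that sshd accepts the new config before it is restarted.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: Fedora defaults
# (firewalld, SELinux with semanage, systemd sshd unit), run as root.

# validate_port PORT -> 0 if PORT is an integer in 1..65535, 1 otherwise.
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_in_use PORT -> 0 if some local TCP listener already holds PORT
# (the "not already in use" check from the post).
port_in_use() {
    ss -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# set_sshd_port FILE PORT -> keeps a copy at FILE.bak, drops every existing
# Port line (commented or not, so no stale "Port 22" survives) and places a
# single "Port PORT" at the top of FILE, ahead of any Match block.
set_sshd_port() {
    file=$1; port=$2
    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    {
        printf 'Port %s\n' "$port"
        grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file.bak" || :
    } > "$file"
    grep -q "^Port $port\$" "$file"
}

# apply_port_change PORT -> the host-side sequence: edit sshd_config, let
# sshd validate it (sshd -t), label the port for SELinux, open it in
# firewalld, then restart. Each step must succeed before the next runs, and
# a rejected config is rolled back, so a typo cannot lock you out.
apply_port_change() {
    port=$1
    if port_in_use "$port"; then
        echo "port $port already has a listener" >&2; return 1
    fi
    set_sshd_port /etc/ssh/sshd_config "$port" || return 1
    if ! sshd -t; then
        echo "sshd rejected the new config; restoring the backup" >&2
        cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
        return 1
    fi
    # semanage -a fails if the port is already labelled; -m then updates it.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port" || return 1
    firewall-cmd --permanent --add-port="$port"/tcp || return 1
    firewall-cmd --reload || return 1
    systemctl restart sshd
}

# check_port_change PORT -> the three things to confirm from a second
# terminal before closing the old session: sshd listens on PORT, firewalld
# allows it, and SELinux labels it ssh_port_t.
check_port_change() {
    port=$1
    port_in_use "$port" || { echo "nothing listening on $port" >&2; return 1; }
    firewall-cmd --list-ports | grep -qw "$port/tcp" \
        || { echo "firewalld does not allow $port/tcp" >&2; return 1; }
    semanage port -l | grep '^ssh_port_t' | grep -qw "$port" \
        || { echo "SELinux does not label $port as ssh_port_t" >&2; return 1; }
    echo "port $port: sshd listening, firewall open, SELinux labelled"
}

# Usage on the server (as root):  sh ssh-port.sh apply 2222
# then from another terminal:     sh ssh-port.sh check 2222
#                                 ssh -p 2222 username@your-server-ip
case "${1:-}" in
    apply) apply_port_change "$2" ;;
    check) check_port_change "$2" ;;
esac
```

The edit deliberately removes every existing Port line rather than editing the first one it finds: sshd treats multiple Port directives as additional listeners, so a leftover uncommented Port 22 would keep the old port open. Placing the new directive at the top keeps it ahead of any Match block, where Port is not permitted.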
Final Steps
After successfully testing the new SSH port, there are a few final tasks to complete to ensure a seamless transition and secure setup. First, update any automation scripts, such as backup systems or deployment tools, to use the new port. Failure to do so might lead to connection errors when these tools attempt to access the server.
Next, communicate the port change to any team members or administrators who need SSH access. Be sure to provide them with the updated connection details, including the new port number.
Consider disabling root login via SSH for enhanced security. This forces users to connect with a regular user account and use sudo for administrative tasks. To do this, edit the sshd_config file and set the PermitRootLogin parameter to no. Lastly, monitor your server logs for any unusual login attempts or errors to ensure the new configuration is functioning as intended.