News about our company, tutorials about IT and much more you will find in this page.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. (Courtesy: Wikipedia)
SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.
SSH considered as the entry point to any Linux based server, therefore it is the most favorite target for attackers. Since, everyone is aware that the SSH runs on port 22, thus one can attempt different type of attacks on this port.
It is a best practice to change the default SSH port of your server. Although, doing so didn’t guarantees that one cannot find it. Because there are many port scanners, that can search and list down the open ports on a server. But changing default ssh port to someother port will make things a little bit more difficult for the attacker.
Verify current status of SSH service by using systemctl command.
root$ systemctl status sshd.service
â sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 17:59:18 PKT; 2s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1564 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
ââ1564 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,>
Aug 08 17:59:18 centos-8.evoluso.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 17:59:18 centos-8.evoluso.com sshd[1564]: Server listening on 0.0.0.0 port 22.
Aug 08 17:59:18 centos-8.evoluso.com sshd[1564]: Server listening on :: port 22.
Aug 08 17:59:18 centos-8.evoluso.com systemd[1]: Started OpenSSH server daemon.You can see that the service is running on default SSH port number 22.
SSH daemon/service configurations are located in /etc/ssh/sshd_config file. We can tweak them to customize SSH service according to our requirements.
Initially there is no Port directive in this file, instead, the SSH service is using the default ssh port number 22.
Let’s add a Port directive in sshd_config file by using echo command.
root$ echo "Port 2222" >> /etc/ssh/sshd_configThis one shot setting is quiet enough to change the default ssh port number.
Default SELinux configuration does not allow any service to run on a non-default port. Therefore, we have to configure SElinux to allow SSH to use port 2222/tcp.
We need semanage command to configure SELinux settings. If you are using a minimal installed CentOS 8 system then it is not available on your system. Install policycoreutils-python-utils package to get semanage command.
Then use semanage command to add port 2222/tcp to type ssh_port_t.
root$ semanage port -a -t ssh_port_t -p tcp 2222List down allowed ports or services in Linux firewall.
root$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:SSH service is by default allowed in most distributions of Linux including CentOS / RHEL 8.
Now, we need to block this ssh service and allow our new ssh port in Linux firewall.
root$ firewall-cmd --permanent --remove-service=ssh
success
root$ firewall-cmd --permanent --add-port=2222/tcp
success
root$ firewall-cmd --reload
successRestart SSH Service to apply changes that we have made in sshd_config file.
root$ systemctl restart sshd.serviceVerify status of SSH Service.
root$ systemctl status sshd.service
â sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-08-08 18:13:37 PKT; 14s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 10376 (sshd)
Tasks: 1 (limit: 5916)
Memory: 1.2M
CGroup: /system.slice/sshd.service
ââ10376 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc>
Aug 08 18:13:37 centos-8.evoluso.com systemd[1]: Stopped OpenSSH server daemon.
Aug 08 18:13:37 centos-8.evoluso.com systemd[1]: Starting OpenSSH server daemon...
Aug 08 18:13:37 centos-8.evoluso.com sshd[10376]: Server listening on 0.0.0.0 port 2222.
Aug 08 18:13:37 centos-8.evoluso.com sshd[10376]: Server listening on :: port 2222.
Aug 08 18:13:37 centos-8.evoluso.com systemd[1]: Started OpenSSH server daemon.You can see that the service is now running on non-default port 2222 instead of default ssh port number 22.
Try to access SSH service using ssh and sftp commands from the default ssh port.
root$ ssh root@centos-8.evoluso.com
ssh: connect to host centos-8.evoluso.com port 22: Connection refused
root$ sftp root@centos-8.evoluso.com
ssh: connect to host centos-8.evoluso.com port 22: Connection refused
Connection closed.
Connection closedIt confirms that Linux Firewall is not allowing the traffic through port 22.
Now, access the SSH service by using ssh command from the non-default ssh port.
root$ ssh root@centos-8.evoluso.com -p 2222
The authenticity of host '[centos-8.evoluso.com]:2222 ([192.168.116.206]:2222)' can't be established.
ECDSA key fingerprint is SHA256:skGj4xg0w+jIQtrfF8AOdfItgcXUQQu+bWUFfvws1Hk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[centos-8.evoluso.com]:2222,[192.168.116.206]:2222' (ECDSA) to the list of known hosts.
root@centos-8.evoluso.com's password:
Last login: Sat Aug 8 17:59:01 2020
Similarly, for sftp.
root$ sftp -P 2222 root@centos-8.evoluso.com
root@centos-8.evoluso.com's password:
Connected to root@centos-8.evoluso.com.
sftp>You have successfully changed the default SSH port of CentOS / RHEL 8 Server.
