Changing the SSH Port Safely
Changing the SSH port is a common security measure, but it’s crucial to proceed with caution. A misstep can lock you out of your remote server. In this guide, we’ll walk you through the steps to change the SSH port safely.
Plan of Action
- Backup Configuration.
- Edit the SSH Configuration (using sed or manually).
- Change the Port.
- Save and Close.
- Adjust Firewall Rules.
- Adjust SELinux for the New Port.
- Restart SSHD.
- Test the New Configuration.
Step-by-Step Guide
1. Backing up the SSHD Configuration
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
2. Changing the SSH Port
You can manually edit the /etc/ssh/sshd_config file using your favorite editor and find the record “Port 22” to replace it with your desired port. Alternatively, use the following commands:
sudo sed -i 's/^#\?Port 22[[:space:]]*$/Port YOUR_PORT_HERE/' /etc/ssh/sshd_config
sudo grep -q '^Port YOUR_PORT_HERE$' /etc/ssh/sshd_config || echo "Port YOUR_PORT_HERE" | sudo tee -a /etc/ssh/sshd_config
For those unfamiliar with sed, we offer a comprehensive guide:
“sed commands for Linux System Administration”.
These commands set the SSH port to YOUR_PORT_HERE whether the “Port 22” line is commented out, active, or missing: sed rewrites an existing line, and the second command appends the directive if no such line is found afterwards.
Remember to replace YOUR_PORT_HERE with the port you want to use instead of the default port 22.
3. Adjusting Firewall Rules
If you have a firewall enabled, you’ll need to allow traffic on the new port:
sudo firewall-cmd --permanent --add-port="YOUR_PORT_HERE"/tcp
sudo firewall-cmd --reload
4. Adjusting SELinux for the New Port
First, check if SELinux is enabled:
sestatus
If SELinux is enabled, add the new port:
sudo semanage port -a -t ssh_port_t -p tcp "YOUR_PORT_HERE"
Verify the change:
sudo semanage port -l | grep ssh
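Before sshd is restarted, it is worth confirming that the edited configuration and the SELinux labels agree on the new port, since a mismatch in either one is what causes a lockout. The script below is an added example, not part of the original guide; the function names, port 2222 and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide; port 2222 and samples are constructed.

# Print the ports sshd would listen on, given sshd_config text on stdin.
# Commented lines are skipped; with no Port directive sshd falls back to 22.
configured_ports() {
    awk 'tolower($1) == "port" { gsub(/"/, "", $2); print $2; n++ }
         END { if (!n) print 22 }'
}

# Succeed if port $1 is labelled ssh_port_t/tcp in `semanage port -l`
# output on stdin. Entries may be single ports or lo-hi ranges.
selinux_allows() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p); split(p, r, "-")
                lo = r[1] + 0; hi = (r[2] == "" ? r[1] : r[2]) + 0
                if (want + 0 >= lo && want + 0 <= hi) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# preflight PORT CONFIG_TEXT SEMANAGE_TEXT: print "ok" or the first problem.
preflight() {
    pf_ports=$(printf '%s\n' "$2" | configured_ports | tr '\n' ' ')
    case " $pf_ports" in
        *" $1 "*) ;;
        *) echo "config: sshd would listen on ${pf_ports% }, not $1"; return 1 ;;
    esac
    if ! printf '%s\n' "$3" | selinux_allows "$1"; then
        echo "selinux: $1 is not labelled ssh_port_t"; return 1
    fi
    echo "ok"
}

# Constructed samples: untouched and edited configs, labels before and after.
unchanged='#Port 22
PermitRootLogin no'
changed='Port 2222
PermitRootLogin no'
labels_default='ssh_port_t                     tcp      22'
labels_added='ssh_port_t                     tcp      2222, 22'

preflight 2222 "$unchanged" "$labels_added"   || true
preflight 2222 "$changed"   "$labels_default" || true
preflight 2222 "$changed"   "$labels_added"
```

On a real host, pass the contents of /etc/ssh/sshd_config and the output of `sudo semanage port -l` instead of the samples, and run `sudo sshd -t` as well to catch syntax errors in the file.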
5. Restarting SSHD
sudo systemctl restart sshd
By following this guide, you’ve safely changed the SSH port on your server. Always remember to test the new configuration by trying to SSH into the server using the new port. This ensures that you can still access your server after the changes.
Testing and Finalizing the SSH Port Change on our Plesk Server
IMPORTANT!
Changing the SSH port is a sensitive operation, and it’s crucial to ensure that the new configuration works as expected. Let’s walk through the steps to test and finalize the SSH port change.
Before you even think of closing your current SSH session, initiate a new connection. Open a new terminal or SSH client, then attempt to connect to the server using the new port. This step is vital to ensure that the new configuration is working correctly. By keeping the current session active, you maintain access to the server in case there’s a need to rectify any issues with the new setup.
Rolling Back Changes if Needed
If, for any reason, the port change wasn’t successful, you can revert to the previous configuration using the backup file we created earlier on our Plesk Server:
sudo cp /etc/ssh/sshd_config.backup /etc/ssh/sshd_config
Removing the Default SSH Port
Once you’ve confirmed that the new port configuration is successful, it’s a good security measure to remove the default SSH port (22) from the allowed ports in firewalld. First, list the services that firewalld currently allows:
sudo firewall-cmd --list-services
When you execute the above command, you’ll see that the ‘ssh’ service, by default, enables port 22:
dhcpv6-client dns http https plesk ssh
To remove it, execute the following:
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
Checking SELinux Configuration
SELinux, by default, allows SSH on port 22. To verify this, run:
sudo semanage port -l | grep ssh
The output will show:
ssh_port_t tcp "YOUR_PORT_HERE", 22
The default SELinux policy for SSH defines port 22 for TCP, so no SELinux adjustments for port 22 are necessary. Even though the default policy permits SSH on port 22, since you’ve altered the SSH port and removed port 22 from the firewall, no connections will be possible on port 22.
By following this guide, you’ve safely changed the SSH port, tested the new configuration, and ensured that the default SSH port is no longer accessible. Always remember to test any new configurations to avoid potential access issues.
Conclusion
We began with the installation process and the nuances of setting it up on CentOS 7. We then navigated the intricacies of managing ports, emphasizing the importance of security in every step. The role of tools and configurations, from firewalld to SELinux, showcased the depth of server management, and the article highlighted the significance of testing and verification, ensuring that every change made is both effective and safe. Mastering Plesk Server is not just about following steps but about understanding the rationale behind each decision. As we wrap up, remember that the world of IT is ever-evolving, so continuous learning and adaptation are the keys to staying ahead. With the knowledge gained from this article, you’re well on your way to mastering Plesk Server and ensuring optimal server performance and security.