CentOS 7 / RHEL 7 : change OpenSSH port number with SELINUX enabled

This tutorial explains how to change the default SSH port of the OpenSSH server on CentOS 7 and RHEL 7. We will move sshd from the default port 22 to a port of our choosing while keeping SELinux enabled (enforcing), and we will add a matching firewalld rule for the new port.

Changing the default SSH port 22 is a common hardening step: it does not replace strong authentication (key-based login, no root login), but it keeps most automated scanners and brute-force bots out of your logs. Choose the new port carefully. Pick a number above the well-known range, that is above 1024, and avoid the default port of any other application or utility you might run on the host, for example 8080 for Tomcat or 3306 for MySQL. In short: use a port above 1024 that does not conflict with any other application, utility or program.

First take a backup of the sshd_config file, then edit it.

cp -Rfa /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)

Now edit /etc/ssh/sshd_config and search for the line #Port 22 (or Port 22).

Note: A leading # comments the line out, so #Port 22 is not a setting that is in effect; it only documents the compiled-in default. Because sshd defaults to the well-known port 22 (below 1024), it listens on port 22 whenever no Port directive is set.

Remove the # from the Port 22 line and change 22 to the new port number; here we have chosen 2292.

vi /etc/ssh/sshd_config
[...]
Port 2292

By default the SELinux policy allows sshd to bind only port 22 (the ssh_port_t port type). Add the new port 2292 to that type. The semanage tool comes from the policycoreutils-python package on CentOS 7 / RHEL 7; install it if the command is missing.

Note: Replace 2292 with your own port number if you selected a different one.

semanage port -a -t ssh_port_t -p tcp 2292

Now check the port context for ssh:

semanage port -l | grep ssh

Below is the output from our server:

semanage port -l | grep ssh
ssh_port_t                     tcp      2292, 22

Now restart the SSH service. Keep your current session open and test the new port from a second connection before logging out, so a mistake cannot lock you out.

systemctl restart sshd.service

Now allow port 2292 through firewalld. The command below permanently adds a rule to the public zone for TCP port 2292. Note that --permanent only writes the stored configuration; the rule takes effect after the reload in the next step. If your interface is not in the public zone, use the zone it actually belongs to.

firewall-cmd --permanent --zone=public --add-port=2292/tcp

Reload firewalld so the permanent rule becomes active:

firewall-cmd --reload

With the ss command you can confirm which port sshd is listening on:

ss -tnlp|grep ssh

Below is reference output from our server:

ss -tnlp|grep ssh
LISTEN     0      128                       *:2292                     *:*      users:(("sshd",2786,3))
LISTEN     0      128                      :::2292                    :::*      users:(("sshd",2786,4))

Now try to SSH into the server on port 2292 from a remote client:

ssh -p 2292 root@192.168.56.101
  • Replace 192.168.56.101 with your server's IP address.
  • Replace 2292 with the new SSH port you set while following this post.
  • Replace root with a user name that is allowed SSH access on your server.
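The whole procedure above, collected into one script. This is an added example, not code from the original post: it validates the chosen port (numeric, above 1024, not already assigned to a service in /etc/services), syntax-checks the edited sshd_config with sshd -t before sshd is restarted, falls back from semanage port -a to -m when the port is already defined, and finishes with the ss check that confirms sshd is really bound to the new port. The script name change_ssh_port.sh and the port 2292 are assumptions. The helper functions work on plain files, so they can be tried without root; the system-changing steps run only when the script is invoked with --apply.

```bash
#!/bin/bash
# Added example (not from the original post): change the sshd port on
# CentOS/RHEL 7 with SELinux enforcing and firewalld, with sanity checks.
# Usage (as root):  bash change_ssh_port.sh --apply 2292
# The helpers below take file paths so they can be tested without root.
set -eu

# validate_port PORT: true if PORT is an integer in 1024..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# port_conflicts PORT SERVICES_FILE: true if an /etc/services-style file
# already assigns PORT/tcp to a named service (e.g. "mysql 3306/tcp")
port_conflicts() {
    grep -Eq "^[^#[:space:]]+[[:space:]]+$1/tcp" "$2"
}

# set_sshd_port CONFIG PORT: rewrite the (possibly commented) Port line
# of an sshd_config, or append one if the file has none
set_sshd_port() {
    if grep -Eq '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
        sed -i -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# sshd_port CONFIG: print the effective port (22 when no Port directive is set)
sshd_port() {
    p=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n1)
    printf '%s\n' "${p:-22}"
}

# apply_ssh_port PORT: the full procedure from the post, with checks (root only)
apply_ssh_port() {
    port=$1
    cfg=/etc/ssh/sshd_config
    validate_port "$port" || { echo "refusing port $port: use 1024..65535" >&2; return 1; }
    if port_conflicts "$port" /etc/services; then
        echo "refusing port $port: already assigned in /etc/services" >&2
        return 1
    fi
    cp -a "$cfg" "$cfg.orig.$(date +%F)"        # backup first
    set_sshd_port "$cfg" "$port"
    /usr/sbin/sshd -t                            # syntax-check before restarting
    # SELinux: label the port for sshd. semanage (policycoreutils-python on EL7)
    # refuses -a when the port is already defined, so fall back to -m.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    semanage port -l | grep -w ssh_port_t
    # firewalld: --permanent only edits the stored config; --reload activates it
    firewall-cmd --permanent --zone=public --add-port="$port"/tcp
    firewall-cmd --reload
    systemctl restart sshd.service
    ss -tnlp | grep -w "$port" | grep sshd       # confirm sshd is bound to the new port
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_port "${2:?usage: $0 --apply PORT}"
fi
```

Run it from a session you keep open and test the new port from a second client before closing it. sshd accepts several Port lines, so during testing you can keep Port 22 next to the new one and drop it, together with the ssh service in the firewalld zone (firewall-cmd --permanent --zone=public --remove-service=ssh followed by a reload), once the new port is confirmed working.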
