Introduction
SSH (Secure Shell) is the core tool for remote management of Linux servers, and it listens on port 22 by default. Because port 22 is so well known, it is the first thing automated scanners and brute-force tools try. Changing the default SSH port is only an auxiliary hardening measure, but it does noticeably reduce the exposure to automated attack tools.
This article walks through how to change the SSH port safely on CentOS 7, how to handle the related SELinux and firewall configuration, and how to make sure remote access is not interrupted. It also covers the complementary measures that do more to improve SSH security than the port change itself.
Why change the SSH default port?
- Reduce automated scanning: a large number of malicious bots scan port 22 by default, so moving SSH to another port reduces how often the service is found.
- Avoid mass brute-force attacks: moving SSH to a non-standard port keeps it out of the large-scale password-guessing campaigns aimed at port 22.
- Complement other security measures: changing the port does not stop a determined attacker from scanning every port, but it is one layer of a defense-in-depth strategy.
Hint: a safer way to protect SSH is key-based login without passwords, an IP whitelist, and two-step verification.
Detailed steps: how to change the default SSH port on CentOS 7
1. Back up the SSH configuration file
Before making any changes, back up the current configuration so that a mistaken edit that locks you out can be recovered.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
2. Edit the SSH configuration file and add or change the port
Open the SSH service configuration file:
sudo vi /etc/ssh/sshd_config
Find the Port directive. The default is:
Port 22
(In the stock CentOS 7 file this line is commented out as #Port 22, which sshd treats the same way.)
You can use either of the following strategies:
- Add the new port and keep port 22 (safe switching period):
Port 22
Port 2244
- Replace it directly with the new port, dropping 22:
Port 2244
After editing, save and exit the editor.
Safety advice: the first time, add the new port alongside 22, confirm that you can log in through the new port, and only then close 22, so that you do not lock yourself out.
3. Configure SELinux to allow the new SSH port
SELinux is enabled by default on CentOS 7, and its policy allows the SSH service to bind only to port 22 by default. The new port must be added to the ssh_port_t type:
sudo semanage port -a -t ssh_port_t -p tcp 2244
- If this fails with
semanage: command not found
install the package that provides the command:
sudo yum -y install policycoreutils-python
- Then run the port command again.
Hint:
SELinux can also be switched to permissive mode temporarily, but this is not recommended because it lowers the overall security level of the system:
sudo setenforce 0
4. Configure the firewall (firewalld) to open the new port
Make sure the new port is allowed through the firewall:
sudo firewall-cmd --permanent --zone=public --add-port=2244/tcp
If this reports FirewallD is not running, start the firewall first:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Confirm that the firewall is running:
sudo firewall-cmd --state
Reload the rules so that the new configuration takes effect:
sudo firewall-cmd --reload
5. Restart the SSH service so that the change takes effect
Apply the changes:
sudo systemctl restart sshd
Check the SSH service status:
sudo systemctl status sshd
Test the connection on the new SSH port
From your local machine, connect to the server on the new port:
ssh root@server_ip_address -p 2244
Once you have confirmed that you can log in, and if you kept both ports open earlier, remove port 22 from the configuration and from the firewall rules to complete the switch.
Close the old port 22 (optional)
Edit /etc/ssh/sshd_config and comment out or delete the Port 22 line so that only the new port remains. Then remove the firewall rule that opens port 22:
sudo firewall-cmd --permanent --zone=public --remove-port=22/tcp
sudo firewall-cmd --reload
Finally, restart the SSH service.
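The following script, added here as an example and not part of the original guide, automates the sshd_config side of the procedure: it backs up the file, adds the new port while keeping port 22 active (the safe switching strategy from step 2), checks from `ss -tln` output that sshd is really listening on the new port before anything is retired, and comments out Port 22 only if another port stays active, so the lockout the guide warns about cannot happen through this path. The function names, the sample config and the sample `ss` output are constructed for this example; SELinux, firewalld and the service restart are still done with the commands shown in steps 3 to 5.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: edit sshd_config the way the
# guide describes (add the new port, keep 22 during the switch, retire 22 last)
# and confirm sshd is listening before the old port is removed.
set -eu

# Print the active (uncommented) Port values in CONFIG, one per line.
ssh_ports() {
    grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" 2>/dev/null | awk '{print $2}'
}

# Accept only a numeric TCP port in 1-65535.
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Add "Port NEW" to CONFIG (step 2). The stock CentOS 7 file only carries a
# commented "#Port 22", so when no Port line is active we also write "Port 22"
# explicitly: the current access path must survive until NEW is verified.
enable_port() {
    cfg=$1; new=$2
    validate_port "$new" || { echo "invalid port: $new" >&2; return 1; }
    [ -f "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak"   # step 1: keep the first, pristine backup
    if ssh_ports "$cfg" | grep -qx "$new"; then
        return 0                                    # already configured, nothing to do
    fi
    [ -n "$(ssh_ports "$cfg")" ] || printf 'Port 22\n' >> "$cfg"
    printf 'Port %s\n' "$new" >> "$cfg"
}

# Comment out "Port OLD" in CONFIG, refusing if no other port would stay active
# (that would lock every administrator out at the next sshd restart).
disable_port() {
    cfg=$1; old=$2
    remaining=$(ssh_ports "$cfg" | grep -cvx "$old" || true)
    if [ "$remaining" -eq 0 ]; then
        echo "refusing: $old is the only active port in $cfg" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed -E "s/^[[:space:]]*Port[[:space:]]+$old[[:space:]]*\$/#Port $old/" "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"             # rewrite in place, keeping owner and mode
}

# Read "ss -tln" output on stdin; succeed if a TCP socket is in LISTEN state on
# PORT, whether the local address is "0.0.0.0:2244", "*:2244" or "[::]:2244".
listening_on() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# --- demonstration on constructed data (the real file is /etc/ssh/sshd_config) ---
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/sshd_config"
printf '#Port 22\n#AddressFamily any\nPermitRootLogin yes\n' > "$demo_cfg"
enable_port "$demo_cfg" 2244
echo "after adding 2244, active ports: $(ssh_ports "$demo_cfg" | tr '\n' ' ')"

# Constructed sample of what "ss -tln" prints once sshd has been restarted with
# both ports; on a live system use:  ss -tln | listening_on 2244
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 *:2244 *:*
LISTEN 0 128 [::]:2244 [::]:*'
if printf '%s\n' "$SAMPLE_SS" | listening_on 2244; then
    disable_port "$demo_cfg" 22
    echo "2244 is listening; retired 22, active ports: $(ssh_ports "$demo_cfg" | tr '\n' ' ')"
fi
rm -rf "$demo_dir"
```

Run it as root against /etc/ssh/sshd_config only after the semanage and firewall-cmd steps, and run `sshd -t` on the edited file before restarting the service so that a syntax error cannot take sshd down. Keep your current session open until a fresh login on the new port has succeeded.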
Special note for Alibaba Cloud servers: security group configuration
If the server is an Alibaba Cloud ECS instance, the cloud platform's security group rules must also allow the new SSH port, in addition to the system firewall:
- Log in to the Alibaba Cloud console.
- Find the security group attached to the instance.
- Add the new TCP port (for example 2244) to the inbound rules.
- Save the rule; it takes effect once saved.
This ensures that connections from the public network can reach the new port.
More advanced SSH security advice
Changing the port is only the first step of a "security through obscurity" policy. It should be combined with the following measures:
- Key-based login without passwords: generate an SSH key pair, allow only hosts holding the key to log in, and turn off password login.
Reference commands:
ssh-keygen -t rsa -b 4096
ssh-copy-id -p 2244 user@server
- Restrict access to an IP whitelist: allow only trusted IP addresses to reach the SSH port through the firewall.
- Disable direct root login: edit /etc/ssh/sshd_config and set
PermitRootLogin no
- Enable an anti-brute-force tool such as Fail2Ban: it automatically bans IP addresses after repeated failed logins.
- Use two-factor authentication (2FA): it adds a second factor to the login check.
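As an added example (not from the original article), the following script audits an sshd_config file against the advice in this list: non-default port, no root login, and keys instead of passwords. The sample files and the function names are constructed for the example; the built-in defaults it assumes for absent keywords are those of OpenSSH 7.4 as shipped with CentOS 7.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit an sshd_config against
# the hardening advice above (non-default port, no root login, keys instead of
# passwords). Prints one line per weak setting and returns the number found.
set -eu

# Effective value of KEY in CONFIG. sshd honours the first uncommented
# occurrence of a keyword and matches keywords case-insensitively, so do the same.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit CONFIG. Unset keywords fall back to the sshd built-in defaults noted
# inline (OpenSSH 7.4, as shipped with CentOS 7).
audit_sshd_config() {
    cfg=$1; findings=0
    port=$(sshd_setting "$cfg" Port);                 port=${port:-22}
    root=$(sshd_setting "$cfg" PermitRootLogin);      root=${root:-prohibit-password}
    pw=$(sshd_setting "$cfg" PasswordAuthentication); pw=${pw:-yes}
    pk=$(sshd_setting "$cfg" PubkeyAuthentication);   pk=${pk:-yes}

    if [ "$port" = 22 ]; then
        echo "Port: still the default 22 (move to a non-standard port)"; findings=$((findings+1))
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;       # root cannot log in with a password
        *) echo "PermitRootLogin: $root (set it to no)"; findings=$((findings+1)) ;;
    esac
    if [ "$pw" != no ]; then
        echo "PasswordAuthentication: $pw (use keys and set it to no)"; findings=$((findings+1))
    fi
    if [ "$pk" != yes ]; then
        echo "PubkeyAuthentication: $pk (must stay yes for key login)"; findings=$((findings+1))
    fi
    return "$findings"
}

# --- demonstration on two constructed files (the real one is /etc/ssh/sshd_config) ---
demo_dir=$(mktemp -d)
printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo_dir/weak"
printf 'Port 2244\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$demo_dir/hardened"
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$demo_dir/$f" && echo "no findings" || echo "$? weak setting(s)"
done
rm -rf "$demo_dir"
```

The audit reads only the global section of the file; directives inside Match blocks are not evaluated. Fail2Ban and 2FA are not visible in sshd_config and need their own checks.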
Conclusion
Moving SSH from the default port to a non-standard one is an effective way to improve server security, but it must never be the only security policy. Combined with SSH key authentication, IP restrictions, firewall hardening and system hardening, it forms a solid line of defense for the server. We hope the steps in this article help you complete the SSH port change and security hardening successfully.