Changing the default SSH port is a recommended security measure that can help protect your system from unauthorized access. By default, SSH servers listen on port 22, which is known to be a common target for attackers. Changing the SSH port can make it more difficult for attackers to find and exploit your system.
In this guide, I will show you how to change the default SSH port on Rocky Linux. The process involves editing the SSH server configuration file and restarting the SSH service. This tutorial assumes you have root access to your Rocky Linux system and some familiarity with using the command line. So, let’s dive in and change the default SSH port on Rocky Linux.
Why Change Default SSH Port in Rocky Linux?
Secure Shell (SSH) is a widely used protocol for remotely accessing and managing servers. By default, SSH listens on port 22, which is a well-known port and is the target of frequent attacks by malicious actors. Changing the default SSH port can significantly improve the security of your Rocky Linux server.
Here are some reasons why you should consider changing the default SSH port:
- Enhanced Security: One of the primary benefits of changing the default SSH port is that it makes it harder for attackers to target your server. By using a non-standard port, you can reduce the risk of automated bots and scanners identifying SSH running on port 22 and launching a brute-force attack.
- Avoiding Log Clutter: When your server is being attacked by bots and scanners, your server logs can become cluttered and hard to read. Changing the default SSH port will help reduce the noise in your log files and make it easier to identify legitimate login attempts.
- Compliance with Policies: Some organizations have security policies in place that require changing the default SSH port. If your organization falls under such policies, changing the default SSH port in Rocky Linux is a must.
While changing the default SSH port can improve server security, it is essential to note that it is not a silver bullet and should be combined with other best practices, such as using strong passwords, disabling root login, and using public key authentication.
Checking the Current SSH Port Number
Before changing the default SSH port on your Rocky Linux machine, it’s essential to identify the current port number to avoid any possible conflicts. The default SSH port number is 22, and most users don’t bother changing it. However, it can be a security threat since attackers often target this port to launch their attacks.
Here’s how you can check the current SSH port number on your Rocky Linux machine:
- Open a terminal on your Rocky Linux system.
- Type the following command to open the SSH configuration file:
sudo nano /etc/ssh/sshd_config
- Look for the line with the following text:
#Port 22
The line might be commented out with a hash symbol (#) at the beginning. If the line is not commented out, the number after Port is the port currently in use (22 by default), and this is the line you need to change. If there is a hash symbol at the beginning of the line, sshd is using its built-in default of 22; the port number on that line is the one in effect, and removing the hash lets you change it.
- Alternatively, you can use the grep command to check the SSH port number without opening the configuration file. Type the following terminal command:
sudo grep -iE '^#?Port' /etc/ssh/sshd_config
The output will display the current Port line (commented or not) configured on your Rocky Linux machine; a leading # means the default of 22 is in effect.
Please note that the default SSH port should not be changed to a port number already in use or a reserved port number (ports 0-1023). Also, pick a random port number above 1023 that is easy to remember but not too common.
Changing the Default SSH Port
Changing the default SSH port is a simple yet effective strategy to enhance the security posture of your Rocky Linux system. The default SSH port is 22, but this is commonly targeted by attackers and bots looking for exploitable systems. Changing the SSH port adds an extra layer of security because an attacker would need to scan for open ports before attempting an attack – a time-consuming process.
To change the default SSH port in Rocky Linux, follow these steps:
- Connect to your Rocky Linux server using SSH.
- Open the main SSH configuration file /etc/ssh/sshd_config using your preferred text editor. For example, run the following command:
nano /etc/ssh/sshd_config
- Locate the line #Port 22.
- Uncomment the line by removing the # symbol at the beginning.
- Change the port number to a value between 1024 and 65535. For example, you could use 8888 or any other unused port. Ensure that the port you choose doesn’t conflict with any other services.
- Save the file by pressing Ctrl+X, typing y to confirm, and pressing Enter.
- Reload the SSH daemon to apply the changes. Run the command:
systemctl reload sshd
That’s it! You have successfully changed the default SSH port in Rocky Linux. Now, when you try to connect to the server, you must specify the new port number. For example, if you chose port 8888, run the command:
ssh user@server_ip -p 8888
It’s important to note that changing the default SSH port alone does not guarantee complete security. It’s just one of the many steps you can take to secure your system. You should also consider disabling password authentication and enabling key-based authentication, using a firewall, and keeping your system up to date with security patches.
After changing the default SSH port on Rocky Linux, it’s important to update the firewall rules to allow SSH traffic on the new port.
To do this, you can use the firewall-cmd command with the --add-port option and specify your new SSH port. For example, if you changed your SSH port to 8888, you can run the following command:
sudo firewall-cmd --permanent --add-port=8888/tcp
This command will add a new firewall rule to allow incoming TCP traffic on port 8888.
After adding the new rule, you need to reload the firewall to apply the changes:
sudo firewall-cmd --reload
This command will reload the firewall and enable the new SSH port.
To verify that the new rule has been added successfully, you can run:
sudo firewall-cmd --list-ports
This command lists the ports opened in the active firewall zone. You should see the new port (for example, 8888/tcp) in the output.
It’s also important to note that if you have an external firewall, such as the one provided by your cloud provider, you’ll need to update its rules to allow traffic on the new SSH port as well.
Testing SSH Connection on the New Port
Now that the default SSH port has been successfully changed in Rocky Linux, it’s time to test the SSH connection on the new port to ensure that it is functioning properly.
To do this, first, make sure that the firewall is configured to allow traffic through the new SSH port. Then, open your terminal application and use the following command to connect to your server using the new port number:
ssh username@domain_name_or_IP_address -p NEW_PORT_NUMBER
Replace username with your username on the server, domain_name_or_IP_address with the domain name or IP address of your server, and NEW_PORT_NUMBER with the number of the new port that you have set up to replace the default port.
If you are asked to enter the password, do so and press enter. If everything worked correctly, you should now be connected to your server via SSH.
Another way to test SSH connectivity on the new port is to use a port scanner tool like Nmap. To do this, run the following command:
nmap -p NEW_PORT_NUMBER domain_name_or_IP_address
Replace NEW_PORT_NUMBER with the number of your new SSH port and domain_name_or_IP_address with your server’s domain name or IP address. After running the command, you should see the new port listed as open if it’s functioning properly.
In case of any issues connecting via SSH, make sure to check the following:
- Firewall settings and whether the new port is allowed through the firewall
- Whether you’ve correctly entered the new port number in the ssh command
- Whether your SSH server is actually listening on the new port, which you can verify with:
sudo ss -ntlp | grep sshd
(netstat -ntlp works the same way if the net-tools package is installed)
By following these steps, you can confirm that your SSH connection is working correctly on the new port that you’ve set up in Rocky Linux.
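The server-side procedure from the sections above (config edit, firewalld rule, listening check) collected into one script, as an added example that is not part of the original tutorial. It assumes firewalld and the semanage tool are installed and adds two steps the tutorial does not mention: labeling the new port for SELinux, which is enforcing by default on Rocky Linux, and removing the firewalld ssh service so port 22 does not stay open. Nothing is applied unless APPLY_SSH_PORT_CHANGE=yes is set and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original tutorial: moves sshd to a new port on Rocky Linux.
# Besides the tutorial's steps it labels the port for SELinux (enforcing by default on
# Rocky) and removes the firewalld "ssh" service so that port 22 does not stay open.
set -eu

NEW_PORT="${NEW_PORT:-8888}"                          # chosen port, must be 1024-65535
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Reject non-numeric, reserved (0-1023) and out-of-range values before touching anything.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Port sshd will use according to config file $1: the first uncommented "Port" directive
# (OpenSSH keeps the first value it sees), or 22 when none is set.
current_port() {
    p=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# Rewrite "#Port 22" or "Port N" in file $1 as "Port $2"; append the directive if none exists.
# A Port line in an /etc/ssh/sshd_config.d/ drop-in (Rocky 9) would still take precedence.
set_port() {
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$1"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# Host-level steps: only meaningful as root on the real server.
apply_port_change() {
    set_port "$SSHD_CONFIG" "$NEW_PORT"
    sshd -t -f "$SSHD_CONFIG"                         # syntax check before reloading
    semanage port -a -t ssh_port_t -p tcp "$NEW_PORT" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$NEW_PORT"   # -m if the port is already labeled
    firewall-cmd --permanent --add-port="${NEW_PORT}/tcp"
    firewall-cmd --permanent --remove-service=ssh         # close port 22 in the firewall
    firewall-cmd --reload
    systemctl reload sshd
    ss -ntlp | grep -q ":${NEW_PORT} .*sshd"             # confirm sshd listens on the new port
}

if [ "${APPLY_SSH_PORT_CHANGE:-no}" = yes ] && [ "$(id -u)" -eq 0 ]; then
    valid_port "$NEW_PORT" || { echo "invalid port: $NEW_PORT" >&2; exit 1; }
    apply_port_change
fi
```

Keep your current SSH session open while applying this and confirm a fresh login on the new port before closing it, so a mistake in the firewall or SELinux step cannot lock you out.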
Changing the SSH port from the default number is a recommended practice to harden the security of your system. With tools such as port scanners, attackers can easily identify systems using default ports and launch attacks. Changing the SSH port can deter automated attacks and malware from easily penetrating your system.
Overall, it is essential to take such security measures, including changing the default SSH port, to safeguard your system and data. As someone who has learned to take security seriously, I cannot overemphasize the importance of these steps in securing your system. In short, changing the SSH port is a simple step that can go a long way toward fortifying your system and providing an effective security defense.