Can you change my SSH port for me?

Linode Staff

I was wondering if you would be able to change my SSH port to something other than the default of port 22 for me.

4 Replies

Hello,

As we are primarily an infrastructure provider, we are not able to access your Linode and make these changes on your behalf. That being said, you can change your SSH port by editing the file '/etc/ssh/sshd_config' and changing the line that reads:

# Port 22

by removing the '#' sign, so that it now reads:

Port 22

You also want to change '22' to the preferred port number. You then want to save the file and restart the SSH service by running the following command:

sudo service sshd restart

Once you have done this, open your firewall for the new port (again replacing '22' with your newly assigned port number):

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

It is also worth mentioning that when making changes to iptables, while the changes do take effect immediately, by default they do not persist through a reboot, meaning that all of your iptables commands would need to be run again after shutting down/restarting your server if you did not take the necessary action(s) to save them. The methods used to save iptables changes through a reboot will vary based on the distribution that you're using, so I've attached our list of Firewall guides for your reference. To cover the 2 most common scenarios - if you're using Debian/Ubuntu, you would use iptables-persistent and if you're using CentOS 7 or above, use FirewallD. FirewallD does not apply to versions of CentOS prior to 7, so alternate methods would need to be used in that scenario.

Following these instructions, you should be able to quickly get this set up on your system.

I am getting these errors:

# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.

And then:

# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sun 2019-12-29 14:13:52 UTC; 21s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 3337 ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY (code=exited, status=255)
 Main PID: 3337 (code=exited, status=255)

Dec 29 14:13:52 li865-91.members.linode.com systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Dec 29 14:13:52 li865-91.members.linode.com systemd[1]: sshd.service: Failed with result 'exit-code'.
Dec 29 14:13:52 li865-91.members.linode.com systemd[1]: Failed to start OpenSSH server daemon.
# journalctl -xe
...
-- Unit sshd.service has begun starting up.
Dec 29 14:19:27 li865-91.members.linode.com sshd[3383]: error: Bind to port 1004 on 0.0.0.0 failed: Permission denied.
Dec 29 14:19:27 li865-91.members.linode.com sshd[3383]: error: Bind to port 1004 on :: failed: Permission denied.
Dec 29 14:19:27 li865-91.members.linode.com sshd[3383]: fatal: Cannot bind any address.
Dec 29 14:19:27 li865-91.members.linode.com systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Dec 29 14:19:27 li865-91.members.linode.com systemd[1]: sshd.service: Failed with result 'exit-code'.
Dec 29 14:19:27 li865-91.members.linode.com systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
-- 
-- Unit sshd.service has failed.
-- 
-- The result is RESULT.

This issue appears to be related to your SELinux configuration.

To troubleshoot the issue, first determine which package provides the semanage command for your system. You may need to look into your package manager's options to figure out how to search your distribution's packages for the right package. For the sake of this answer, I will be using CentOS because it enables SELinux by default:

$ yum provides /usr/sbin/semanage
Last metadata expiration check: 0:01:12 ago on Sun 29 Dec 2019 01:08:37 PM EST.
policycoreutils-python-utils-2.8-16.1.el8.noarch : SELinux policy core python utilities
Repo        : BaseOS
Matched from:
Filename    : /usr/sbin/semanage

This output indicates that the package providing this command on this system is called policycoreutils-python-utils. Your output may be different depending on your distribution and its version. Let's go ahead and install this package by running this command:

sudo yum install policycoreutils-python-utils

Once the semanage command is available on your Linode, you can now instruct SELinux to allow the SSH server daemon to bind to port 1004:

sudo semanage port --add --type ssh_port_t --proto tcp 1004

Naturally, you may replace port 1004 with any other available port you would like. Port numbers below 1024 require superuser privileges to bind, so if you run into issues with your SSH server port being unable to bind such ports, I would remove the changes provided above and choose a different port numbering 1024 or above:

sudo semanage port --delete --type ssh_port_t --proto tcp 1004  # remove above changes
sudo semanage port --add --type ssh_port_t --proto tcp 20130    # add changes for a different port

You may then check your configuration change using the semanage port -l command:

$ sudo semanage port -l | grep ssh
ssh_port_t                     tcp      1004, 22

As indicated by this output, SELinux is now allowing your Linode's SSH server to bind to port 1004. Naturally, this output will differ if you selected a different port than 1004.

You should be able to successfully restart your SSH server process with its configuration changed to bind to your desired port:

sudo service sshd restart

Although SELinux is now allowing your SSH server process to bind to this port, it is also essential to change your Linode's firewall rules to allow connections over this port.

You may do so by using the firewall-cmd command on CentOS:

sudo firewall-cmd --add-port=1004/tcp
sudo firewall-cmd --add-port=1004/tcp --permanent
sudo firewall-cmd --reload

Be sure to change the port number in this setup depending on your configuration. You may also need to adapt these instructions to whatever firewall application your Linode uses. If it is not using FirewallD, it is most likely using UFW or iptables:

You may want to base your commands off of these examples for UFW:

sudo ufw allow 1004/tcp

For iptables:

sudo iptables -A INPUT -p tcp --dport 1004 -m state --state NEW -j ACCEPT

I would consult the above references for more information on how to customize all of these commands for your specific needs and how to make them permanent so that they will survive reboots.

Once your SELinux policy is updated, your SSH server process is rebooted, and your firewall is reconfigured to allow connections over your newly defined SSH port, you should be all set to connect to your Linode over your new SSH port!

Thank you! For some reason that install command fails for me:

# yum install policycoreutils-python-utils
No package policycoreutils-python-utils available.
Error: Nothing to do

But it works with the exact package version:

# yum install policycoreutils-python-2.5-33.el7.x86_64

The rest works like a charm! Thank you again!
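The failure in this thread (sshd exiting with "Bind to port 1004 ... Permission denied" because the new port was not labelled ssh_port_t) can be caught before the restart. The script below is an added example, not part of the original answers: it compares the Port lines in an sshd_config against `semanage port -l` output. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for an sshd port change on an SELinux host.
# Function names and sample text below are constructed for illustration.

# Print the active Port values from sshd_config text on stdin. Commented
# lines are skipped; sshd listens on 22 when no Port line is set.
configured_ports() {
  awk 'tolower($1) == "port" { print $2; found = 1 }
       END { if (!found) print 22 }'
}

# Succeed if tcp port $1 is labelled ssh_port_t in `semanage port -l`
# output on stdin. Handles lists ("1004, 22") and ranges ("2200-2210").
selinux_allows_ssh_port() {
  awk -v want="$1" '
    $1 == "ssh_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)
        n = split($i, r, "-")
        lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (want + 0 >= lo && want + 0 <= hi) ok = 1
      }
    }
    END { exit !ok }'
}

# $1 = sshd_config text, $2 = `semanage port -l` text. Returns non-zero
# if any configured port lacks the ssh_port_t label.
preflight() {
  pf_status=0
  for pf_port in $(printf '%s\n' "$1" | configured_ports); do
    if printf '%s\n' "$2" | selinux_allows_ssh_port "$pf_port"; then
      echo "port $pf_port: labelled ssh_port_t"
    else
      echo "port $pf_port: needs semanage port --add --type ssh_port_t --proto tcp $pf_port"
      pf_status=1
    fi
  done
  return "$pf_status"
}

# Constructed sample input, modelled on the output shown in the thread.
SAMPLE_CONFIG='# Port 22
Port 1004
PermitRootLogin no'
SAMPLE_BEFORE='ssh_port_t                     tcp      22'
SAMPLE_AFTER='ssh_port_t                     tcp      1004, 22'

preflight "$SAMPLE_CONFIG" "$SAMPLE_BEFORE" || true
preflight "$SAMPLE_CONFIG" "$SAMPLE_AFTER"
```

On a real host, pass `"$(cat /etc/ssh/sshd_config)"` and `"$(sudo semanage port -l)"` as the two arguments, and keep the existing SSH session open until a login on the new port has succeeded.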
