Can you change my SSH port for me?
I was wondering if you would be able to change my SSH port to something other than the default of port 22 for me.
As we are primarily an infrastructure provider, we are not able to access your Linode and make these changes on your behalf. That being said, you can change your SSH port by editing the file '/etc/ssh/sshd_config' and changing the line that reads:
# Port 22
by removing the '#' sign, so that it now reads:
Port 22
You also want to change '22' to the preferred port number. You then want to save the file and restart the SSH service by running the following command:
sudo service sshd restart
Once you have done this, open your firewall for the new port (again replacing '22' with your newly assigned port number):
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
It is also worth mentioning that when making changes to iptables, while the changes do take effect immediately, by default they do not persist through a reboot, meaning that all of your iptables commands would need to be run again after shutting down/restarting your server if you did not take the necessary action(s) to save them. The methods used to save iptables changes through a reboot will vary based on the distribution that you're using, so I've attached our list of Firewall guides for your reference. To cover the 2 most common scenarios - if you're using Debian/Ubuntu, you would use iptables-persistent and if you're using CentOS 7 or above, use FirewallD. FirewallD does not apply to versions of CentOS prior to 7, so alternate methods would need to be used in that scenario.
Following these instructions, you should be able to quickly get this set up on your system.
I am getting these errors:
# service sshd restart
Redirecting to /bin/systemctl restart sshd.service
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.

# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Sun 2019-12-29 14:13:52 UTC; 21s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 3337 ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY (code=exited, status=255)
 Main PID: 3337 (code=exited, status=255)

Dec 29 14:13:52 li865-91.members.linode.com systemd: sshd.service: Main process exited, code=exited, status=255/n/a
Dec 29 14:13:52 li865-91.members.linode.com systemd: sshd.service: Failed with result 'exit-code'.
Dec 29 14:13:52 li865-91.members.linode.com systemd: Failed to start OpenSSH server daemon.

# journalctl -xe
...
-- Unit sshd.service has begun starting up.
Dec 29 14:19:27 li865-91.members.linode.com sshd: error: Bind to port 1004 on 0.0.0.0 failed: Permission denied.
Dec 29 14:19:27 li865-91.members.linode.com sshd: error: Bind to port 1004 on :: failed: Permission denied.
Dec 29 14:19:27 li865-91.members.linode.com sshd: fatal: Cannot bind any address.
Dec 29 14:19:27 li865-91.members.linode.com systemd: sshd.service: Main process exited, code=exited, status=255/n/a
Dec 29 14:19:27 li865-91.members.linode.com systemd: sshd.service: Failed with result 'exit-code'.
Dec 29 14:19:27 li865-91.members.linode.com systemd: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: https://access.redhat.com/support
--
-- Unit sshd.service has failed.
--
-- The result is RESULT.
This issue appears to be related to your SELinux configuration.
To troubleshoot the issue, first determine which package provides the semanage command for your system. You may need to look into your package manager's options to figure out how to search your distribution's packages for the right package. For the sake of this answer, I will be using CentOS because it enables SELinux by default:
$ yum provides /usr/sbin/semanage
Last metadata expiration check: 0:01:12 ago on Sun 29 Dec 2019 01:08:37 PM EST.
policycoreutils-python-utils-2.8-16.1.el8.noarch : SELinux policy core python utilities
Repo        : BaseOS
Matched from:
Filename    : /usr/sbin/semanage
This output indicates that the package providing this command on this system is called policycoreutils-python-utils. Your output may be different depending on your distribution and its version. Let's go ahead and install this package by running this command:
sudo yum install policycoreutils-python-utils
Once the semanage command is available on your Linode, you can now instruct SELinux to allow the SSH server daemon to bind to port 1004:
sudo semanage port --add --type ssh_port_t --proto tcp 1004
Naturally, you may replace port 1004 with any other available port you would like. Port numbers below 1024 require superuser privileges to bind, so if you run into issues with your SSH server port being unable to bind such ports, I would remove the changes provided above and choose a different port numbered 1024 or above:
sudo semanage port --delete --type ssh_port_t --proto tcp 1004 # remove above changes
sudo semanage port --add --type ssh_port_t --proto tcp 20130 # add changes for a different port
You may then check your configuration change using the semanage port -l command:
$ sudo semanage port -l | grep ssh
ssh_port_t                     tcp      1004, 22
As indicated by this output, SELinux is now allowing your Linode's SSH server to bind to port 1004. Naturally, this output will differ if you selected a different port than 1004.
You should be able to successfully restart your SSH server process with its configuration changed to bind to your desired port:
sudo service sshd restart
Although SELinux is now allowing your SSH server process to bind to this port, it is also essential to change your Linode's firewall rules to allow connections over this port.
You may do so by using the firewall-cmd command on CentOS:
sudo firewall-cmd --add-port=1004/tcp
sudo firewall-cmd --add-port=1004/tcp --permanent
sudo firewall-cmd --reload
Be sure to change the port number in this setup depending on your configuration. You may also need to adapt these instructions to whatever firewall application your Linode uses. If it is not using FirewallD, it is most likely using UFW or iptables:
You may want to base your commands off of these examples for UFW:
sudo ufw allow 1004/tcp
sudo iptables -A INPUT -p tcp --dport 1004 -m state --state NEW -j ACCEPT
I would consult the above references for more information on how to customize all of these commands for your specific needs and how to make them permanent so that they will survive reboots.
Once your SELinux policy is updated, your SSH server process is rebooted, and your firewall is reconfigured to allow connections over your newly defined SSH port, you should be all set to connect to your Linode over your new SSH port!
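The check this answer walks through, as an added example that is not part of the original thread: it reads the active Port directives from an sshd_config and reports which ones SELinux's ssh_port_t does not yet cover, so the missing semanage step is caught before sshd is restarted. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before restarting sshd on a new port.
# Function names and sample data are constructed, not from the thread.

# Print every active Port value from sshd_config text read on stdin.
# Commented lines are ignored; with no Port directive sshd defaults to 22.
configured_ports() {
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }'
}

# Succeed if port $1 is covered by the "ssh_port_t tcp" line of
# `semanage port -l` output read on stdin (single ports or lo-hi ranges).
selinux_allows() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) ok = 1
            }
        }
        END { exit(ok ? 0 : 1) }'
}

# $1 = sshd_config text, $2 = `semanage port -l` text.
# Prints "ok PORT" or the semanage command still needed for that port.
preflight() {
    for port in $(printf '%s\n' "$1" | configured_ports); do
        if printf '%s\n' "$2" | selinux_allows "$port"; then
            echo "ok $port"
        else
            echo "run: semanage port --add --type ssh_port_t --proto tcp $port"
        fi
    done
}

# Constructed sample inputs mirroring the situation in this thread.
SAMPLE_CONFIG='# Port 22
Port 1004
PermitRootLogin no'
SAMPLE_BEFORE='ssh_port_t                     tcp      22'
SAMPLE_AFTER='ssh_port_t                     tcp      1004, 22'

preflight "$SAMPLE_CONFIG" "$SAMPLE_BEFORE"   # port 1004 not labelled yet
preflight "$SAMPLE_CONFIG" "$SAMPLE_AFTER"    # port 1004 labelled
```

On a live system, pass `"$(cat /etc/ssh/sshd_config)"` and `"$(sudo semanage port -l)"` instead of the samples, and keep your current SSH session open until a login on the new port succeeds.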
Thank you! For some reason that install command fails for me:
# yum install policycoreutils-python-utils
No package policycoreutils-python-utils available.
Error: Nothing to do
But it works with the exact package version:
# yum install policycoreutils-python-2.5-33.el7.x86_64
The rest works like a charm! Thank you again!