How To Change SSH Port on CentOS / RHEL & Fedora With SELinux Enforcing


(September 18, 2019)

In this guide we will see how to change the SSH service listen port on CentOS 7/8, RHEL 7/8 and Fedora 31/30/29 with SELinux running in Enforcing mode. In Enforcing mode, SELinux enforces its policy and denies any access that the policy rules do not allow. The standard SSH port on most Linux/Unix systems is TCP port 22. It can easily be changed to a custom port not used by other applications on the system.

When SELinux is running in Enforcing mode, the new port must be labelled with the SSH port type so that the policy rules controlling access allow the ssh service to bind to it. Follow the steps below to change the SSH port on a CentOS / RHEL / Fedora server or desktop with SELinux running in Enforcing mode.

Step 1: Backup Current SSH configuration

Log in to your CentOS / RHEL / Fedora system and back up your current ssh daemon configuration file.
date_format=`date +%Y_%m_%d:%H:%M:%S`
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_$date_format


$ ls /etc/ssh/sshd_config*
/etc/ssh/sshd_config  /etc/ssh/sshd_config_2019_09_05:21:40:10

Step 2: Change SSH service port

Open the SSH service configuration file with your favorite text editor (vi, vim, nano, etc.).

sudo vi /etc/ssh/sshd_config

Locate the line that has:

#Port 22

Uncomment the Port line and set it to the new service port. I’ll use port 33000.

Port 33000

Save the changes and close the file.

Step 3: Allow new SSH port on SELinux

The default port labelled for SSH is 22.

$ semanage port -l | grep ssh
ssh_port_t                     tcp      22

To allow sshd to bind to the newly configured network port, add that port to the ssh_port_t port type.

sudo semanage port -a -t ssh_port_t -p tcp 33000

Confirm that the new port has been added to the list of allowed ports for ssh.

$ semanage port -l | grep ssh
ssh_port_t                     tcp      33000, 22

Step 4: Open SSH port on Firewalld

It is always recommended to keep the Firewall service running and only allow trusted services.

sudo firewall-cmd --add-port=33000/tcp --permanent
sudo firewall-cmd --reload

If Firewalld is not installed, use yum to install it and start the service.

sudo yum -y install firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --add-port=33000/tcp --permanent
sudo firewall-cmd --reload

You can now remove the ssh service (the default port 22) from the firewall's allowed services.

sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --reload

Step 5: Restart sshd service

Restart the ssh service for the changes to take effect.

sudo systemctl restart sshd

Verify the listen address for ssh.

$ netstat -tunl | grep 33000
tcp        0      0 0.0.0.0:33000           0.0.0.0:*               LISTEN
tcp6       0      0 :::33000                :::*                    LISTEN
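
A pre-restart check for the procedure above, as an added example that is not part of the original guide: it confirms that every port sshd is configured to use is labelled ssh_port_t in SELinux and opened with --add-port in firewalld, so the restart in Step 5 does not lock you out. The function names, the --live switch and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: run as root between Step 4 and Step 5, before restarting sshd.

# Ports set by "Port" lines on stdin (sshd_config text or `sshd -T` output).
# Prints 22, the sshd default, when no uncommented Port line is present.
configured_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }'
}

# Succeeds if TCP port $1 is labelled ssh_port_t in `semanage port -l` output on stdin.
selinux_allows() {
    awk -v want="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)      # "33000," -> "33000"
                n = split(p, r, "-")          # single port or lo-hi range
                if (want + 0 >= r[1] + 0 && want + 0 <= r[n] + 0) ok = 1
            }
        }
        END { exit !ok }'
}

# Succeeds if TCP port $1 appears in `firewall-cmd --list-ports` output on stdin.
firewall_allows() {
    tr ' ' '\n' | awk -F/ -v want="$1" '
        $2 == "tcp" { n = split($1, r, "-")
                      if (want + 0 >= r[1] + 0 && want + 0 <= r[n] + 0) ok = 1 }
        END { exit !ok }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONFIG='#Port 22
Port 33000
PermitRootLogin no'
SAMPLE_SEMANAGE='ssh_port_t                     tcp      33000, 22'
SAMPLE_FIREWALL='443/tcp 33000/tcp 5000-5010/udp'

# Live check: syntax-test the config, then test each effective port.
preflight() {
    sshd -t || return 1
    for p in $(sshd -T | configured_ports); do
        semanage port -l | selinux_allows "$p" ||
            { echo "port $p is not labelled ssh_port_t" >&2; return 1; }
        firewall-cmd --list-ports | firewall_allows "$p" ||
            { echo "port $p is not opened in firewalld" >&2; return 1; }
    done
}
if [ "${1:-}" = "--live" ]; then preflight; fi
```

Keep the current SSH session open until a second login on the new port succeeds; the backup from Step 1 is the rollback if it does not.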

Other articles:

How To Disable SSH reverse DNS Lookups in Linux/Unix system

How To Set Up Two factor (2FA) Authentication for SSH on CentOS / RHEL

Easy way to Create SSH tunnels on Linux CLI

How to change or update SSH key Passphrase on Linux / Unix

ssh cheatsheet for Linux SysAdmins
