September 18, 2019
In this guide we will see how you can change the SSH service listen port on CentOS 7/8, RHEL 7/8 and Fedora 31/30/29 with SELinux running in Enforcing mode. When SELinux is running in Enforcing mode, it enforces the SELinux policy and denies access based on the policy rules. The standard SSH port on most Linux/Unix systems is TCP port 22. This can easily be changed to a custom port not used by other applications on the system.
When SELinux is running in Enforcing mode, the new port needs to be labelled so that the policy rules controlling access allow the ssh service to bind to it. Follow the steps below to change the SSH port on a CentOS / RHEL / Fedora server or desktop with SELinux running in Enforcing mode.
Step 1: Backup Current SSH configuration
Login to your CentOS / RHEL / Fedora system and back up your current ssh daemon configuration file.
date_format=`date +%Y_%m_%d:%H:%M:%S`
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_$date_format
$ ls /etc/ssh/sshd_config*
/etc/ssh/sshd_config  /etc/ssh/sshd_config_2019_09_05:21:40:10
Step 2: Change SSH service port
Open the SSH service configuration file with your favorite text editor – vi, vim, nano, etc.
sudo vi /etc/ssh/sshd_config
Locate the line that has:
#Port 22
Uncomment the Port line and set the new service port to be used. I’ll use port 33000.
Save the changes and close the file.
Step 3: Allow new SSH port on SELinux
The default port labelled for SSH is 22.
$ semanage port -l | grep ssh
ssh_port_t                     tcp      22
If you want to allow sshd to bind to the network port you configured, you need to add that port to the ssh_port_t port type.
sudo semanage port -a -t ssh_port_t -p tcp 33000
Confirm that the new port has been added to the list of allowed ports for ssh.
$ semanage port -l | grep ssh
ssh_port_t                     tcp      33000, 22
Step 4: Open SSH port on Firewalld
It is always recommended to keep the firewall service running and only allow trusted services.
sudo firewall-cmd --add-port=33000/tcp --permanent
sudo firewall-cmd --reload
If Firewalld is not installed, use yum to install it and start the service.
sudo yum -y install firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --add-port=33000/tcp --permanent
sudo firewall-cmd --reload
Once you have confirmed that you can log in on the new port, you can remove the ssh service (port 22) from the firewall.
sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --reload
Step 5: Restart sshd service
Restart ssh service for the changes to take effect.
sudo systemctl restart sshd
Verify the listen address for ssh.
$ netstat -tunl | grep 33000
tcp        0      0 0.0.0.0:33000           0.0.0.0:*               LISTEN
tcp6       0      0 :::33000                :::*                    LISTEN
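The whole procedure above, as an added example that is not part of the original article: a small set of POSIX shell helpers that rewrite the Port directive idempotently, check whether `semanage port -l` output already covers the port, and validate the config with `sshd -t` before restarting. The file editing and output parsing work on any file or text you hand them; apply_ssh_port assumes GNU sed, root, SELinux and firewalld on the target host.

```shell
#!/bin/sh
# Added example, not from the article. Helpers for changing the sshd port on
# a SELinux-enforcing CentOS/RHEL/Fedora host. The pure functions take a file
# path or stdin so they can be exercised on a copy before touching the system.

# Accept only a numeric port in the registered/dynamic range (1024-65535).
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the (possibly commented "#Port 22") Port line in sshd_config $2 to
# "Port $1"; append one if the file has none. Running it twice is harmless.
set_sshd_port() {
  port=$1; cfg=$2
  validate_port "$port" || return 1
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
  else
    printf 'Port %s\n' "$port" >> "$cfg"
  fi
}

# Print the effective Port from sshd_config $1 (sshd's default 22 if unset).
get_sshd_port() {
  awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ {p=$2} END {print (p != "" ? p : 22)}' "$1"
}

# $1 = port, stdin = `semanage port -l` output. Succeeds only if the
# ssh_port_t tcp entry lists the port (entries look like "33000, 22").
selinux_port_labelled() {
  awk -v want="$1" '$1=="ssh_port_t" && $2=="tcp" {
      for (i=3;i<=NF;i++) { gsub(",","",$i); if ($i==want) found=1 } }
      END { exit found ? 0 : 1 }'
}

# Live run of steps 1-5 (run as root). The SELinux label is added only if
# missing, and sshd -t refuses a broken config before the restart.
apply_ssh_port() {
  port=$1
  validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
  cp /etc/ssh/sshd_config "/etc/ssh/sshd_config_$(date +%Y_%m_%d:%H:%M:%S)"
  set_sshd_port "$port" /etc/ssh/sshd_config
  semanage port -l | selinux_port_labelled "$port" || semanage port -a -t ssh_port_t -p tcp "$port"
  firewall-cmd --add-port="$port/tcp" --permanent && firewall-cmd --reload
  sshd -t && systemctl restart sshd
}
```

Keep the existing session open while testing the new port from a second terminal; the port-22 firewall rule is removed only after that login works.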