It’s always reassuring to log into a system and see endless failed SSH login attempts:
login as: root email@example.com's password: Last failed login: Wed Oct 30 22:45:53 CDT 2019 from ip102.ip-192-99-208.net on ssh:notty There were 88135 failed login attempts since the last successful login. Last login: Mon Sep 30 16:45:46 2019 from 220.127.116.11
This is a standard example of what happens when the default SSH port is left to 22. Automated bots will consistently attempt brute forcing your system. It’s not too critical if the password is lengthy and secure, or if SSH keys are being used instead. If this worries you however, changing the SSH port can certainly reduce the number of bot login attempts.
Changing the default SSH port on any public server is generally a highly debated practice between administrators. Many believe that by changing the port, their server can become invisible to hackers that may be attempting to break in. Of course, changing the port number will help, but it isn’t something that a simple port scan won’t reveal again. This is commonly known as “security through obscurity”.
Changing the port is like changing the numbers on the front of your home. It will temporarily throw someone off track, but not for long. So yes, changing the port will help prevent tens of thousands of automated login attempts, but any human with a port scanner will find the new port.
Changing the port in CentOS 7 requires a few steps, if you’re changing the SSH port through SSH itself, be careful to not lock yourself out.
Step 1: Change The SSH Port in The Configuration:
Open /etc/ssh/sshd_config with your favorite text editor, we’ll use nano in this case:
Edit and un-comment the line that contains the port number, then change it to the desired port. Be sure to not use a port number already in use on the system. We’ll use 34804 in this example:
# This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # Port 34804 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::
That’s it for that file, save the configuration and exit the editor.
Step 2: Tell SELinux About Your New Port Number:
semanage port -a -t ssh_port_t -p tcp 34804
If this is not done, SSH will be denied on the new port.
Step 3: Allow the port in firewall-cmd:
firewall-cmd --permanent --zone=public --add-port=34804/tcp firewall-cmd --reload
After this, run the following command, and SSH in by using the new port number:
service sshd restart
That’s it, your system’s SSH access should now be more obscure, but do not confuse this with being more secure. The number of login attempts should be much smaller after making these changes.
In our next guide, we’ll configure a system for SSH key-based authentication.