December 15, 2025

How to Change the SSH port on CentOS 10

OpenSSH listens on port 22 by default. Because this port is well known, it is a common target for automated attacks. Moving SSH to a less common port is an easy way to reduce that exposure. This post explains how to change the SSH port on CentOS 10 or a later version: editing the configuration, adjusting firewall settings, handling SELinux, and validating your setup.

Why Change the Default SSH Port on CentOS 10?

  • The default port 22 is widely scanned by bots looking for vulnerable servers. Changing it reduces noise and brute-force attempts.
  • It’s not a substitute for good security (strong passwords, key-based authentication, and disabling root login), but it does add a modest level of mitigation.
  • On CentOS/RHEL with SELinux enabled, you must register the new port with SELinux so that SSH is allowed to bind to it.

How to Change the SSH Port on CentOS 10?

It’s easy to change the SSH port in CentOS 10, but you must do it carefully so as not to lock yourself out. You can reduce the risk of automated attacks by choosing a port that isn’t standard, updating SELinux if necessary, restarting your service, and thoroughly testing. This isn’t an alternative to strong authentication, frequent upgrades, and secure configuration. However, it can be a useful step towards hardening your server.

Here’s how to safely make the change.

1. Choose a new port

Choose a port that is outside the range of well-known services (greater than 1004) and is not already in use by another service. This reduces the risk of conflicts and avoids obvious scanning targets.

2. Backup existing configuration

Create a backup before making any changes so that you can restore it if anything goes wrong.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

3. Edit the SSH daemon configuration

Open the main configuration file:

sudo nano /etc/ssh/sshd_config

Find the line:

#Port 22

Uncomment it and change the port to the one you prefer, for example:

Port 2222

Save and exit.

4. Open the new port in the firewall

If you use firewalld (typically on CentOS/RHEL), then:

sudo firewall-cmd --add-port=2222/tcp --permanent

sudo firewall-cmd --remove-service=ssh --permanent

sudo firewall-cmd --reload

This opens TCP Port 2222 and removes the default SSH service port rule.

5. Update SELinux policy (if enabled)

If SELinux is in enforcing mode, you must allow SSH to bind to the new port:

sudo yum install policycoreutils-python-utils -y # if semanage missing

sudo semanage port -a -t ssh_port_t -p tcp 2222

You may need to use -m if a rule exists already for the port:

sudo semanage port -m -t ssh_port_t -p tcp 2222

5. Restart the SSH service

Restart sshd to apply the changes.

sudo systemctl restart sshd

Check the status of the service:

sudo systemctl status sshd

6. Verify the new port is listening

Verify that the SSH daemon is listening on your new port (sudo is needed for netstat to show the process name that grep matches on):

sudo netstat -tlpn | grep ssh

The listing should show sshd listening on 0.0.0.0:2222.

7. Test SSH connection

Start an SSH session from your local machine using the new port:

ssh -p 2222 username@your-server-ip

Before you log out of an existing SSH session, make sure that the connection was successful (to avoid locking yourself out).

8. Remove or block the old port (optional)

After you’ve verified that the new port is working, remove or comment out the Port 22 directive from sshd_config. Update firewall rules to block port 22 or remove it.
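
The two ways this procedure can lock you out (no SELinux label for the new port, or the port not open in firewalld) can be checked before sshd is restarted. The following is an added example, not part of the original post: the function names are assumptions and the inputs are constructed sample text standing in for /etc/ssh/sshd_config, `semanage port -l` and `firewall-cmd --list-ports`.

```bash
#!/usr/bin/env bash
# Added example: offline pre-restart check for an sshd port change.

# Ports sshd would listen on, from sshd_config text on stdin. Keywords are
# case-insensitive and "#Port 22" is a comment; with no Port line sshd uses 22.
config_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }'
}

# Succeeds if `semanage port -l` text on stdin labels tcp port $1 as ssh_port_t.
# Entries may be single ports or ranges such as 5900-5983.
selinux_allows() {
    awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            gsub(/,/, "", $i); n = split($i, r, "-")
            if (p + 0 >= r[1] + 0 && p + 0 <= r[n] + 0) ok = 1
        } }
        END { exit !ok }'
}

# Succeeds if `firewall-cmd --list-ports` text on stdin contains $1/tcp.
firewall_allows() {
    tr ' ' '\n' | grep -qx "$1/tcp"
}

# Args: sshd_config text, semanage output, firewalld port list.
# Prints one line per problem and returns 1 if restarting sshd is unsafe.
lockout_check() {
    local port rc=0
    for port in $(printf '%s\n' "$1" | config_ports); do
        printf '%s\n' "$2" | selinux_allows "$port" ||
            { echo "$port: no ssh_port_t label, sshd cannot bind"; rc=1; }
        printf '%s\n' "$3" | firewall_allows "$port" ||
            { echo "$port: not open in firewalld"; rc=1; }
    done
    return "$rc"
}

# Constructed sample data (not captured from a real host).
CFG='#Port 22
Port 2222
PermitRootLogin no'
SE_BEFORE='http_port_t   tcp   80, 443
ssh_port_t    tcp   22'
SE_AFTER='ssh_port_t    tcp   2222, 22'

lockout_check "$CFG" "$SE_BEFORE" "" || echo "fix the above before restarting sshd"
lockout_check "$CFG" "$SE_AFTER" "2222/tcp" && echo "safe to restart sshd"
```

The parser does not follow Include directives, and it only looks at firewalld's port list, not its service list. Running `sudo sshd -t` before the restart additionally catches syntax errors in the edited file.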

Common Issues & Troubleshooting

  • Firewall not updated: Connection attempts fail because the new port isn’t being allowed through.
  • SELinux enforcement: If you do not update the SELinux policy with semanage after changing the SSH port, SSH might fail to bind and restart.
  • When using SSH, remember to include the -p newport option.
  • Keep at least one SSH session open. Don’t shut down your SSH session before you have confirmed that the new port is working. This will prevent you from being locked out.
  • Update any tools, scripts, or automation that use port 22.

Conclusion

To change the SSH port in CentOS 10, first open the SSH configuration file using sudo vi /etc/ssh/sshd_config, find the line #Port 22, and replace it with your desired port number (e.g., Port 2222). Then, add the port to the firewall with sudo firewall-cmd --add-port=2222/tcp --permanent and reload the firewall by running sudo firewall-cmd --reload. If SELinux is enabled, run sudo semanage port -a -t ssh_port_t -p tcp 2222. Restart sshd and check that it is listening with sudo netstat -tlpn | grep ssh. Finally, connect to your server using ssh -p 2222 username@your_server_ip to confirm the new port works before closing your existing session.
