6 Replies Latest reply: Oct 17, 2012 5:42 AM by BillyVerreynne

Change ssh port from default 22...

user312242 Newbie
Anyone have some success stories on changing the default SSH port from 22 to XXXX?

I've made the changes to the sshd_config file for the new port number but am not able to make a connection...

Thanks,
  • 1. Re: Change ssh port from default 22...
    Avi Miller Guru
    Adam M wrote:
    Anyone have some success stories on changing the default SSH port from 22 to XXXX?
    Yes.
    I've made the changes to the sshd_config file for the new port number but am not able to make a connection...
    Have you opened that port on the firewall?
  • 2. Re: Change ssh port from default 22...
    user312242 Newbie
    Yes, could it be the actual port? Port 2995...

    Thanks for the reply.
  • 3. Re: Change ssh port from default 22...
    Dude! Guru
    <pre>
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
    sed -i 's:#Port 22:Port 2000:g' /etc/ssh/sshd_config

    service sshd restart

    service iptables stop

    $ ssh -p 2000 root@10.0.1.4
    root@10.0.1.4's password:
    Last login: Wed Oct 17 08:01:59 2012 from 10.0.0.1

    # lsof -i TCP:2000
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    sshd 8435 root 3u IPv4 36137 0t0 TCP *:sieve-filter (LISTEN)
    sshd 8435 root 4u IPv6 36139 0t0 TCP *:sieve-filter (LISTEN)
    sshd 8612 root 3r IPv4 36628 0t0 TCP 10.0.1.4:sieve-filter->10.0.0.1:62685 (ESTABLISHED)
    </pre>

    The name "sieve-filter" comes from /etc/services:

    <pre>
    # grep -w 2000/tcp /etc/services
    sieve-filter 2000/tcp cisco-sccp # Sieve Mail Filter Daemon
    </pre>
  • 4. Re: Change ssh port from default 22...
    BillyVerreynne Oracle ACE
    Adam M wrote:
    Anyone have some success stories on changing the default SSH port from 22 to XXXX?
    Why on earth would you want to do that?

    It does not even remotely address any kind of security issue.

    What it does do, is make network and router management, administration, and security, significantly more complex. There are very valid reasons for having a fixed well known port range - and not mucking about with it.
  • 5. Re: Change ssh port from default 22...
    user312242 Newbie
    OK, thanks for the replies.

    I've come to the conclusion the problem I was experiencing was due to the fact that port 2995 was being used already by the OS. After I changed the port to 7995 and added the exception to the firewall things worked as planned.

    Also, the reasoning behind this is not for security purposes but due to the fact my router only allows me to forward port 22 to a single computer, hence the need for a second SSH port.

    Thanks for the help and suggestions.
  • 6. Re: Change ssh port from default 22...
    BillyVerreynne Oracle ACE
    Adam M wrote:

    Also, the reasoning behind this is not for security purposes but due to the fact my router only allows me to forward port 22 to a single computer, hence the need for a second SSH port.
    I would rather look at using NAT on that server - only allowing access to the 2nd port from the router. And then nat'ing that connection to localhost on port 22.

    This makes the 2nd port a pure network administration issue - and not a network service issue. I.e. you will face the same issue if you want to run web servers and access these via the router, requiring the router to forward secondary port connections to port 80 on different servers on your private subnet. So instead of also having to mess with the httpd config (different config files than the sshd service), it would be easier to deal with this via a single iptables script. And in a secure fashion.
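The iptables approach from reply 6, as an added example that is not from any poster in this thread: the router forwards a second port (7995, the port reply 5 ended up with) to the host, and the host redirects it to sshd on the default port 22, so sshd_config stays untouched. The script only prints the rules; router address 10.0.0.1 (taken from the login banner in reply 3) and interface eth0 are assumptions, and the port check reuses the /etc/services lookup from reply 3 to catch the collision reply 5 ran into.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules
# that expose a second port only to the router and REDIRECT it to sshd on 22.
# Assumptions: router at 10.0.0.1, public-facing interface eth0, and that the
# router rewrites the source address to its own when forwarding (if it keeps
# the client's address, drop the -s match and rely on -i alone).

ROUTER_IP="${ROUTER_IP:-10.0.0.1}"
ROUTER_PORT="${ROUTER_PORT:-7995}"
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT=22

# Reject ports that are non-numeric, privileged, out of range, or already
# reserved in /etc/services (the collision behind reply 5's failure on 2995).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] || return 1
    ! grep -qw "$1/tcp" /etc/services 2>/dev/null
}

# Print the three rules. Only traffic from the router reaches the redirect;
# anything else arriving on ROUTER_PORT is dropped. The INPUT ACCEPT matches
# the redirected packets (now dport 22) and is needed when INPUT defaults to
# DROP; it does not change who else may reach 22 directly on the LAN.
ssh_redirect_rules() {
    valid_port "$ROUTER_PORT" || { echo "unusable port: $ROUTER_PORT" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -s $ROUTER_IP -p tcp --dport $ROUTER_PORT -j REDIRECT --to-ports $SSH_PORT
iptables -A INPUT -i $WAN_IF -s $ROUTER_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $ROUTER_PORT -j DROP
EOF
}

# After applying: the redirected session shows up in lsof with local port 22,
# the same check reply 3 used, since sshd never listens on ROUTER_PORT.
show_ssh_sockets() {
    lsof -nP -i TCP:"$SSH_PORT"
}

# Usage: review the output, then apply it:  ./ssh_redirect.sh --show | sh
[ "${1:-}" = "--show" ] && ssh_redirect_rules
```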
