
How do I change the default port that OpenSSH server uses?

by The editorial team

Contributed by Isauro Michael Balod Napolis

Release Found: All Red Hat Enterprise Linux

OpenSSH by default listens on port 22 of all local addresses. To add a measure of
security to the OpenSSH server, the ListenAddress and Port
directives in the /etc/ssh/sshd_config file can be used.

ListenAddress – Lists the IP addresses or hosts that sshd will listen on.

Port – Specifies the port that sshd will listen on.

Example /etc/ssh/sshd_config file:

Port 40
ListenAddress 127.0.0.1
ListenAddress 172.16.45.0

Restart the sshd daemon on the OpenSSH server for the changes to take effect.

# service sshd restart

A client on the 172.16.44.0 network can now connect to the OpenSSH server with the command below:

# ssh 172.16.44.1 -p 40
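Added example, not from the article or Red Hat's Knowledgebase: a small Python checker that computes the (address, port) sockets sshd would bind from a config fragment such as the one above, so a ListenAddress/Port change can be verified before sshd is restarted. The parser, sample text and function names are my own and cover only the Port and ListenAddress directives.

```python
import re

DEFAULT_PORT = 22                      # sshd's built-in default
WILDCARDS = ('0.0.0.0', '::')          # "all local addresses"

SAMPLE_CONFIG = """\
# constructed sample, mirrors the article's example
Port 40
ListenAddress 127.0.0.1
ListenAddress 172.16.45.0
"""

def parse_listen_address(value):
    """Split a ListenAddress value into (host, port-or-None)."""
    m = re.match(r'^\[(.+)\]:(\d+)$', value)       # [IPv6-or-host]:port
    if m:
        return m.group(1), int(m.group(2))
    if value.count(':') == 1:                       # host:port (IPv4 or hostname)
        host, port = value.split(':')
        return host, int(port)
    return value, None                              # bare host: takes the Port list

def effective_listeners(config_text):
    """Return the sorted (host, port) sockets sshd would bind for this config."""
    ports, addrs = [], []
    for raw in config_text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        if key == 'port':
            ports.append(int(value))
        elif key == 'listenaddress':
            addrs.append(parse_listen_address(value))
    ports = ports or [DEFAULT_PORT]
    # No ListenAddress at all means every local address (IPv4 and IPv6).
    addrs = addrs or [(w, None) for w in WILDCARDS]
    # Assumption: a port-less ListenAddress takes every Port directive in the
    # file, as in current sshd; older releases only used the Port lines above
    # it, so keep Port first as the article does.
    sockets = {(h, p if p is not None else q) for h, p in addrs for q in ports}
    return sorted(sockets)

def wildcard_listeners(config_text):
    """Sockets still bound to all addresses, i.e. ListenAddress restricts nothing."""
    return [s for s in effective_listeners(config_text) if s[0] in WILDCARDS]
```

Run it against /etc/ssh/sshd_config before `service sshd restart`; the host firewall and, on SELinux-enforcing releases, the SELinux ssh port label must also permit the new port.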

Red Hat’s customer service and support teams receive technical support questions from users all over the world. Red Hat technicians add the questions and answers to Red Hat Knowledgebase on a daily basis. Access to Red Hat Knowledgebase is free. Every month, Red Hat Magazine offers a preview into the Red Hat Knowledgebase by highlighting some of the most recent entries.

7 responses to “How do I change the default port that OpenSSH server uses?”

  1. Harry Sutton says:

    There’s a well-known argument against ‘security by obscurity’, and an equally compelling argument could be made that this article suggests just such an approach. Personally, I prefer an approach that locks out root access via ssh (by use of the ‘PermitRootLogin no’ stanza in /etc/ssh/sshd_config), coupled with restricting ssh access to only a selected few accounts (by use of the ‘AllowUsers’ stanza in the same config file), over this ‘try to guess which non-standard port I’m using for my ssh daemon’ approach.

  2. Karsten Wade says:

    I don’t disagree about the security-through-obscurity arguments, per se, but there is value in changing the default port beyond that.

    Anyone who hosts an Internet-facing SSH server probably receives dozens or hundreds of probes against ssh on port 22, from cracker hosts or compromised/bots around the world. Changing to a non-default port makes these probes get dropped silently. You cannot prevent the probing, but you can make it less annoying.

  3. Kelsie Flynn says:

    All of these measures are of great value. Taking the time to reconfigure sshd_config, then blocking unauthorized netblocks with iptables are first steps I would recommend any admin to reduce undesired traffic. IMHO, sshd_config should be shipped by default with no root login, with specific AllowUsers automatically appended during setup.

    Thanks Red Hat for the opportunity for us to voice these opinions in this way. And a big thank you to all the ssh developers for providing us with the best remote control access software on the planet.

  4. Oisin Feeley says:

    On the other hand, if sshd is configured to use shared keys and password authentication is turned off there’s very little risk of compromise and your machine gets to collect a list of hostile IP addresses which can be added to one or more of /etc/hosts.deny or iptables rules.

  5. Jeffrey Huckaby says:

    We’ve never really found the need to obscure the SSH port.

    In situations where it would help the most, such as a shared hosting server, obscuring the port creates numerous end-user support issues. Many web publishing tools, SFTP/SCP clients, and other programs expect the default port. Walking hundreds of users through changing their defaults is a time-consuming process. You have to evaluate if this time would be better spent on other administration and security tasks.

    In situations where only a limited number of users access the system, firewalls, TCP wrappers and internal SSH controls provide layers of security that mitigate mindless brute force attacks.

    The major issue I have with obscuring the SSH port is that it is often done “in-place” of proper password security rather than as an extension to it.

  6. anonymous dot gov says:

    Another very useful application of changing the ssh port is to allow inside-the-firewall users to get out to a well-known address, an address that you can change to, say, 80. Sometimes the business need is there, but the firewall administrator cannot allow anything out of any port but 80.

  7. Nathan says:

    A firewall allowing only port 80 is not allowing a port but allowing a protocol. It is very likely that anyone slipping an ssh server through the firewall by making it use port 80 is still violating the security policies of the company that has that firewall in place.