Changing SSH port

Ryan Maxey

Member
Depending on your situation, changing your SSH port may be a decent option.

Use a text editor over SSH, or FTP. SSH is easiest. I won't explain FTP, since it's obvious.
Open an SSH session to your server, logging in as root.
Use the command: nano /etc/ssh/sshd_config
If it says command unknown, it means you don't have nano installed.
In which case, if you're on CentOS, use: yum install nano
If you're on Debian, use apt-get install nano
Whichever one you normally use, the OS only has one. If you've never used either, try both. Only one will work.

Once you're in nano, use control+w to search, or just locate "port".
By default, it should be 22. Change it to something of your liking. (Not something ridiculous like 12592105)
Once you edit it, look over it to make sure you didn't edit anything you didn't mean to, and use ctrl+o to save the file. Once you hit ctrl+o, just hit enter and it'll save it in the location from which it was opened (/etc/ssh/sshd_config).
Then use: service sshd restart

NOTE: Keep it under 4 digits; something such as 1250 would be fine. Also, be sure not to use something like port 80, which is the default port for web browsing, or 21, which is the default FTP port.

What will this protect me from?
-Automated bots guessing passwords
-People who have somehow gotten your password. (If they're smart enough, they can port scan your box, if you don't have any kind of firewall that would prevent that)
 

MazinJunaid

New Member
You've explained this really well and the tutorial is really clear. I just had a question about the port. If we use one more than 4 digits long would it be outright rejected or would it actually just cause problems later on?
 

MazinJunaid

New Member
So using a larger port, say 5 digits long, won't be a problem and a 4 digit long port is just a matter of choice?
 

bearbin

New Member
You can also prevent people from guessing your password by installing denyhosts or fail2ban - they will ban people from logging in to your VPS if they get 10 bad logins in a row. It's as simple as sudo apt-get install denyhosts.
 

MazinJunaid

New Member
You can also prevent people from guessing your password by installing denyhosts or fail2ban - they will ban people from logging in to your VPS if they get 10 bad logins in a row. It's as simple as sudo apt-get install denyhosts.
That sounds interesting. Do they track the IP address where the wrong login attempts came from and ban that?
 

Quags

Administrator
Staff member
For denyhosts / fail2ban the logs are watched and failed attempts are blocked automatically, either using tcpwrappers (hosts.allow/deny) or iptables.
 

Yanz

New Member
If you do change your default port and are using a service such as fail2ban, make sure to edit the ssh jail to reflect the new port.

Also, normally any ports above 1000 are good for SSH; most default port scans only scan the first 1000.
 

nonsiccus

New Member
You may want to verify that the arbitrary port that you selected is not also used for a different service/application. Aside from that, it's generally a pretty good idea (security-wise) to change your default ports so as to minimize the chances of people guessing their way into your server/network.
 

Quags

Administrator
Staff member
To test if a service is listening on a port already you can use

lsof -i :portname

Of course ssh won't start if it cannot bind to the port.

I did not mention, an easy firewall is: http://configserver.com/cp/csf.html

This includes login failure detection to automatically block things like bad ssh logins.
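The steps from the first post (pick a sane port, edit the Port directive in sshd_config) and Quags' "is something already listening there" check, put together as a small POSIX sh script. This is an added example, not code from anyone in the thread; it assumes sed and mktemp are present and uses lsof only if it is installed.

```shell
#!/bin/sh
# Added example: validate a candidate SSH port and rewrite the "Port"
# directive in an sshd_config-style file. Assumes POSIX sh, sed, mktemp;
# lsof (Quags' "lsof -i :port") is used only when available.

# Reject non-numeric input, ports outside 1-65535, and well-known ports
# below 1024 (e.g. 21 FTP, 80 HTTP). Returns 0 when the port is acceptable.
check_ssh_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "not a number: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "out of range (1-65535): $port" >&2; return 1
    fi
    if [ "$port" -lt 1024 ]; then
        echo "well-known port, pick one >= 1024: $port" >&2; return 1
    fi
    return 0
}

# Returns 1 if some process already has the port open (lsof present only).
port_is_free() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i ":$1" >/dev/null 2>&1 && return 1
    fi
    return 0
}

# Replace the (possibly commented-out "#Port 22") directive in the given
# config file, or append one if none exists. Writes to a temp copy first so
# a failed edit never leaves the real file half-written.
set_ssh_port() {
    cfg=$1; port=$2
    check_ssh_port "$port" || return 1
    port_is_free "$port" || { echo "port $port already in use" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]].*/Port $port/" "$cfg" > "$tmp"
    else
        cat "$cfg" > "$tmp" && printf 'Port %s\n' "$port" >> "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}
```

Run `sshd -t` to syntax-check the edited file before `service sshd restart`, and keep your current session open until a fresh login on the new port succeeds.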
 