Centos6.4 modify ssh default port 22 to other ports detailed security tutorial (including SELinux, iptables settings)

Source: Internet
Author: User
This is currently the safest tutorial. if you are a newbie, strictly follow the steps in this tutorial. if you have a certain foundation, you can skip this tutorial.

This is currently the safest tutorial. if you are a newbie, follow the steps in this tutorial. if you have a certain foundation, you can skip some paragraphs.

Modify port configurations

Run

vim /etc/ssh/sshd_config

Find the line # Port 22, remove the comment, and add a line of Port 1234 below.

Port 22Port 1234
In many tutorials, 22 is directly changed to another port. it is recommended that you do not do this. in case the modified port is unavailable, you will not be able to log on completely, so leave a back path to modify the firewall configuration.

Modify the iptables (linux firewall) File:

vim /etc/sysconfig/iptables
Add a row
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1813 -j ACCEPT
Disable firewall

Disable the firewall.

service iptables stop
Disable SELinux

Important: disable SELinux first. this is not mentioned in many tutorials because SElinux has a high default protection level. if SElinux is not disabled, many problems may occur.

vim /etc/sysconfig/selinux
Change SELINUX = enforcing to SELINUX = disabled and restart the test connection.

After restart, run the following command:

netstat -tpnl | grep ssh
Two ports are opened at the same time.
[root@localhost ~]# netstat -tpnl | grep sshtcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1497/sshd           tcp        0      0 0.0.0.0:1234                 0.0.0.0:*                   LISTEN      1497/sshd           tcp        0      0 :::22                       :::*                        LISTEN      1497/sshd           tcp        0      0 :::1234                      :::*                        LISTEN      1497/sshd    
Important: test whether the new port can be connected by modifying SELinux configuration.

If it is normal, perform the following steps: modify selinux

The installed centos does not have the semanage command. Therefore, check whether the semanage command exists. if not, install the semanage command in the following tutorial.

# rpm -qa | grep semanaglibsemanage-2.0.43-4.2.el6.x86_64# which semanage/usr/bin/which: no semanage in (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)# yum provides /usr/sbin/semanagepolicycoreutils-python-2.0.83-19.30.el6.x86_64 : SELinux policy core python utilitiesRepo        : baseMatched from:Filename    : /usr/sbin/semanage# yum whatprovides /usr/sbin/semanageLoaded plugins: fastestmirror, refresh-packagekit, securityLoading mirror speeds from cached hostfile * base: mirrors.prometeus.net * epel: mirror.switch.ch * extras: mirrors.prometeus.net * rpmfusion-free-updates: rpmfusion.famillecollet.com * rpmfusion-nonfree-updates: rpmfusion.famillecollet.com * updates: mirrors.prometeus.netpolicycoreutils-python-2.0.83-19.30.el6.x86_64 : SELinux policy core python utilitiesRepo        : baseMatched from:Filename    : /usr/sbin/semanage# yum -y install policycoreutils-python
Then, run the following command to view the ssh ports allowed by SElinux:
semanage port -l | grep ssh
Output
ssh_port_t                     tcp      22
Add port 1234 to SELinux
semanage port -a -t ssh_port_t -p tcp 1234
Important: then confirm whether to add it.
semanage port -l | grep ssh
If it is successful
ssh_port_t                     tcp      1234, 22
Enable SELinux's low security level

Then modify the SELinux policy and re-open it. However, if we modify the policy to permissive, the security level will not intercept your modification, but will only prompt a warning.

vim /etc/sysconfig/selinux
Modify security level
SELINUX=permissive
Then restart reboot.

Important: use the new port to test the remote connection again after restart.

Enable normal security level of SELinux

Test the connection with a new port after restart.

If SELINUX = enforcing is modified in the test and then restarted, the code will not be pasted here because of the many modifications mentioned above.

After the restart, use the new port to test the remote connection again.

Subsequent cleanup steps

If yes, congratulations. you have successfully configured a new port. then you can delete port 22 from sshd_config, delete port 22 from the firewall, and perform other steps.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.