This is currently the safest tutorial. If you are a newbie, strictly follow the steps in this tutorial. If you have a certain foundation, you can skip some paragraphs.
Modify port configurations
Run
vim /etc/ssh/sshd_config
Find the line #Port 22, remove the comment marker, and add a line Port 1234 below it, so that the file contains:
Port 22
Port 1234
In many tutorials, 22 is directly changed to another port. It is recommended that you do not do this: if the new port turns out to be unavailable, you will not be able to log on at all, so leave yourself a way back.
Modify the firewall configuration
Modify the iptables (Linux firewall) file:
vim /etc/sysconfig/iptables
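Add a row for the new port. The port must match the one set in sshd_config, and inside this file the rule is written without the leading iptables command. Put it above any REJECT rule in the file, because rules are evaluated in order.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT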
Disable firewall
Disable the firewall.
service iptables stop
Disable SELinux
Important: disable SELinux first. This is not mentioned in many tutorials. Because SELinux has a high default protection level, many problems may occur if it is not disabled.
vim /etc/sysconfig/selinux
Change SELINUX=enforcing to SELINUX=disabled, then restart and test the connection.
After restart, run the following command:
netstat -tpnl | grep ssh
Two ports are opened at the same time.
[root@localhost ~]# netstat -tpnl | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1497/sshd
tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN 1497/sshd
tcp 0 0 :::22 :::* LISTEN 1497/sshd
tcp 0 0 :::1234 :::* LISTEN 1497/sshd
Important: test whether you can connect on the new port.
Modify SELinux configuration
If the connection works, perform the following steps to modify SELinux.
A freshly installed CentOS does not have the semanage command. Check whether it exists; if not, install it as shown in the following session.
# rpm -qa | grep semanag
libsemanage-2.0.43-4.2.el6.x86_64
# which semanage
/usr/bin/which: no semanage in (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin)
# yum provides /usr/sbin/semanage
policycoreutils-python-2.0.83-19.30.el6.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage
# yum whatprovides /usr/sbin/semanage
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: mirrors.prometeus.net
 * epel: mirror.switch.ch
 * extras: mirrors.prometeus.net
 * rpmfusion-free-updates: rpmfusion.famillecollet.com
 * rpmfusion-nonfree-updates: rpmfusion.famillecollet.com
 * updates: mirrors.prometeus.net
policycoreutils-python-2.0.83-19.30.el6.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage
# yum -y install policycoreutils-python
Then, run the following command to view the ssh ports allowed by SELinux:
semanage port -l | grep ssh
Output
ssh_port_t tcp 22
Add port 1234 to SELinux
semanage port -a -t ssh_port_t -p tcp 1234
Important: then confirm that it was added.
semanage port -l | grep ssh
If it was successful, the output is:
ssh_port_t tcp 1234, 22
Enable SELinux's low security level
Then modify the SELinux policy and re-enable it. If we set the policy to permissive, SELinux will not block your modification but will only log a warning.
vim /etc/sysconfig/selinux
Modify security level
SELINUX=permissive
Then restart:
reboot
Important: use the new port to test the remote connection again after restart.
Enable normal security level of SELinux
Test the connection on the new port after the restart.
If the test succeeds, change the setting to SELINUX=enforcing and then restart. The commands are not pasted here because they are the same as the modifications shown above.
After the restart, use the new port to test the remote connection again.
Subsequent cleanup steps
If yes, congratulations. You have successfully configured a new port. You can then delete port 22 from sshd_config, delete port 22 from the firewall, and perform other steps.
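Before removing port 22, a check like the following confirms that every port sshd is configured for is also allowed by the iptables rules file and by SELinux's ssh_port_t. It is an added example, not part of the original tutorial: the function names are hypothetical, the inputs are passed as files (including the saved output of semanage port -l), and the sample data is constructed.

```sh
#!/bin/sh
# Added example. Function names are hypothetical. Each function takes file paths so it
# can be run on copies; on the host described above they would be /etc/ssh/sshd_config,
# /etc/sysconfig/iptables and the saved output of `semanage port -l`.

# Ports sshd will listen on: every uncommented "Port N" line (22 if there is none).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1")
    echo "${ports:-22}"
}

# True if the rules file has an INPUT ACCEPT rule with --dport PORT.
fw_allows() {
    grep -Eq -e "^-A INPUT .*--dport $2 .*-j ACCEPT" "$1"
}

# True if the `semanage port -l` output lists PORT for ssh_port_t over tcp.
selinux_allows() {
    awk -v p="$2" '$1 == "ssh_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
    } END { exit !found }' "$1"
}

# One line per sshd port; returns 1 if any port is blocked by either layer.
check_ports() {
    rc=0
    for port in $(sshd_ports "$1"); do
        missing=""
        fw_allows "$2" "$port" || missing="$missing firewall"
        selinux_allows "$3" "$port" || missing="$missing selinux"
        if [ -n "$missing" ]; then echo "$port blocked:$missing"; rc=1
        else echo "$port ok"; fi
    done
    return $rc
}

# Constructed sample inputs: the firewall rule was written for the wrong port and
# semanage has not been run yet, so only port 22 is reachable.
demo=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 22' 'Port 1234' > "$demo/sshd_config"
printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
    '-A INPUT -m state --state NEW -m tcp -p tcp --dport 1813 -j ACCEPT' > "$demo/iptables"
printf '%s\n' 'ssh_port_t                     tcp      22' > "$demo/semanage_before"
printf '%s\n' 'ssh_port_t                     tcp      1234, 22' > "$demo/semanage_after"
check_ports "$demo/sshd_config" "$demo/iptables" "$demo/semanage_before" ||
    echo "keep port 22 until every port reads ok"
```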