The default SSH port on every CentOS release is 22. To improve security, you should change the default SSH port so that the password is less exposed to brute-force attempts. Some VPS providers fine customers, or temporarily suspend service, if the server's SSH has been cracked several times. Changing the default SSH port is therefore necessary.
First, log in through the current SSH port (default: 22).
1. Open the configuration file /etc/ssh/sshd_config and find the line
# Port 22
2. Remove the # before Port 22 and add a second Port line below it. If the new SSH port number is to be 33322, enter:
Port 22
Port 33322
We recommend setting the custom port to a high five-digit port number (no higher than 65535).
You may ask why the # before Port 22 has to be removed first. In the configuration file, # is the comment character: anything after it is ignored by the program. Because the default SSH port (when none is specified manually) is 22, that line is commented out by default. When you need to specify other ports, or several ports that are reachable at the same time, you must remove the comment character so that the program actually applies the setting.
The steps above specify two SSH ports, 22 and 33322 (dual-port mode). Port 22 is kept so that you can still reach the VPS if the new port is blocked by some firewall: if 22 were dropped at this point and the firewall does not allow the newly specified port 33322, you might no longer be able to reach the VPS or server over SSH at all. To avoid unnecessary trouble, keep a way back in for yourself.
3. After modifying the file, restart the SSH service, then log out of the current SSH session. (As shown in the figure.)
service sshd restart
4. After the restart completes, try to log in using the new port.
When the connection succeeds, the client will ask you to accept the server's SSH-RSA host key again (the port is new to it); click Yes.
5. If access works normally, return to step 1 and, following step 2, comment out or delete the original Port 22 line, then restart SSH as in step 3.
After this restart, the default port 22 can no longer be used to reach SSH.
If you have enabled the iptables firewall, you must first open the new port 33322 in it.
Supplement: example of opening a port in iptables
For convenience, here is the iptables configuration of the firewall running on my existing server, which you can use directly.
Note the following text:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ssh port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# web port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# ftp port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# ftp passive mode port range
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT
# mysql port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After modifying the iptables rules, restart the firewall with either of:
/etc/init.d/iptables restart
service iptables restart
Note: the iptables configuration file is stored at /etc/sysconfig/iptables.
To save the running rules to it: service iptables save
Run iptables -L -n to view the ports currently open in iptables.
To start the iptables service automatically at boot:
chkconfig iptables on
Check the iptables service:
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
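The SSH port change and the iptables addition above, as an added shell example that is not part of the original post. It works on copies of the two files (paths are passed as arguments; the live paths /etc/ssh/sshd_config and /etc/sysconfig/iptables are the ones named in the post), also covers the FTP PASV range used later on this page, and the function and variable names are my own.

```shell
# Added example, not from the original post: rehearses the dual-port change on
# COPIES of the two files so the edits can be inspected before touching the
# live /etc/ssh/sshd_config and /etc/sysconfig/iptables (paths from the post).

# Steps 1-2: turn "#Port 22" into "Port 22" and add "Port <new>" after it, so
# both 22 and the new port are listened on until the new port is verified.
add_ssh_port() {
    cfg="$1"; new="$2"
    cp "$cfg" "$cfg.bak"                                   # fallback copy
    sed -E 's/^#[[:space:]]*Port[[:space:]]+22[[:space:]]*$/Port 22/' "$cfg" \
        > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # Append the new port only once.
    grep -Eq "^Port[[:space:]]+$new[[:space:]]*$" "$cfg" || echo "Port $new" >> "$cfg"
}

# Run this before "service sshd restart": sshd -t rejects a malformed file,
# which is what stops you restarting into a daemon that will not come back up.
check_sshd_config() {
    sshd -t -f "$1"
}

# Open a TCP port (or a range such as 20000:30000 for FTP PASV) in an
# iptables-save style file. The ACCEPT must be inserted ABOVE the closing
# "-A INPUT -j REJECT" line: appended after it, the REJECT matches first and
# the new SSH port stays unreachable even though the rule "is there".
open_tcp_port() {
    rules="$1"; port="$2"
    rule="-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    grep -Fq -- "$rule" "$rules" && return 0               # already present
    awk -v rule="$rule" \
        '/^-A INPUT -j REJECT/ && !done { print rule; done = 1 } { print }' \
        "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    grep -Fq -- "$rule" "$rules"                           # fails if no REJECT line
}

# Check where a port's ACCEPT sits relative to the INPUT REJECT: prints "ok"
# when it comes first, "shadowed" when it comes after, "missing" when absent.
port_rule_status() {
    awk -v port="$2" '
        index($0, "--dport " port " -j ACCEPT") && !seen { seen = NR }
        /^-A INPUT -j REJECT/ && !rej { rej = NR }
        END { if (!seen) print "missing"
              else if (rej && seen > rej) print "shadowed"
              else print "ok" }' "$1"
}

# Usage on a copy (33322 is the example port from the post):
#   cp /etc/sysconfig/iptables ./iptables.test; open_tcp_port ./iptables.test 33322
#   port_rule_status ./iptables.test 33322        # expect "ok"
```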
Note the FTP ports opened above. The default FTP port 21 must be open, but FTP client software usually tries a passive-mode (PASV) connection several times first and only falls back to an active-mode (PORT) connection when PASV fails.
If only port 21 is open there is a problem: in PASV mode the server also uses a random free port for the data connection, taken from its configured range (20000 to 30000 here). We therefore need to add that port range to the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:30000 -j ACCEPT
FTP PASV (passive) and PORT (active) modes explained:
The FTP protocol uses two TCP connections: a command connection, used to pass commands between the FTP client and the server, and a data connection, used to upload or download data.
FTP can work in two ways: PORT mode (active) and PASV mode (passive).
PORT (active) mode:
FTP server: tcp 21 <------ client: dynamic (command connection, opened by the client)
FTP server: tcp 20 ------> client: dynamic (data connection, opened by the server)
PASV (passive) mode:
FTP server: tcp 21 <------ client: dynamic (command connection, opened by the client)
FTP server: tcp dynamic <------ client: dynamic (data connection, opened by the client)
Difference between PORT mode and PASV mode:
1. PORT mode: easy for the FTP administrator, but poor compatibility. For example, a client inside a LAN will not be able to log on to the FTP server. If someone cannot log on in PORT mode, there is nothing you as the FTP administrator can do, however hard you try: the problem lies in the client's own firewall or gateway. PASV mode is therefore recommended for an FTP server.
2. PASV mode: good compatibility, but more demanding and more complicated for the FTP administrator to set up. The following examples show the situation with a firewall:
Take only a server directly on the Internet as an example:
This is the ideal situation. Port 21 must be opened first, then configure as follows:
Serv-U server on Windows:
Local Server -- Settings -- Advanced: in "PASV port range" enter a range that does not conflict with other ports, for example 3001-3020, then open that port range in the firewall.
PureFTPd server on Linux:
Add the port range 20000-30000 to the ports allowed by iptables.
If the firewall has not been set to allow the FTP PASV port range, the following connection log appears when a client connects to the server with FTP software:
[R] 227 Entering Passive Mode (, 51)
[R] Opening data connection IP: 18.104.22.168 Port: 28243
[R] Data Socket Error: No connection to the host
[R] List error
[R] 227 Entering Passive Mode (, 51, 60)
[R] Opening data connection IP: 22.214.171.124 Port: 29756
[R] Data Socket Error: No connection to the host
[R] List error
[R] PASV mode failed, trying PORT mode.
[R] Listening on port: 16585, waiting for connection.
[R] PORT 192,168, 64,201
[R] 200 PORT command successful
[R] 150 Connecting to port 16585
[R] 226 3 matches total
[R] List completed: 316 bytes in 0.11 seconds (2.7 KB/second)
[R] PORT mode is successful. Update the data connection mode in the site configuration file.
From the information returned by the FTP client we can see that it first attempted two PASV passive-mode connections. Because the 20000-30000 port range was not open, the PASV connections failed, and finally the active-mode PORT connection succeeded.
But as mentioned above, PORT mode has poor compatibility: a client inside a LAN will not be able to log on to the FTP server. We should therefore configure the PASV passive-mode port range on the FTP server and allow it in the firewall.