Wed. Dec 8th, 2021

Switching the SSH listening port is a straightforward method to assist safe distant login in your Linux servers. However when SELinux is concerned, it’s a must to take a number of further steps. Jack Wallen exhibits you the way.

SSH over servers

Picture: Funtap/Shutterstock

SSH has a whole lot of tips up its sleeve for safety, certainly one of which is to configure the service to make use of a non-standard port. Out of the field, SSH makes use of port 22. If you would like a straightforward option to journey up would-be hacking makes an attempt, you possibly can configure that service to make use of a unique port, equivalent to 33000. 

SEE: Safety incident response coverage (TechRepublic Premium)

On Linux distributions that do not use SELinux, this course of is kind of straightforward. Nevertheless, if SELinux is concerned, you possibly can’t merely change the port, with out letting the safety system in in your little secret.

And that is precisely what I will do right here, configure Fedora 35 to make use of port 33000 for incoming SSH visitors. This identical course of will work on any Linux distribution that makes use of SELinux (equivalent to RHEL, Alma Linux and Rocky Linux). 

With that stated, let’s get to work.

What you will want

To make this transformation, you will want a working occasion of a Linux distribution that features SELinux in addition to the SSH server put in and a consumer with sudo entry.

Easy methods to change the default SSH port

The very first thing we’ll do is change the default port SSH makes use of, which is discovered within the sshd_config file. Open that file for modifying with the command:

sudo nano /and so forth/ssh/sshd_config

In that file, search for the road:

#Port 22

Change that line to learn:

Port 33000

Save and shut the file. 

Do not restart the daemon simply but, as we first have to cope with SELinux.

Easy methods to alert SELinux to the change

The very first thing we’ll do is verify to verify SELinux is conscious of SSH. Difficulty the command:

sudo semanage port -l | grep ssh

You must see listed:

ssh_port_t   tcp   22

So SELinux is permitting SSH visitors into port 22. We’ll change that to 33000 with the command:

sudo semanage port -a -t ssh_port_t -p tcp 33000

Now, if we verify which port is getting used, it ought to come again as:

ssh_port_t   tcp   33000, 22

Though SELinux is permitting port 22, SSH will not be listening to that port, so it isn’t a problem.

Easy methods to open the firewall to port 33000

Subsequent, we should open the firewall to permit SSH visitors in by way of port 33000. For this, we difficulty the command:

sudo firewall-cmd --add-port=33000/tcp --permanent

Subsequent, reload the firewall with:

sudo firewall-cmd --reload

Subsequent, we’ll disable the usual SHH port by way of the firewall with:

sudo firewall-cmd --remove-service=ssh --permanent

As soon as once more, reload the firewall with:

sudo firewall-cmd --reload

Easy methods to restart the SSH daemon and log in

We will now restart the SSH daemon with:

sudo systemctl restart sshd

Log into the newly configured server with:

ssh USER@SERVER -p 33000

The place USER is a distant username and SERVER is the IP tackle (or area) of the distant server.

And that is the way you configure SSH to make use of a non-standard port on a Linux distribution that makes use of SELinux. You must contemplate switching your entire servers to utilizing a non-standard port for the SSH service. Once you couple that with different SSH hardening tips, you will go a protracted option to stopping undesirable customers from having access to your servers.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the most recent tech recommendation for enterprise professionals from Jack Wallen.

Additionally see

Source link

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *