Want more timely Centmin Mod News Updates?
Become a Member

Sysadmin Change default SSH port 22

Discussion in 'System Administration' started by Sunka, Mar 11, 2017.

  1. Sunka

    Sunka Active Member

    932
    243
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +394
    Local Time:
    4:11 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    I have backup server on ramnode.
    Installed centos 7, openVZ

    I can not change server time (Operation not permitted), but that it is not main problem, I can live with that.
    Main problem is changing default ssh port 22 to another.

    I can change it directly in /etc/ssh/sshd_config. I did that.
    All tutorials for second step suggest to enable the newly created port through SELinux.
    If get an error that semanage command not found, we shold install policycoreutils-python.

    OK, i installed policycoreutils-python but still error show up.

    As far as I know, there is not installed csf on server, but also there is not even default centos firewall cmd.

    So I could not enable that new port anywhere.

    I run "ss -tnlp|grep ssh" after I restart sshd service "systemctl restart sshd.service"

    And I see that ssh goes through new port, but I can not login with li nor sftp application with that new ssh port.

    So, my queston is how to secure that server which is without any firewall (even default one in centos)? Only thing I know is to change ssh port 22 to another number, but can not do that too.

    Code:
    [root@backup ~]# rpm -qa
    acl-2.2.51-12.el7.x86_64
    apr-1.4.8-3.el7.x86_64
    apr-util-1.5.2-6.el7.x86_64
    attr-2.4.46-12.el7.x86_64
    audit-libs-2.6.5-3.el7_3.1.x86_64
    audit-libs-python-2.6.5-3.el7_3.1.x86_64
    authconfig-6.2.8-14.el7.x86_64
    avahi-libs-0.6.31-17.el7.x86_64
    basesystem-10.0-7.el7.centos.noarch
    bash-4.2.46-21.el7_3.x86_64
    bind-9.9.4-38.el7_3.2.x86_64
    bind-libs-9.9.4-38.el7_3.2.x86_64
    bind-libs-lite-9.9.4-38.el7_3.2.x86_64
    bind-license-9.9.4-38.el7_3.2.noarch
    binutils-2.25.1-22.base.el7.x86_64
    bzip2-1.0.6-13.el7.x86_64
    bzip2-libs-1.0.6-13.el7.x86_64
    ca-certificates-2015.2.6-73.el7.noarch
    centos-logos-70.0.6-3.el7.centos.noarch
    centos-release-7-3.1611.el7.centos.x86_64
    checkpolicy-2.5-4.el7.x86_64
    chkconfig-1.7.2-1.el7.x86_64
    coreutils-8.22-18.el7.x86_64
    cpio-2.11-24.el7.x86_64
    cracklib-2.9.0-11.el7.x86_64
    cracklib-dicts-2.9.0-11.el7.x86_64
    cronie-1.4.11-14.el7_2.1.x86_64
    cronie-noanacron-1.4.11-14.el7_2.1.x86_64
    crontabs-1.11-6.20121102git.el7.noarch
    cryptsetup-libs-1.7.2-1.el7.x86_64
    cups-libs-1.6.3-26.el7.x86_64
    curl-7.29.0-35.el7.centos.x86_64
    cyrus-sasl-2.1.26-20.el7_2.x86_64
    cyrus-sasl-lib-2.1.26-20.el7_2.x86_64
    dbus-1.6.12-17.el7.x86_64
    dbus-libs-1.6.12-17.el7.x86_64
    device-mapper-1.02.135-1.el7_3.3.x86_64
    device-mapper-libs-1.02.135-1.el7_3.3.x86_64
    dhclient-4.2.5-47.el7.centos.x86_64
    dhcp-common-4.2.5-47.el7.centos.x86_64
    dhcp-libs-4.2.5-47.el7.centos.x86_64
    diffutils-3.3-4.el7.x86_64
    dracut-033-463.el7.x86_64
    e2fsprogs-1.42.9-9.el7.x86_64
    e2fsprogs-libs-1.42.9-9.el7.x86_64
    ed-1.9-4.el7.x86_64
    elfutils-0.166-2.el7.x86_64
    elfutils-libelf-0.166-2.el7.x86_64
    elfutils-libs-0.166-2.el7.x86_64
    epel-release-7-9.noarch
    ethtool-4.5-3.el7.x86_64
    expat-2.1.0-10.el7_3.x86_64
    fetchmail-6.3.24-5.el7.x86_64
    file-libs-5.11-33.el7.x86_64
    filesystem-3.2-21.el7.x86_64
    findutils-4.5.11-5.el7.x86_64
    finger-0.17-52.el7.x86_64
    finger-server-0.17-52.el7.x86_64
    fipscheck-1.4.1-5.el7.x86_64
    fipscheck-lib-1.4.1-5.el7.x86_64
    ftp-0.17-67.el7.x86_64
    gawk-4.0.2-4.el7.x86_64
    gdbm-1.10-8.el7.x86_64
    GeoIP-1.5.0-11.el7.x86_64
    glib2-2.46.2-4.el7.x86_64
    glibc-2.17-157.el7_3.1.x86_64
    glibc-common-2.17-157.el7_3.1.x86_64
    gmp-6.0.0-12.el7_1.x86_64
    gnupg2-2.0.22-4.el7.x86_64
    gpgme-1.3.2-5.el7.x86_64
    gpg-pubkey-352c64e5-52ae6884
    gpg-pubkey-f4a80eb5-53a7ff4b
    gpm-libs-1.20.7-5.el7.x86_64
    grep-2.20-2.el7.x86_64
    groff-base-1.22.2-8.el7.x86_64
    gzip-1.5-8.el7.x86_64
    hardlink-1.0-19.el7.x86_64
    hesiod-3.2.1-3.el7.x86_64
    hostname-3.13-3.el7.x86_64
    httpd-2.4.6-45.el7.centos.x86_64
    httpd-tools-2.4.6-45.el7.centos.x86_64
    hunspell-1.3.2-15.el7.x86_64
    hunspell-en-0.20121024-5.el7.noarch
    hunspell-en-GB-0.20121024-5.el7.noarch
    hunspell-en-US-0.20121024-5.el7.noarch
    info-5.1-4.el7.x86_64
    initscripts-9.49.37-1.el7.x86_64
    iproute-3.10.0-74.el7.x86_64
    iptables-1.4.21-17.el7.x86_64
    iptables-services-1.4.21-17.el7.x86_64
    iputils-20160308-8.el7.x86_64
    json-c-0.11-4.el7_0.x86_64
    keyutils-libs-1.5.8-3.el7.x86_64
    kmod-20-9.el7.x86_64
    kmod-libs-20-9.el7.x86_64
    kpartx-0.4.9-99.el7_3.1.x86_64
    krb5-libs-1.14.1-27.el7_3.x86_64
    less-458-9.el7.x86_64
    libacl-2.2.51-12.el7.x86_64
    libaio-0.3.109-13.el7.x86_64
    libarchive-3.1.2-10.el7_2.x86_64
    libassuan-2.1.0-3.el7.x86_64
    libattr-2.4.46-12.el7.x86_64
    libblkid-2.23.2-33.el7.x86_64
    libcap-2.22-8.el7.x86_64
    libcap-ng-0.7.5-4.el7.x86_64
    libcgroup-0.41-11.el7.x86_64
    libcom_err-1.42.9-9.el7.x86_64
    libcurl-7.29.0-35.el7.centos.x86_64
    libdb-5.3.21-19.el7.x86_64
    libdb-utils-5.3.21-19.el7.x86_64
    libedit-3.0-12.20121213cvs.el7.x86_64
    libestr-0.1.9-2.el7.x86_64
    libffi-3.0.13-18.el7.x86_64
    libgcc-4.8.5-11.el7.x86_64
    libgcrypt-1.5.3-13.el7_3.1.x86_64
    libgpg-error-1.12-3.el7.x86_64
    libidn-1.28-4.el7.x86_64
    libldb-1.1.26-1.el7.x86_64
    libmnl-1.0.3-7.el7.x86_64
    libmount-2.23.2-33.el7.x86_64
    libnetfilter_conntrack-1.0.4-2.el7.x86_64
    libnfnetlink-1.0.1-4.el7.x86_64
    libpcap-1.5.3-8.el7.x86_64
    libpipeline-1.2.3-3.el7.x86_64
    libpwquality-1.2.3-4.el7.x86_64
    libselinux-2.5-6.el7.x86_64
    libselinux-python-2.5-6.el7.x86_64
    libselinux-utils-2.5-6.el7.x86_64
    libsemanage-2.5-5.1.el7_3.x86_64
    libsemanage-python-2.5-5.1.el7_3.x86_64
    libsepol-2.5-6.el7.x86_64
    libsmbclient-4.4.4-12.el7_3.x86_64
    libss-1.42.9-9.el7.x86_64
    libssh2-1.4.3-10.el7_2.1.x86_64
    libstdc++-4.8.5-11.el7.x86_64
    libtalloc-2.1.6-1.el7.x86_64
    libtasn1-3.8-3.el7.x86_64
    libtdb-1.3.8-1.el7_2.x86_64
    libtevent-0.9.28-1.el7.x86_64
    libtirpc-0.2.4-0.8.el7.x86_64
    libuser-0.60-7.el7_1.x86_64
    libutempter-1.1.6-4.el7.x86_64
    libuuid-2.23.2-33.el7.x86_64
    libverto-0.2.5-4.el7.x86_64
    libwbclient-4.4.4-12.el7_3.x86_64
    libxml2-2.9.1-6.el7_2.3.x86_64
    lm_sensors-libs-3.4.0-4.20160601gitf9185e5.el7.x86_64
    logrotate-3.8.6-12.el7.x86_64
    lsof-4.87-4.el7.x86_64
    lua-5.1.4-15.el7.x86_64
    lzo-2.06-8.el7.x86_64
    m4-1.4.16-10.el7.x86_64
    mailcap-2.1.41-2.el7.noarch
    mailx-12.5-12.el7_0.x86_64
    make-3.82-23.el7.x86_64
    man-db-2.6.3-9.el7.x86_64
    man-pages-3.53-5.el7.noarch
    mariadb-libs-5.5.52-1.el7.x86_64
    mlocate-0.26-6.el7.x86_64
    nano-2.3.1-10.el7.x86_64
    ncompress-4.2.4.4-3.el7.x86_64
    ncurses-5.9-13.20130511.el7.x86_64
    ncurses-base-5.9-13.20130511.el7.noarch
    ncurses-libs-5.9-13.20130511.el7.x86_64
    net-snmp-5.7.2-24.el7_2.1.x86_64
    net-snmp-agent-libs-5.7.2-24.el7_2.1.x86_64
    net-snmp-libs-5.7.2-24.el7_2.1.x86_64
    net-snmp-utils-5.7.2-24.el7_2.1.x86_64
    newt-0.52.15-4.el7.x86_64
    newt-python-0.52.15-4.el7.x86_64
    nscd-2.17-157.el7_3.1.x86_64
    nspr-4.11.0-1.el7_2.x86_64
    nss-3.21.3-2.el7_3.x86_64
    nss-softokn-3.16.2.3-14.4.el7.x86_64
    nss-softokn-freebl-3.16.2.3-14.4.el7.x86_64
    nss-sysinit-3.21.3-2.el7_3.x86_64
    nss-tools-3.21.3-2.el7_3.x86_64
    nss-util-3.21.3-1.1.el7_3.x86_64
    ntsysv-1.7.2-1.el7.x86_64
    openldap-2.4.40-13.el7.x86_64
    openssh-6.6.1p1-33.el7_3.x86_64
    openssh-clients-6.6.1p1-33.el7_3.x86_64
    openssh-server-6.6.1p1-33.el7_3.x86_64
    openssl-1.0.1e-60.el7_3.1.x86_64
    openssl-libs-1.0.1e-60.el7_3.1.x86_64
    p11-kit-0.20.7-3.el7.x86_64
    p11-kit-trust-0.20.7-3.el7.x86_64
    pam-1.1.8-18.el7.x86_64
    passwd-0.79-4.el7.x86_64
    pcre-8.32-15.el7_2.1.x86_64
    perl-5.16.3-291.el7.x86_64
    perl-Carp-1.26-244.el7.noarch
    perl-constant-1.27-2.el7.noarch
    perl-Data-Dumper-2.145-3.el7.x86_64
    perl-Encode-2.51-7.el7.x86_64
    perl-Exporter-5.68-3.el7.noarch
    perl-File-Path-2.09-2.el7.noarch
    perl-File-Temp-0.23.01-3.el7.noarch
    perl-Filter-1.49-3.el7.x86_64
    perl-Getopt-Long-2.40-2.el7.noarch
    perl-HTTP-Tiny-0.033-3.el7.noarch
    perl-libs-5.16.3-291.el7.x86_64
    perl-macros-5.16.3-291.el7.x86_64
    perl-parent-0.225-244.el7.noarch
    perl-PathTools-3.40-5.el7.x86_64
    perl-Pod-Escapes-1.04-291.el7.noarch
    perl-podlators-2.5.1-3.el7.noarch
    perl-Pod-Perldoc-3.20-4.el7.noarch
    perl-Pod-Simple-3.28-4.el7.noarch
    perl-Pod-Usage-1.63-3.el7.noarch
    perl-Scalar-List-Utils-1.27-248.el7.x86_64
    perl-Socket-2.010-4.el7.x86_64
    perl-Storable-2.45-3.el7.x86_64
    perl-Text-ParseWords-3.29-4.el7.noarch
    perl-threads-1.87-4.el7.x86_64
    perl-threads-shared-1.43-6.el7.x86_64
    perl-Time-HiRes-1.9725-3.el7.x86_64
    perl-Time-Local-1.2300-2.el7.noarch
    pinentry-0.8.1-17.el7.x86_64
    pkgconfig-0.27.1-4.el7.x86_64
    policycoreutils-2.5-11.el7_3.x86_64
    popt-1.13-16.el7.x86_64
    procmail-3.22-35.el7.x86_64
    procps-ng-3.3.10-10.el7.x86_64
    psmisc-22.20-11.el7.x86_64
    pth-2.0.7-23.el7.x86_64
    pygpgme-0.3-9.el7.x86_64
    pyliblzma-0.5.3-11.el7.x86_64
    pytalloc-2.1.6-1.el7.x86_64
    python-2.7.5-48.el7.x86_64
    python-iniparse-0.4-9.el7.noarch
    python-IPy-0.75-6.el7.noarch
    python-libs-2.7.5-48.el7.x86_64
    python-pycurl-7.19.0-19.el7.x86_64
    python-urlgrabber-3.10-8.el7.noarch
    pyxattr-0.5.1-5.el7.x86_64
    qrencode-libs-3.4.1-3.el7.x86_64
    quota-4.01-14.el7.x86_64
    quota-nls-4.01-14.el7.noarch
    readline-6.2-9.el7.x86_64
    rootfiles-8.1-11.el7.noarch
    rpcbind-0.2.0-38.el7.x86_64
    rpm-4.11.3-21.el7.x86_64
    rpm-build-libs-4.11.3-21.el7.x86_64
    rpm-libs-4.11.3-21.el7.x86_64
    rpm-python-4.11.3-21.el7.x86_64
    rsnapshot-1.4.2-2.el7.noarch
    rsync-3.0.9-17.el7.x86_64
    rsyslog-7.4.7-16.el7.x86_64
    samba-4.4.4-12.el7_3.x86_64
    samba-client-4.4.4-12.el7_3.x86_64
    samba-client-libs-4.4.4-12.el7_3.x86_64
    samba-common-4.4.4-12.el7_3.noarch
    samba-common-libs-4.4.4-12.el7_3.x86_64
    samba-common-tools-4.4.4-12.el7_3.x86_64
    samba-libs-4.4.4-12.el7_3.x86_64
    screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64
    sed-4.2.2-5.el7.x86_64
    sendmail-8.14.7-4.el7.x86_64
    sendmail-cf-8.14.7-4.el7.noarch
    setools-libs-3.3.8-1.1.el7.x86_64
    setup-2.8.71-7.el7.noarch
    setuptool-1.19.11-8.el7.x86_64
    shadow-utils-4.1.5.1-24.el7.x86_64
    shared-mime-info-1.1-9.el7.x86_64
    slang-2.2.4-11.el7.x86_64
    sqlite-3.7.17-8.el7.x86_64
    stunnel-4.56-6.el7.x86_64
    sudo-1.8.6p7-21.el7_3.x86_64
    systemd-219-30.el7_3.7.x86_64
    systemd-libs-219-30.el7_3.7.x86_64
    systemd-sysv-219-30.el7_3.7.x86_64
    sysvinit-tools-2.88-14.dsf.el7.x86_64
    talk-0.17-46.el7.x86_64
    talk-server-0.17-46.el7.x86_64
    tar-1.26-31.el7.x86_64
    tcp_wrappers-7.6-77.el7.x86_64
    tcp_wrappers-libs-7.6-77.el7.x86_64
    tcpdump-4.5.1-3.el7.x86_64
    tcsh-6.18.01-13.el7_3.1.x86_64
    telnet-0.17-60.el7.x86_64
    time-1.7-45.el7.x86_64
    tmpwatch-2.11-5.el7.x86_64
    traceroute-2.0.22-2.el7.x86_64
    tzdata-2016j-1.el7.noarch
    unzip-6.0-16.el7.x86_64
    usermode-1.111-5.el7.x86_64
    ustr-1.0.4-16.el7.x86_64
    util-linux-2.23.2-33.el7.x86_64
    vim-common-7.4.160-1.el7_3.1.x86_64
    vim-enhanced-7.4.160-1.el7_3.1.x86_64
    vim-filesystem-7.4.160-1.el7_3.1.x86_64
    vim-minimal-7.4.160-1.el7_3.1.x86_64
    vzdummy-systemd-el7-1.0-2.noarch
    wget-1.14-13.el7.x86_64
    which-2.20-7.el7.x86_64
    xinetd-2.3.15-13.el7.x86_64
    xz-5.2.2-1.el7.x86_64
    xz-libs-5.2.2-1.el7.x86_64
    yum-3.4.3-150.el7.centos.noarch
    yum-metadata-parser-1.1.4-10.el7.x86_64
    yum-plugin-fastestmirror-1.1.31-40.el7.noarch
    zlib-1.2.7-17.el7.x86_64
    20-27-30.png
     
  2. eva2000

    eva2000 Administrator Staff Member

    31,022
    6,925
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,431
    Local Time:
    1:11 PM
    Nginx 1.13.x
    MariaDB 5.5
    Reverse all changes you did manually and just use centmin.sh menu option 16 to change sshd port, it will ask you first for the default sshd port and then ask you for the new port number you want to change to. Then it will automatically make the change and update CSF Firewall whitelisted port setting for sshd. Then start a new sshd session with new sshd port to test if it's working all while keeping existing sshd session alive

    But if this is non-centmin mod based server, you'd need to do that yourself and whitelist it via iptables or firewalld (if on centos 7)
     
  3. Sunka

    Sunka Active Member

    932
    243
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +394
    Local Time:
    4:11 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    centmin is not installed because there is only 128 MB Ram server.
    As I said, firewalld is not installed also, I do not know why, because I think that it is installed by default with centos, but not in my case.

    So I have only iptables.

    Should I do this than:
    • edit /etc/ssh/sshd_config and change port 22 to xxx
    • restart sshd service "systemctl restart sshd.service"
    • edit IPTables "iptables -A INPUT -p tcp --dport xxx -j ACCEPT"
    • service iptables save
    That would be all than?

    Any suggest to secure server more?
    P.S. Server is just backup server with 128 MB ram
     
  4. Sunka

    Sunka Active Member

    932
    243
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +394
    Local Time:
    4:11 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    Or this for IPtables
    Code:
    iptables -I INPUT -p tcp --dport xxxx --syn -j ACCEPT
     
  5. Sunka

    Sunka Active Member

    932
    243
    43
    Oct 31, 2015
    Rijeka, Croatia
    Ratings:
    +394
    Local Time:
    4:11 AM
    Nginx 1.13.3
    MariaDB 10.1.24
    Got it working.
    I have installed centos 7 but for unknown reason it comes without firewalld, so it is only matter of IP tables.

    If anyone need right steps:

    Edit port 22 to XXX port (number of port you want) and uncomment that line
    Code (Text):
    nano /etc/ssh/sshd_config


    Make rule for wanted port in IPTables
    Code (Text):
    iptables -I INPUT -p tcp --dport XXX --syn -j ACCEPT


    Restart sshd service
    Code (Text):
    systemctl restart sshd.service


    Check to what port sshd is connected
    Code (Text):
    ss -tnlp | grep ssh
     
    • Informative Informative x 2