Change SSH Port on AlmaLinux 8/9 with SELinux Enforcing


Thanks to Josphat Mutai for writing the original guide this KB article is based on.
Parts have been updated by us.


READ ME FIRST

This article is provided as a courtesy.
Installing, configuring, and troubleshooting third-party applications is outside the scope of basic support provided by Starburst Services.


PLEASE READ THIS COMPLETE GUIDE FIRST!

If you are uncomfortable making the changes, or have any questions, open a support ticket and we will make the change for you.


In this guide we will see how you can change the SSH service port on AlmaLinux 8/9 with SELinux running in Enforcing mode.

When SELinux is running in Enforcing mode, it applies the loaded SELinux policy and denies any access the policy rules do not allow.
The standard SSH port on most Linux/Unix systems is TCP port 22.
This can easily be changed to a custom port that is not used by another application on the system.

With SELinux in Enforcing mode, the new port must be labeled with the SSH port type (ssh_port_t); otherwise the policy rules that control access will not allow the sshd service to bind to it.

Follow the steps below to change the SSH port on an AlmaLinux server with SELinux running in Enforcing mode.


STEP 1 – Backup Current SSH Configuration

Log in to your AlmaLinux system and change to the SSH directory to back up your current SSH daemon configuration file:

cd /etc/ssh
date_format=`date +%Y_%m_%d:%H:%M:%S`
cp sshd_config sshd_config_$date_format

Confirm:

ls sshd_config*
sshd_config        sshd_config_2019_09_05:21:40:10

STEP 2 – Change SSH Service Port

Open the SSH service configuration file with your favorite text editor (vi, vim, nano etc.; we use nano in the example):

nano sshd_config

Locate the line that has:
#Port 22

Uncomment the Port line and set the new service port to be used.
The example uses port 33000:

Port 33000


STEP 3 – Allow New SSH Port On SELinux

The default port labeled for SSH is 22:

semanage port -l | grep ssh
ssh_port_t            tcp        22

To allow sshd to bind to the port you configured, add that port to the ssh_port_t type (the semanage command is provided by the policycoreutils-python-utils package on AlmaLinux 8/9):

semanage port -a -t ssh_port_t -p tcp 33000

Confirm that the new port has been added to the list of allowed ports for SSH:

semanage port -l | grep ssh
ssh_port_t            tcp        33000, 22

STEP 4 – Open SSH Port in Firewalld

Depending on your server's configuration, the firewalld service may or may not be running.
If you receive an error saying the service is not running when you run the commands below, do not worry.

firewall-cmd --add-port=33000/tcp --permanent
firewall-cmd --reload

You can now remove the ssh service (port 22) from the firewall:

firewall-cmd --remove-service=ssh --permanent
firewall-cmd --reload

STEP 5 – Restart SSHD Service

Restart the SSH service for the changes to take effect:

systemctl restart sshd

Verify that sshd is listening on the new port (netstat is provided by the net-tools package). Keep your current session open until you have confirmed that a new login on port 33000 works:

netstat -tunl | grep 33000
tcp          0        0 0.0.0.0:33000        0.0.0.0:*            LISTEN
tcp6        0        0 :::33000                :::*                    LISTEN
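As an added example (not part of the original KB article), the five steps above wrapped in a script with the checks a practitioner would want: the port is validated, sshd -t is run before the restart, the SELinux step picks semanage port -a or -m from the labels already present, and the firewalld ssh service is deliberately left in place until you have verified a login on the new port. Assumed: it runs as root on AlmaLinux 8/9 and is saved as change-ssh-port.sh (both names are my choice, not the guide's).

```bash
#!/bin/bash
# Added example, not part of the original KB: the guide's steps as checked
# functions. The helpers are pure (testable offline); change_ssh_port runs the
# privileged commands, and only when called as:  sudo ./change-ssh-port.sh --apply 33000
set -eu

# Accept an unprivileged port 1024-65535 (digits only); 22 is not a "new" port.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# Read `semanage port -l` output on stdin and print the action the port needs:
# "add" (unlabeled), "none" (already ssh_port_t) or "modify" (explicitly listed
# under another type, where `semanage port -a` fails with "already defined").
# A port that merely falls inside a range such as 32768-60999 still gets "add".
selinux_port_action() {
    local port="$1" proto="${2:-tcp}" verdict="add" type= p= ports= entry=
    while read -r type p ports || [ -n "$type" ]; do
        [ "$p" = "$proto" ] || continue
        for entry in $(printf '%s' "$ports" | tr ',' ' '); do   # word-split on purpose
            [ "$entry" = "$port" ] || continue
            if [ "$type" = "ssh_port_t" ]; then verdict="none"; else verdict="modify"; fi
        done
    done
    printf '%s\n' "$verdict"
}

change_ssh_port() {
    local port="$1" cfg=/etc/ssh/sshd_config
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$cfg" "${cfg}_$(date +%Y_%m_%d:%H:%M:%S)"          # Step 1: backup
    sed -i -E "s/^#?Port .*/Port $port/" "$cfg"                 # Step 2: set Port
    sshd -t -f "$cfg"                                           # abort before restart on a bad config
    case "$(semanage port -l | selinux_port_action "$port")" in # Step 3: SELinux label
        add)    semanage port -a -t ssh_port_t -p tcp "$port" ;;
        modify) semanage port -m -t ssh_port_t -p tcp "$port" ;;
    esac
    if systemctl -q is-active firewalld; then                   # Step 4: open port; ssh service kept for now
        firewall-cmd -q --permanent --add-port="${port}/tcp"
        firewall-cmd -q --reload
    fi
    systemctl restart sshd                                      # Step 5: restart and verify
    ss -tln | grep -q ":${port} " || { echo "sshd is not listening on $port" >&2; return 1; }
    echo "sshd listens on $port; open a second session on it before removing the ssh service from firewalld"
}

if [ "${1:-}" = "--apply" ] && [ "$#" -eq 2 ]; then change_ssh_port "$2"; fi
```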

Did you find this Knowledge Base article useful?

Please consider thanking our SysOp Team.


KB Article Written: 2023-01-15
