Change SSH Port on AlmaLinux 8/9 with SELinux Enforcing
Thanks to Josphat Mutai for writing the original guide this KB article is based on.
Parts have been updated by us.
READ ME FIRST
This article is provided as a courtesy.
Installing, configuring, and troubleshooting third-party applications is outside the scope of basic support provided by Starburst Services.
PLEASE READ THIS COMPLETE GUIDE FIRST!
If you are uncomfortable making the changes, or have any questions, open a support ticket and we will make the change for you.
In this guide we will see how to change the SSH service port on AlmaLinux 8/9 with SELinux running in Enforcing mode.
When SELinux runs in Enforcing mode, every access that the loaded policy does not explicitly allow is denied (and logged as an AVC denial), rather than merely logged as it would be in Permissive mode.
The standard SSH port on most Linux/Unix systems is TCP port 22.
This can be changed to a custom port that no other application on the system is using.
With SELinux enforcing, sshd is only permitted to bind to ports labeled ssh_port_t, so the new port must be added to that type before the service is restarted; otherwise sshd fails to start with a "Permission denied" bind error and you may be locked out of the server.
Follow the steps below, in order, to change the SSH port on an AlmaLinux server with SELinux in Enforcing mode. Keep your current SSH session open throughout and only close it after you have confirmed a login on the new port from a second session.
STEP 1 – Backup Current SSH Configuration
Login to your AlmaLinux system and change to the SSH directory to backup your current SSH daemon configuration file:
cd /etc/ssh
date_format=`date +%Y_%m_%d:%H:%M:%S`
cp sshd_config sshd_config_$date_format
Confirm:
ls sshd_config*
sshd_config sshd_config_2019_09_05:21:40:10
STEP 2 – Change SSH Service Port
Open SSH service configuration file with your favorite text editor vi, vim, nano etc. (we use nano in the example):
nano sshd_config
Locate line that has:
#Port 22
Uncomment the Port line and set the new service port to be used.
This example uses port 33000:
Port 33000
On AlmaLinux 9 the top of sshd_config contains an Include line for /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it reads for each directive, so check that no drop-in file in that directory sets Port as well. Save the file and validate the syntax with sshd -t before going further; it prints nothing when the configuration is valid.
STEP 3 – Allow New SSH Port On SELinux
The default port labeled for SSH is 22:
semanage port -l | grep ssh
ssh_port_t tcp 22
To let sshd bind to the newly configured port, add that port to the ssh_port_t type with the semanage port command (add mode, type ssh_port_t, protocol tcp, port 33000). The semanage utility is provided by the policycoreutils-python-utils package on AlmaLinux 8/9. If semanage reports that the port is already defined, it is already labeled with another type; use the modify option instead of the add option in that case.
Confirm that the new port has been added to list of allowed ports for SSH:
semanage port -l | grep ssh
ssh_port_t tcp 33000, 22
STEP 4 – Open SSH Port in Firewalld
Depending on your server's individual configuration, the firewalld service may or may not be running.
If the commands below report that firewalld is not running, the firewall is not filtering traffic and you can skip this step.
firewall-cmd --add-port=33000/tcp --permanent
firewall-cmd --reload
Once you have confirmed in STEP 5 that you can log in on the new port, you can remove the ssh service rule, which closes port 22 in the firewall:
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --reload
STEP 5 – Restart SSHD Service
Restart SSH service for the changes to take effect:
systemctl restart sshd
Verify that sshd is listening on the new port. netstat requires the net-tools package, which is not installed by default on AlmaLinux 9; ss -tunl from iproute is an equivalent check.
netstat -tunl | grep 33000
tcp 0 0 0.0.0.0:33000 0.0.0.0:* LISTEN
tcp6 0 0 :::33000 :::* LISTEN
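The script below is an added worked example, not part of the original guide, that automates STEPS 1 to 5 above on AlmaLinux 8/9. The file name change-ssh-port.sh and the helper function names are assumptions made for this example. The pure helpers take a file path or read a listing from stdin so they can be tried on a copy of sshd_config before anything on the live system is changed; the privileged steps only run when the script is invoked as root with the word apply.

```shell
#!/bin/sh
# Added example for the KB article above (not from the original guide).
# Usage, as root on AlmaLinux 8/9:  sh change-ssh-port.sh apply 33000
set -eu

# Accept only a TCP port in 1024-65535 that is not the default 22.
port_is_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ] && [ "$1" -ne 22 ]
}

# STEP 2 helper: set "Port N" in an sshd_config file. A commented or
# active Port line is replaced; if none exists one is appended.
# Prints the resulting Port line so the change can be checked.
set_sshd_port() {
    cfg="$1"; port="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    grep -E '^Port ' "$cfg"
}

# STEP 3 helper: read "semanage port -l" output on stdin and succeed if
# the port is already listed under ssh_port_t/tcp. Handles the comma
# separated form ("33000, 22") and port ranges ("30000-34000").
ssh_port_labeled() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /-/) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) ok = 1
                } else if (v + 0 == p + 0) {
                    ok = 1
                }
            }
        }
        END { exit ok ? 0 : 1 }'
}

# The actual change, mirroring STEPS 1-5 of the guide. Requires root.
change_ssh_port() {
    port="$1"
    port_is_valid "$port" || { echo "invalid port: $port" >&2; exit 1; }
    cfg=/etc/ssh/sshd_config

    # STEP 1: timestamped backup, preserving mode and ownership.
    cp -p "$cfg" "$cfg.$(date +%Y_%m_%d_%H%M%S)"

    # STEP 2: set the port, then validate the syntax before restarting.
    set_sshd_port "$cfg" "$port"
    sshd -t

    # STEP 3: label the port ssh_port_t. "-a" fails when the port already
    # carries another type, in which case "-m" changes its type instead.
    if ! semanage port -l | ssh_port_labeled "$port"; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi

    # STEP 4: open the port in firewalld only if the service is running.
    # The ssh service (port 22) is deliberately left open here; remove it
    # by hand after a login on the new port has succeeded.
    if firewall-cmd --state >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port"/tcp
        firewall-cmd --reload
    fi

    # STEP 5: restart and show the listening socket (ss replaces netstat).
    systemctl restart sshd
    ss -tln "sport = :$port"
    echo "Open a NEW session with 'ssh -p $port user@host' before closing this one."
}

case "${1:-}" in
    apply) change_ssh_port "${2:-}" ;;
esac
```

Run it first without the apply argument on a copy of sshd_config (for example set_sshd_port /tmp/sshd_config.copy 33000 after sourcing the file) to see exactly which line it will rewrite; only then run it with apply as root, and keep the original session open until a login on the new port works.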
Did you find this Knowledge Base Article useful?
Please consider thanking our SysOp Team.
KB Article Written: 2023-01-15