Security through obscurity is not something one would generally recommend. But changing the default OpenSSH port thwarts automated scanners and will cause you less pain in everyday life. It will not fend off directed attacks, nullify vulnerabilities or make up for bad security design.
Should you see an error message such as
sshd: error: Bind to port 9898 on 192.168.0.50 failed: Permission denied
it indicates that the system prevented the daemon from binding to that port, most likely because of SELinux.
The instructions provided will be valid on Fedora 14/15, CentOS 6, RHEL 6, Scientific Linux 6 and newer versions.
To change the default SSH port you need to do the following.
- Stop the SSH daemon
- Alter the /etc/ssh/sshd_config with your new port
- Alter the SELinux context with semanage
- Start the SSH daemon
Stop the SSH daemon
# service sshd stop
Alter the /etc/ssh/sshd_config with your new port
Alter the configuration file with your favorite editor, in my case “nano”.
# nano /etc/ssh/sshd_config
Alter the port configuration parameter by changing the following line
Alter the SELinux context with semanage
# semanage port -a -t ssh_port_t -p tcp 9898
You might initially think that the following command, which removes the default port 22 from ssh_port_t, would also work. It will not: for it to work you would have to alter the policy in the selinux-policy package, then rebuild and install it. So skip it, but now you know why.
# semanage port -d -t ssh_port_t -p tcp 22
Start the SSH daemon
# service sshd start
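The following pre-restart check is an added example, not part of the original instructions: it compares the Port directives in sshd_config with the tcp ports labelled ssh_port_t in the output of semanage port -l, which is the mismatch behind the "Permission denied" bind error above. The function names and the sample input are constructed for illustration; ListenAddress host:port entries and port ranges are not handled.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).

# Print the ports sshd will listen on, one per line.
# Commented-out lines ("#Port 22") are ignored; sshd defaults to 22.
sshd_ports() {   # $1 = path to sshd_config
    awk 'tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Print the tcp ports labelled ssh_port_t, reading `semanage port -l` text on stdin.
ssh_port_t_ports() {
    awk '$1 == "ssh_port_t" && $2 == "tcp" {
             for (i = 3; i <= NF; i++) { gsub(/,/, "", $i); print $i }
         }'
}

# Print every configured sshd port that lacks the ssh_port_t label.
# Returns 1 if any is found, i.e. sshd would fail to bind under SELinux.
unlabelled_ports() {   # $1 = sshd_config, $2 = file holding `semanage port -l` output
    allowed=$(ssh_port_t_ports < "$2")
    rc=0
    for p in $(sshd_ports "$1"); do
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, so the check can be tried without touching a real host.
tmp=$(mktemp -d)
printf '#Port 22\nPort 9898\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf 'ssh_port_t                     tcp      22\n' > "$tmp/before"
printf 'ssh_port_t                     tcp      9898, 22\n' > "$tmp/after"

echo "before semanage port -a: unlabelled = $(unlabelled_ports "$tmp/sshd_config" "$tmp/before")"
echo "after  semanage port -a: unlabelled = $(unlabelled_ports "$tmp/sshd_config" "$tmp/after")"

# On a real system (as root):
#   semanage port -l > /tmp/ports.txt
#   unlabelled_ports /etc/ssh/sshd_config /tmp/ports.txt && service sshd start
```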