Change the default SSH port and alter SELinux context to match

Security through obscurity is not something one would generally recommend. But to thwart the efforts of automated scanners, changing the default OpenSSH port will spare you a lot of pain in everyday life. This will not fend off directed attacks or nullify vulnerabilities or bad security design.

Should you see an error message such as

shd[14221]: error: Bind to port 9898 on 192.168.0.50 failed: Permission denied

it indicates that the system prevented the daemon from binding to that port, most likely because of SELinux.

The instructions provided are valid on Fedora 14/15, CentOS 6, RHEL 6, Scientific Linux 6 and newer versions.

To change the default SSH port you need to do the following.

  • Stop the SSH daemon
  • Alter the /etc/ssh/sshd_config with your new port
  • Alter the SELinux context with semanage
  • Start the SSH daemon

Stop the SSH daemon

# service sshd stop

Alter the /etc/ssh/sshd_config with your new port

Alter the configuration file with your favorite editor, in my case “nano”.

# nano /etc/ssh/sshd_config

Alter the port configuration parameter: change the following line

Port 22

to

Port 9898

Alter the SELinux context with semanage

# semanage port -a -t ssh_port_t -p tcp 9898

Initially you might think the following would also work, removing port 22 from the ssh_port_t type. But it will not: port 22 is defined by the selinux-policy package, so for it to work you would have to alter the policy in that package, rebuild and install it. So skip it, but now you know why.

# semanage port -d -t ssh_port_t -p tcp 22

Start the SSH daemon

# service sshd start
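The four steps above as a script, added here as an example and not code from the original post. It rewrites the Port line of an sshd_config file (handling the commented-out "#Port 22" of a stock file), and it reads the output of "semanage port -l" to decide whether the new port needs "semanage port -a" (add), "semanage port -m" (modify, when another type already owns the port, as with tcp/53 in the comments) or nothing at all. Assumptions: the port listing is a constructed sample in the same layout as "semanage port -l", and only ports listed individually are compared (ranges such as 1024-65535 are ignored). The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Prepares the sshd_config and
# semanage changes described above and runs a dry run against constructed
# input; nothing here touches the live system.

# Constructed sample in the layout of "semanage port -l" (not real output).
SAMPLE_PORT_LIST='ssh_port_t                     tcp      22
printer_port_t                 tcp      515, 631
dns_port_t                     tcp      53
dns_port_t                     udp      53
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'

# set_sshd_port FILE PORT: leave FILE with exactly one active "Port PORT" line.
set_sshd_port() {
    file=$1; port=$2
    if grep -Eq '^#?Port[[:space:]]+[0-9]+' "$file"; then
        # Replace the existing (possibly commented-out) Port line in place.
        sed -E "s/^#?Port[[:space:]]+[0-9]+.*/Port $port/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# port_types PORT LISTING: print each SELinux type whose tcp entry lists PORT.
# Only individually listed ports are compared; ranges (a-b) are skipped.
port_types() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                f = $i; gsub(",", "", f)
                if (f ~ /^[0-9]+$/ && f + 0 == p + 0) print $1
            }
        }'
}

# semanage_action PORT LISTING: "none" (already ssh_port_t), "add" or "modify".
semanage_action() {
    types=$(port_types "$1" "$2")
    if printf '%s\n' "$types" | grep -qx ssh_port_t; then
        echo none
    elif [ -z "$types" ]; then
        echo add          # not defined for any type: semanage port -a
    else
        echo modify       # owned by another type: semanage port -m
    fi
}

# semanage_command PORT LISTING: the semanage invocation to run, or nothing.
semanage_command() {
    case $(semanage_action "$1" "$2") in
        add)    echo "semanage port -a -t ssh_port_t -p tcp $1" ;;
        modify) echo "semanage port -m -t ssh_port_t -p tcp $1" ;;
        none)   ;;
    esac
}

# Dry run: a throwaway stock-style config plus the constructed port listing.
demo() {
    tmp=$(mktemp)
    printf '#Port 22\nProtocol 2\n' > "$tmp"
    set_sshd_port "$tmp" 9898
    grep '^Port ' "$tmp"
    rm -f "$tmp"
    for p in 22 53 9898; do
        printf '%s -> %s: %s\n' "$p" "$(semanage_action "$p" "$SAMPLE_PORT_LIST")" \
            "$(semanage_command "$p" "$SAMPLE_PORT_LIST")"
    done
}
demo
```

On a real host you would feed the live listing instead of the sample, for example `semanage_command 9898 "$(semanage port -l)"`, and run the printed command (as root) between stopping and starting sshd. Remember that a firewall rule for the new port is a separate step this script does not perform.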

// CrashMAG

5 thoughts on “Change the default SSH port and alter SELinux context to match”

  1. I also want to give access to port 53 for a DNS port tunnel. When I type semanage port -a -t ssh_port_t -p tcp 53 I get /usr/sbin/semanage: Port tcp/53 already defined. What should I do?

    1. Change the “-a” switch to “-m”, for “modify”. I had to do this with TCP 515 for syslog purposes (TCP 515 already defined for lpd/cups as “printer_port_t”). You’ll end up with both security context types being allowed for that port.

      Also remember to allow that port through iptables, if it isn’t already.

      –SYG

  2. I was stuck at this, thanks for the help. You might want to include Fedora in the title of this article since I’m sure most people would search that while reaching here.
