CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )

The tutorial will explain about how to change default ssh port number in OpenSSH Server on CentOS 7 and RHEL 7 . We will change the SSH default port no. 22 to our desired number and we will keep SELINUX enabled. We will also add new firewalld rule with respect to new ssh port number.

Generally for security point of view , we change the default ssh port number 22 to any other port number. Always be careful while selecting new port number. We should select the number above the “well known port number” that is above port number 1024 . Also we should not use same application /Utility specific default port number, for example just as we use in tomcat port 8080, MySQL 3306. In simple words, select the port number above 1024 as well as should not conflict with any application/utility/program etc.

Change SSH port number

First take the backup of sshd_config file.And then go for edit.

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig.$(date +%F)

Now edit the file /etc/ssh/sshd_config. Search for line #Port 22 or Port 22 .
Note: The # is used for commenting the line. But because ssh has well known port number 22 (below 1024). It will by default listen on port number 22.

Remove # from line Port 22. And the change 22 to new port number, here we have selected 2292 .

vi /etc/ssh/sshd_config

Port 2292

SELINUX for SSH

By default SELINUX only allow port no. 22 for ssh. Now add new port context 2292.
Note: Replace 2292 in case you have selected different port number

semanage port -a -t ssh_port_t -p tcp 2292

Now check once the port context for ssh

semanage port -l | grep ssh

Below given is output from our server

[root@localhost ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      2292, 22
[root@localhost ~]#

Now Restart the SSH service

systemctl restart sshd.service

Allow port 2292 with firewalld

Now allow port number 2292 for ssh. Run the below given command. It will permanently add the new firewalld rule in public zone for port 2292 with TCP protocol.

firewall-cmd --permanent --zone=public --add-port=2292/tcp

Reload firewalld

firewall-cmd --reload

Check listening ssh port with ss command

With ss command, you can find the listening port for ssh. Use below command for this

ss -tnlp|grep ssh

Below given output is reference from our server

[root@localhost ~]# ss -tnlp|grep ssh
LISTEN     0      128                       *:2292                     *:*      users:(("sshd",2786,3))
LISTEN     0      128                      :::2292                    :::*      users:(("sshd",2786,4))
[root@localhost ~]#

Try to do ssh access to server by using port no. 2292 from remote client.

ssh -p 2292 root@192.168.56.101

* Change 192.168.56.101 with your server ip address.
* Change 2292 with your new ssh port number as you set while reading this post.
* Change root with user name which is allowed to get ssh access in your server.

12 thoughts on “CentOS 7 / RHEL 7 : change OpenSSH port number ( SELINUX enabled )”

  1. Hi,

    When i try and do the above, i get an errror when restarting sshd – Failed to start Open ssh server daemon?

    Thanks
    Mason64

  2. I did same for AWS EC2 redhat instance, ssh is working on my desired port that is 20022 but still i am not able to login into it. Any idea, thanks in advance

    • Hello Navdeep,

      Check the logs for exact reason. Or while doing ssh use parameter -vvvv . example ssh -vvvv username@server-address. In verbose mode,you may also get error.

      Regards
      Sharad

  3. Thank you sooo much, that was most helpful example for remote(over internet) connection. 🙂

  4. Nice thnkz!

    Dont know why, but this is so hard to find in the oficial docs, and may sites dont have this command. I have a fresh minimal centos7 and even sshd comes installed, the port (yes, even the default) was close.

    Thnkz again.

  5. nice article. can we do the same for telnet. i would like to change the default 23 port to 2323 in centos 7 with 3.10 kernel. can you please let me know the steps.

Comments are closed.