Rabina Twayana

Enhance Server Security: Configuring SSH to Listen on a Non-Default Port and Enabling Public-Key Authentication

Configuring SSH to Listen on a Non-Default Port

SSH is a widely used protocol for secure remote access and management of servers and network devices. By default, SSH listens on port 22, but it can be configured to listen on a different port to reduce the volume of automated attacks that target the default port.

However, keep in mind that ports 0 through 1023 are the well-known ports reserved for system services, so it's recommended to choose a port number between 1024 and 65535.

To configure SSH to listen on a non-default port on the server, follow these steps:

1. Check SSH status:

Run the following command to check the SSH status, along with other relevant information, including the port number being used by SSH:

service ssh status

OR

systemctl status sshd

If the SSH service is not active, run the following command to start it:

service ssh start

OR

systemctl start sshd

2. Check SSH Port Number:

After executing the command in the first step, you will already know the SSH port number. Nevertheless, it's also possible to check the port number directly by running the following command:

grep -i port /etc/ssh/sshd_config

Note: The location of the sshd_config file can differ depending on the operating system you are using. In this instance, I am using a Debian-based Linux system.

3. Change SSH Port Number:

To modify the SSH port, you need to make changes to the SSH configuration file. To begin, open the configuration file in a text editor:

nano /etc/ssh/sshd_config

Then change the SSH port number by uncommenting the line beginning with Port and specifying the new port number, as below:

Port [NEW PORT]
where, [NEW PORT] is the desired port number.

Example: Port 2222
This will set the new port number as 2222.

After making the necessary changes, save the file and exit the text editor.

Now, restart the SSH services by running the following command:

service ssh restart

OR

systemctl restart sshd

4. Add New Rule on UFW

Next, you'll need to create a new rule on UFW (Uncomplicated Firewall) to allow incoming traffic on the newly specified SSH port.

To verify the status of the firewall and check the current set of firewall rules, execute the following command:

sudo ufw status

If UFW status is shown as inactive, run the following command to enable the firewall:

sudo ufw enable

After enabling the firewall, you can start adding rules to it. To add a new rule on UFW, run the following command, specifying the port number and the protocol you want to use:

sudo ufw allow [PORT NUMBER]/[PROTOCOL]

Replace [PORT NUMBER] with the new SSH port number you set in the SSH configuration file, and [PROTOCOL] with the protocol you want to use (usually tcp).

Example: sudo ufw allow 2222/tcp

This will allow incoming traffic on port 2222 for the TCP protocol.

To confirm that the new rule has been added to the firewall, run the ufw status command again.

To reload the firewall rules, run the following command:

sudo ufw reload

To block incoming traffic on a port instead, run the following command:

sudo ufw deny [PORT NUMBER]/tcp

Example: sudo ufw deny 80/tcp
This will block incoming traffic on port 80 (HTTP).

5. Connect to the Server

You should now be able to connect to the server using the new SSH port.

Use the -p option to specify the port while connecting to the server from the SSH client terminal:

ssh user_name@remote_server_ip_address -p port_number

Example: ssh rabina@192.168.1.100 -p 2222

SSH to Server Using Public-Key Authentication

Additionally, enabling public-key authentication further increases security by requiring a private key to authenticate instead of a password.

Here are the steps to SSH to the server using public-key authentication:

1. Update sshd Configuration

Uncomment and set the following directives in the sshd configuration file (i.e. /etc/ssh/sshd_config):

PasswordAuthentication no
PubkeyAuthentication yes

Now, restart the SSH services in the server by running the following command.

service ssh restart

OR

systemctl restart sshd

2. Generate a Public-Private Key Pair

Generate a public-private key pair on your local machine using the ssh-keygen command. You will be prompted to choose a name and location for the key files, and to set a passphrase for the private key.

ssh-keygen -t rsa -b 4096 -C [user_name]

Example: ssh-keygen -t rsa -b 4096 -C rabina

3. Add client SSH Public Key to Server

Copy the public key and add it to the list of authorized keys on the server, allowing you to authenticate using the private key.

Run the following command to see where sshd looks for the authorized keys file:

grep AuthorizedKeysFile /etc/ssh/sshd_config

Then, open the authorized keys file in a text editor:

nano [AuthorizedKeysFile]

Replace [AuthorizedKeysFile] with the actual path of the authorized_keys file (the default, .ssh/authorized_keys, is relative to the user's home directory).

Example: nano .ssh/authorized_keys

Then add the public key on a new line, save the file and exit the editor.

4. Connect to the Remote Server using SSH

If you generated the public-private key pair using the default path, you can use the following command to connect to the remote host on the new port:

ssh user_name@remote_server_ip_address -p port_number

If you generated the key pair in a custom location, specify the location of your private key using the -i option:

ssh -i /path/to/private_key username@remote_server_ip_address -p port_number

This will authenticate you using the private key instead of a password.
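One way to script the sshd_config edits from step 3 of the first section and step 1 of this section, plus the authorized_keys change from step 3, as an added example that is not part of the original post. It assumes POSIX sh with grep, sed, awk and mktemp; the function names are mine, the sample config mirrors Debian's commented defaults, and the sample key line is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, grep, sed, awk, mktemp.
# Sets sshd_config directives idempotently (uncommenting a "#Port 22"-style line or
# adding the directive if absent) and installs a public key with the permissions
# sshd requires. The sample config below is constructed; use /etc/ssh/sshd_config
# on a real host after backing it up.

# set_sshd_option FILE DIRECTIVE VALUE
set_sshd_option() {
  file=$1; key=$2; val=$3
  tmp=$(mktemp)
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
    # Rewrite every commented or active occurrence so exactly one line is authoritative.
    sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $val|" "$file" > "$tmp"
  else
    # Prepend rather than append: a line appended after a "Match" block would
    # apply only inside that block.
    { printf '%s %s\n' "$key" "$val"; cat "$file"; } > "$tmp"
  fi
  cat "$tmp" > "$file"   # write through the original inode so owner and mode survive
  rm -f "$tmp"
}

# get_sshd_option FILE DIRECTIVE: value of the first active (uncommented) line
get_sshd_option() {
  grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# add_authorized_key FILE "PUBKEY LINE": append once; 700/600 so StrictModes accepts it
add_authorized_key() {
  file=$1; pubkey=$2
  mkdir -p "$(dirname "$file")" && chmod 700 "$(dirname "$file")"
  touch "$file" && chmod 600 "$file"
  grep -qxF -- "$pubkey" "$file" || printf '%s\n' "$pubkey" >> "$file"
}

# Constructed sample config (mirrors Debian's commented defaults)
cfg=$(mktemp)
printf '#Port 22\n#PasswordAuthentication yes\n#PubkeyAuthentication yes\n' > "$cfg"
set_sshd_option "$cfg" Port 2222
set_sshd_option "$cfg" PasswordAuthentication no
set_sshd_option "$cfg" PubkeyAuthentication yes
echo "Port is now: $(get_sshd_option "$cfg" Port)"
# On a real host, validate before restarting: sshd -t -f /etc/ssh/sshd_config
rm -f "$cfg"
```

Install and test the key before setting PasswordAuthentication no, and open the new port in UFW before restarting sshd; otherwise the restart can lock you out of the server.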
