Configuring SSH to Listen on a Non-Default Port
SSH is a widely used protocol for secure remote access and management of servers and network devices. By default, SSH listens on port 22, but it can be configured to listen on a different port to enhance security and reduce the risk of automated attacks.
However, keep in mind that ports 0 to 1023 are reserved for system services (the well-known ports), so it's recommended to choose a port number between 1024 and 65535.
To configure SSH to listen on a non-default port on the server, follow these steps:
1. Check SSH status:
Run the following command to check the SSH status, along with other relevant information, including the port number being used by SSH:
service ssh status
OR
systemctl status sshd
If the SSH service is not active, run the following command to start it:
service ssh start
OR
systemctl start sshd
2. Check SSH Port Number:
After executing the command in the first step, you will already know the SSH port number. Nevertheless, it's also possible to check the port number directly by running the following command:
grep -i port /etc/ssh/sshd_config
Note: The location of the sshd_config file can differ based on the operating system you are using. In this instance, I am using a Debian-based Linux system.
3. Change SSH Port Number:
If you want to modify the SSH port, you'll need to edit the SSH configuration file. To begin, open the configuration file in a text editor:
nano /etc/ssh/sshd_config
Then change the SSH port number by uncommenting the line containing Port and specifying the new port number, as below:
Port [NEW PORT]
where [NEW PORT] is the desired port number.
Example: Port 2222
This will set the new port number as 2222.
After making the necessary changes, save the file and exit the text editor.
Now, restart the SSH services by running the following command:
service ssh restart
OR
systemctl restart sshd
4. Add New Rule on UFW
Next, you'll need to create a new rule on UFW (Uncomplicated Firewall) to allow incoming traffic on the newly specified SSH port.
To verify the status of the firewall and check the current set of firewall rules, execute the following command:
sudo ufw status
If UFW status is shown as inactive, run the following command to enable the firewall:
sudo ufw enable
After enabling the firewall, you can start adding rules to it. To add a new rule on UFW, you need to run the following command, specifying the port number and the protocol you want to use.
sudo ufw allow [PORT NUMBER]/[PROTOCOL]
Replace [PORT NUMBER] with the new SSH port number you set in the SSH configuration file, and [PROTOCOL] with the protocol you want to use (usually tcp).
Example: sudo ufw allow 2222/tcp
This will allow incoming traffic on port 2222 for the TCP protocol.
To confirm that the new rule has been added to the firewall, run the ufw status command again.
To reload the firewall rules, run the following command:
sudo ufw reload
To block incoming traffic on a port instead, run the following command:
sudo ufw deny [port]/tcp
Example: sudo ufw deny 80/tcp
This will block incoming traffic on port 80 for HTTP.
5. Connect to the Server
You should now be able to connect to the server using the new SSH port.
Use the -p option to specify the port while connecting to the server from the SSH client terminal:
ssh user_name@remote_server_ip_address -p port_number
Example: ssh rabina@192.168.1.100 -p 2222
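The port change in steps 3 and 4 is easy to get wrong by hand: a typo in sshd_config followed by a restart, or a restart before the firewall rule exists, can cut off the only session you have. The script below is an added example, not code from the original post. It edits a config file idempotently (uncommenting #Port 22, rewriting an existing Port line, or inserting one before the first Match block, since Port is not allowed inside Match), syntax-checks the result with sshd -t, opens the UFW rule before restarting, and confirms the listener. It assumes a Debian/Ubuntu-style layout (/etc/ssh/sshd_config, ufw, systemctl); the file-editing helpers take the config path as an argument so they can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes Debian/Ubuntu-style
# paths: /etc/ssh/sshd_config, ufw and systemctl. Only --apply touches the system.

# The post recommends a port in the unprivileged range 1024-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the given sshd_config so it has exactly one active "Port N" line:
# the first "Port"/"#Port" line becomes "Port N", later active Port lines are
# dropped, and if there is none it is inserted before the first Match block
# (Port is a global keyword; sshd -t rejects it inside Match) or appended.
set_sshd_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    awk -v p="$port" '
        !seen && /^[ \t]*#?[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ { print "Port " p; seen = 1; next }
        seen  && /^[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/        { next }
        !seen && /^[ \t]*Match[ \t]/                          { print "Port " p; seen = 1 }
        { print }
        END { if (!seen) print "Port " p }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# First active Port line of a config file, or 22 (sshd's default) if none.
sshd_port_from() {
    awk '/^[ \t]*[Pp]ort[ \t]+[0-9]+[ \t]*$/ { p = $2; exit }
         END { print (p == "" ? 22 : p) }' "$1"
}

# Apply to the live system (run as root). Firewall rule first, then a syntax
# check, then the restart, so a bad config cannot drop the only way in.
apply_port_change() {
    port="$1"; cfg=/etc/ssh/sshd_config
    old=$(sshd_port_from "$cfg")
    cp -p "$cfg" "$cfg.bak.$(date +%s)" || return 1   # rollback copy
    ufw allow "$port/tcp" || return 1                  # step 4 before step 3's restart
    set_sshd_port "$cfg" "$port" || return 1
    if ! sshd -t; then                                 # -t: test the config, do not start
        echo "sshd_config invalid, not restarting (port $old still in use)" >&2
        return 1
    fi
    systemctl restart sshd || return 1
    ss -tln | grep -E "[:.]$port[[:space:]]" >/dev/null &&
        echo "sshd listening on $port; keep this session open and test a new login before removing the $old/tcp rule"
}

# Only touch the system when asked explicitly:  ./change_port.sh --apply 2222
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    apply_port_change "$2"
fi
```

Note that the script deliberately does not remove the firewall rule for the old port: do that yourself (sudo ufw delete allow 22/tcp) only after a second session on the new port has succeeded. Some distributions socket-activate sshd, in which case the listening port is set on the systemd socket unit rather than in sshd_config; check the output of ss -tln after the restart rather than assuming.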
SSH to Server Using Public-Key Authentication
Additionally, enabling public-key authentication can further increase security by requiring a private key to authenticate rather than password-based authentication.
Here are the steps to SSH into a server using public-key authentication:
1. Update sshd Configuration
Update and uncomment the following lines in the sshd configuration file (i.e. /etc/ssh/sshd_config):
PasswordAuthentication no
PubkeyAuthentication yes
Now, restart the SSH services in the server by running the following command.
service ssh restart
OR
systemctl restart sshd
2. Generate a Public-Private Key Pair
Generate a public-private key pair on your local machine using the ssh-keygen command. You will be prompted to choose a name and location for the key files, and to set a passphrase for the private key.
ssh-keygen -t rsa -b 4096 -C [user_name]
Example: ssh-keygen -t rsa -b 4096 -C rabina
3. Add client SSH Public Key to Server
Copy the public key and add it to the list of authorized keys on the server, allowing you to authenticate using the private key.
Run the command below to see where the AuthorizedKeysFile is located:
grep AuthorizedKeysFile /etc/ssh/sshd_config
Then, open the authorized keys file in a text editor.
nano [AuthorizedKeysFile]
Replace [AuthorizedKeysFile] with the actual authorized_keys file path.
Example: nano .ssh/authorized_keys
Then, add the public key on a new line, save, and exit the editor.
4. Connect to the Remote Server using SSH
If you generated the public-private key pair using the default path, you can use the following command to connect to the remote host on the new port:
ssh user_name@remote_server_ip_address -p port_number
If you generated the key pair in a custom location, specify the location of your private key using the -i option:
ssh -i /path/to/private_key username@remote_server_ip_address -p port_number
This will authenticate you using the private key instead of a password.
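Two details of steps 1 and 3 decide whether key login actually works: sshd (with its default StrictModes) refuses an authorized_keys file whose directory or file is group/world writable, and turning PasswordAuthentication off before a key is installed and tested locks you out. The script below is an added example, not code from the original post. It installs a public-key line into an authorized_keys file with the expected permissions, skips keys that are already present, and reads the effective PubkeyAuthentication/PasswordAuthentication values from an sshd_config so the password switch-off can be checked against them. Paths are arguments, the sample key is a constructed placeholder (not a real key), and the keyword lookup does not model Match blocks; run it on a scratch directory first.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes the default
# AuthorizedKeysFile layout (.ssh/authorized_keys under the user's home) and
# takes every path as an argument so it can be exercised on a scratch dir.

# Constructed sample: an ed25519-shaped line whose blob is NOT a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey0000000000000000 rabina@laptop'

# First active value of a keyword in an sshd_config, or a supplied default.
# sshd uses the first occurrence it reads and matches keywords case-insensitively.
sshd_setting() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { v = $2; exit }
        END { print (v == "" ? d : v) }' "$1"
}

# Accept only a single public-key line of a type sshd understands:
# "<type> <base64 blob> [comment]".
looks_like_pubkey() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-nistp*" "*|sk-*"@openssh.com "*) ;;
        *) return 1 ;;
    esac
    set -- $1                                  # split into type, blob, comment
    [ -n "$2" ] && [ -z "$(printf '%s' "$2" | tr -d 'A-Za-z0-9+/=')" ]
}

# Step 3: append the key unless its blob is already present, and set the
# permissions StrictModes expects (directory 0700, file 0600).
install_authorized_key() {
    akf="$1"; key="$2"
    looks_like_pubkey "$key" || { echo "refusing: not a public-key line" >&2; return 1; }
    dir=$(dirname "$akf")
    { mkdir -p "$dir" && chmod 700 "$dir"; } || return 1
    [ -f "$akf" ] || : > "$akf"
    chmod 600 "$akf" || return 1
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if grep -F -q -- "$blob" "$akf"; then      # compare blobs, not comments
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$akf" && echo "added"
}

# Step 1 guard: only disable passwords once pubkey auth is on and a key exists.
# PubkeyAuthentication defaults to yes and PasswordAuthentication to yes in sshd.
ready_for_key_only() {
    cfg="$1"; akf="$2"
    [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" = "yes" ] || return 1
    [ -s "$akf" ] || return 1
}

# Usage on the server:  ./install_key.sh ~/.ssh/authorized_keys "$(cat id_rsa.pub)"
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2" &&
        if ready_for_key_only /etc/ssh/sshd_config "$1"; then
            echo "key installed; test 'ssh -i <private_key> user@host' before setting PasswordAuthentication no"
        fi
fi
```

The recommended order is therefore: install and test the key while password login still works, and only then set PasswordAuthentication no and restart sshd. The check is deliberately done from a second session so the first one stays open as a fallback.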