How to configure SSH to use a non-standard port with SELinux set to enforcing


Switching the SSH listening port is an easy way to help secure remote login on your Linux servers. But when SELinux is involved, you have to take a few extra steps. Jack Wallen shows you how.

SSH over servers

Image: Funtap/Shutterstock

More about cybersecurity

SSH has a lot of tricks up its sleeve for security, one of which is to configure the service to use a non-standard port. Out of the box, SSH uses port 22. If you want an easy way to trip up would-be hacking attempts, you can configure that service to use a different port, such as 33000. 

SEE: Security incident response policy (TechRepublic Premium)

On Linux distributions that don’t use SELinux, this process is quite easy. However, if SELinux is involved, you can’t simply change the port, without letting the security system in on your little secret.

And that’s exactly what I’m going to do here, configure Fedora 35 to use port 33000 for incoming SSH traffic. This same process will work on any Linux distribution that uses SELinux (such as RHEL, Alma Linux and Rocky Linux). 

With that said, let’s get to work.

What you’ll need

To make this change, you’ll need a running instance of a Linux distribution that includes SELinux as well as the SSH server installed and a user with sudo access.

How to change the default SSH port

The first thing we’re going to do is change the default port SSH uses, which is found in the sshd_config file. Open that file for editing with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

#Port 22

Change that line to read:

Port 33000

Save and close the file. 

Don’t restart the daemon just yet, as we first need to deal with SELinux.

How to alert SELinux to the change

The first thing we’ll do is check to make sure SELinux is aware of SSH. Issue the command:

sudo semanage port -l | grep ssh

You should see listed:

ssh_port_t tcp 22

So SELinux is allowing SSH traffic into port 22. We’ll change that to 33000 with the command:

sudo semanage port -a -t ssh_port_t -p tcp 33000

Now, if we check which port is being used, it should come back as:

ssh_port_t tcp 33000, 22

Although SELinux is allowing port 22, SSH won’t be listening to that port, so it’s not an issue.

How to open the firewall to port 33000

Next, we must open the firewall to allow SSH traffic in through port 33000. For this, we issue the command:

sudo firewall-cmd --add-port=33000/tcp --permanent

Next, reload the firewall with:

sudo firewall-cmd --reload

Next, we’ll disable the standard SSH port through the firewall with:

sudo firewall-cmd --remove-service=ssh --permanent

Once again, reload the firewall with:

sudo firewall-cmd --reload

How to restart the SSH daemon and log in

We can now restart the SSH daemon with:

sudo systemctl restart sshd

Log into the newly configured server with:

ssh [email protected] -p 33000

Where USER is a remote username and SERVER is the IP address (or domain) of the remote server.

And that’s how you configure SSH to use a non-standard port on a Linux distribution that makes use of SELinux. You should consider switching all of your servers to using a non-standard port for the SSH service. When you couple that with other SSH hardening tricks, you’ll go a long way to preventing unwanted users from gaining access to your servers.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see