Title: Changing the default ssh port
Author: cc_skavenger
Keywords: ssh, sshd, port, firewall, remote
SME Releases Supported: 5.6 - 6.x
Problem: You want to prevent remote login attempts on default port 22
Solution: change the default port
- Make the directories needed for the necessary template fragments.
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
- Copy the template fragment that specifies the ssh port number.
cp -rip /etc/e-smith/templates/etc/ssh/sshd_config/10port /etc/e-smith/templates-custom/etc/ssh/sshd_config/
- Edit the template fragment and change the port number to what you want.
- Now, expand the template with the following command:
/sbin/e-smith/expand-template /etc/ssh/sshd_config
- Edit the file /etc/ssh/sshd_config and make sure that the port number changed.
- Next, copy the template fragment that specifies port 22 to be open in the firewall.
cp -rip /etc/e-smith/templates/etc/rc.d/init.d/masq/45AllowSSH /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
- Edit the file and change the number 22 to whatever number you specified above.
- Now, expand the template with the following command:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
- Edit the file /etc/rc.d/init.d/masq and make sure that you see something like this starting at about line 311:
adjust_tcp_in 113 denylog $NEW_InboundTCP
adjust_tcp_in 21 ACCEPT $NEW_InboundTCP
adjust_tcp_in 80 denylog $NEW_InboundTCP
adjust_tcp_in 443 denylog $NEW_InboundTCP
adjust_tcp_in 143 denylog $NEW_InboundTCP
adjust_tcp_in 389 denylog $NEW_InboundTCP
adjust_tcp_in 110 denylog $NEW_InboundTCP
adjust_tcp_in 1723 ACCEPT $NEW_InboundTCP
adjust_tcp_in 25 denylog $NEW_InboundTCP
adjust_tcp_in 2222 ACCEPT $NEW_InboundTCP <--- Here is the new port
adjust_tcp_in 23 denylog $NEW_InboundTCP
- Now restart the ssh service:
service sshd restart
- Now restart the firewall service:
service masq restart
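A check to run after the two restarts, added here and not part of the original howto: it reads the Port from sshd_config and confirms the masq script has a matching ACCEPT rule and no leftover ACCEPT for 22. It assumes the expanded files keep the line layout shown above; the sample files it creates are constructed stand-ins.

```shell
#!/bin/sh
# Consistency check for the howto above (added example, not from the
# original page). Assumes the expanded files keep the layout shown there:
#   /etc/ssh/sshd_config      ->  "Port 2222"
#   /etc/rc.d/init.d/masq     ->  "adjust_tcp_in 2222 ACCEPT $NEW_InboundTCP"

# Print the first active (uncommented) Port directive of an sshd_config.
sshd_port() {
    awk '$1 == "Port" { print $2; exit }' "$1"
}

# Exit 0 if the masq script has an ACCEPT rule for TCP port $2, else 1.
masq_accepts() {
    grep -Eq "^[[:space:]]*adjust_tcp_in[[:space:]]+$2[[:space:]]+ACCEPT" "$1"
}

# Compare sshd_config ($1) with the masq script ($2).
# Returns 0 when consistent, 1 on a mismatch, 2 when no Port line exists.
check_consistent() {
    port=$(sshd_port "$1")
    [ -n "$port" ] || return 2
    masq_accepts "$2" "$port" || return 1
    # After moving off 22, the old port should no longer be open.
    if [ "$port" != "22" ] && masq_accepts "$2" 22; then
        return 1
    fi
    return 0
}

# Constructed sample files standing in for the two expanded files.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#Port 22
Port 2222
Protocol 2
EOF
cat > "$tmp/masq" <<'EOF'
adjust_tcp_in 25 denylog $NEW_InboundTCP
adjust_tcp_in 2222 ACCEPT $NEW_InboundTCP
adjust_tcp_in 23 denylog $NEW_InboundTCP
EOF

if check_consistent "$tmp/sshd_config" "$tmp/masq"; then
    echo "OK: sshd listens on $(sshd_port "$tmp/sshd_config") and masq accepts it"
else
    echo "MISMATCH: sshd_config port and masq ACCEPT rule differ" >&2
fi
rm -rf "$tmp"
```

Run it against the real /etc/ssh/sshd_config and /etc/rc.d/init.d/masq by passing those paths to check_consistent instead of the sample files.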
That’s it. Try connecting over ssh through the new port you specified. If it doesn’t work, check your files and make sure that ssh is enabled in the remote access section of the server manager.
Note1: D. May's webconsole contrib will not work if this modification is used.
Note2: I've followed these excellent instructions and built an rpm where the port is set with a db value. S. Noble
http://www.dungog.net/sme/files/backup-rsync/README-sshd.txt
http://www.dungog.net/sme/files/backup-rsync/ > dungog-sshd