
Change SSH Port

Discussion in 'Security' started by polkocholo, Mar 10, 2011.

  1. polkocholo

    polkocholo Active Member

  2. LinuxTechie

    LinuxTechie Well-Known Member

    Hey,

    So are you telling us you are not able to log in as root now? If you are able to log in, do post the first lines of sshd_config so we can check it. After changing the port, the port also needs to be opened in the firewall. Otherwise, such issues may occur.
     
  3. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Here are the steps to change the SSH port, which work fine for me.

    To change the SSH port number, log in as root and edit /etc/ssh/sshd_config

    Find the line that says Port 22 and change 22 to any number between 1024->65535 (above 30000 is best) and save the file.

    Once done, run:

    /etc/init.d/sshd restart

    Now start a new SSH session (don’t close your existing one), to make sure that you can get in.

    And as per cPtechie, the new port must be opened in the firewall, e.g. the CSF firewall.
     
  4. polkocholo

    polkocholo Active Member

    I have done all these things
    But the port did not change!
     
  5. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Is your server on a VPS? If so, then don't remove the line for the existing port; enter the new one, save the file, then restart sshd:
    service sshd restart

    See below:
    Code:
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    
    #Port 22
    # Replace xxxx with your port
    Port xxxx
    Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
     
  6. polkocholo

    polkocholo Active Member

    Dear crazyaboutlinux,
    I have a dedicated server > ttp://www.hetzner.de/en/hosting/produkte_rootserver/eq4
     
  7. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    The same setting is working on both my dedicated and VPS servers.

    Please provide us with the error message so that other people can assist you better.

    Ensure that the port is opened in the firewall:

    telnet localhost your port
     
  8. k-planethost

    k-planethost Well-Known Member

    At command prompt type: pico /etc/ssh/sshd_config

    Scroll down to the section of the file that looks like this:

    Code:

    #Port 22
    #Protocol 2, 1
    #ListenAddress 0.0.0.0
    #ListenAddress ::


    Uncomment and change

    #Port 22

    to look like

    Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


    Uncomment and change

    #Protocol 2, 1

    to look like

    Protocol 2


    Uncomment and change

    #ListenAddress 0.0.0.0

    to look like

    ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


    Note 1: If you would like to disable direct Root Login, scroll down until you find

    #PermitRootLogin yes

    and uncomment it and make it look like

    PermitRootLogin no

    Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


    Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
    Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it. If everything is OK, disable Telnet afterwards.
    Make sure you know what you are doing and do not lock yourself out.
     
    #8 k-planethost, Mar 14, 2011
    Last edited: Mar 14, 2011
  9. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I would not suggest editing core files such as SSH configuration ones in pico or nano, which can corrupt lines and cause the file to not function any longer. Additionally, using pico or nano will not tell you if another user on the system has the file opened, while vi will create a swap file (.swp) for anyone else with the file opened to warn you that another user on the system is editing the file at the same time.

    Basically, please use vi instead to edit the file. Any important files that risk corruption and can cause the system to cease working upon editing need to be a) copied before editing them, b) edited in vi.
     
  10. JeffP.

    JeffP. Well-Known Member

    Another important thing to take into consideration is the choice of port. Any non-root users with access to your server can start a service that listens on a port above 1023. Let's say you've configured sshd to listen on port 12345. Now let's say that someone has figured out a way to stop the sshd process (this doesn't necessarily have to be due to a bug in the ssh daemon, or even be due to a bug at all). With ssh no longer listening on port 12345, any local user can run their own sshd on that port for the purpose of collecting usernames and passwords. This is especially dangerous on servers where root logins are permitted via ssh.

    Use a port below 1024 that is not already in use, as those are ports that only the root user should be able to listen on (hence why ssh listens on port 22 by default, httpd on port 80, DNS on 53, FTP on 21, and so on). You can obtain a list of ports currently being used via the "netstat" command:

    Code:
    [user@host ~]$ netstat -nl
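
An added example, not part of the original thread: a shell sketch that audits the active Port lines of an sshd_config for the concern raised in the last post (ports above 1023 can be bound by any local user) and checks a candidate port against `netstat -nl` output. The function names and the sample config are constructed for illustration; Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config read on stdin.

# Print every port sshd would listen on, one per line. Keywords are
# case-insensitive, '#' lines are comments, and with no active Port line
# sshd falls back to 22. Include files are not followed (simplification).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }')
    [ -n "$ports" ] || ports=22
    printf '%s\n' "$ports"
}

# privileged = 1-1023 (only root may bind), unprivileged = 1024-65535.
classify_port() {
    if [ "$1" -ge 1 ] && [ "$1" -le 1023 ]; then echo privileged
    elif [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]; then echo unprivileged
    else echo invalid
    fi
}

# Report each configured port; return 1 if any is not privileged.
audit_sshd_ports() {
    rc=0
    for p in $(sshd_ports); do
        kind=$(classify_port "$p")
        echo "Port $p: $kind"
        [ "$kind" = privileged ] || rc=1
    done
    return $rc
}

# Succeed if PORT ($1) is a listening local port in `netstat -nl` output
# on stdin (column 4 is the local address, e.g. 0.0.0.0:22 or :::22).
port_in_use() {
    awk -v p="$1" '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                   END { exit !found }'
}

# Constructed sample config: the layout from the thread with a high port.
sample_config() {
    printf '%s\n' '#Port 22' 'Port 12345' 'Protocol 2' '#ListenAddress 0.0.0.0'
}

sample_config | audit_sshd_ports || echo "consider a free port below 1024"
```

On a live server the same functions would be fed real data, for example `audit_sshd_ports < /etc/ssh/sshd_config` and `netstat -nl | port_in_use 222`.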
     