The Community Forums

SSH Port

Discussion in 'General Discussion' started by Chriz1977, Nov 14, 2006.

  1. Chriz1977
    Hi

    Does anyone know a quick way to change your SSH port through WHM?

    Cheers
     
  2. mickalo
    Open the /etc/ssh/sshd_config file and edit the following. The "Port" line may be commented out; you'll need to uncomment it first, then edit it. If you have a firewall running, be sure to open up the new port being used and close the old port (i.e. 22).
    Code:
    Port NEW_PORT_NUMBER
    
    Then restart sshd.

    Mickalo
     
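The edit described in the post above, as an added example in bash (this is not the poster's code): a function that rewrites the Port directive whether it is commented out, already active, or missing entirely, a helper that reports the port sshd would actually read (first active Port line, else 22), and a guarded procedure that does the switch in the order the thread recommends: open the new port in the firewall, edit the file, validate it with `sshd -t`, then restart. The config path, the example port 2222, the iptables rule and `service sshd restart` are assumptions for the example.

```bash
#!/bin/bash
# Added example, not code from the original post.
# Rewrites the sshd "Port" directive safely and (only with --apply) performs the
# switch: open the new port in iptables, edit the config, validate, restart sshd.
# Assumptions: config at /etc/ssh/sshd_config, new port 2222, an iptables
# firewall, SysV "service sshd restart" as on the CentOS 4 box in the thread.
set -u

# set_sshd_port FILE PORT
# Leaves exactly one active "Port PORT" line in FILE: the first Port line
# (commented out or not) is rewritten in place, later Port lines are dropped,
# and if none exists the directive is appended. Mode and owner of FILE survive
# because the result is written back through the original inode.
set_sshd_port() {
    local file=$1 port=$2
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: not a port number: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port out of range: $port" >&2; return 1
    fi
    awk -v port="$port" '
        /^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/ {
            if (!done) { print "Port " port; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    local rc=$?
    rm -f "$file.tmp"
    return $rc
}

# active_sshd_port FILE
# Prints the port sshd would listen on: the first uncommented Port line, else 22.
active_sshd_port() {
    awk '
        /^[[:space:]]*Port[[:space:]]+[0-9]+/ { if (p == "") p = $2 }
        END { print (p == "" ? 22 : p) }
    ' "$1"
}

# switch_sshd_port PORT [CONFIG]
# The order mickalo and mctDarren describe: firewall first, then the config,
# then the restart. Requires root. Test a NEW session before closing the old port.
switch_sshd_port() {
    local port=$1 cfg=${2:-/etc/ssh/sshd_config} old
    old=$(active_sshd_port "$cfg")
    cp -p "$cfg" "$cfg.bak.$(date +%s)"                  # keep a rollback copy
    iptables -I INPUT -p tcp --dport "$port" -j ACCEPT    # 1. open the new port
    set_sshd_port "$cfg" "$port" || return 1              # 2. edit the config
    if ! sshd -t -f "$cfg"; then                          #    never restart on a bad file
        echo "config check failed; sshd still on port $old" >&2
        return 1
    fi
    service sshd restart                                  # 3. restart (your session survives)
    echo "sshd moved from $old to $port; verify with: ssh -p $port user@host, then drop the old rule"
}

if [ "${1:-}" = "--apply" ]; then
    switch_sshd_port "${2:-2222}"
fi
```

Run it as `./switch-port.sh --apply 2222` from a root shell; without `--apply` it only defines the functions, which is what the checks below rely on.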
  3. matthewdavis
    Changing the default ssh port can sometimes lead to a lot of support tickets on servers: "I can't login via ssh", "How do I set ssh to use a different port". The solution I've come up with is to keep ssh open on port 22 but deny root on port 22, and open a 2nd ssh port for root logins.

    The instructions are posted on my web site, but they're also provided below.

    1 - Copy /etc/ssh/sshd_config -> /etc/ssh/sshd_config.root
    2 - Lock down the current sshd. Uncomment the following line in /etc/ssh/sshd_config

    PermitRootLogin no

    3 - Specify a port in /etc/ssh/sshd_config.root other than port 22 and make sure you have PermitRootLogin set to yes or commented out.
    4 - Make the following changes to /etc/rc.d/init/sshd (the changed lines were highlighted in red in the original post; they are marked with a "red in the original" comment below).

    Code:
    # Some functions to make the below more readable
    KEYGEN=/usr/bin/ssh-keygen
    SSHD=/usr/sbin/sshd
    OPTIONS="-f /etc/ssh/sshd_config.root"   # red in the original: second instance reads the root-only config
    RSA1_KEY=/etc/ssh/ssh_host_key
    RSA_KEY=/etc/ssh/ssh_host_rsa_key
    DSA_KEY=/etc/ssh/ssh_host_dsa_key
    PID_FILE=/var/run/sshd.pid
    
    Code:
    start()
    {
            # Create keys if necessary
            do_rsa1_keygen
            do_rsa_keygen
            do_dsa_keygen
    
            echo -n $"Starting $prog:"
            initlog -c "$SSHD" && success || failure            # red in the original: default config, port 22, root denied
            initlog -c "$SSHD $OPTIONS" && success || failure   # second sshd on the root-only port
            RETVAL=$?
            [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
            echo
    }
    
    You can even take this to the next step and block the new port unless you knock on the right port, as described here: http://www.soloport.com/iptables.html. And you can even block dictionary attacks.
     
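The two-config layout in the post above, as an added example in bash (not matthewdavis's script): derive sshd_config.root from the main config, lock the main config down, and check the result the way sshd reads it (the first active occurrence of a keyword wins, so a stray "Port 22" left earlier in the file would silently override one appended at the end). One caveat the init-script edit does not cover is added here: both daemons would otherwise write /var/run/sshd.pid, so the root-only instance gets its own PidFile. The file paths, the port 2222 and the PID-file name are assumptions.

```bash
#!/bin/bash
# Added example, not the poster's code. Builds the root-only sshd config from
# the main one and locks the main one down. Assumptions: /etc/ssh/sshd_config,
# /etc/ssh/sshd_config.root, port 2222, PID file /var/run/sshd-root.pid.
set -u

ROOT_PIDFILE=/var/run/sshd-root.pid

# make_root_config SRC DST PORT
# Copy SRC to DST, dropping every Port/PidFile/PermitRootLogin line (active or
# commented) and appending our own, so the second instance listens elsewhere,
# keeps its own PID file, and still accepts root.
make_root_config() {
    local src=$1 dst=$2 port=$3
    awk -v port="$port" -v pidfile="$ROOT_PIDFILE" '
        /^[[:space:]]*#?[[:space:]]*(Port|PidFile|PermitRootLogin)[[:space:]]/ { next }
        { print }
        END {
            print "Port " port
            print "PidFile " pidfile
            print "PermitRootLogin yes"
        }
    ' "$src" > "$dst" && chmod 600 "$dst"
}

# lock_down_main FILE
# Force "PermitRootLogin no" in the port-22 config: replace the first such line
# (commented or not), drop duplicates, append if absent. Writes back through the
# original inode so mode and owner are kept.
lock_down_main() {
    local file=$1
    awk '
        /^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]/ {
            if (!done) { print "PermitRootLogin no"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PermitRootLogin no" }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file"
    local rc=$?
    rm -f "$file.tmp"
    return $rc
}

# config_value FILE KEY
# The value sshd would use: first active line whose keyword is KEY ("" if none).
config_value() {
    awk -v key="$2" '$1 == key && v == "" { v = $2 } END { print v }' "$1"
}

# start_root_instance CONFIG
# Validate, then launch the second daemon by hand (what the init-script change does at boot).
start_root_instance() {
    local cfg=$1
    /usr/sbin/sshd -t -f "$cfg" || return 1
    /usr/sbin/sshd -f "$cfg"
}

if [ "${1:-}" = "--apply" ]; then
    make_root_config /etc/ssh/sshd_config /etc/ssh/sshd_config.root "${2:-2222}"
    lock_down_main /etc/ssh/sshd_config
    /usr/sbin/sshd -t && service sshd restart      # main instance: root denied on 22
    start_root_instance /etc/ssh/sshd_config.root  # root-only instance on the second port
fi
```

Because the second daemon has its own PidFile, `killproc`-style stop logic in the init script only ever sees the port-22 instance; stopping the root-only one is `kill $(cat /var/run/sshd-root.pid)`, which the init script would need as an extra line if you want `service sshd stop` to take both down.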
  4. jayh38
    Install Chirpy's script CSE and you can modify files via WHM. That would be
    the only way to change a port via WHM; otherwise you need to use a shell,
    scp or sftp. Also check out WinSCP.
     
  5. Chriz1977
    I now have a server (a different one) with an ssh port other than 22. I want to change it back, but the above method was not used to change the port; all that appears to have been done is that /etc/ssh/sshd_config has had the port changed. What else should I look for?

    Cheers
     
  6. mctDarren
    Make sure any firewall running is open to the port you're changing back to (22). You should open the port in the firewall, change the port in ssh config file, then restart ssh - in that order. Your current ssh session will stay intact, not to worry! Next try opening ssh over the new port in another ssh session. If it works, you can then block the old port via firewall and you are good to go.
     
  7. Chriz1977
    As I've inherited this new server I don't know what firewall is running on it. Any idea how to find out?
     
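Two checks for the "open the firewall first" step in mctDarren's post and for the question that follows it, as an added example in bash (not from the thread): a function that walks iptables INPUT rules in order and reports the verdict a TCP port would get (first matching rule decides, otherwise the chain policy), run here over constructed sample rules, plus a helper that looks for the firewall front-ends commonly found on cPanel boxes. Rules that jump into another chain (the way CSF and APF build their rule sets) are not followed, so on such a box read `iptables -S` per chain or ask the front-end itself. The paths in detect_firewall are the customary install locations, stated as an assumption.

```bash
#!/bin/bash
# Added example, not from the original thread. Answers "is the port open before
# I restart sshd?" by evaluating iptables INPUT rules the way the kernel does:
# the first matching rule decides, otherwise the chain policy applies.
set -u

# Constructed sample in "iptables -S INPUT" format (not captured from a real host).
# Note the DROP for 2222 sits before an ACCEPT for 2222: order wins.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j DROP
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# tcp_verdict RULES PORT
# Prints the target (ACCEPT/DROP/REJECT/chain name) of the first INPUT rule that
# matches TCP traffic to PORT, or the chain policy if none does.
# Handles "--dport N" and multiport "--dports a,b,c"; a "-p tcp" rule with no
# port matches all TCP. Port ranges (a:b) and jumps into user chains are not expanded.
tcp_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-P INPUT / { policy = $3 }
        /^-A INPUT / && / -p tcp/ {
            target = ""; hit = 0; hasport = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport" || $i == "--dports") {
                    hasport = 1
                    n = split($(i + 1), ports, ",")
                    for (j = 1; j <= n; j++) if (ports[j] == port) hit = 1
                }
            }
            if (hit || !hasport) { print target; found = 1; exit }
        }
        END { if (!found) print (policy == "" ? "ACCEPT" : policy) }'
}

# port_open RULES PORT : success if the verdict is ACCEPT.
port_open() { [ "$(tcp_verdict "$1" "$2")" = "ACCEPT" ]; }

# live_port_open PORT : the same check against the running firewall (needs root).
live_port_open() { port_open "$(iptables -S INPUT)" "$1"; }

# detect_firewall : print the firewall front-ends found on this box, one per line.
# CSF and APF locations are the customary ones (assumption); then raw iptables.
detect_firewall() {
    local found=0
    if [ -d /etc/csf ] || [ -x /usr/sbin/csf ]; then echo "csf"; found=1; fi
    if [ -d /etc/apf ] || [ -x /usr/local/sbin/apf ]; then echo "apf"; found=1; fi
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" = 0 ] \
       && [ "$(iptables -S INPUT | wc -l)" -gt 1 ]; then
        echo "iptables (rules loaded)"; found=1
    fi
    [ "$found" = 1 ] || echo "none detected"
}

if [ "${1:-}" = "--check" ]; then
    detect_firewall
    echo "port ${2:-22}: $(tcp_verdict "$(iptables -S INPUT)" "${2:-22}")"
fi
```

Typical use before a port change: `./fwcheck.sh --check 2222` as root; if it reports anything other than ACCEPT, fix the firewall before touching sshd_config.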
  8. brianoz
    Thanks for your detailed and clear instructions!

    Just as a personal opinion, some might regard the lack of ssh service on port 22 as a security feature, though I fully understand that it depends on what sort of hosting you are offering.

    Anytime ssh is offered on port 22, you're offering another active service which can be attacked. Even if it only creates noise in your logs it's still a nuisance.
     
  9. mctDarren
    What OS is the server running?
     
  10. matthewdavis
    I agree fully. However, IMO, there are 2 paths.

    1 - Provide instructions to users to use a different ssh port. Then answer support tickets for users who don't read the instructions nor search the knowledge base.
    2 - Keep your system updated and limit ssh access as much as possible.

    I found the path of least resistance to be #1. If people really want to find the ssh port, they can.
     
  11. Chriz1977
    CentOS 4.3
     
  12. brianoz
    I tend to dissuade ssh access unless they can provide enough ID to sink a small ship. Then I know they're not a spammer or hacker. :) If I allowed port 22 access I'd do exactly what you've done! Of course the other alternative is to disallow root-over-ssh completely and allow the users to use sudo. Most datacenter staff can handle that. Well maybe. ;)

    Ssh ports can always be found, they're obvious (the reply when you open the port contains the string ssh) so I'm not suggesting ever relying on a port change alone to hide ssh. It just reduces your vulnerability to scans looking for port 22 ssh hits, which may save your bacon in the unlikely event of a major exploit and subsequent port 22 scans; and reduces log noise.
     
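brianoz's point that a moved sshd is still trivially recognisable, as an added example in bash (not from the thread): sshd sends its identification string before the client says anything, so reading the first line from each candidate port is enough to find it. The banner classifier is exercised on constructed strings; the network function uses bash's /dev/tcp and the coreutils `timeout` command, and the default host and port list are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Finds sshd on non-standard ports by banner.
set -u

# classify_banner LINE
# sshd greets with "SSH-<protoversion>-<softwareversion>" (the RFC 4253
# identification string). Prints "ssh <proto> <software>" for such a line,
# "not-ssh" for anything else. A trailing CR is stripped first.
classify_banner() {
    local line rest
    line=$(printf '%s' "$1" | tr -d '\r')
    case "$line" in
        SSH-[12].[0-9]*-*)
            rest=${line#SSH-}                     # e.g. "2.0-OpenSSH_4.3"
            echo "ssh ${rest%%-*} ${rest#*-}"
            ;;
        *) echo "not-ssh" ;;
    esac
}

# grab_banner HOST PORT [SECONDS]
# Connect and print the first line the server volunteers; prints nothing on
# connect failure or when the service waits for the client to speak first.
grab_banner() {
    local host=$1 port=$2 secs=${3:-3}
    timeout "$secs" bash -c '
        exec 3<>"/dev/tcp/$0/$1" 2>/dev/null || exit 1
        IFS= read -r -t "$2" line <&3
        printf "%s\n" "$line"
    ' "$host" "$port" "$secs" 2>/dev/null
}

# find_ssh_ports HOST PORT...
# Prints "PORT BANNER" for every port whose greeting is an SSH banner.
find_ssh_ports() {
    local host=$1 port banner
    shift
    for port in "$@"; do
        banner=$(grab_banner "$host" "$port")
        case "$(classify_banner "$banner")" in
            ssh*) printf '%s %s\n' "$port" "$banner" ;;
        esac
    done
}

if [ "${1:-}" = "--scan" ]; then
    host=${2:-127.0.0.1}
    if [ $# -gt 2 ]; then shift 2; else set -- 22 2222 2022 22222; fi
    find_ssh_ports "$host" "$@"
fi
```

`./sshfind.sh --scan 203.0.113.10 22 2222 2200` prints the ports that answer with an SSH banner, which is exactly why a port change reduces log noise from port-22 sweeps but hides nothing from anyone who scans the host.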