SSH Port

[Chriz1977]

Hi

Does anyone know a quick way to change your SSH port through WHM?

Cheers

 

[mickalo]

Hi

Does anyone know a quick way to change your SSH port through WHM?

Cheers

open the /etc/ssh/sshd_config file and edit the following, the "Port" maybe commented out, you'll need to uncomment it first then edit. if you have a firewall running besure to open up the new port being used, and close the old port(IE: 22)

Port NEW_PORT_NUMBER

then restart sshd

Mickalo

 

[matthewdavis]

Considering changing the default ssh port can sometimes lead to a lot of support tickets on servers. "I can't login via ssh" "How do I set ssh to use a different port" The solution I've come up with is, keep ssh open on port 22 but deny root on port 22. But open a 2nd ssh port for root logins.

The instructions are posted on my web site: but they're also provided below.

1 - Copy /etc/ssh/sshd_config -> /etc/ssh/sshd_config.root
2 - Lock down the current sshd. Uncomment the following line in /etc/ssh/sshd_config

PermitRootLogin no

3 - Specify a port in /etc/ssh/sshd_config.root other than port 22 and make sure you have PermitRootLogin set to yes or commented out.
4 - Make the following changes to /etc/rc.d/init/sshd (highlighted in red).

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
[COLOR="Red"]OPTIONS="-f /etc/ssh/sshd_config.root"[/COLOR]
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid

start()
{
        # Create keys if necessary
        do_rsa1_keygen
        do_rsa_keygen
        do_dsa_keygen

        echo -n $"Starting $prog:"
        [COLOR="Red"]initlog -c "$SSHD" && success || failure[/COLOR]
        initlog -c "$SSHD $OPTIONS" && success || failure
        RETVAL=$?
        [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
        echo
}

You can even take this to the next step and block the new port unless you knock on the right port. Described here http://www.soloport.com/iptables.html. And even block dictionary attacks

 

[jayh38]

Hi

Does anyone know a quick way to change your SSH port through WHM?

Cheers

Install Chirpy's script CSE and you can modify files via whm. That would be
the only way to change a port via whm, otherise you need to use a shell
scp or sftp. Also check out winscp.

 

[Chriz1977]

I now have a server (different one) with an ssh port other than 22, i want to change it back but the above method was not used to change the port, all that appears to have been done is etc/ssh/sshd_config has had the port changed. What else should i look for?

Cheers

 

[mctDarren]

Make sure any firewall running is open to the port you're changing back to (22). You should open the port in the firewall, change the port in ssh config file, then restart ssh - in that order. Your current ssh session will stay intact, not to worry! Next try opening ssh over the new port in another ssh session. If it works, you can then block the old port via firewall and you are good to go.

 

[Chriz1977]

As ive inherited this new server i dont know what firewall is running on it, any idea how to find out?

 

[brianoz]

Considering changing the default ssh port can sometimes lead to a lot of support tickets on servers. "I can't login via ssh" "How do I set ssh to use a different port" The solution I've come up with is, keep ssh open on port 22 but deny root on port 22. But open a 2nd ssh port for root logins.

Thanks for your detailed and clear instructions!

Just as a personal opinion, some might regard the lack of ssh service on port 22 as a security feature, though I fully understand that it depends on what sort of hosting you are offering.

Anytime ssh is offered on port 22, you're offering another active service which can be attacked. Even if it only creates noise in your logs it's still a nuisance.

 

[mctDarren]

As ive inherited this new server i dont know what firewall is running on it, any idea how to find out?

What OS is the server running?

 

[matthewdavis]

Thanks for your detailed and clear instructions!

Just as a personal opinion, some might regard the lack of ssh service on port 22 as a security feature, though I fully understand that it depends on what sort of hosting you are offering.

Anytime ssh is offered on port 22, you're offering another active service which can be attacked. Even if it only creates noise in your logs it's still a nuisance.

I agree fully. However, IMO, there are 2 paths.

1 - Provide instructions to users to use a different ssh port. Then answer support tickets for users who don't read the instructions nor search the knowledge base.
2 - Keep your system updated and limit ssh access as much as possible.

I found the path of least resistance to be #1. If people really want to find the ssh port, they can.

 

[Chriz1977]

What OS is the server running?

CentOS 4.3

 

[brianoz]

2 - Keep your system updated and limit ssh access as much as possible.

I tend to dissuade ssh access unless they can provide enough ID to sink a small ship. Then I know they're not a spammer or hacker. If I allowed port 22 access I'd do exactly what you've done! Of course the other alternative is to disallow root-over-ssh completely and allow the users to use sudo. Most datacenter staff can handle that. Well maybe.

Ssh ports can always be found, they're obvious (the reply when you open the port contains the string ssh) so I'm not suggesting ever relying on a port change alone to hide ssh. It just reduces your vulnerability to scans looking for port 22 ssh hits, which may save your bacon in the unlikely event of a major exploit and subsequent port 22 scans; and reduces log noise.