Practitioner Level

Change SSH Port from 22 to 61613

30 minutes

4 Learning Objectives

After you start any instance with public access, automated scripts will find you almost immediately and start conducting all sorts of scans and probing. There is no real way to completely stop this. You can confirm this is happening by looking at the log files of any public instance you create. However, we don’t need to make it easy for them. A standard scan will usually check for known standardized ports associated with known services. For example, SSH by default runs on port 22 and is the first port any script will check for an SSH service. Now, if we configure SSH service to run on port 61613, the scan script will need to make a broad port sweep to find our SSH service. This is extremely taxing in terms of bandwidth for the attacker, and generally scripts will not check for these ports. That is why it is very important for us to change the port at which SSH operates from 22 to something that is not standardized, making it much more difficult for any one script to find our SSH service.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Open `/etc/ssh/sshd_config`, Uncomment the `Port` Variable, and Change the Value from 22 to 61613

Note: Use a local terminal app with ssh support for this lab. The Instant Terminal can not be used for this specific lab.

Open configuration file:
```
sudo vim /etc/ssh/sshd_config
```
1. Change the value of Port:
```
Port 61613
```
2. Save and close:
```
ESC
:wq
ENTER
```

Open Port 61613 with firewalld

Open the port with firewalld:

sudo firewall-cmd --permanent --add-port=61613/tcp

Reload to apply the rules:

sudo firewall-cmd --reload

Configure SELinux to Allow Connections on Port 61613 for SSH

sudo semanage port -a -t ssh_port_t -p tcp 61613

Restart SSH, Log Out and Back in on Port 61613, and Close Port 22 with firewalld

Restart SSH:
```
sudo systemctl restart sshd
```
Log out:
```
exit
```

ssh cloud_user@<Server_IP_Address> -p 61613

Close port 22 with firewalld:

sudo firewall-cmd --permanent --remove-port=22/tcp

sudo firewall-cmd --reload

Additional Resources

Generally speaking, every time you have a front-facing server, that server in all likelihood will be probed by a large number of automated scans. One of the first things these scripts check is port 22 because it is a well-known port, and SSH usually works on this port. However, we have no reason to make their lives easier.

By changing the port of SSH from 22 to something highly unusual — like, let's say, port 61613 — a large number of those automated scans will fail to detect there is in fact SSH running on the server, as they do not expect this.

But simply changing the default port and not doing anything else is a sure way of locking yourself out of the server. So we need to configure SELinux to allow connections on port 61613 for SSH, and we need to instruct the firewall to allow traffic on port 61613. Furthermore, we can do some housekeeping and close port 22.

Note: Use a local terminal app with ssh support for this lab. The Instant Terminal can not be used for this specific lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Get Started

Who’s going to be learning?

Myself My Organization

How many seats do you need?

$499 USD per seat per year
Billed Annually
Renews in 12 months

Ready to accelerate learning?

For over 25 licenses, a member of our sales team will walk you through a custom tailored solution for your business.

$2,495.00

Checkout

Welcome Back!

Psst…this one if you’ve been moved to ACG!