Don't let those data center Linux servers use the default SSH port. Gain a bit of a security edge by configuring the daemon to use a non-standard port.
Chances are, you log into your data center Linux servers by way of Secure Shell (SSH). Out of the box, that remote entry protocol uses port 22—a well-known, exploitable fact. Because that port is so widely accepted as the default, it can become the target of attacks. To that end, you might want to change that default to make use of a different port. But how? Fortunately, this is Linux, so customization is the name of the game.
I'm going to walk you through the process of changing the default SSH port in Linux. I'll demonstrate on Ubuntu Server 18.04, but the process should be the same, regardless of the distribution you use for your servers.
SEEL Disaster recovery and business continuity plan (Tech Pro Research)
Choosing a port
The first thing you must do is choose a new port for SSH to listen on. You can choose any unused port, but I suggest you select one over 1024 (as those ports under that number are used for well-known services and could be more easily discovered). Say you want to use port 2112 (on the off-chance you're a Rush fan). What you must do is make sure that port is accessible on your network. If you plan on accessing your servers from outside your LAN, your network security will have to be adjusted to allow the routing of traffic to that port on any listening devices. How this is done will depend upon the hardware/software used on your network.
Opening the firewall
You will also need to open the firewall on your server(s). As I'll be demonstrating on Ubuntu Server 18.04, we'll be working with Uncomplicated Firewall (UFW). If you use a different Linux distribution, make sure to adjust the firewall accordingly.
The necessary command to open port 2112 with UFW would be:
sudo ufw allow 2112/tcp
Once you've update the firewall rules, you're ready to make the change to the default SSH port.
Changing the port
The necessary change is found in the /etc/ssh/sshd_config file. Open that file for editing with the command:
sudo nano /etc/ssh/sshd_config
Once open, look for the line:
Remove the comment (the # character) and change the line to:
Save and close that file. Restart the SSH daemon with the command:
sudo systemctl restart sshd
Once the daemon restarts, SSH is now listening on the new port.
Connecting to SSH
If you attempt to connect to SSH on the server, in the standard fashion, you'll have no luck (Figure A). Why? Because the SSH client assumes the default port of 22.
To get around that, run the SSH command with the -p option like so:
ssh -p 2112 USER@SERVER_IP
Where USER is the remote user and SERVER_IP is the remote server IP Address. With the -p option in place, the SSH connection will get through, and you can log into your data center Linux server on the newly configured, non-default port (Figure B).
A small, but mighty change
This is a small change to the SSH daemon that every Linux admin should complete. Altering the default SSH port might be a small change, but it is mighty. The last thing you want to do is make it easy for would-be attackers to gain access to your data center servers, simply because you stuck with the default SSH port. Make this change and enjoy a little security by obfuscation.
- How to copy a file between two remote SSH servers (TechRepublic)
- How to use SSH to proxy through a Linux jump host (TechRepublic)
- How to connect to VNC using SSH (TechRepublic)
- How to run remote commands on multiple Linux servers with Parallel-SSH (TechRepublic)
- Over 485,000 Ubiquiti devices vulnerable to new attack (ZDNet)
- The data center is dead: Here's what comes next (ZDNet)
- Best cloud services for small businesses (CNET)
- DevOps: More must-read coverage (TechRepublic on Flipboard)