One of the things you should do when first setting up your new server is changing the SSH port. This is not because it will actually stop a real attacker but because your server will be hammered with automated random login attempts, so the real reason why we will change the default ssh port is so that when the automated attacks can’t even connect to port 22 then usually it just stops and moves on to the next server. If you are using a cloud droplet or VPS that supports snapshots, now is the time to take one just incase you get locked out if something goes terribly wrong (never hurts to be safe!).
Check For Failed SSH Login Attempts
You can check for failed login attempts with the following command to see if your ssh is being attacked/bruteforced.
root@teachmelinux:/home/mike# grep fail /var/log/auth.log Oct 12 07:14:16 teachmelinux sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=188.8.131.52 user=root
Check Current SSH Port
If you are unsure of whether or not your ssh service is running on port 22, you can check it with plenty of different methods, Here are 3 different ways. The first one is by checking the /etc/ssh/sshd_config file.
root@teachmelinux:/home/mike# cat /etc/ssh/sshd_config | grep Port Port 22
If you don’t want to check it with the above way, the official Ubuntu guide says to check it with the following command.
root@teachmelinux:/home/mike# ss -lnp | grep sshd u_dgr UNCONN 0 0 * 304125 * 8968 users:(("sshd",pid=27289,fd=4)) tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1517,fd=3)) tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1517,fd=4))
The other way you can check your ssh port number is by scanning your server with nmap (this is why just changing your port won’t stop a real attacker). You can do this from either a Linux desktop or another Linux server.
root@teachmelinux:/home/mike# nmap -p1-65535 teachmelinux.com Starting Nmap 7.01 ( https://nmap.org ) at 2017-10-12 07:35 UTC Nmap scan report for teachmelinux.com (127.0.1.1) Host is up (0.000016s latency). Not shown: 65532 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 8.53 seconds
Change Default SSH Port
So lets get down to business and actually change our ssh port. To do this you will need to modify your sshd_config file. You can do this with whatever text editor you prefer, although I will be using vi for this guide.
sudo vi /etc/ssh/sshd_config
You next you need to scroll down to where the Port setting is located and change it to your desired port, to change the text you will need to enter “insert mode” by pressing the i button on your keyboard. I will be using port 2222, its easy to remember and its just to stop bots anyway. Now that we have changed the setting, we still need to save the changes by pressing the following keys in order :wq.
Update Firewall To Allow New SSH Port
Next you need to change your firewall/iptables settings to allow connections on your newly assigned port. We will also be closing port 22 because we are no longer using it for ssh.
sudo ufw allow 2222 sudo ufw deny 22
CentOS / Red Hat
sudo firewall-cmd --zone=public --add-port=2222/tcp --permanent sudo firewall-cmd --reload
sudo iptables -I INPUT -p tcp -m tcp --dport 2222 -j ACCEPT sudo iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP sudo service iptables save
Restart SSHD Service
Last but not least you will need to restart your sshd service for the changes to take effect. You can do so using the service command below.
sudo service sshd restart
I hope this guide has helped you, please don’t forget to like/share/comment. Thanks for the support!