Change SSH Port on AlmaLinux 8/9 with SELinux Enforcing

  • November 28, 2023
  • 0 Comments

Thanks to Josphat Mutai for writing the original guide this KB article is based on.
Parts have been updated by us.

 

PLEASE READ THIS COMPLETE GUIDE FIRST!

If you are uncomfortable making the changes, or have any questions, open a support ticket and we will make the change for you.


In this guide we will see how you can change SSH service port on AlmaLinux 8/9 with SELinux running in Enforcing mode.

When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules.
The standard SSH port on most Linux/Unix systems is TCP port 22.
This can be changed easily to a custom port not used by other Applications in the system.

When SELinux is running in Enforcing mode, the port to be set will need relabeling so that Policy rules controlling access can accept ssh service to bind.

Follow steps discussed below to change SSH port on AlmaLinux server with SELinux running in Enforcing mode.

 

Step 1: Backup Current SSH configuration

Login to your AlmaLinux system and change to the SSH directory to backup your current SSH daemon configuration file:

# cd /etc/ssh

# date_format=`date +%Y_%m_%d:%H:%M:%S`

# cp sshd_config sshd_config_$date_format


Confirm:

# ls sshd_config*
sshd_config        sshd_config_2019_09_05:21:40:10

 

Step 2: Change SSH service port

Open SSH service configuration file with your favorite text editor – vi, vim, nano etc. (we use nano in the example):

# nano sshd_config


Locate line that has:

#Port 22


Uncomment the Port line and set your new service port to be used.
The example use port 33000:

Port 33000

 

Step 3: Allow new SSH port on SELinux

The default port labelled for SSH is 22:

# semanage port -l | grep ssh
ssh_port_t            tcp        22


If you want to allow sshd to bind to network port configured, then you need to modify the port type to ssh_port_t:

# semanage port -a -t ssh_port_t -p tcp 33000


Confirm that the new port has been added to list of allowed ports for SSH:

# semanage port -l | grep ssh
ssh_port_t            tcp        33000, 22

 

Step 4: Open SSH port on Firewalld

Based on your servers individual configuration , the Firewall service may or may not be running.
If you receive an error saying the service is not running when you run the below command, do not worry.

# firewall-cmd --add-port=33000/tcp --permanent

# firewall-cmd --reload


You can now remove SSH service:

# firewall-cmd --remove-service=ssh --permanent

# firewall-cmd --reload

 

Step 5: Restart sshd service


Restart SSH service for the changes to take effect:

# systemctl restart sshd


Verify Listen address for SSH:

# netstat -tunl | grep 33000
tcp          0        0 0.0.0.0:33000        0.0.0.0:*            LISTEN
tcp6        0        0 :::33000                :::*                    LISTEN

 

KB Article Written: 2023 January 15

How helpful was this article to you?

Posting has been disabled.