SSH Daemon on Alternate Ports
Published: 2016-06-25
There comes a time in every sysadmin's life when they need to run SSH on an alternate port. It should be as simple as adding multiple Port <number> directives to /etc/ssh/sshd_config and issuing a restart to the daemon.
Except SELinux, as usual, finds a way to rain on the parade. But we don't want to disable it. Especially since reconfiguring it is so easy.
In this example we'll run SSH on its usual 22/tcp as well as 80+443/tcp by putting the following lines in the configuration file.
# Keep 22 explicitly: sshd only defaults to it when no Port line is present
Port 22
Port 80
Port 443
Since we obviously won't be needing those ports for Apache, it's safe to go ahead and relabel them.
$ sudo semanage port -m -t ssh_port_t -p tcp 80
$ sudo semanage port -m -t ssh_port_t -p tcp 443
Make sure the ports are open in firewalld.
$ sudo firewall-cmd --add-port 80/tcp --add-port 443/tcp --permanent
$ sudo firewall-cmd --reload
Then restart the daemon and test it out. As usual, make sure to have an active session running on standby in case you fubar your configuration.
Hint: some documentation will use port -a but these ports may already be labeled and -a will produce an error. Use -m instead.
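The -a versus -m choice from the hint can be decided per port before touching the policy. This is an added example, not part of the original post: the function names are hypothetical, and the `semanage port -l` listing and sshd_config fragment are constructed samples.

```shell
# Constructed sample of `semanage port -l` output (not from a real host).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61000-65535, 1024-32767'
# Constructed sample sshd_config fragment.
SAMPLE_CONFIG='#Port 2222
Port 22
Port 80
  port 443
Port 2200'

# Print port numbers from active (uncommented) Port directives; keywords are case-insensitive.
sshd_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Print the type that lists exactly tcp/<port>, preferring ssh_port_t when a
# relabeled port shows up under two types. Ranges are ignored (assumption:
# only an exact existing definition makes `-a` fail).
port_type() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p != port) continue
                if ($1 == "ssh_port_t") ssh = 1
                else if (other == "") other = $1
            }
        }
        END { if (ssh) print "ssh_port_t"; else if (other != "") print other }'
}

# Print the semanage command one port needs, or a comment if it needs none.
semanage_cmd() {
    t=$(port_type "$1" "$2")
    case "$t" in
        ssh_port_t) echo "# tcp/$1 is already ssh_port_t" ;;
        "")         echo "semanage port -a -t ssh_port_t -p tcp $1" ;;
        *)          echo "semanage port -m -t ssh_port_t -p tcp $1" ;;
    esac
}

# Print one line per Port directive in the given config text.
plan() {
    for p in $(sshd_ports "$1"); do semanage_cmd "$p" "$2"; done
}
plan "$SAMPLE_CONFIG" "$SAMPLE_LISTING"
```

On a live host, pass the contents of the sshd configuration file and the output of `semanage port -l` to plan in place of the samples.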