How to Change SSH Port on AlmaLinux Server: Complete Security Guide

The default SSH port on AlmaLinux servers is port 22, but changing it to a different port is highly recommended to enhance security and reduce automated attack attempts.

Why Change the Default SSH Port?

  • Reduce automated attacks: Most bots scan port 22 by default
  • Security through obscurity: Makes your server less visible to casual attackers
  • Log noise reduction: Fewer failed connection attempts in your logs
  • Compliance requirements: Some security policies require non-standard ports

Prerequisites

Before proceeding, ensure you have:

  • Root access to your AlmaLinux server
  • A text editor installed (nano, vim, etc.)
  • Basic knowledge of SSH connections
  • A backup connection method (console access) in case of issues

Step-by-Step Instructions

Step 1: Edit SSH Configuration File

Open the SSH daemon configuration file:

sudo nano /etc/ssh/sshd_config

Step 2: Locate and Modify the Port Setting

  1. Find the Port directive: Look for the line containing #Port 22 or Port 22

  2. Uncomment and modify:

    • Remove the # character at the beginning of the line
    • Change 22 to your desired port number

    Example:

    Port 22984

Step 3: Save the Configuration File

Save and exit the file:

  • Press Ctrl+X
  • Press Y to confirm changes
  • Press Enter to save

Step 4: Configure SELinux for the New Port

AlmaLinux runs SELinux in enforcing mode by default, and its policy only lets sshd bind to ports labelled ssh_port_t, so you need to add the new port to that type:

sudo semanage port -a -t ssh_port_t -p tcp 22984

Note: Replace 22984 with your chosen port number.

If the semanage command is not found, install the required package:

sudo dnf install policycoreutils-python-utils

Step 5: Configure Firewall

Add the new SSH port to the firewall rules:

sudo firewall-cmd --add-port=22984/tcp --permanent

Reload the firewall to apply changes:

sudo firewall-cmd --reload

Step 6: Restart SSH Service

Restart the SSH daemon to apply the configuration changes:

sudo systemctl restart sshd

Step 7: Verify the Configuration

Check if SSH is listening on the new port:

sudo ss -tlnp | grep :22984

You should see output similar to:

LISTEN 0 128 0.0.0.0:22984 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
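
The port has to match in three places: sshd_config (Step 2), the SELinux port label (Step 4) and firewalld (Step 5). The shell functions below are an added example, not part of the original guide, that check all three from captured command output before sshd is restarted; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks that sshd_config, SELinux and firewalld agree on the
# SSH port before sshd is restarted. Functions read captured output on stdin.

# Ports from sshd_config text (or `sshd -T` output). Keywords are
# case-insensitive, "#Port 22" is a comment, and no Port line means 22.
sshd_ports() {
  awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }'
}

# Succeeds if PORT is labelled ssh_port_t/tcp in `semanage port -l` output.
# Exact port entries only; ranges are not expanded.
selinux_allows() {
  awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
    for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); if ($i == p) ok = 1 } }
    END { exit !ok }'
}

# Succeeds if PORT/tcp is in `firewall-cmd --list-ports` output.
firewall_allows() {
  tr -s ' ' '\n' | grep -qx "$1/tcp"
}

# Prints the places where PORT is still missing; succeeds when none are.
# Args: port, sshd config text, semanage output, firewall-cmd output.
preflight() (
  port=$1 missing=""
  printf '%s\n' "$2" | sshd_ports | grep -qx "$port" || missing="$missing sshd_config"
  printf '%s\n' "$3" | selinux_allows "$port" || missing="$missing selinux"
  printf '%s\n' "$4" | firewall_allows "$port" || missing="$missing firewalld"
  echo "${missing# }"
  [ -z "$missing" ]
)

# Constructed sample data: Steps 2 and 4 done, Step 5 (firewall) forgotten.
SAMPLE_CFG='#Port 22
Port 22984
PermitRootLogin no'
SAMPLE_SEL='smtp_port_t                    tcp      25, 465, 587
ssh_port_t                     tcp      22984, 22'
SAMPLE_FW='8080/tcp'

preflight 22984 "$SAMPLE_CFG" "$SAMPLE_SEL" "$SAMPLE_FW" ||
  echo "fix the above before restarting sshd"

# Live use as root (sshd -T also resolves Include files):
#   preflight 22984 "$(sshd -T)" "$(semanage port -l)" "$(firewall-cmd --list-ports)"
```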

Testing the New Configuration

Test Before Closing Current Session

Important: Don’t close your current SSH session until you’ve verified the new configuration works.

  1. Open a new terminal window
  2. Connect using the new port:
    ssh -p 22984 username@your-server-ip
  3. Verify successful connection

Remove Old Port (Optional)

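Once you’ve confirmed the new port works, you can remove the old port from the firewall rules. On a default AlmaLinux install, port 22 is opened by the predefined ssh service rather than by a port rule, so remove that service; the --remove-port command is only needed if 22/tcp was added as an explicit port:

sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --remove-port=22/tcp --permanent
sudo firewall-cmd --reload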

Port Selection Best Practices

  • 1024-65535: Registered and dynamic/private ports (recommended)
  • Avoid: Well-known ports (1-1023)
  • Popular choices: 2222, 2022, 22222, or random high numbers

Port Selection Tips

  • Choose a port number between 1024-65535
  • Avoid commonly used ports (3389, 8080, 3306, etc.)
  • Use a random number generator for better security
  • Document your chosen port for future reference

Troubleshooting Common Issues

Connection Refused Error

If you can’t connect to the new port:

  1. Check if SSH is running:

    sudo systemctl status sshd
  2. Verify port binding:

    sudo ss -tlnp | grep sshd
  3. Check firewall rules:

    sudo firewall-cmd --list-ports

SELinux Denials

Check SELinux logs for denials:

sudo ausearch -m AVC -ts recent | grep ssh

Configuration Syntax Errors

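Test the SSH configuration syntax. Run this before every restart of sshd, because a configuration that fails to parse prevents the daemon from starting; no output means the file is valid: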

sudo sshd -t

Additional Security Measures

While changing the SSH port improves security, consider implementing these additional measures:

Disable Root Login

Add to /etc/ssh/sshd_config:

PermitRootLogin no

Use Key-Based Authentication

PasswordAuthentication no
PubkeyAuthentication yes

Limit User Access

AllowUsers username1 username2

Enable Fail2Ban

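sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable --now fail2ban

Note: Installing the package does not enable any jail, and the sshd jail bans traffic to the default SSH port unless configured otherwise. Enable the sshd jail and set its port to your new SSH port (22984 in this guide) in a local jail configuration file.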

Reverting Changes

If you need to revert to the default port:

  1. Edit the SSH configuration:

    sudo nano /etc/ssh/sshd_config
  2. Change port back to 22:

    Port 22
  3. Update SELinux and firewall:

    sudo semanage port -d -t ssh_port_t -p tcp 22984
    sudo firewall-cmd --remove-port=22984/tcp --permanent
    sudo firewall-cmd --add-service=ssh --permanent
    sudo firewall-cmd --reload
  4. Restart SSH:

    sudo systemctl restart sshd

Conclusion

Changing the SSH port on your AlmaLinux server is a simple yet effective security measure. While it’s not a complete security solution, it significantly reduces automated attacks and improves your server’s overall security posture.

Remember to:

  • Test thoroughly before closing your current session
  • Document your new port number
  • Update any automation scripts or monitoring tools
  • Consider implementing additional security measures for comprehensive protection

Always maintain a backup access method to your server in case of configuration issues.