Can the SSH port number be changed? (ZeroShell forum, Network Management)
securenet, August 14, 2009 at 6:47 pm (#41858)
I was reviewing the sshd_config file and saw that Port 22 is commented out.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

For security reasons I would like to change it.
Will un-commenting it and changing the port number negatively affect the SSH server?
In other words, Will It Break It?

ppalias, August 16, 2009 at 7:35 am (#48609)
MemberIt is commented in order to use the default 22. You may comment it out, change it and restart sshd to make changes active. Don’t forget to allow the new port on firewall!
Serilca, September 27, 2009 at 9:56 pm (#48610)
Unfortunately this solution doesn’t work after a reboot; the config file is reset to its default value.
Is there any permanent way to do it? And also, is there a way to change the SYS_SSH port value in iptables?

ppalias, September 28, 2009 at 3:13 pm (#48611)
You can make any change permanent if you add it in the pre-boot or post-boot scripts.
For your case, put the change script in the pre-boot one, so that it changes the value 22 to the desired port.

Serilca, September 29, 2009 at 12:45 am (#48612)
This would probably be a good feature to add, because from my experience changing the ssh port is a good way to add one more layer of security to a box. The only things I run on their standard ports are the http and smtp servers, and only if they have to be publicly accessed.

kawarmc, September 29, 2009 at 12:04 pm (#48613)
Not only port 22 for ssh should be changed, or at least the user should be permitted to change it. There are other services that should be changed also, like http or https.
What happens when you run a web server on the LAN side and need to do a port redirection? Right now, the only solution is to change the zeroshell web server using a cron job to execute after booting, and that is not a clear nor elegant way of doing it. It involves some knowledge of bash, linux and apache to perform that task.
It shouldn’t be too difficult to implement that on the web interface and have the changes be permanent in the Database.
JC, September 29, 2009 at 5:51 pm (#48614)
@kawarmc
To run servers on your LAN accessible from the web:
-> Network – Router – Virtual Server
then fill in the fields as required. I run several forwarded servers – web server, email server, and remote access to one internal machine, all set up through virtual servers. Hope this helps.
JC

kawarmc, October 4, 2009 at 7:56 pm (#48615)
Yes, I knew I can do that, but then you won’t be able to administer your zs box from outside if you don’t have a VPN connection available (which I don’t always have).
What I really do is change the zs http and https ports with a really simple postboot script.
What I do is copy the files httpd.conf and ssl.conf from /etc/httpd/conf to /Database/scripts.
In those 2 files, I change the lines:
on httpd.conf
Listen 80 ---> Listen
on ssl.conf
Listen 443 ---> Listen
I also usually change the following line on httpd.conf:
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
with
RewriteRule ^.*$ https://%{SERVER_NAME}:1443%{REQUEST_URI} [L,R]
After that, I create a postboot cron script with the following content:
rm -f /etc/httpd/conf/httpd.conf
rm -f /etc/httpd/conf/ssl.conf
cp -a /Database/scripts/httpd.conf /etc/httpd/conf/
cp -a /Database/scripts/ssl.conf /etc/httpd/conf/
/etc/init.d/httpd restart
That way, I know for sure the ports will never be used by zs’ apache, I’m still able to connect from outside, and I keep unwanted people from trying to break into the machine…. (at least fewer of them will find the correct port)
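As an added example (not ZeroShell's code and not any poster's script), here are the pieces of this thread combined into one idempotent post-boot script: it rewrites the sshd Port line that securenet found commented out, opens the new port in iptables before restarting sshd as ppalias advised, and applies kawarmc's Listen and RewriteRule changes in place rather than copying whole config files over, so a ZeroShell update that ships a new httpd.conf does not silently revert them. Everything environment-specific is an assumption taken from the thread: the paths /etc/ssh/sshd_config, /etc/httpd/conf/httpd.conf and /etc/httpd/conf/ssl.conf, the /etc/init.d/sshd and /etc/init.d/httpd restart commands, the stock "sshd -t" and "httpd -t" config checks, the placeholder ports 2222, 1080 and 1443, and an INPUT-chain iptables rule in place of ZeroShell's own SYS_SSH chain, whose layout the thread does not show.

```shell
#!/bin/sh
# Added example, not ZeroShell's or any poster's code. Paths, restart commands
# and port numbers below are assumptions taken from the thread.

# set_sshd_port CONFIG PORT
# Turn the first Port line (commented "#Port 22" or active) into "Port PORT",
# disable any other active Port lines, and append one if none exists.
# Safe to run on every boot: a second run changes nothing.
set_sshd_port() {
    conf="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: '$port' is not a port number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: $port is out of range" >&2; return 1
    fi
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1; next }   # first Port line wins
            if ($0 !~ /^[ \t]*#/) { print "#" $0; next }     # disable stray active ones
        }
        { print }
        END { if (!done) print "Port " p }                    # file had no Port line at all
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# set_listen_port CONFIG OLD NEW
# Rewrite "Listen OLD" (also "Listen addr:OLD" and "Listen OLD https") to NEW,
# leaving every other Listen line and the rest of the file untouched.
set_listen_port() {
    conf="$1"; old="$2"; new="$3"
    awk -v old="$old" -v new="$new" '
        $1 == "Listen" {
            n = split($2, a, ":")                 # "80", "0.0.0.0:80" or "[::]:80"
            if (a[n] == old) {
                a[n] = new; s = a[1]
                for (i = 2; i <= n; i++) s = s ":" a[i]
                $2 = s
            }
        }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# set_redirect_port CONFIG PORT
# Point the http->https RewriteRule at the new https port while keeping
# %{REQUEST_URI} and the [L,R] flags; a rerun just rewrites the port again.
set_redirect_port() {
    conf="$1"; port="$2"
    sed -E '/^[[:space:]]*RewriteRule/ s|(https://%[{]SERVER_NAME[}])(:[0-9]+)?|\1:'"$port"'|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Apply section: runs only as "sh this_script apply", which is how the
# post-boot hook would call it. Order matters: open the firewall first, then
# validate each config, and restart only a daemon whose config passed.
if [ "${1:-}" = "apply" ]; then
    SSH_PORT=2222; HTTP_PORT=1080; HTTPS_PORT=1443      # placeholder values
    iptables -C INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT 2>/dev/null ||
        iptables -I INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    set_sshd_port /etc/ssh/sshd_config "$SSH_PORT"
    sshd -t && /etc/init.d/sshd restart                 # -t: never restart on a broken config

    set_listen_port /etc/httpd/conf/httpd.conf 80 "$HTTP_PORT"
    set_listen_port /etc/httpd/conf/ssl.conf 443 "$HTTPS_PORT"
    set_redirect_port /etc/httpd/conf/httpd.conf "$HTTPS_PORT"
    httpd -t && /etc/init.d/httpd restart
fi
```

Without the "apply" argument the script only defines the three functions, so the rewrite logic can be tried on copies of the files before it is wired into the boot hook. Keep an existing SSH session open while testing: the -t checks catch syntax errors, not a firewall rule that never got added. Moving a port keeps casual scanners and log noise down, but a full port scan still finds sshd by its banner, so key-only authentication and rate limiting remain the controls that actually stop a break-in.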
ppalias, October 5, 2009 at 9:47 am (#48616)
You could do the changes in preboot to avoid the httpd restart.

kawarmc, October 5, 2009 at 1:27 pm (#48617)
I prefer to do it in postboot just because I don’t really know what the bootstrapping process of zeroshell is, so just in case I break something in the middle of the booting process, I prefer to let the system finish and then restart the HTTP server. It’s just a matter of a few more seconds… 🙂