Servers are often attacked by automated bots. In the case of Linux servers, they try (in almost all cases) to penetrate as root users via SSH port 22 by means of brute force attacks.
We, therefore, recommend changing your SSH port and disabling access to SSH as root user on your VPS. The latter has already been automatically applied to our DirectAdmin, Plesk and cPanel VPSs.
In this article, we show you how to change your SSH port. Changing your SSH port is a form of 'security through obscurity'; you make your VPS (partially) untraceable for most of the attacking bots. An additional advantage is that your log files remain more organized and you get a clearer picture when your VPS is attacked.
Do you use DirectAdmin, Plesk, or cPanel? Then, for changing your SSH port, check out our articles about securing these control panels:
Follow the steps in this article as a user with root privileges
Step 1
Connect to your VPS via the VPS console. If you connect via SSH, your connection will disconnect while you process the changes.
Step 2
Check your ports used with the command:
netstat -tulpn | lessAn overview as shown in the screenshot below appears. In this overview, the port numbers are the numbers in the row 'Local Address' behind the colon.
Step 3
Choose a random port number between 0 and 65535 that is not shown in the overview (for example 47592) and press 'q' to stop netstat.
Step 4
Open the SSH configuration file with the command below. You can also use vim for this.
nano /etc/ssh/sshd_config
Step 5
The configuration file opens, and, amongst other things, you will see the code below.
# If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress ::
Uncomment / delete the # in front of '#Port 22' and change the number to the number you chose under step 2, for example:
Port 47592Save the file and close the file by pressing ctrl + x> y> enter.
Step 6
Add the chosen port to your firewall and connect port 22 to your firewall. Below, we have examples of some commonly used firewalls. Replace 47592 with the port number you selected in step 2.
Voeg de gekozen poort toe aan je firewall en sluit poort 22 in je firewall. Hieronder hebben wij voorbeelden van enkele veelgebruikte firewalls. Vervang 47592 door het poortnummer dat je in stap 2 hebt gekozen.
The VPS Firewall in the control panel
Step 1
Log in to your control panel and navigate to the relevant VPS.
Step 2
Click the cogwheel behind 'Network' (directly under the VPS console) and click 'VPS Firewall'.
Step 3
Remove the current SSH rule, if present, and add a custom rule for your new SSH port. Finally, click 'Save' to process the changes.
FirewallD
firewall-cmd --permanent --zone=public --add-port=47592/tcp
firewall-cmd --permanent --zone=public --remove-port=22/tcp
firewall-cmd --reloadOptionally you can open up SSH only for specific IP addresses or IP ranges in FirewallD as follows:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.123" port protocol="tcp" port="1234" accept'firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.0/24" port protocol="tcp" port="1234" accept' firewall-cmd --reload
Ufw
ufw allow 47592/tcp
ufw deny 22/tcpOptionally you can open up SSH only for specific IP addresses or IP ranges in UFW as follows:
ufw allow from 123.123.123.123 to any port 47592 proto tcpufw allow from 123.123.123.0/24 to any port 22 proto tcp
Nftables
Debian is switching to nftables instead of iptables. Since most Debian users use ufw or iptables and nftables is a lot more complicated than these solutions, it now falls outside the scope of this manual. We will include a separate article on the use of nftables in our knowledge base in the future.
Step 7
Finally, restart SSH with the command below.
systemctl restart sshd
Optional: Step 8 - Selinux
Do you use Selinux (you can check if you do using the command 'sestatus')? Add the selected port to Selinux as well:
semanage port -a -t ssh_port_t -p tcp 47592Are you getting an error that the semanage command cannot be found? Install the required package using:
yum install policycoreutils-python
Your SSH port has now been changed and your SSH connection can no longer be easily attacked by automated bots!
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.
If you want to discuss this article with other users, please leave a message under 'Comments'.