Can the SSH port number be changed?


This topic contains 8 replies, has 0 voices, and was last updated by  securenet 9 years, 7 months ago.

  • #41858

    securenet
    Member

    I was reviewing the sshd_config file and saw that Port 22 is commented out.

    #Port 22
    Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    For security reasons I would like to change it.
    Will un-commenting it and changing the port number negatively affect the SSH Server?
    In other words, Will It Break It?

    #48609

    ppalias
    Member

    It is commented in order to use the default 22. You may comment it out, change it and restart sshd to make changes active. Don’t forget to allow the new port on firewall!

    #48610

    Serilca
    Member

    Unfortunately this solution doesn’t work after a reboot; the config file is reset to its default value.
    Is there any permanent way to do it? And also, is there a way to change the SYS_SSH port value in iptables?

    #48611

    ppalias
    Member

    You can make any change permanent if you add it in the pre-boot or post-boot scripts.
    For your case, put the change script in the pre-boot that will change the value 22 to the desired one.
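
One way to write the pre-boot change script described in the post above, as an added example that is not part of the original thread. The helper name `set_sshd_port`, the config path in the comment and port 2222 are assumptions; the function is safe to run on every boot and keeps `Port` ahead of any `Match` block, where sshd requires global keywords to be.

```shell
#!/bin/sh
# Added example (hypothetical helper, not ZeroShell's own code).
# Usage from a pre-boot script, path and port being assumptions:
#   set_sshd_port /path/to/sshd_config 2222
set_sshd_port() {
    cfg=$1
    port=$2
    # Accept only a plain decimal integer of at most five digits.
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 2; }
    [ -f "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }

    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    awk -v port="$port" '
        # The first "Port N" line, active or commented, becomes the setting.
        !done && /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+[ \t]*$/ {
            print "Port " port; done = 1; next
        }
        # A later active Port line would open a second listener: drop it.
        done && /^[ \t]*Port[ \t]+[0-9]+/ { next }
        # No Port line seen yet: insert it before the first Match block.
        !done && /^[ \t]*Match[ \t]/ { print "Port " port; done = 1 }
        { print }
        END { if (!done) print "Port " port }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back only when something changed; cat keeps owner and mode.
    if cmp -s "$tmp" "$cfg"; then
        rm -f "$tmp"
    else
        cat "$tmp" > "$cfg" && rm -f "$tmp"
    fi
}
```

The new port still has to be allowed on the firewall before sshd is reachable on it.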

    #48612

    Serilca
    Member

    This would probably be a good feature to add because from my experience changing the ssh port is a good way to add one more layer of security to a box. The only thing I run on their standard ports are the http and smtp servers, and only if they have to be publicly accessed.

    #48613

    kawarmc
    Member

    Not only port 22 for ssh should be changed or at least permit the user to change it. There are other services that should be changed also, like http or https.

    What happens when you run a web server on the LAN side and need to do a port redirection? Right now, the only solution is to change zeroshell web server using a cron job to execute after booting, and that is not a clear nor elegant way of doing it. It involves some knowledge of bash, linux and apache to perform that task.

    It shouldn’t be too difficult to implement that on the web interface and have the changes be permanent on the Database.

    #48614

    JC
    Member

    @kawarmc
    to run servers on your LAN accessible from the web:
    -> Network – Router – Virtual Server
    then fill in the fields as required. I run several forwarded servers – Web server, Email server, and remote access to one internal machine, all set thru virtual servers.

    Hope this helps.
    JC

    #48615

    kawarmc
    Member

    Yes, I knew I can do that, but then you won’t be able to administer your zs box from outside if you don’t have a VPN connection available (which I don’t always have).

    What I really do is to change zs http and https ports with a really simple postboot script.

    What I do is copy the files httpd.conf and ssl.conf from /etc/httpd/conf to /Database/scripts

    on those 2 files, I change the lines
    on httpd.conf

    Listen 80     --->   Listen 

    on ssl.conf

    Listen 443    --->   Listen 

    I also usually change the following line on httpd.conf:

    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

    with

    RewriteRule ^.*$ https://%{SERVER_NAME}:1443

    After that, I create a postboot cron script with the following content:

    rm -f /etc/httpd/conf/httpd.conf
    rm -f /etc/httpd/conf/ssl.conf

    cp -a /Database/scripts/httpd.conf /etc/httpd/conf/
    cp -a /Database/scripts/ssl.conf /etc/httpd/conf/

    /etc/init.d/httpd restart

    That way, I know for sure the ports will never be used by zs’ apache, I’m still able to connect from outside, and keep unwanted people from trying to break into the machine…. (at least fewer of them will find the correct port)

    #48616

    ppalias
    Member

    You could do the changes in preboot to avoid the httpd restart.

    #48617

    kawarmc
    Member

    I prefer to do it in postboot just because I don’t really know the bootstrapping process of zeroshell, so just in case I break something in the middle of the booting process, I prefer to let the system finish and then restart the HTTP server. It’s just a matter of a few more seconds… 🙂
