Changing SSH Port
Notes:
- Port 2000 will be used during this guide as an example
- You may choose any port greater than 1024
- Ports 1024 and below are reserved for well-known system services, so staying above that range avoids conflicts with most of them
- Always double-check your exposed ports before proceeding
Setting Up Your Oracle Cloud Environment
Login to Oracle Cloud:
- Access your instance and select the subnet under the Primary VNIC
- Choose the Default Security List
Add Ingress Rule:
- Add SSH connection
- Source CIDR: 0.0.0.0/0 (this admits connections from any address; narrow it to the address range you connect from where your setup permits)
- Protocol: TCP
- Destination Port Range: 2000
Accessing Your Web Server
- SSH into your web server
- Use your private key to connect securely
Check the Status of Firewalld
- This command checks if the firewalld service is active and running
- systemctl is the system management tool used to control system services, and status shows whether the service is running, inactive, or failed
sudo systemctl status firewalld
Start Firewalld (if not started)
- This command starts the firewalld service if the status check above showed it inactive
- Starting the service takes effect immediately but does not by itself make firewalld start on boot; that is the next step
sudo systemctl start firewalld
Enable Firewalld to Start on Boot (if not enabled)
- This command ensures that the firewalld service starts automatically when the system boots, so the firewall rules added below remain in force across reboots
sudo systemctl enable firewalld
Add a New Port to Firewalld
- This command adds port 2000 to the list of allowed ports in the public zone of firewalld
- Without adding port 2000 to firewalld, the firewall would block SSH access on this new port
sudo firewall-cmd --zone=public --add-port=2000/tcp --permanent
Reload Firewalld to Apply Changes
- After making changes to the firewall configuration (such as adding or removing ports), reloading firewalld is necessary for the changes to take effect
sudo firewall-cmd --reload
List All Open Ports in Firewalld
- Verify that port 2000 is indeed open and accessible for SSH
sudo firewall-cmd --list-ports
Add Port 2000 in iptables (direct rule)
- This iptables command inserts a rule at position 6 of the INPUT chain that accepts new incoming TCP connections on port 2000, allowing SSH on the custom port through the iptables firewall
- Inserting (-I) at a fixed position rather than appending (-A) places the rule ahead of any later rule that rejects remaining traffic; run sudo iptables -L INPUT --line-numbers first to confirm that position 6 sits above such a rule
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 2000 -j ACCEPT
Save iptables Rules (persistent rules)
- This command saves the current iptables rules so they persist after a reboot. The netfilter-persistent tool ensures the rules are loaded again when the system starts
- Without saving the iptables configuration, any rules you add will be lost after a reboot
sudo netfilter-persistent save
List Current iptables Rules
- This command lists all the current iptables rules in the INPUT, OUTPUT, and FORWARD chains. It shows which ports are open and how traffic is being handled
- It helps you verify that the rule for port 2000 has been added successfully
sudo iptables -L
Backup the sshd_config File
- This command creates a backup of the SSH configuration file (/etc/ssh/sshd_config) before making any changes to it
- Creating a backup allows you to revert to the original configuration if something goes wrong
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
Edit the sshd_config File to Change the Port
- Opens the SSH daemon configuration file in the nano text editor. Find the line reading #Port 22, remove the leading # if present, and change it to Port 2000 so that SSH listens on port 2000 instead of the default port 22
- Before restarting, run sudo sshd -t to check the file for syntax errors, and keep your current SSH session open until you have confirmed that a new connection on port 2000 works
sudo nano /etc/ssh/sshd_config
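The manual nano edit above can be done repeatably with the shell functions below. This is an added example, not part of the original guide: set_sshd_port rewrites the Port directive in an sshd_config-style file (the path and port are arguments, so it can be tried on a copy first) and active_ssh_port reads back the value sshd would bind to.

```shell
# set_sshd_port CONFIG PORT
# Leaves exactly one active "Port PORT" line, covering the states the file may be in:
#   - a commented default "#Port 22"      -> replaced in place by "Port PORT"
#   - one or more active "Port N" lines   -> the first is replaced, the rest dropped
#   - no Port line at all                 -> "Port PORT" is inserted as the first line,
#     because Port is not allowed inside a Match block and sshd rejects a file
#     where it appears after one
set_sshd_port() {
  cfg=$1
  port=$2
  # Enforce the guide's "greater than 1024" rule and reject non-numeric input.
  case $port in
    ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
  esac
  if [ "$port" -le 1024 ] || [ "$port" -gt 65535 ]; then
    echo "set_sshd_port: port must be between 1025 and 65535" >&2; return 1
  fi
  # Keep a backup, as the guide does, and rewrite from the backup copy.
  cp "$cfg" "$cfg.backup"
  if grep -qE '^[[:space:]]*#?Port[[:space:]]+[0-9]+' "$cfg.backup"; then
    awk -v p="$port" '
      /^[ \t]*#?Port[ \t]+[0-9]+/ {
        if (!done) { print "Port " p; done = 1 }
        next
      }
      { print }' "$cfg.backup" > "$cfg"
  else
    { printf 'Port %s\n' "$port"; cat "$cfg.backup"; } > "$cfg"
  fi
}

# active_ssh_port CONFIG
# Prints the first uncommented Port value, i.e. what sshd would actually listen on.
active_ssh_port() {
  awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1"
}
```

Run as root against /etc/ssh/sshd_config, then `sshd -t` to validate the result before restarting the service.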
Restart the SSH Service to Apply the Changes
- Restarting the SSH service applies your new settings, allowing SSH to start listening on port 2000. The service unit is named ssh on Debian and Ubuntu; on Oracle Linux and other RHEL-based images it is sshd
sudo systemctl restart ssh
Remove Port 22 from Firewalld (block SSH on default port)
- Since you’re no longer using port 22 for SSH, you need to block it to prevent unauthorized access via the default port. Confirm from a second session that you can log in on port 2000 before removing port 22, or you may lock yourself out
sudo firewall-cmd --zone=public --remove-port=22/tcp --permanent
Reload Firewalld to Apply Changes
- This reloads firewalld to apply the changes (removing port 22) made to the configuration
sudo firewall-cmd --reload
Verify Open Ports in Firewalld
- It helps you confirm that port 22 has been successfully closed and port 2000 is the only open port for SSH
sudo firewall-cmd --list-ports
Block Incoming Connections on Port 22 via iptables
- This step ensures that even if firewalld doesn’t block port 22, iptables will reject any incoming connections on port 22, adding an extra layer of protection
- Because -A appends the rule to the end of the INPUT chain, an earlier ACCEPT rule for port 22 (if one exists in the default rule set) would still match first; check with sudo iptables -L INPUT --line-numbers and remove such a rule, or insert the REJECT above it with -I
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
Save iptables Rules Again
- This command saves the updated iptables configuration (including the rule to reject port 22) so it persists after reboot
sudo netfilter-persistent save
List Current iptables Rules Again
- It provides a final check to verify that your firewall and iptables settings are correctly applied
sudo iptables -L
Final Thoughts
This guide walks through moving SSH to a custom port and configuring the matching firewall rules. By following each step, SSH access is moved to port 2000 and port 22 is closed in both firewalld and iptables, so the firewall allows only the new port. Changing the port mainly cuts the noise from automated scans of port 22; it does not replace key-based authentication, which this guide assumes you already use. Ensure all changes are tested and saved for persistence across reboots. Stay secure and configure with confidence!