Change Red Hat 7.x/CentOS 7.x SSH Default Port (SELinux Involved)

This article describes how to change the SSH port on a Linux system (in this exercise we use CentOS 7.3) so that sshd listens on a port other than the default (TCP port 22). Because SELinux only allows sshd to bind to labelled ports, the change also requires a SELinux modification, which we cover as well.

1. First, verify the default configuration and the output of the sshd service.

    1.1 Verify sshd_config for port configuration.

[root@system1 ~]# cat /etc/ssh/sshd_config | grep "Port 22"  
#Port 22

          Even though the Port 22 line is commented out, sshd uses port 22 by default.

    1.2 Confirm that system is now listening on port 22.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:22            *:*                   users:(("sshd",pid=5485,fd=3))
tcp    LISTEN     0      128      :::22           :::*                   users:(("sshd",pid=5485,fd=4))

    1.3 SELinux should be in Enforcing mode. If it is not, edit /etc/sysconfig/selinux and change the SELinux mode.

[root@system1 ~]# getenforce 
Enforcing

2. Change the default SSH port and restart the service.

    2.1 Modify sshd_config file to use port 20002 as the default port.

[root@system1 ~]# vim /etc/ssh/sshd_config  
...........
Port 20002
...........

    2.2 Restart sshd service.

[root@server ~]# systemctl restart -l sshd
Job for sshd.service failed because a configured resource limit was exceeded. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@server ~]# systemctl status -l sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: resources) since Sun 2017-02-26 23:43:51 WIB; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5534 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5485 (code=exited, status=0/SUCCESS)

Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service never wrote its PID file. Failing.
Feb 26 23:43:51 server.mylab.com systemd[1]: Failed to start OpenSSH server daemon.
Feb 26 23:43:51 server.mylab.com systemd[1]: Unit sshd.service entered failed state.
Feb 26 23:43:51 server.mylab.com systemd[1]: sshd.service failed.

          You can see that the service failed to start. The quickest way to troubleshoot is to disable SELinux temporarily (setenforce 0) and see whether it is what blocks the sshd service. In this exercise we instead use sealert to get more information about the denial.

    2.3 Check if SELinux is blocking sshd from binding to port 20002/TCP.

[root@server ~]# sealert -a /var/log/audit/audit.log 
100% done
found 3 alerts in /var/log/audit/audit.log
...
SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket port 20002.

*****  Plugin bind_ports (92.2 confidence) suggests   ************************

If you want to allow /usr/sbin/sshd to bind to network port 20002
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 20002
    where PORT_TYPE is one of the following: ssh_port_t, vnc_port_t, xserver_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.41 confidence) suggests   **************************

If you believe that sshd should be allowed name_bind access on the port 20002 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -i my-sshd.pp


Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 20002 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          20002
Host                          
Source RPM Packages           openssh-server-6.6.1p1-33.el7_3.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.mylab.com
Platform                      Linux server.mylab.com 3.10.0-514.6.1.el7.x86_64
                              #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64
Alert Count                   5
First Seen                    2017-02-26 23:43:47 WIB
Last Seen                     2017-02-26 23:44:33 WIB
Local ID                      b4e40db1-4036-4c63-b35e-6ea5f7bb01c8
...

          The sealert output gives complete information about the issue we are facing. Several important pieces of information shown above (the bind_ports plugin suggestion and the target context unreserved_port_t on port 20002) are the clue to fixing it.

    2.4 Verify the SELinux port label for ssh and make the necessary change.

[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22

          By default the SELinux ssh_port_t type is bound to port 22 only. Add the non-default port to it.

[root@server ~]# semanage port -a -t ssh_port_t -p tcp 20002
[root@server ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      20002, 22

    2.5 Restart sshd service.

[root@server ~]# systemctl restart sshd
[root@server ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-02-26 23:46:43 WIB; 5s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 5689 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5690 (sshd)
   CGroup: /system.slice/sshd.service
           └─5690 /usr/sbin/sshd

Feb 26 23:46:43 server.mylab.com systemd[1]: Starting OpenSSH server daemon...
Feb 26 23:46:43 server.mylab.com systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on 0.0.0.0 port 20002.
Feb 26 23:46:43 server.mylab.com sshd[5690]: Server listening on :: port 20002.
Feb 26 23:46:43 server.mylab.com systemd[1]: Started OpenSSH server daemon.

3. Confirm that the system is now listening on port 20002.

[root@server ~]# ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:20002                 *:*              users:(("sshd",pid=5690,fd=3))
tcp    LISTEN     0      128      :::20002                :::*              users:(("sshd",pid=5690,fd=4))

4. Add a firewall rule so that other systems can reach this system on port 20002/TCP.

    4.1 Verify the current firewall rules.

[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:

          You may see that the ssh service is already allowed, but note that this covers ssh on its default TCP port (22) only. Hence you still need to add port 20002.

    4.2 Add port 20002 to the firewall and verify it.

[root@server ~]# firewall-cmd --permanent --add-port=20002/tcp
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd  --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client https samba ssh
  ports: 20002/tcp 3260/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:
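As an added example (not part of the original article), the two verification steps of the procedure, checking the SELinux port label and checking what sshd actually listens on, as reusable POSIX shell functions. Each function takes the command output as an argument, so on the host it can be fed the real output of semanage or ss; here it is exercised on constructed samples copied from the article.

```shell
#!/bin/sh
# Added example, not from the original article: offline checks for the
# verification steps above. Each function takes the command output as its
# second argument, so on the host it can be fed real output, e.g.
#   ssh_port_allowed 20002 "$(semanage port -l)"; sshd_listening 20002 "$(ss -tulpn)"

# Sample `semanage port -l` lines before and after the change (constructed).
SEMANAGE_BEFORE='ssh_port_t                     tcp      22'
SEMANAGE_AFTER='ssh_port_t                     tcp      20002, 22'

# Sample `ss -tulpn` output after the restart (constructed from the article).
SS_AFTER='tcp    LISTEN     0      128       *:20002                 *:*              users:(("sshd",pid=5690,fd=3))
tcp    LISTEN     0      128      :::20002                :::*              users:(("sshd",pid=5690,fd=4))'

# ssh_port_allowed PORT SEMANAGE_OUTPUT: exit 0 if PORT is in the ssh_port_t tcp
# list. Whole entries only (2000 != 20002); ranges like 2200-2210 are handled too.
ssh_port_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (split(v, r, "-") == 2) {
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                } else if (v == p) {
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# sshd_listening PORT SS_OUTPUT: exit 0 if an sshd LISTEN socket ends in :PORT.
sshd_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "LISTEN" && $5 ~ (":" p "$") && $0 ~ /"sshd"/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed samples (last line prints only if sshd is listening).
for out in "$SEMANAGE_BEFORE" "$SEMANAGE_AFTER"; do
    if ssh_port_allowed 20002 "$out"; then
        echo "tcp/20002 is labelled ssh_port_t"
    else
        echo "tcp/20002 is not ssh_port_t: run 'semanage port -a -t ssh_port_t -p tcp 20002'"
    fi
done
sshd_listening 20002 "$SS_AFTER" && echo "sshd is listening on tcp/20002"
```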

Happy labbing!!!

Source: Red Hat System Administration III

Contributor:

Ananto Yudi Hendrawan
Network Engineer - CCIE Service Provider #38962, RHCE, VCP6-DCV
nantoyudi@gmail.com