Skip to main content

How to change SSH port when SELinux policy is enabled

How to change SSH port when SELinux policy is enabled

How to change SSH port when SELinux policy is enabled

In this tutorial, you will learn how to change SSH port when SELinux policy is enabled in CentOS or RedHat or Fedora flavour. When SELinux is operating in enforcing mode, the SELinux policy is enforced and access is denied based on SELinux policy rules. TCP port 22 is the standard SSH port on the majority of Linux and Unix systems. This is readily modifiable to a port not used by any other applications on the system.

When SELinux is operating in Enforcing mode, the to-be-set port must be relabeled so that Policy rules controlling access will permit the ssh service to bind.

Prerequisites:

  • Super user or any normal user with SUDO privileges
  • Any utility to edit a file such as vi, vim or nano

Steps to change the port when SeLinux policy is enforced

Step 1: Check the current port of ssh service and selinux mode

netstat -tunlp | grep ssh
getenforce

Default port of ssh and selinux policy

Default port of ssh and selinux policy

Step 2: Now goto the SSH configuration file and navigate to keyword- "Port" and if the existing line is commented then make a new entry in next line like as shown in below picture

vim /etc/ssh/sshd_config

Configuration file of SSH

Configuration file of SSH

Here, we want to change our default port from 22 to 5353. If you want to change the default port to any other port number, just mention after "Port".

Now if your restart the SSH services, The service will not restart and will give you the below error in journalctl -xe

SSh sevices restart without changing the labeling in semanage

SSh sevices restart without changing the labeling in semanage

Step 3: Now check the labeled port for SSH service in SELinux policy

semanage port -l | grep ssh

SSH port labeled in SELinux policy

SSH port labeled in SELinux policy

Step 4: Now add another port lable in selinux policy for SSh service. This will enable you to run your SSH service in either 22 or 5353 port number.

semanage port -a -p tcp -t ssh_port_t 5353

Step 5: Now restart the SSH service by using systemctl command as below

systemctl restart sshd

Service restarted successfully after enabeling the port in selinux policy

Service restarted successfully after enabeling the port in selinux policy

Step 6: To crosscheck the listening port of SSH, after follow the above steps, you can check this using netstat command.

netstat -tunlp | grep ssh

Port changed successfully when selinux policy is enabled

Port changed successfully when selinux policy is enabled

Step 7: If you want to delete the port label from Selinux, you can do so using below command. But remember that, after executing the next command you will not be able to restart the service without change the port number in SSH configuration file.

semanage port -d -t ssh_port_t -p tcp 5353

And this is how you can change the port number of SSH when Selinux policy is enabled.