openSUSE

How To Change SSH Default Port on OpenSUSE

Change SSH Default Port on OpenSUSE

Securing your server is paramount in today’s digital landscape. One crucial step you can take is changing the default SSH port. The Secure Shell (SSH) protocol is a vital tool for remote server access, allowing administrators to securely manage their systems from anywhere in the world. However, its ubiquitous nature also makes it a prime target for malicious actors. By default, SSH listens on port 22, a well-known entry point that attackers frequently scan for vulnerabilities. This guide provides a comprehensive walkthrough on how to change the SSH default port on OpenSUSE, enhancing your server’s security posture against brute-force attacks and unauthorized access attempts. You’ll learn to modify SSH configuration files, adjust firewall settings, and verify the new port to ensure seamless connectivity.

Understanding SSH Ports and Security

The default SSH port, TCP port 22, is the standard listening port for SSH daemons. While convenient for initial setup, it’s also a significant security risk. Attackers know this default port and often use automated scripts to scan for open SSH services, attempting to gain access through brute-force attacks, dictionary attacks, or exploiting known vulnerabilities. Changing the default port makes your server less visible to these automated attacks. It’s not a silver bullet, but it adds a layer of obscurity, increasing the attacker’s effort required to find and exploit your SSH service.

Think of it like this: leaving your SSH port at the default is like leaving your front door unlocked. Changing it is like locking the door; it doesn’t guarantee complete safety, but it deters casual intruders. This measure should be complemented with other security best practices, such as key-based authentication, disabling root login, and using a strong firewall. Remember, security is a multi-layered approach, and changing the SSH port is one valuable component.

When attackers target the default SSH port, they often employ techniques like brute-force attacks, where they try numerous username and password combinations until they find a match. Port scanning is another common method, where automated tools scan a range of IP addresses looking for open port 22 connections. Once an open port is found, attackers can then probe for vulnerabilities or attempt to gain unauthorized access.

Prerequisites and Preparation

Before diving into the configuration process, ensure you have the necessary prerequisites in place. You’ll need a server running OpenSUSE with SSH already installed. It’s also crucial to have sudo or root access to modify system configuration files and restart services. Backing up your current SSH configuration is essential to revert to the original settings if something goes wrong. You should also have an active terminal session during the procedure to avoid being locked out during changes.

Consider these preparations before proceeding:

  • System Requirements: A running OpenSUSE instance with SSH installed.
  • Backup Recommendations: Back up the /etc/ssh/sshd_config file.
  • Current SSH Status Verification: Use systemctl status sshd to verify the service status.
  • Port Selection Considerations: Choose a port number above 1024 and not already in use.
  • Required Permissions and Access: Ensure you have sudo or root privileges.

Choosing a new port is more than just picking a random number. It’s advisable to select a port number above 1024 to avoid conflicts with well-known ports used by other services. Check the /etc/services file to ensure your chosen port isn’t already assigned. Ensure you select a port that isn’t commonly associated with other services to prevent confusion and potential conflicts.

Step-by-Step Configuration Process

This section details how to modify the SSH configuration file, a crucial step in changing the SSH port on OpenSUSE. The primary file you’ll be working with is /etc/ssh/sshd_config, which controls the behavior of the SSH daemon. This involves locating the configuration file, backing it up, and modifying the port settings. Always proceed with caution and double-check your syntax to avoid errors.

  1. Accessing SSH Configuration:Open a terminal with sudo or root privileges.
  2. Locating Configuration Files:The main SSH configuration file is located at /etc/ssh/sshd_config.
  3. Backing Up Existing Configuration:Create a backup of the file using the following command:
    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
  4. Modifying Port Settings:Open the sshd_config file with a text editor, such as nano or vim:
    sudo nano /etc/ssh/sshd_config

    or

    sudo vim /etc/ssh/sshd_config

    Locate the line that reads #Port 22. Remove the # symbol to uncomment the line and change the port number to your desired port. For example, to change the port to 2222, modify the line to:

    Port 2222
  5. Syntax Requirements and Validation:Ensure the configuration file’s syntax is correct. Incorrect syntax can prevent the SSH service from starting. After making changes, save the file. In nano, press Ctrl + O to save, then Ctrl + X to exit. In vim, press Esc, then type :wq and press Enter to save and exit.

It’s also possible to specify multiple ports for SSH to listen on. Add multiple Port directives in the sshd_config file. This can be useful as a temporary measure during the transition to the new port, allowing connections on both the old and new ports until you’ve verified the new configuration.

Firewall Configuration

OpenSUSE uses a firewall to control network traffic, and you’ll need to adjust the firewall rules to allow connections on the new SSH port. This typically involves adding a new rule to allow TCP traffic on the selected port. The default firewall on OpenSUSE is SuSEfirewall2, but firewalld is also commonly used. Depending on which firewall solution you use, the commands to allow the new port will differ.

Adjusting firewall rules ensures that external connections on the new SSH port are permitted. Otherwise, you might find yourself locked out of your server. Testing the firewall configuration after making changes is crucial.

If you are using firewalld, follow these steps:

  1. Adding New Port Rules:Add the new port to the firewall using the following command, replacing 2222 with your chosen port:
    sudo firewall-cmd --permanent --add-port=2222/tcp
  2. Reloading Firewall:Reload the firewall to apply the changes:
    sudo firewall-cmd --reload

If you are using SuSEfirewall2, follow these steps:

  1. Configuring SuSEfirewall2:Edit the /etc/sysconfig/SuSEfirewall2.d/services/sshd file:
    sudo nano /etc/sysconfig/SuSEfirewall2.d/services/sshd

    Change TCP="ssh" to TCP="2222", replacing 2222 with your chosen port. Alternatively, use TCP="ssh 2222" to allow both the default and new ports.

  2. Restarting Firewall:Restart the firewall to apply the changes:
    sudo SuSEfirewall2 restart

Ensure that the firewall is enabled and running. Use the appropriate commands to check its status and start it if necessary. Testing the firewall settings can involve using tools like nmap to scan the server’s ports from an external machine.

Service Management

After modifying the SSH configuration and adjusting the firewall, you need to restart the SSH service for the changes to take effect. Verifying the service status after restarting ensures that the service is running correctly and listening on the new port. You should also monitor system logs for any errors that might occur during the restart process.

  1. Restarting SSH Service:Restart the SSH service using the following command:
    sudo systemctl restart sshd
  2. Verifying Service Status:Check the status of the SSH service to ensure it’s running without errors:
    sudo systemctl status sshd
  3. Handling Service Errors:If the service fails to start, check the system logs for error messages. Common errors include syntax errors in the sshd_config file or port conflicts.
  4. System Logs Monitoring:Monitor system logs using journalctl -u sshd to identify any issues.

If the SSH service fails to restart, review your changes to the sshd_config file for syntax errors. Use the command sshd -t to test the configuration file for syntax errors before restarting the service. Correct any identified errors and try restarting the service again.

Testing and Verification

After changing the SSH port and restarting the service, it’s crucial to test the new configuration. This ensures that you can still connect to your server using the new port and that the changes haven’t introduced any connectivity issues. This involves attempting to connect to the server using the new port from a different terminal or machine. Verify port accessibility using tools like nmap.

  1. Connection Testing Procedures:Open a new terminal and attempt to connect to the server using the new port. Specify the port using the -p option:
    ssh username@your_server_ip -p 2222

    Replace username with your username, your_server_ip with your server’s IP address, and 2222 with your new port number.

  2. Troubleshooting Common Issues:If you can’t connect, check the following:
    • Ensure the SSH service is running.
    • Verify the firewall is configured correctly.
    • Double-check the port number in the sshd_config file.
    • Check for typos in the connection command.
  3. Verifying Port Accessibility:Use nmap from another machine to verify that the new port is open:
    nmap -p 2222 your_server_ip

    Replace 2222 with your new port number and your_server_ip with your server’s IP address.

  4. Security Validation:After confirming that the new port is working, consider closing the default port (22) in your firewall to enhance security. This prevents attackers from targeting the default port.

If you encounter connection issues, double-check your firewall rules to ensure that the new port is allowed. Also, verify that the SSH service is indeed listening on the new port by using the command netstat -tulnp | grep sshd. This command shows the ports on which the SSH daemon is listening.

Best Practices and Security Considerations

While changing the default SSH port adds a layer of security, it’s not a complete solution. Combining this measure with other security best practices is crucial for robust server protection. Implement additional security measures. This includes using key-based authentication, disabling root login, using strong passwords, and keeping your system updated.

Port selection should follow these guidelines:

  • Port Selection Guidelines:Choose a port number above 1024 to avoid conflicts with well-known ports. Avoid commonly used port numbers. Select a port that is not easily guessable.
  • Additional Security Measures:
    • Implement key-based authentication.
    • Disable root login.
    • Use strong passwords.
    • Keep your system updated.
  • Logging and Monitoring:Enable logging and regularly monitor SSH logs for suspicious activity. Use tools like fail2ban or sshguard to automatically block malicious IPs.
  • Backup Connection Methods:Always have a backup plan in case you get locked out of your server. This might involve having a console access or another trusted user who can log in and fix the configuration.

Logging and monitoring are essential for detecting and responding to security incidents. Regularly review your SSH logs for unusual activity, such as failed login attempts or connections from unknown IP addresses. Consider using intrusion detection systems to automate this process and alert you to potential threats.

Troubleshooting Guide

Even with careful planning, you might encounter issues when changing the SSH port. This section provides guidance on troubleshooting common configuration errors, connection problems, firewall issues, and service failures. Addressing these problems quickly ensures minimal downtime and maintains your server’s security.

  • Common Configuration Errors:Syntax errors in the sshd_config file are a common cause of problems. Use the command sshd -t to test the configuration file for syntax errors.
  • Connection Issues:If you can’t connect after changing the port, check the following:
    • Ensure the SSH service is running.
    • Verify the firewall is configured correctly.
    • Double-check the port number in the sshd_config file.
    • Check for typos in the connection command.
  • Firewall Problems:Ensure that the firewall is allowing traffic on the new port. Use the appropriate commands to add the new port to the firewall rules.
  • Service Failures:If the SSH service fails to start, check the system logs for error messages. Use journalctl -u sshd to view the logs.

If you are locked out of your server, you may need to use a console connection or another trusted user to log in and fix the configuration. Always have a backup plan in place to handle such situations.

Congratulations! You have successfully changed the SSH port. Thanks for using this tutorial to change the change default SSH port on the openSUSE system. For additional help or useful information, we recommend you check the official Manjaro website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Back to top button