In this article we will see how to change the standard SSH port (22) to a non-standard one and how to disable password authentication.
!!! IMPORTANT !!!
Make sure you have already created SSH keys and successfully connected to the server with them before doing this. Alternatively, make sure you have access to the server via VNC, so that you can re-enable password authentication and restore the default settings if something goes wrong.
First, edit the sshd_config file:
vim /etc/ssh/sshd_config
Find the line Port 22 (uncomment it if it is commented out) and change port 22 to the desired port, for example 22333:
Port 22333
Restart the sshd service:
systemctl restart sshd
Check that sshd is now listening on port 22333:
netstat -tupln | grep ssh
If we see that sshd is listening on 22333 (or whichever port you set), we still need to allow connections to that port from outside before we can use it.
To do this, add a rule to the iptables INPUT chain:
iptables -A INPUT -p tcp --dport 22333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
or like this:
iptables -I INPUT -p tcp --dport 22333 -m state --state NEW -j ACCEPT
With the iptables -L command, we can see that the rule has been added.
After that, save the rules so that the new port remains open after a reboot.
For CentOS 7, use this command:
service iptables save
On Ubuntu a different command is used. First you need to install the iptables-persistent package:
apt-get install iptables-persistent
If you get an error that there is no suitable package or repository, update the package lists and then install the updates:
apt update
apt upgrade
Once the package is installed, to save the rules run:
dpkg-reconfigure iptables-persistent
During reconfiguration, answer YES to both questions.
After that, save the rules for IPv4:
iptables-save | sudo tee /etc/iptables/rules.v4
For IPv6:
ip6tables-save | sudo tee /etc/iptables/rules.v6
If firewalld is enabled (as on CentOS), add a rule for it as well:
firewall-cmd --permanent --add-port=22333/tcp
And restart the firewalld service:
systemctl restart firewalld
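Running the iptables -A command above more than once appends a duplicate rule each time, and the save step differs between CentOS and Ubuntu. The following script is an added example, not code from the original article: it opens the port only if the rule is not already present (iptables -C), confirms it in the saved rule set, persists the rules with whichever mechanism the system has, and does the same for firewalld. The port 22333 and the /etc/iptables paths are assumptions taken from the article; the distribution detection by /etc/redhat-release is a simplification.

```shell
#!/bin/sh
# Added example (not part of the original article): idempotent firewall
# changes for the new SSH port. Assumes port 22333 and the file locations
# used by iptables-persistent and CentOS 7's iptables-services.

# has_port_rule PORT
# Reads iptables-save output on stdin and succeeds if the INPUT chain has
# an ACCEPT rule for that TCP port. Pure text processing, so it can be
# checked against a constructed dump without touching the live firewall.
has_port_rule() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $1( |$).*-j ACCEPT"
}

# open_iptables_port PORT
# Adds the rule only when -C reports it missing, then verifies it landed.
open_iptables_port() {
    if ! iptables -C INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 2>/dev/null; then
        iptables -I INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    fi
    if ! iptables-save | has_port_rule "$1"; then
        echo "no INPUT ACCEPT rule for tcp/$1 after adding it" >&2
        return 1
    fi
}

# persist_rules
# CentOS 7: 'service iptables save' (needs the iptables-services package).
# Ubuntu with iptables-persistent: write the rules.v4/rules.v6 files.
persist_rules() {
    if [ -f /etc/redhat-release ]; then
        service iptables save
    elif [ -d /etc/iptables ]; then
        iptables-save > /etc/iptables/rules.v4
        ip6tables-save > /etc/iptables/rules.v6
    else
        echo "no known persistence mechanism found" >&2
        return 1
    fi
}

# open_firewalld_port PORT
# --reload applies the permanent change without dropping existing
# connections, unlike a service restart.
open_firewalld_port() {
    if firewall-cmd --query-port="$1/tcp" >/dev/null 2>&1; then
        return 0
    fi
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
}

# Only applies changes when invoked as "./script apply" so that sourcing
# the file for its functions is side-effect free.
if [ "${1:-}" = apply ]; then
    port=${SSH_PORT:-22333}
    if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
        open_firewalld_port "$port"
    else
        open_iptables_port "$port" && persist_rules
    fi
fi
```

Keep your current SSH session open while applying this, and test the new port from a second terminal before closing it.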
Next, disable password authentication. To do this, edit the /etc/ssh/sshd_config file:
vim /etc/ssh/sshd_config
Find the line:
PasswordAuthentication yes
and change it to:
PasswordAuthentication no
If there is a # symbol at the beginning of this line (it is commented out), remove it. Save the file after making these changes and restart the sshd service (the unit is called sshd on CentOS and ssh on Ubuntu):
systemctl restart ssh
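Both edits above (Port and PasswordAuthentication) depend on a detail the article does not mention: sshd uses the first matching directive it reads, so a directive added at the bottom of the file does nothing if an earlier line already sets it, and a directive placed after a Match block only applies to that block. The script below is an added example, not the article's own code: it rewrites the first active or commented-out occurrence of a directive, inserts a missing one before any Match block, and reports the value sshd will actually use. The file paths and the sample configuration are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original article): safe editing of
# sshd_config directives. Works on a copy in the demo so the real file
# is untouched; paths and sample content are assumptions.

# set_sshd_option FILE KEY VALUE
# Rewrites the first line that sets KEY (active or commented out with '#')
# to "KEY VALUE". If KEY is absent, the directive is inserted before the
# first Match block (or appended if there is none) so it stays global.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        # first Match line reached without finding KEY: insert it here
        !done && tolower($1) == "match" { print key " " value; done = 1 }
        !done {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # drop indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == lk) { print key " " value; done = 1; next }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner/mode
    rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# Prints the value sshd will use from this file: the first uncommented
# directive in the global section. Scanning stops at the first Match
# line because directives after it are conditional.
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == lk { print $2; exit }
    ' "$1"
}

# verify_live (run on the real host, not in the demo): let sshd check the
# syntax and dump the effective values, which also covers any files pulled
# in by an Include line that this script does not follow.
verify_live() {
    sshd -t && sshd -T | grep -Ei '^(port|passwordauthentication|kbdinteractiveauthentication|pubkeyauthentication) '
}

# Demonstration on a constructed sshd_config copy.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
#Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
    set_sshd_option "$cfg" Port 22333
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" KbdInteractiveAuthentication no
    printf 'effective: Port=%s PasswordAuthentication=%s\n' \
        "$(effective_sshd_option "$cfg" Port)" \
        "$(effective_sshd_option "$cfg" PasswordAuthentication)"
    cat "$cfg"
    rm -f "$cfg"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Two checks worth making on the host itself before restarting sshd: run verify_live, since Ubuntu 22.04 and later load drop-in files from /etc/ssh/sshd_config.d through an Include line at the top of sshd_config, and a "PasswordAuthentication yes" in one of them wins over the edit in the main file; and keep PasswordAuthentication company with KbdInteractiveAuthentication no (called ChallengeResponseAuthentication in older OpenSSH), because with PAM enabled the keyboard-interactive method can still prompt for a password. On CentOS 7 with SELinux enforcing, sshd is also not allowed to bind a port other than 22 until the port is labelled, for example with semanage port -a -t ssh_port_t -p tcp 22333 (policycoreutils-python); sshd -t does not catch this, the restart simply fails.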
Now you can reboot the server and make sure everything works:
reboot
If everything was done correctly, the connection to the server on the new port will work without any fuss.