    In this article, we will see how to change the standard SSH connection port to a non-standard one, and disable password authentication.

    !!! IMPORTANT !!!

    Make sure you have already created SSH keys and successfully connected to the server with them before doing this, or that you have VNC access to the server so you can turn password authentication back on and restore the default settings.

    First, edit the sshd_config file:

    vim /etc/ssh/sshd_config

    Find the line Port 22 (uncomment it if it is commented out) and change 22 to the desired port, for example 22333:

    Port 22333

    Restart the sshd service:

    systemctl restart sshd

    Check that sshd is listening on the new port 22333:

    netstat -tupln | grep ssh

    If the sshd service is listening on port 22333 (or whichever port you set), the port still has to be opened to outside connections before you can connect through it.

    To do this, add a rule to the iptables list:

    iptables -A INPUT -p tcp --dport 22333 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    or, to insert the rule at the top of the chain instead of appending it to the end:

    iptables -I INPUT -p tcp --dport 22333 -m state --state NEW -j ACCEPT

    With the iptables -L command, we can see that the rule has been added.

    After that, save the rules so that the new port remains available after a restart.

    For CentOS 7, use this command:

    service iptables save

    For Ubuntu, we use a different command. To do this, you need to install iptables-persistent.

    apt-get install iptables-persistent

    If you get an error that there is no suitable package or repository, update the repositories. After that, install the updates.

    apt update
    apt upgrade

    If this package is installed and you want to save the rules:

    dpkg-reconfigure iptables-persistent

    During reconfiguration, answer YES to both questions.

    After that, you can save the rules for IPv4:

    iptables-save | sudo tee /etc/iptables/rules.v4

    For IPv6:

    ip6tables-save | sudo tee /etc/iptables/rules.v6

    If firewalld is enabled, add a rule for it:

    firewall-cmd --permanent --add-port=22333/tcp

    And also restart the firewalld service:

    systemctl restart firewalld

    Disable SSH password authentication

    To do this, edit the /etc/ssh/sshd_config file:

    vim /etc/ssh/sshd_config

    Find the line:

    PasswordAuthentication yes

    And change it to:

    PasswordAuthentication no

    If there is a # symbol (commented out) at the beginning of this line, remove it. Save the file after making these changes and restart the SSH service (the unit is named ssh on Ubuntu and sshd on CentOS):

    systemctl restart ssh

    Now you can restart the server and make sure you did everything right.

    reboot

    If everything was done correctly, connecting to the server on the new port will work without any further "dancing".
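
    A check to run after editing sshd_config and before restarting sshd, as an added example that is not part of the original article: sshd keeps the first value it reads for most keywords, so an older active PasswordAuthentication yes line above the edit leaves password logins on. The function names and the sample file are constructed for illustration, and the parser assumes whitespace-separated keyword/value lines outside any Match block.

```shell
#!/bin/sh
# Added example: verify the two sshd_config edits before restarting sshd.
# sshd keeps the FIRST value it reads for most keywords, so an older active
# "PasswordAuthentication yes" above the edit silently wins over a later "no".

# Print every global value of KEYWORD in FILE, in file order.
# Keywords are case-insensitive; parsing stops at the first Match block.
sshd_values() {  # usage: sshd_values KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        tolower($1) == "match" { exit }       # conditional section starts
        tolower($1) == want { print tolower($2) }
    ' "$2"
}

# Return 0 only if FILE opens PORT and really turns password logins off.
check_sshd_hardening() {  # usage: check_sshd_hardening FILE PORT
    file=$1; port=$2; rc=0
    # Port may appear several times; sshd listens on every listed port.
    if ! sshd_values port "$file" | grep -qx "$port"; then
        echo "FAIL: no active 'Port $port' line"; rc=1
    fi
    # First value wins; with no active line the built-in default is yes.
    pa=$(sshd_values passwordauthentication "$file" | head -n 1)
    if [ "${pa:-yes}" != "no" ]; then
        echo "FAIL: effective PasswordAuthentication is ${pa:-yes}"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: Port $port active, password logins off"
    return "$rc"
}

# Constructed sample: the new line was appended below an older active one.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22333' 'PasswordAuthentication yes' \
    '# added later:' 'PasswordAuthentication no' > "$sample"
check_sshd_hardening "$sample" 22333 || echo "Fix the file before restarting sshd."
rm -f "$sample"
```

    On a live host, sshd -t checks the real file for syntax errors and sshd -T prints the effective settings, including any files pulled in with Include, which this sketch does not follow.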