Part of the strategy to deter hackers is to reduce the information available to them. This is one reason why, for example, it’s a good idea to disable root logins over SSH: attackers won’t have a ready-made username to work with. Many well-known services have predictable points of entry that hackers can exploit to make their job easier. For example, if your server accepts SSH connections on widely used ports, it makes the job of a hacker that much more convenient. Changing the SSH port adds another layer to your standard security practices without compromising them. So while some may complain that the whole “security by obscurity” paradigm is flawed, there is no harm in creating an additional barrier against attacks.
In this article, let’s look at how to change the standard SSH port from 22 or 2222 to something arbitrary. At the start of this tutorial, here is what my SSH access via PuTTY looks like:
I’m going to carry this out entirely from within WHM itself. There are four different stages:
- Open the new port through the firewall;
- Restart the firewall;
- Change the SSH port;
- Restart SSH.
Let’s see how to go through this list one by one.
Opening a New Port in WHM
First, make sure that you have the CSF firewall installed. Next, log into WHM and under the “ConfigServer Security & Firewall” option on the left-hand side, search for “Firewall Configuration”. This opens up an easy way to modify the main csf.conf without making mistakes.
Once inside, search for “TCP_IN”. As shown in the screenshot below, we’re going to add our alternative SSH port to the list of those that are allowed to receive incoming connections. For purposes of this example, I’m going to use port number 5622 – purely at random. You can see that I’ve added it to the list at the end of all the others:
Once you save your changes, you can restart CSF and lfd on the following screen. We need to do this because the csf.conf file has changed and the new settings have to be loaded into CSF.
Changing the SSH Port
Once the port has been opened, it’s time to switch SSH to it. Using a file manager of your choice, navigate to the following directory. In the example below, I’m using the ConfigServer File Explorer:
Find the sshd_config file, take a backup of it, and open it up for editing. The port number for SSH is visible near the top of the file and looks something like this:
As shown in the screenshot below, simply replace the existing number with the one we want to use – in this case, 5622.
Save the file and return to the previous screen. Now we have to restart SSH to make sure that this parameter is applied. On the left-hand side of the WHM screen, under the section called “Restart Services”, you will find the “SSH Server (OpenSSH)” option. Simply click the large blue button labeled “Yes”, and WHM will restart SSH for you.
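The two file edits from the steps above can also be scripted. The following is an added example, not part of the original tutorial or of CSF/WHM: the function names are hypothetical, and it runs against constructed sample files rather than the server's real configuration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of CSF, WHM or OpenSSH.

# Accept only a decimal TCP port in 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Append PORT to the TCP_IN = "..." list of a csf.conf-style file.
# Idempotent: does nothing if the port is already a list element.
add_tcp_in_port() {
    conf=$1 port=$2
    valid_port "$port" || return 1
    if grep -Eq "^TCP_IN *= *\"([^\"]*,)?$port(,[^\"]*)?\"" "$conf"; then
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 1
    sed -E -e "s/^(TCP_IN *= *\"[^\"]*)\"/\1,$port\"/" \
           -e "s/^(TCP_IN *= *\"),/\1/" "$conf.bak" > "$conf"
}

# Make PORT the only active Port directive of an sshd_config-style file.
# The new line goes first so it sits in the global section, ahead of any
# Match block; commented-out "#Port" lines are left alone.
set_ssh_port() {
    conf=$1 port=$2
    valid_port "$port" || return 1
    cp -p "$conf" "$conf.bak" || return 1
    awk -v p="$port" '
        BEGIN { print "Port " p }
        tolower($1) == "port" { next }   # drop the old active Port lines
        { print }' "$conf.bak" > "$conf"
}

# Constructed sample files (not real server configs) so this runs offline.
demo=$(mktemp -d)
printf 'TCP_IN = "20,21,22,25,53,80,443,2222"\nTCP_OUT = "20,21,22,25"\n' > "$demo/csf.conf"
printf '#Port 22\nPort 2222\nPermitRootLogin no\n' > "$demo/sshd_config"

add_tcp_in_port "$demo/csf.conf" 5622
set_ssh_port "$demo/sshd_config" 5622
grep '^TCP_IN' "$demo/csf.conf"
grep -i '^port' "$demo/sshd_config"
```

On a server, run `sshd -t` to validate the edited file and keep your current SSH session open until a login on the new port succeeds. The CSF and SSH restarts are still done in WHM as described above.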
Testing the New Port
Now that we’ve instructed SSH to accept connections through a new port, it’s time to test it and see if it works. In the screenshot below, I’ve tried to access SSH via PuTTY using the same parameters as in the very first screenshot – namely with port 2222. Here’s what I get:
So I modified the port number specified in PuTTY and changed it to 5622 instead.
This time, as expected, the SSH connection is successful.
The end result is that someone will have to first hit port number 5622 before proceeding to force their way in. While security experts rightly point out that obscurity isn’t good as a standalone practice, there’s no reason to not use it as an additional part of your arsenal.