There are a lot of reasons you could need to run sshd (the ssh server) on a port other than the standard port 22. These days the Internet is pretty convoluted. Sometimes you have too many hack attempts on port 22, sometimes you're trying to work through a restrictive or oppressive proxy/firewall. I moved my sshd to a high port number on one server for the first reason.
It's pretty easy to do on your Linux box. These instructions are tested on OpenSuse 10.1 but they should work equally well on any Linux. On the machine that's running sshd, the ssh server, edit /etc/ssh/sshd_config. In it you'll see one directive on each line. Here's a snippet:
In these lines, the ones that start with a # don't do anything - they're comments for your reference. Often sshd_config has default values for many of the most common options included with a # in front of them. So you might have a line like
With the # it doesn't do anything. Since 22 is the default value for Port, sshd will behave the same if you have no Port directive at all or if you have this comment.
The lines that have no # in front of them are directives. They tell sshd what you want it to do for any given option. So a line like
Tells sshd to listen for connections on Port 22. The ssh server accepts multiple Port directives and will listen on multiple ports if you want it to. If you want to have sshd listen on ports 22, 80 and 8122 you need lines like this
Note that Port 80 is normally used by web servers - it's said to be a Well Known Port Number. Using Port 80 for ssh will let you use ssh to connect through most firewalls and proxies. If you decide to do this then make sure that you don't also have a web server trying to use port 80 for incoming connections. Port 32022 isn't reserved for anything (as far as I know) but a random hacker wouldn't connect to it as their first try for an ssh connection. Port numbers go up to sixty-something thousand.
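As an added example (not part of the original post), here is a small shell script that reads sshd_config-style text the way the post describes it, with # lines as comments and everything else as one directive per line, and reports which ports sshd would listen on. The config text, the port values and the function names are constructed for illustration. It goes a little beyond the post by also checking that each value is a legal 16-bit port and noting whether it sits below 1024, where only root can bind.

```shell
#!/bin/sh
# Added example, not from the original post: parse an sshd_config-style
# text. '#' lines are comments, any other non-blank line is
# "Directive value", and several Port lines are allowed (sshd listens on
# all of them). Directive names are case-insensitive in sshd_config.

# Constructed sample config standing in for /etc/ssh/sshd_config.
SAMPLE_CONFIG='# This is a comment; sshd ignores it
#Port 22
Port 22
Port 80
Port 32022
ListenAddress 0.0.0.0
PermitRootLogin no
'

# effective_ports CONFIG_TEXT
# Prints the ports sshd would listen on: every uncommented Port line, or 22
# (the built-in default) when no Port directive is present at all.
effective_ports() {
    ports=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }           # comment line, skipped
        tolower($1) == "port" { print $2 }  # keyword match is case-insensitive
    ')
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# valid_port PORT
# TCP port numbers are 16-bit, so the legal range is 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# classify_port PORT
# "well-known": below 1024, conventionally assigned and root-only to bind.
# "high": 1024 and above, which any local user may bind.
classify_port() {
    if [ "$1" -lt 1024 ]; then echo well-known; else echo high; fi
}

# Stand-alone run: report what the sample config would make sshd do.
for p in $(effective_ports "$SAMPLE_CONFIG"); do
    if valid_port "$p"; then
        echo "sshd would listen on port $p ($(classify_port "$p"))"
    else
        echo "invalid Port value: $p" >&2
    fi
done
```

On a real machine, pass the file contents instead of the sample: effective_ports "$(cat /etc/ssh/sshd_config)".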
After you edit sshd_config and save it, you have to restart the ssh server in order for your changes to take effect. If you're making the changes while logged in on an ssh shell (i.e. somewhere other than in front of the computer running sshd) be aware that you may lose your connection when you restart (you should also read to the end of this post before restarting). I restart sshd like this:
Once you've made the change and restarted, test your new configuration either from the console or another machine on your LAN. Supposing you used port 32022 you could test it locally like this:
If you get the response ssh: connect to host localhost port 32022: Connection refused then sshd isn't listening on the port you configured. It could be that some other process is using the port (perhaps your firewall), it could be that you didn't change /etc/ssh/sshd_config correctly or it could be that sshd never restarted. To troubleshoot this, look at your logs. When you restart, several messages are written to /var/log/messages; look at the latest ones like this
In response to this you'll get the last 30 lines of the log file. In there you should see several lines with timestamps that mention sshd. You want to see something indicating that the server is listening on your new port number. Otherwise you should look for indications of an error that help you further troubleshoot the problem.
If you have a router between your Linux box and your Internet connection then you're going to need to set up port forwarding from a port on the router to the port you've configured on your Linux box. The external port (on the router) is the one that you'll have to type in to connect when you're away from home, so it's best to just set it to the same value as you use internally. That is, forward external port 22, 80, and/or 32022 to port 22, 80 and/or 32022 respectively. Be warned that exposing port 22 to the world with a weak root password is a good way to guarantee your box will get hacked.
Once you can connect to your Linux box from itself or somewhere else on your own network and you have your router configured, it's time to try connecting from outside. You don't actually have to go anywhere to do this. You can test it from your Linux box using your external IP. The site checkip.dyndns.org will quickly show you what your external IP is. Once you get that address, use the ssh client from your Linux box to connect. It's the same command as earlier (ssh -p 32022 localhost) but use your external IP address instead of localhost. The difference here is that the route used to connect mimics the route you'd use to connect from elsewhere. If you can't connect with the external IP but can connect to localhost then this indicates a problem with your routing, most likely a port forwarding issue in your router.
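To make the test-and-troubleshoot steps above concrete, here is an added example (mine, not from the original post) with two shell helpers: one pulls sshd's "Server listening on ... port N." startup lines out of log text, the other maps the ssh client's error message to the layer worth checking next. "Connection refused" means the host was reached and nothing accepted on that port, while a timeout means packets were dropped somewhere, which is the router port-forwarding or firewall case from the paragraphs above. The log lines, the hostname "box" and the address 203.0.113.10 are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Both helpers work on text
# passed in, so they run here on constructed samples; on a real box feed
# them "$(tail -30 /var/log/messages)" and the ssh client's stderr.

# Constructed log excerpt in /var/log/messages style. The
# "Server listening on ... port N." line is what OpenSSH logs at startup.
SAMPLE_LOG='Mar 12 20:01:02 box sshd[2140]: Received signal 15; terminating.
Mar 12 20:01:03 box sshd[2201]: Server listening on 0.0.0.0 port 32022.
Mar 12 20:01:03 box sshd[2201]: Server listening on :: port 32022.
Mar 12 20:01:05 box kernel: eth0: link up'

# sshd_listening LOG_TEXT PORT
# Prints the lines proving sshd bound PORT; exit status 1 if there are none.
sshd_listening() {
    printf '%s\n' "$1" | grep "sshd\[[0-9]*\]: Server listening on .* port $2\.\$"
}

# diagnose_client_error CLIENT_STDERR
# Maps the client's failure message to the layer the post says to check.
diagnose_client_error() {
    case "$1" in
        *"Connection refused"*)
            echo "refused: host reached, nothing accepting on that port (wrong Port line, sshd not restarted, or a firewall REJECT rule)" ;;
        *"Connection timed out"*|*"Operation timed out"*)
            echo "timeout: packets dropped on the way (router port forwarding or a firewall DROP rule)" ;;
        *"No route to host"*)
            echo "unreachable: routing or host firewall problem before the port is even tried" ;;
        *"Permission denied"*)
            echo "reached: the port is fine, this is an authentication failure" ;;
        *)
            echo "unrecognised: rerun the client with ssh -v and read the full output" ;;
    esac
}

# Stand-alone run against the constructed samples.
if sshd_listening "$SAMPLE_LOG" 32022 >/dev/null; then
    echo "log shows sshd listening on port 32022:"
    sshd_listening "$SAMPLE_LOG" 32022
else
    echo "no sshd listening line for port 32022 in the log"
fi
diagnose_client_error 'ssh: connect to host localhost port 32022: Connection refused'
diagnose_client_error 'ssh: connect to host 203.0.113.10 port 32022: Connection timed out'
```

The refused/timeout split is the useful part: a refusal rules out the router, because the packet arrived and the kernel answered, whereas a timeout from the external address while localhost works points straight at forwarding or a DROP rule.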
So there it is in a nutshell. Now you can go on to run an ssh client on some machine far away and connect to your Linux box at home. Don't forget you'll need to use your external IP and specify your non-standard port number when connecting. If you haven't already got an ssh client, both PuTTY and OpenSSH do a great job, though I think PuTTY might be easier for a beginning user on Windows.
I found that editing /etc/sysconfig/ssh and adding "-p 32022" also worked (once the sshd was restarted as you mention above).
S'good, but I think /etc/sysconfig/ssh isn't always there (not sure why - I looked in a couple of my old installs tho).
Apparently in Ubuntu, to restart sshd, the ssh server, you use
or
Took me a while to get, since I want to restart sshd, not ssh.
And the ports you're talking about max out at 65000. Just FYI.
Sure that's not 65535 for 16 bit addressing?
For security reasons I'd also suggest not allowing a root login from ssh, and make sure your password is considered strong or best by this
http://www.microsoft.com/protect/yourself/password/checker.mspx
Then add a line
PermitRootLogin no
to your sshd_config file.
Make sure you've created a user with login privileges before you restart ssh because you won't be able to ssh in as root after this change.
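Added example, not from the commenter: a preflight script for this change. It checks that the PermitRootLogin directive is actually in force and that at least one non-root account has a login shell. The first check matters because sshd uses the first uncommented occurrence of a keyword, so a "PermitRootLogin no" appended below an existing "PermitRootLogin yes" changes nothing. The config and passwd excerpts, the user "alice" and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the comment above. Both checks take text, so
# they run here on constructed samples; on a real box pass
# "$(cat /etc/ssh/sshd_config)" and "$(cat /etc/passwd)".

# Constructed sshd_config excerpt: a commented-out default and the new line.
SAMPLE_CONFIG='#PermitRootLogin yes
Port 32022
PermitRootLogin no'

# Constructed /etc/passwd excerpt: root, two system accounts with nologin
# shells, and one ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# permit_root_login CONFIG_TEXT
# Prints the value sshd will use. sshd takes the FIRST occurrence of a
# keyword, so only the first uncommented line counts. With none present we
# print "default" rather than guess, because the built-in default has
# changed across OpenSSH releases.
permit_root_login() {
    v=$(printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { print $2; exit }
    ')
    [ -n "$v" ] && echo "$v" || echo default
}

# login_users PASSWD_TEXT
# Lists non-root accounts whose shell is not nologin/false, i.e. accounts
# that could still log in over ssh once root is locked out.
login_users() {
    printf '%s\n' "$1" | awk -F: '
        $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }
    '
}

# preflight CONFIG_TEXT PASSWD_TEXT
# Exit status 0 only if it is safe to restart sshd with this config.
preflight() {
    ok=0
    eff=$(permit_root_login "$1")
    if [ "$eff" = no ]; then
        echo "PermitRootLogin in force: no"
    else
        echo "warning: effective PermitRootLogin is '$eff', not 'no'"
        ok=1
    fi
    users=$(login_users "$2")
    if [ -n "$users" ]; then
        echo "non-root accounts able to log in: $(echo $users)"
    else
        echo "error: no non-root account with a login shell; restarting would lock you out"
        ok=1
    fi
    return $ok
}

# Stand-alone run against the constructed samples.
preflight "$SAMPLE_CONFIG" "$SAMPLE_PASSWD"
```

Run the preflight before the restart, not after; a non-zero exit means fix the config or create the user first.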
Yes, the highest port number you can use is 65535 to be precise, and numbers below 1024 are expected to be used for specific services (like 443 is used for HTTPS).
I don't think everyone agrees on disallowing ssh access for root however. It's appropriate for some servers but may not be for others.
...and don't forget to open your new ssh port in your firewall on your server. I almost locked myself out completely from my server doing something similar a while ago - the only salvation would be a complete restart. Not nice.
Thanks for the howto! It's great!
Note that Port 80 is normally used by web servers - it's said to be a Well Known Port Number. Using Port 80 for ssh will let you use ssh to connect through most firewalls and proxies.
It's better to use Port 443 (HTTPS), because some proxies do not allow SSL connection on Port 80.
Note that https is on port 443 and ssh traffic appears very similar to https, so unless you run https on your server, it's always a good idea to run ssh on 443 as well as 22 - then with a command such as "ssh -D8080 -p443 " you can configure your browser to socks on localhost:8080 and bypass almost any proxy. Of course this should only be used for sensible purposes not for finding those flesh-coloured pictures on corporate networks, but filtered internet access is a common problem that this especially can avoid.
If you have untrusted users with shell access you should not have ssh on a port greater than 1024.
The reason why is that any user can set up a rogue ssh daemon on a port greater than 1024, but only someone with root privileges can set up a daemon to listen on 1024 or lower.
If you are the only one that logs into your machine this may not be an issue, but it is something to keep in mind: ssh on ports > 1024 is less secure.
AFAIK, you do not lose connectivity to the machine when you restart the SSH service. It's only when you restart the network services you might lose connectivity.
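Added example, not the commenter's: a defender's check for exactly this concern. On Linux, ss -ltnp run as root names the process behind each listening socket, and the process owner tells you whether the thing answering on a high port is the system sshd (root) or a daemon some local user started. The helpers parse text so they run on the constructed ss and ps samples below; on a real machine substitute "$(ss -ltnp)" and "$(ps -eo pid=,user=,comm=)". The user "mallory", the PIDs and port 2222 are made up.

```shell
#!/bin/sh
# Added example, not from the comment above. Parse `ss -ltnp` output for the
# PID behind a port, look up its owner in a ps-style table, and flag any
# listener that is not root-owned.

# Constructed `ss -ltnp` output: the real sshd on 22 and 32022, plus a
# user-started daemon that also calls itself sshd on 2222.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:32022      0.0.0.0:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*    users:(("sshd",pid=4711,fd=3))'

# Constructed `ps -eo pid=,user=,comm=` style table; stands in for the live
# process table.
SAMPLE_PS='812 root sshd
4711 mallory sshd'

# listener_pid SS_TEXT PORT
# Prints the PID bound to PORT, or nothing if no socket listens there.
listener_pid() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if (match($0, /pid=[0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# owner_of PS_TEXT PID
# Prints the user running PID.
owner_of() {
    printf '%s\n' "$1" | awk -v pid="$2" '$1 == pid { print $2 }'
}

# audit_port SS_TEXT PS_TEXT PORT
# "ok" when the listener is root-owned, "suspect" when an unprivileged user
# owns it, "closed" when nothing listens. The process name alone proves
# nothing: on a high port only the owner separates the system sshd from a
# user's own copy.
audit_port() {
    pid=$(listener_pid "$1" "$3")
    [ -z "$pid" ] && { echo closed; return 1; }
    user=$(owner_of "$2" "$pid")
    if [ "$user" = root ]; then
        echo "ok: port $3 pid $pid owned by root"
    else
        echo "suspect: port $3 pid $pid owned by $user"
        return 1
    fi
}

# Stand-alone run over the constructed samples.
for p in 22 32022 2222 8022; do
    audit_port "$SAMPLE_SS" "$SAMPLE_PS" "$p" || true
done
```

Running this periodically (or after any unexpected "Connection refused" on your own port) turns the commenter's warning into something you can actually check rather than just worry about.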
Regards,
Lego