(Last Updated On: September 18, 2019)

In this guide we will see how you can change SSH service listen port on CentOS 7/8, RHEL 7/8 and Fedora 31/30/29 with SELinux running in Enforcing mode. When SELinux is running in enforcing mode, it enforces the SELinux policy and denies access based on SELinux policy rules. The standard SSH port on most Linux/Unix systems is TCP port 22. This can be changed easily to a custom port not used by other Applications in the system.

When SELinux is running in Enforcing mode, the port to be set will need relabeling so that Policy rules controlling access can accept ssh service to bind. Follow steps discussed below to change SSH port on CentOS / RHEL / Fedora server or Desktop with SELinux running in Enforcing mode.

Step 1: Backup Current SSH configuration

Login to your CentOS / RHEL / Fedora system and backup your current ssh daemon configuration file.

date_format=`date +%Y_%m_%d:%H:%M:%S`
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_$date_format

Confirm:

$ ls /etc/ssh/sshd_config*
/etc/ssh/sshd_config  /etc/ssh/sshd_config_2019_09_05:21:40:10

Step 2: Change SSH service port

Open SSH service configuration file with your favorite text editor – vi, vim, nano e.t.c.

sudo vi /etc/ssh/sshd_config

Locate line that has:

#Port 22

Uncomment the Port line and set your new service port to be used. I’ll use port 33000.

Port 33000

Save the changes and close the file.

Step 3: Allow new SSH port on SELinux

The default port labelled for SSH is 22.

$ semanage port -l | grep ssh
ssh_port_t                     tcp      22

If you want to allow sshd to bind to network port configured, then you need to modify the port type to ssh_port_t.

sudo semanage port -a -t ssh_port_t -p tcp 33000

Confirm that the new port has been added to list of allowed ports for ssh.

$ semanage port -l | grep ssh
ssh_port_t                     tcp      33000, 22

Step 4: Open SSH port on Firewalld

It is always recommended to keep the Firewall service running and only allow trusted services.

sudo firewall-cmd --add-port=33000/tcp --permananet
sudo firewall-cmd --reload

If Firewalld is not installed, use yum to install it and start the service.

sudo yum -y install firewalld
sudo systemctl enable --now firewalld
sudo firewall-cmd --add-port=33000/tcp --permanent
sudo firewall-cmd --reload

You can now remove ssh service.

sudo firewall-cmd --remove-service=ssh --permanent
sudo firewall-cmd --reload

Step 5: Restart sshd service

Restart ssh service for the changes to take effect.

sudo systemctl restart sshd

Verify Listen address for ssh.

$ netstat -tunl | grep 33000
tcp        0      0 0.0.0.0:33000           0.0.0.0:*               LISTEN     
tcp6       0      0 :::33000                :::*                    LISTEN    

Other articles:

How To Disable SSH reverse DNS Lookups in Linux/Unix system

How To Set Up Two factor (2FA) Authentication for SSH on CentOS / RHEL

Easy way to Create SSH tunnels on Linux CLI

How to change or update SSH key Passphrase on Linux / Unix

ssh cheatsheet for Linux SysAdmins