Linux Setup Notes

name and address
created aug 10, 2012

Setting the default port for ssh and sftp

Problem

There are many reasons to change the default port for ssh from 22 to something else. If you're running sshd (the ssh server), you've undoubtedly seen the long lists of junk in the logs created by script kiddies (also known as "really stupid people") who try to log in using common passwords like '12345' and 'password'. These attacks are more annoying than dangerous, because all they do is clog up the system logs. Often, small sites find it easier just to change the port number than to deal with it.

Another reason is that in many organizations, the IT department is run by Windows people who have never heard of Secure Shell. These guys tend to know little or nothing about security—their idea of a firewall is a $10,000 box that blocks every port except 80, 25, and 443. Sometimes, if they're particularly clueful, they will also leave 53 open. The CEO, who only uses email and a Web browser, doesn't complain. So as far as IT is concerned, that makes it correct.

So you may need to change the default port. In OpenSSH the port can be given on the command line (or, for programs like PuTTY, in the menus), but it's easier to set a system-wide client default that selects the appropriate port for each server. That eliminates the need to explain to your users why they have to remember a different port number for each server. If you make it too complicated, they're liable to give up and switch to telnet instead. You don't want that.

Server

  1. Find which config file you need to edit. Usually it's in /etc/ssh, but I've also seen it in many other random places, depending on how sshd was compiled. I've even seen systems that had two or three different sshd_config files in different places. Editing the wrong one would be an exercise in frustration.
    which sshd
    /usr/sbin/sshd
    strings /usr/sbin/sshd | grep sshd_config
    /etc/ssh/sshd_config
  2. Edit the sshd_config file, and add the port numbers you want to listen on, one per line, like this:
    Port 22
    Port 443
  3. Re-start sshd
    cd /etc/init.d
    ./sshd restart
    It's safe to re-start sshd even while you're logged in over ssh. Of course, if you killed sshd first you'd be logged out. A sensible precaution if you're just starting out would be to start up telnetd, just in case.
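Before running the restart in step 3, it helps to confirm that the file you just edited says what you think it says. The script below is an added example, not part of the original notes: configured_ports lists the Port directives in an sshd_config file, validate_ports checks that each one is a usable port number, and preflight additionally runs sshd's own syntax check (sshd -t -f FILE) when sshd is on the PATH, so a typo is caught before the restart rather than after it. The sample config it writes is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: read the Port directives from
# an sshd_config file and sanity-check them before restarting sshd.
# Assumes the "Port NNN", one-per-line format shown in step 2.

# Constructed sample config in the layout of step 2 (written to the path given)
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
Port 443
PermitRootLogin no
EOF
}

# configured_ports FILE -> the Port values in file order, space separated.
# With no Port line at all sshd listens on 22, so that is reported instead.
configured_ports() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "port" { ports = ports (ports == "" ? "" : " ") $2 }
        END { print (ports == "" ? "22" : ports) }
    ' "$1"
}

# validate_ports FILE -> 0 if every Port value is an integer in 1..65535
validate_ports() {
    for p in $(configured_ports "$1"); do
        case "$p" in
            ''|*[!0-9]*) echo "not a number: Port $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "out of range: Port $p" >&2; return 1
        fi
    done
    return 0
}

# preflight FILE: the value check above, then sshd's own syntax check
# (sshd -t), which parses the whole file without starting the daemon
preflight() {
    validate_ports "$1" || return 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not found; skipped sshd -t" >&2
    fi
}
```

Run preflight /etc/ssh/sshd_config (or whichever file step 1 turned up) and only restart when it succeeds; after the restart, the ports it reported should be the ones the server is actually listening on.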

Client

  1. Find which config file you need to edit. It's not always in /etc/ssh.
    which ssh
    /usr/bin/ssh
    strings /usr/bin/ssh | grep ssh_config
    /etc/ssh/ssh_config
  2. Edit the ssh_config file, and add a section for each server, like this:
    Host cholera
        Port 443
        ForwardX11 yes
    Host diphtheria
        Port 80
        ForwardX11 yes
    Host diarrhea
        Port 22
        ForwardX11 yes
    Host *
        Port 22
        ForwardX11 yes
  3. Set the permissions of the path to ssh_config. The user must have execute permission for each directory in the path, and the ssh_config file must be world-readable. Otherwise, the port assignments will only work for root.
    chmod a+x /etc/ssh
    chmod a+r /etc/ssh/ssh_config
  4. There is no need to re-start sshd.
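The order of the Host blocks in step 2 matters: ssh uses the first matching block that sets a given option, which is why the catch-all Host * block comes last. The script below is an added example, not part of the original notes. resolve_port applies that first-match rule to an ssh_config-style file (it understands literal host names and the bare * wildcard only; that is an assumption made for this illustration, not OpenSSH's full pattern syntax), and path_usable performs the permission check from step 3, walking from the file's directory up to a top directory (default /) and reading the mode bits from the ls -ld listing. Both sample configs it writes are constructed; the second one deliberately puts Host * first to show what goes wrong.

```shell
#!/bin/sh
# Added example, not part of the original notes: resolve the port ssh will use
# for a host from an ssh_config-style file, and check that the file is usable
# by ordinary users. Assumes literal host names plus the bare "*" wildcard.

# Constructed sample in the layout of step 2 (specific hosts first, "*" last)
make_client_config() {
    cat > "$1" <<'EOF'
Host cholera
    Port 443
    ForwardX11 yes
Host diphtheria
    Port 80
    ForwardX11 yes
Host *
    Port 22
    ForwardX11 yes
EOF
}

# Constructed counter-example: "Host *" first, so it shadows everything below it
make_misordered_config() {
    cat > "$1" <<'EOF'
Host *
    Port 22
Host cholera
    Port 443
EOF
}

# resolve_port FILE HOST -> the port ssh would use for HOST.
# ssh takes the FIRST matching block that sets Port, so "Host *" must be last.
resolve_port() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == want) inblock = 1
            next
        }
        inblock && tolower($1) == "port" && !found { port = $2; found = 1 }
        END { print (found ? port : 22) }            # 22 is the built-in default
    ' "$1"
}

# path_usable FILE [TOP] -> 0 if every directory from FILE's parent up to TOP
# (default /) is world-executable and FILE is world-readable: the step 3
# requirement, without which the settings apply only to root. The mode bits are
# read from "ls -ld" columns, which have the same layout on GNU and BSD ls.
path_usable() {
    f=$1; top=${2:-/}
    d=$(dirname "$f")
    while :; do
        case "$(ls -ld "$d" | cut -c10)" in
            x|t) ;;                                  # other-execute set (t: sticky too)
            *) echo "not world-executable: $d" >&2; return 1 ;;
        esac
        if [ "$d" = "$top" ] || [ "$d" = "/" ]; then break; fi
        d=$(dirname "$d")
    done
    case "$(ls -ld "$f" | cut -c8)" in
        r) return 0 ;;
        *) echo "not world-readable: $f" >&2; return 1 ;;
    esac
}
```

With the misordered file, resolve_port reports 22 for cholera even though a block naming it exists further down: the first match wins, so the catch-all block has to go at the end. Run path_usable /etc/ssh/ssh_config as a check after the chmod commands in step 3.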
