I’m working with Red Hat Enterprise Linux (RHEL) VMs on Azure and one of the best practices that Microsoft recommends is to change the default SSH port from 22 to something else. I was looking for a consolidated set of instructions to do this and I couldn’t find one, so I thought I’d do a quick post on it.
The steps that need to be performed are:
- Allow the new port in the RHEL firewall
- Change the SSH daemon to listen on the new port
- Add an incoming rule in the VM network security group for the new port
- Remove the rule that allows port 22
Changing the SSH port has to be done after creating the VM, because the SSH daemon listens on port 22 by default, so when configuring the VM make sure port 22 is allowed in. Once the VM is created and running, connect to it using your favorite SSH client.
Let’s choose port 52019 to use instead of 22.
To allow the port in the RHEL firewall:
sudo firewall-cmd --permanent --zone=public --add-port=52019/tcp
sudo firewall-cmd --reload
You should see a ‘Success’ message after each of these commands, and you can double check that the firewall rule was added using:
sudo iptables-save | grep '52019'
And you should see:
-A IN_public_allow -p tcp -m tcp --dport 52019 -m conntrack --ctstate NEW -j ACCEPT
To change the SSH daemon to use port 52019 we need to change its configuration and restart it. Edit the config file using:
sudo vi /etc/ssh/sshd_config
vi is not very user-friendly, but it’s easy once you learn it. Use the down arrow so your cursor is over the # at the start of the line that says:
Hit your Insert key until the word REPLACE shows at the bottom of the SSH window. Then type:
Now hit Esc, type :w to write the file, then hit Esc again and type :q to exit.
To restart the SSH daemon:
sudo service sshd restart
Now go into the Azure Portal and for that VM:
- Click Networking in the Settings pane and click the blue ‘Add inbound port rule’ button on the right
- In the wizard that comes up, change the ‘Destination port ranges’ to 52019 and the ‘Name’ to something like ‘IncomingSSH’
- Click the blue ‘Add’ button
Once the rule has been added, you should be able to create a new SSH connection to the VM using port 52019. Once you’ve done that, drop the initial SSH connection that’s still using port 22 by going back to the Networking tab in the Azure Portal, finding the existing rule for port 22, clicking the ‘…’ on the right and selecting Delete.
Hope this helps anyone else looking for concise instructions.