NS8 Change node SSH port 22 permanently

Hi all,

while kicking off from the ease of use of NS7, I am trying to change the default ssh service port 22 to let’s say 777.

firewall-cmd --help shows me a lot of info and also Documentation - Manual Pages - firewall-cmd | firewalld

But obviously I am overwhelmed :slight_smile:

I now have changed the ssh config file (change port 22 to 777) and told firewall-cmd the following firewall-cmd --add-port=777/tcp --permanent
Then restarted the service (required to take the changes into effect).

It works, but still the firewall ssh service lists 22 as an open port and firewall-cmd --list-ports shows 777 as an open port.

Now it would be more elegant if I could change the ssh service port and not add additional ports.

How to do this please AND are there consequences?

TIA

Or is it as simple as editing this file?

/usr/lib/firewalld/services/ssh.xml and firewall-cmd --reload

It seems to work… but is it the ‘preferred’ way?

Now this has to be repeated on every node if you like correct?

Feature request?

Why do you want to change the standard port? What is your goal?

As many system components are involved, carefully evaluate the pros and cons.

Do not edit Firewalld .xml files manually. Only firewall-cmd is needed to manage the firewall.

You’d need to change for every node:

  1. sshd configuration
  2. firewalld configuration
  3. SELinux / Apparmor configuration, maybe

No please, I hope modules like Crowdsec will reduce the need to change the SSH standard port.

Avoiding attacks on well known ports.

Yep, hence my question :slight_smile:

Ok, but it is a complete manual process then?

How will it prevent possible access to port 22?

Thanks for your time!

Changing the port number is just obscuring the SSH service, and is not enough in that case.

Yes, NS8 does not manage the SSH service. Such service is usually already configured in the system, and it is not a requirement for NS8 to run.

It acts like Fail2Ban: it reads the system logs and bans nasty IP addresses.

For EL systems this is a brief procedure (tested on Rocky Linux 9) that opens port 2222 and restricts port 22 to trusted interfaces.

# Make sshd listen on :22 and :2222
printf "Port 22\nPort 2222\n" > /etc/ssh/sshd_config.d/10-ports.conf
# Authorize sshd to listen port 2222
semanage port -a -t ssh_port_t -p tcp 2222
# Change Firewalld SSH service configuration to use port 2222
firewall-cmd --permanent --service=ssh --add-port=2222/tcp
firewall-cmd --permanent --service=ssh --remove-port=22/tcp
# Restart service and apply new firewall configuration
systemctl restart sshd
firewall-cmd --reload

Some commands to check the above configuration status

# Print Firewalld configuration for SSH service
firewall-cmd --info-service=ssh
# Print locally customized SELinux ports
semanage port -l -C

Full node firewall status is also available from the Nodes page

2 Likes
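The procedure above touches three places (sshd, SELinux, firewalld) that drift apart as soon as one step is forgotten. The following Python script is an added example, not code from the thread or from NS8: it parses constructed samples in the format of the sshd drop-in, `firewall-cmd --info-service=ssh` and `semanage port -l -C`, and reports which listening ports lack a firewalld or SELinux entry (in the state produced above, 22 listening but not opened by firewalld is the intended result).

```python
"""Cross-check that sshd, firewalld and SELinux agree on the SSH ports.
Added example, not part of the thread. Inputs are constructed samples."""
import re

# Constructed sample: the sshd drop-in written by the procedure.
SSHD_CONF = "Port 22\nPort 2222\n"

# Constructed sample of `firewall-cmd --info-service=ssh` after the change.
FIREWALLD_INFO = """ssh
  ports: 2222/tcp
  protocols:
  source-ports:
  modules:
  destination:
"""

# Constructed sample of `semanage port -l -C` (local customizations only).
SEMANAGE_OUT = """SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      2222
"""


def sshd_ports(conf):
    """Ports sshd listens on; sshd defaults to 22 when no Port directive is set."""
    ports = {int(p) for p in re.findall(r"^\s*Port\s+(\d+)", conf, re.M)}
    return ports or {22}


def firewalld_ports(info):
    """TCP ports listed in the firewalld ssh service definition."""
    m = re.search(r"^\s*ports:\s*(.*)$", info, re.M)
    entries = m.group(1).split() if m else []
    return {int(e.split("/")[0]) for e in entries if e.endswith("/tcp")}


def selinux_ssh_ports(out):
    """TCP ports labelled ssh_port_t; 22 comes from the default policy."""
    ports = {22}
    for line in out.splitlines():
        if line.startswith("ssh_port_t") and "tcp" in line:
            ports |= {int(p) for p in re.findall(r"\d+", line.split("tcp", 1)[1])}
    return ports


def check(conf, info, semanage):
    """Report where the three configurations disagree."""
    listen, opened = sshd_ports(conf), firewalld_ports(info)
    return {"not_in_firewalld": listen - opened,
            "not_in_selinux": listen - selinux_ssh_ports(semanage),
            "open_but_unused": opened - listen}
```

On a live node, feed the script the real file and command outputs instead of the constructed samples; a non-empty `not_in_selinux` set means sshd will fail to bind that port after restart.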

And I don’t think Crowdsec should be the only answer for “increase host security” (which might be incorrect as a term for indicating the master node); not everyone will consider installing public-facing application servers.

It’s fine not considering this a viable feature, however… consider the effort to realize a “NS8 friendly” procedure for all suggested/supported underlying distros.

I agree on that Crowdsec should be an add-on module.

Please help me with the procedure for Debian.

Which I don’t use and install :innocent: ?
Or as repeatedly reported myself as linux noob?

Sorry, not the right dude :wink:

@davidep
Obscuring or not, I can just confirm from many years of running sshd on ns7 on a non standard port, it is minimizing login attempts by a factor 10 when using a non standard port under 1024 and by a factor 25 when using a non standard port above 1024.
I would say it is a no-brainer to change the sshd port to a (large) non standard port.
Fail2ban will take care of all those other attempts

2 Likes

It seems so… Filed in Trello

And that is very kind. Thank you.

Some script kiddies out there are either too stupid to use a port scanner - or just too lazy!
But I’ll confirm the 10% / 25% stats (more or less!)…

:slight_smile:

It does indeed. Thanks for the lesson!

This is a shorter alternative procedure based on firewall-cmd only:

firewall-cmd --permanent --add-forward-port=port=2222:proto=tcp:toport=22
firewall-cmd --permanent --service=ssh --add-port=2222/tcp
firewall-cmd --permanent --service=ssh --remove-port=22/tcp
firewall-cmd --reload

Check the configuration with

firewall-cmd --list-all

I didn’t test it, but it should work on Debian, too.

2 Likes

Thanks for remembering!