Thursday, April 14, 2016

[Quick Tips: Change Ports]: How to Change default port to a custom port

Keeping your Linux server secure is a vital duty of a system administrator. There are many ways to harden a server, but a few basic steps come first, and one of them is moving frequently used services off their default ports. Here we will see how to change the default ports of Apache, FTP and SSH to something that is harder to guess.
Let us break this topic into three small parts. First, we will see how to change the default port of the Apache web server.

Why do we need to change the default port?

Before we get to the topic, you might ask: does changing the port increase security? To be honest, no, it doesn't. Changing the default port alone does not provide any serious security defense; there are many port scanners that will eventually find out which port you are using. But it does, at least, protect your server from amateur attacks, and it reduces the number of attacks you see. That is why we change the default ports.

Change Apache default port to a custom port

1. Change Apache port on Debian/Ubuntu

Edit /etc/apache2/ports.conf file,
sudo vi /etc/apache2/ports.conf
Find the following line:
Listen 80
And change it to a random number of your choice, for example 8090.
Listen 8090
This entry makes the server accept connections on port 8090 on all interfaces. To accept connections on port 8090 on a specific interface only, prefix the port with that interface's IP address as shown below.
Listen 192.168.1.101:8090
This will be helpful if your server has multiple IP addresses or network interfaces.
Save and close the file.
Additionally, in Ubuntu and Debian, you will likely also have to change the port number in /etc/apache2/sites-enabled/000-default.conf file too.
sudo vi /etc/apache2/sites-enabled/000-default.conf
Find the following line and change the port number.
<VirtualHost *:8090>
Save and close the file.
Then, restart the Apache service for the changes to take effect.
sudo systemctl restart apache2
Or
sudo service apache2 restart
Now let us verify the port settings:
sudo netstat -tulpn | grep :8090
Sample output:
tcp6       0      0 :::8090                 :::*                    LISTEN      4066/apache2
Then, open your web browser and navigate to URL: http://IP-address:8090.
You should see the following screen:
[Screenshot: Apache test page]
Next, we will see how to change the Apache port on RHEL based systems.

2. Change Apache port on RHEL/CentOS

Make sure you have installed the Apache web server first.
Then, edit /etc/httpd/conf/httpd.conf file,
sudo vi /etc/httpd/conf/httpd.conf
Find the following line:
Listen 80
And change it to a random number of your choice, for example 8090.
Listen 8090
This entry makes the server accept connections on port 8090 on all interfaces. To accept connections on port 8090 on a specific interface only, prefix the port with that interface's IP address as shown below.
Listen 192.168.1.150:8090
This will be useful if your server has multiple IP addresses or network interfaces.
Save and close the file.
In RHEL/CentOS systems, make sure the new port number 8090 is allowed by SELinux and the firewall.
sudo semanage port -a -t http_port_t -p tcp 8090
If semanage command is not found, install the following package:
sudo yum install policycoreutils-python
To allow port 8090 through the firewall, do the following.
In RHEL 7/ CentOS 7:
sudo firewall-cmd --permanent --add-port=8090/tcp
sudo firewall-cmd --reload
In RHEL 6/ CentOS 6:
sudo vi /etc/sysconfig/iptables
And add the new custom port line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
Save and exit the file, then restart the iptables service.
sudo service iptables restart
Finally, restart the Apache service.
sudo systemctl restart httpd
Or
sudo service httpd restart
Now verify the port using command:
sudo netstat -tulpn | grep :8090
Sample output:
tcp6       0      0 :::8090                 :::*                    LISTEN      17636/httpd
If the netstat command is not found, install the following package:
sudo yum install net-tools
Then, verify the Apache test page from the browser using URL: http://IP-address:8090.
You should see the following screen:
[Screenshot: Apache test page]
Congratulations! Apache default port has been changed.
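The Listen and VirtualHost edits above are the same on Debian and RHEL, only the file paths differ. The following shell script is an added example, not part of the original post: it rewrites the port in both directives with sed and reads the configured ports back, so the edit can be checked before Apache is restarted. It works on constructed copies of ports.conf and 000-default.conf in a temporary directory; the file names and the sample contents are assumptions, not the real /etc/apache2 files.

```shell
#!/bin/sh
# Added example (not from the original post): change Apache's Listen and
# <VirtualHost> port directives and read the result back before restarting.
# PORTS_CONF and VHOST_CONF are constructed copies in a temp dir, not the
# real /etc/apache2 files; point them at the real paths on a host.
set -eu

WORK=$(mktemp -d)
PORTS_CONF="$WORK/ports.conf"
VHOST_CONF="$WORK/000-default.conf"

# Constructed sample mirroring the Debian/Ubuntu default, plus one
# interface-specific Listen line as shown on the page.
cat > "$PORTS_CONF" <<'EOF'
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
Listen 192.168.1.101:80

<IfModule ssl_module>
    Listen 443
</IfModule>
EOF

# Constructed sample of the default virtual host.
cat > "$VHOST_CONF" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>
EOF

# apache_set_port FILE OLD NEW: change "Listen OLD", "Listen IPv4:OLD" and
# "<VirtualHost ...:OLD>" to NEW. Only whole-port matches are touched, so
# "Listen 443" stays as it is when OLD is 80. (IPv6 [addr]:port forms are
# not handled by this simple pattern.)
apache_set_port() {
    file=$1; old=$2; new=$3
    sed -E \
        -e "s/^([[:space:]]*Listen[[:space:]]+([0-9.]+:)?)$old([[:space:]]*)\$/\1$new\3/" \
        -e "s/^([[:space:]]*<VirtualHost[[:space:]]+[^:>]+:)$old>/\1$new>/" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# apache_listen_ports FILE: print the port of every uncommented Listen line
# (interface prefix stripped), one per line, numerically sorted and unique.
apache_listen_ports() {
    sed -nE 's/^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?([0-9]+)[[:space:]]*$/\2/p' "$1" \
        | sort -un
}

# vhost_ports FILE: print the port from each <VirtualHost ...:PORT> line.
vhost_ports() {
    sed -nE 's/^[[:space:]]*<VirtualHost[[:space:]]+[^:>]+:([0-9]+)>.*/\1/p' "$1"
}

apache_set_port "$PORTS_CONF" 80 8090
apache_set_port "$VHOST_CONF" 80 8090
echo "Listen ports now: $(apache_listen_ports "$PORTS_CONF" | tr '\n' ' ')"
echo "VirtualHost ports now: $(vhost_ports "$VHOST_CONF" | tr '\n' ' ')"
```

Comparing the two lists is the useful part: a Listen port with no matching VirtualHost (or the reverse) is exactly the mismatch the page warns about when it says the 000-default.conf port must be changed too. On a real host, run `apachectl configtest` after the edit and before the restart.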

In this second part, let us see how to change the FTP default port 21 to a custom port.

Change FTP default port to a custom port

Make sure you have installed the VSFTPD server and started its service.
Then, edit the VSFTPD configuration file and change the default port.
On Debian / Ubuntu :
Edit /etc/vsftpd.conf file,
sudo vi /etc/vsftpd.conf
On RHEL / CentOS / Fedora / Scientific Linux:
Edit /etc/vsftpd/vsftpd.conf file,
sudo vi /etc/vsftpd/vsftpd.conf
Find the following line. If it is not found, add it.
listen_port=21
And change the FTP default port 21 to a custom port, for example 210.
listen_port=210
Save and close the file. Restart the vsftpd service for the changes to take effect.
In RHEL / CentOS / Scientific Linux systems, make sure port 210 is allowed by SELinux and the firewall.
sudo semanage port -a -t ftp_port_t -p tcp 210
If semanage command is not found, install the following package:
sudo yum install policycoreutils-python
To allow port 210 through the firewall, do the following.
In RHEL 7/ CentOS 7 /Scientific Linux 7:
sudo firewall-cmd --permanent --add-port=210/tcp
sudo firewall-cmd --reload
In RHEL 6/ CentOS 6 /Scientific Linux 6:
sudo vi /etc/sysconfig/iptables
And add the new custom port line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 210 -j ACCEPT
Save and exit the file, then restart the iptables service.
sudo service iptables restart
Finally, restart the vsftpd service.
sudo systemctl restart vsftpd
Or
sudo service vsftpd restart
Now verify the port using command:
sudo netstat -tulpn | grep :210
Sample output:
tcp6       0      0 :::210                  :::*                    LISTEN      2610/vsftpd
If the netstat command is not found on CentOS/RHEL, install the following package:
sudo yum install net-tools
Now, you can access the FTP server from any client with the ftp command, giving the server address and the custom port: ftp <ftp-server-ip> <port-number>
Example:
$ ftp 192.168.1.150 210
Here, 192.168.1.150 is my FTP server’s IP address and 210 is the FTP custom port.
Sample output:
Connected to 192.168.1.150 (192.168.1.150).
220 (vsFTPd 3.0.2)
Name (192.168.1.150:root): ostechnix
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As you can see in the above output, we have accessed the FTP server using the custom port 210. You can use any port number of your choice, but make sure the custom port is not used by any other service.
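"Make sure the custom port is not used by any other service" is worth doing with a script rather than from memory. The following shell functions are an added example, not part of the original post: they check that a candidate port is a valid number, that it is not registered to a known service in an /etc/services-style file, and that nothing is currently listening on it (using ss, falling back to netstat as the page does). The services file here is a constructed excerpt so the example runs offline; on a real host pass /etc/services, which is the default.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a candidate custom
# port before writing it into a service configuration. SERVICES_FILE is a
# constructed excerpt in /etc/services format; the functions default to the
# real /etc/services when no file argument is given.
set -eu

SERVICES_FILE=$(mktemp)
cat > "$SERVICES_FILE" <<'EOF'
# Constructed excerpt in /etc/services format
ftp             21/tcp
ssh             22/tcp
http            80/tcp
z39.50          210/tcp         z3950
EOF

# valid_port N: 0 if N is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# assigned_service N [FILE]: print the service name registered for N/tcp in
# FILE (default /etc/services) and return 0; return 1 if none is registered.
assigned_service() {
    awk -v p="$1/tcp" '$1 !~ /^#/ && $2 == p {print $1; found=1} END {exit !found}' \
        "${2:-/etc/services}"
}

# port_in_use N: 0 if a TCP socket is already listening on N (ss first,
# then netstat as used on the page); 2 if neither tool is available.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" {f=1} END {exit !f}'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tln 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" {f=1} END {exit !f}'
    else
        return 2
    fi
}

# check_port N [FILE]: run all three checks, print a verdict, and return 0
# only when N is valid, unregistered and not currently in use.
check_port() {
    port=$1; svc_file=${2:-/etc/services}
    if ! valid_port "$port"; then
        echo "$port: not a valid TCP port number"; return 1
    fi
    if name=$(assigned_service "$port" "$svc_file"); then
        echo "$port: registered for '$name' in $svc_file, pick another"; return 1
    fi
    rc=0
    port_in_use "$port" || rc=$?
    case $rc in
        0) echo "$port: something is already listening"; return 1 ;;
        2) echo "$port: free per $svc_file (no ss/netstat to check live sockets)" ;;
        *) echo "$port: free" ;;
    esac
    return 0
}

check_port 210 "$SERVICES_FILE" || true
check_port 8090 "$SERVICES_FILE" || true
```

Note what the constructed excerpt shows about the page's own choice: 210/tcp is registered to z39.50 in the IANA list that /etc/services mirrors, so a check like this would flag it. The port still works for vsftpd, but an unregistered port avoids confusing anyone reading netstat output or firewall rules later.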

Access FTP server using FTP client or Web browser

Similar to the CLI method, you need to specify the custom port number when accessing the FTP server via an FTP client or a web browser.
The following screenshots show how to access the FTP server from an FTP client or a browser.
[Screenshot: FTP server accessed from the FileZilla client]
[Screenshot: FTP server accessed from a web browser using a custom port]
To access the FTP server from a browser, the URL must be:
ftp://<IP-Address>:<port-number>
Or
ftp://<login>:<passwd>@IP-Address:<port-number>/

In this third part, we will discuss how to change the SSH default port to any random port. Like parts 1 and 2, it is easy to implement. Read on.

Change SSH default port to a custom port

Changing the SSH default port is pretty easy, and it is almost the same on all modern Linux operating systems.
To change the SSH default port, edit the /etc/ssh/sshd_config file:
sudo vi /etc/ssh/sshd_config
As you probably know, the SSH default port is 22. We will change it to a random number, for example 2022.
To do so, edit or add the following line:
Port 2022
Save and close the file. Restart the SSH service.
sudo systemctl restart sshd
Or
sudo service sshd restart
In RHEL/CentOS systems, adjust SELinux and Firewall settings to allow the new port.
sudo semanage port -a -t ssh_port_t -p tcp 2022
If semanage command is not found, install the following package:
sudo yum install policycoreutils-python
In RHEL 7 / CentOS 7:
sudo firewall-cmd --permanent --add-port=2022/tcp
sudo firewall-cmd --reload
In RHEL 6 / CentOS 6:
sudo vi /etc/sysconfig/iptables
Comment out the default port 22 line:
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
And add the new custom port line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT
Save and close the file.
Restart iptables for the changes to take effect.
sudo service iptables restart
Finally, restart the SSH service:
sudo service sshd restart
Verify the port settings using command:
sudo netstat -tulpn | grep :2022
Sample output:
tcp        0      0 0.0.0.0:2022            0.0.0.0:*               LISTEN      18680/sshd
tcp6       0      0 :::2022                 :::*                    LISTEN      18680/sshd
Now, try to SSH from any client system using the new port number as shown below.
ssh -p 2022 ostechnix@192.168.1.150
Sample Output:
ostechnix@192.168.1.150's password: 
Last login: Wed Jan 20 15:45:16 2016
[ostechnix@server ~]$
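SSH is the one service here where getting the order wrong locks you out: if sshd is restarted on a port the firewall does not yet accept, the session you are working from is the last one you get. The following shell script is an added example, not part of the original post: it reads every port sshd will listen on from sshd_config (all uncommented Port lines count, and the default 22 applies only if there are none) and checks that each has an ACCEPT rule in an iptables rules file in the RHEL 6 / CentOS 6 format shown above. Both files are constructed copies in a temporary directory so the check runs offline; on a real host point it at /etc/ssh/sshd_config and /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the original post): before restarting sshd, confirm
# every port sshd will listen on has a matching ACCEPT rule in the iptables
# rules file. SSHD_CONF and RULES are constructed copies in a temp dir, not
# the real /etc/ssh/sshd_config and /etc/sysconfig/iptables.
set -eu

WORK=$(mktemp -d)
SSHD_CONF="$WORK/sshd_config"
RULES="$WORK/iptables"

# Constructed sshd_config: the stock "#Port 22" comment left in place and
# the new Port line added, as the page describes.
cat > "$SSHD_CONF" <<'EOF'
#Port 22
#AddressFamily any
Port 2022
PermitRootLogin no
EOF

# Constructed rules file: the default port-22 rule commented out and the
# custom port added, the same edit the page makes.
cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# sshd_ports FILE: print the port from every uncommented "Port N" line
# (sshd listens on all of them); if there is none, print the default 22.
sshd_ports() {
    ports=$(sed -nE 's/^[[:space:]]*[Pp]ort[[:space:]]+([0-9]+)[[:space:]]*$/\1/p' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# rule_allows_port FILE N: 0 if FILE has an uncommented INPUT rule that
# accepts TCP traffic to destination port N.
rule_allows_port() {
    grep -Eq "^[[:space:]]*-A[[:space:]]+INPUT[[:space:]].*-p[[:space:]]+tcp[[:space:]].*--dport[[:space:]]+$2([[:space:]]|\$).*-j[[:space:]]+ACCEPT" "$1"
}

# firewall_covers_sshd SSHD_CONF RULES: report each configured port and
# return 1 if any of them lacks an ACCEPT rule (a restart now would cut off
# new logins on that port).
firewall_covers_sshd() {
    rc=0
    for p in $(sshd_ports "$1"); do
        if rule_allows_port "$2" "$p"; then
            echo "port $p: allowed by $2"
        else
            echo "port $p: NO ACCEPT rule in $2"
            rc=1
        fi
    done
    return $rc
}

firewall_covers_sshd "$SSHD_CONF" "$RULES"
```

A safer sequence for the real change is: add the firewall rule (and the SELinux port label) first, run `sshd -t` to validate the edited sshd_config, restart sshd, and only close the existing session after a second login on the new port succeeds. Keeping both `Port 22` and `Port 2022` active during the switch is also a valid interim step; the check above then reports on both.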

Conclusion

Like I said in the first part, these methods alone will not keep your server safe and secure. There are many other tasks to consider, such as firewall implementation, DDoS and brute-force attack prevention, installing security patches, and updating your server and applications regularly. But these are the first and foremost things you should do before implementing any other security measures. Now, your Linux server is a bit more secure than before.


 
