SSH Daemon on Alternate Ports

There comes a time in every sysadmin's life when they need to run SSH on an alternate port. It should be as simple as adding multiple Port <number> directives to /etc/ssh/sshd_config and restarting the daemon.

Except SELinux, as usual, finds a way to rain on the parade. But we don't want to disable it. Especially since reconfiguring it is so easy.

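In this example we'll run SSH on its usual 22/tcp as well as 80/tcp and 443/tcp by making sure the following lines are in the configuration file. Port 22 has to be listed explicitly: once any Port directive is present, sshd no longer falls back to its default of 22.

Port 22
Port 80
Port 443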

Since we obviously won't be needing those ports for Apache, it's safe to go ahead and relabel them.

$ sudo semanage port -m -t ssh_port_t -p tcp 80
$ sudo semanage port -m -t ssh_port_t -p tcp 443

Make sure the ports are open in firewalld.

$ sudo firewall-cmd --add-port 80/tcp --add-port 443/tcp --permanent
$ sudo firewall-cmd --reload

Then restart the daemon and test it out. As usual, make sure to have an active session running on standby in case you fubar your configuration.

Hint: some documentation will use semanage port -a, but these ports may already be labeled, and -a will produce an error. Use -m instead.
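
The -a versus -m choice from the hint, as an added example (not from the original post): a shell script that reads sshd's Port directives and `semanage port -l` output and prints the relabel command each port needs. The sample inputs are constructed, label_of and plan_ports are hypothetical helper names, and it assumes -a only fails when the exact port already has its own entry, so a covering range such as 1024-32767 does not count.

```shell
#!/bin/sh
# Added example: pick "semanage port -a" or "-m" for each sshd Port directive.
# Inputs are plain text so this runs offline; on a real host pass
# "$(cat /etc/ssh/sshd_config)" and "$(sudo semanage port -l)" instead.

# Constructed sample of `semanage port -l` output (not from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535, 1024-32767'

# Constructed sshd_config fragment; the commented line must be ignored.
SAMPLE_CONFIG='#Port 22
Port 22
Port 80
Port 443
Port 2222'

# label_of PORT SEMANAGE_OUTPUT
# Prints the type that lists PORT/tcp as an exact entry, or nothing.
# Ranges are compared as whole strings, so they never match a single port.
label_of() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# plan_ports SSHD_CONFIG SEMANAGE_OUTPUT
# One line per Port directive: nothing to do, -m (relabel), or -a (new entry).
plan_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }' |
    while read -r port; do
        label=$(label_of "$port" "$2")
        case "$label" in
            ssh_port_t) echo "# $port/tcp is already ssh_port_t" ;;
            "")         echo "semanage port -a -t ssh_port_t -p tcp $port" ;;
            *)          echo "semanage port -m -t ssh_port_t -p tcp $port  # was $label" ;;
        esac
    done
}

plan_ports "$SAMPLE_CONFIG" "$SAMPLE_PORTS"
```

With the sample input, 80 and 443 get -m because http_port_t already claims them, while 2222 gets -a because no type lists it as its own entry.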