Securing AWS EC2: Change SSH Port 22 to a Custom Port



This content originally appeared on DEV Community and was authored by Ashraf Minhaj

Introduction

When you deploy an EC2 instance, or any other server, SSH listens on port 22 by default. You already know that, and so do the whole world and all of the attackers, so most automated attacks start by scanning the well-known ports, say 22 for SSH.

One of the many ways to mitigate that is to move SSH to a different port. It won’t make the server bulletproof, but it will surely reduce the number of opportunistic brute force attempts that reach it.
Let’s start.

This method applies to all kinds of servers, including your own virtual machines. Since I have an AWS account I will use that, but a GCP Compute Engine instance or an Azure VM works just as well.

What is Security by Obscurity

In simple words, it means hiding something from the attackers, believing that if the attackers can’t see it, they can’t exploit it. Keep in mind that it only hides you from scanners that check the usual ports; a full port scan will still find SSH, so it is a noise reduction, not a protection on its own.

It is like moving your door to an unexpected location so that thieves don’t find a way in from the usual places… as far as they can tell, you removed the front door completely.

Deploy an ec2 instance

We will deploy an EC2 instance the way we usually do. In the security group, open port 22 for SSH and add a key pair (or generate one and save it). My key file is test-min-keys.pem.

[screenshot: creating the EC2 instance]

Change the port

1. Connect to the server/instance

For that we need to access the VM first, so let’s SSH into it the normal way.

Restrict the key file permissions (ssh refuses keys that are readable by others) and connect:

chmod 400 "test-min-keys.pem"

# your key, server IP or hostname will be different, use yours
ssh -i "test-min-keys.pem" ec2-user@ec2-13-228-72-54.ap-southeast-1.compute.amazonaws.com

[screenshot: terminal view of the SSH session]

2. Update SSH configuration

Open the SSH daemon config file –

sudo nano /etc/ssh/sshd_config

And look for the Port line; on a fresh install it is commented out as #Port 22, which means the default of 22 is in effect –

We will uncomment it and change it from 22 to 2222 – that’s our door change –

Port 2222

[screenshot: the edited Port line]

Now we can restart the SSH service and use the new port to connect.

sudo systemctl restart sshd

But, if you are using an SELinux-enabled system such as RHEL, CentOS or Amazon Linux, you also have to run this command to tell SELinux about the change, otherwise it will not let sshd bind to the new port.

sudo semanage port -a -t ssh_port_t -p tcp 2222

If semanage tells you the port is already in use (defined for another service), then use a different port (headache? remove the head) –

[screenshot: semanage error, port already in use]

Now restart the SSH service –

sudo systemctl restart sshd

Now, update your firewall (if the instance runs firewalld or ufw, open 2222 there too), or in AWS the security group inbound rule, and open port 2222 instead of 22.

[screenshot: security group inbound rule for port 2222]

3. Access the server with new ssh port

Hold your horses: just in case, test the new port before closing the old session. Open another terminal tab and try to SSH with the -p <port> flag.

# ssh -p 2222 ec2-user@<your-public-ip>

ssh -p 2222 -i "test-min-keys.pem" ec2-user@ec2-13-228-72-54.ap-southeast-1.compute.amazonaws.com

And voila! We are in!

[screenshot: SSH session on port 2222]

Let’s close all the sessions and try again –

[screenshot: reconnecting on port 2222]
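The config edit from steps 2 and 3 done in a script, as an added example that is not part of the original post: set_sshd_port rewrites the Port directive (whether it is the stock commented-out line, a live line, or missing entirely) and get_sshd_port reads the effective value back so you can check the file before restarting. It runs here on a constructed sample file; the real path /etc/ssh/sshd_config and the follow-up commands are in the trailing comments.

```shell
#!/bin/sh
# Rewrites the Port directive of an sshd_config and reads the effective value back.
# Here it runs on a constructed sample file; on the real host point it at
# /etc/ssh/sshd_config (as root) and follow with the sshd -t / semanage / restart steps.
set -eu

# Usage: set_sshd_port CONFIG_FILE PORT
set_sshd_port() {
  cfg=$1; port=$2
  # Accept only a number in 1024-65535, so 22 and other well-known ports are refused
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port out of range: $port" >&2; return 1
  fi
  awk -v p="$port" '
    /^[[:space:]]*#?[[:space:]]*Port[[:space:]]/ {
      if (!done) { print "Port " p; done = 1; next }     # first directive (even "#Port 22"): rewrite
      if ($0 !~ /^[[:space:]]*#/) { print "#" $0; next } # any later live Port line: comment it out
    }
    { print }
    END { if (!done) print "Port " p }                   # no directive at all: append one
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Usage: get_sshd_port CONFIG_FILE  -> first active Port value, or sshd's default of 22
get_sshd_port() {
  p=$(awk '$1 == "Port" { print $2; exit }' "$1")
  echo "${p:-22}"
}

# Constructed sample mirroring the stock commented-out line from a fresh install
SAMPLE=$(mktemp)
printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$SAMPLE"
set_sshd_port "$SAMPLE" 2222
echo "effective port: $(get_sshd_port "$SAMPLE")"   # effective port: 2222

# On the real host, in this order, before closing your current session:
#   sudo sshd -t                                        # syntax check the edited file
#   sudo semanage port -a -t ssh_port_t -p tcp 2222     # SELinux hosts only
#   sudo systemctl restart sshd
#   ssh -p 2222 -i "test-min-keys.pem" ec2-user@<host>  # from a second terminal
```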

Conclusion

In practice, you should never put instances in a public subnet when you don’t need to. Also harden SSH further by not allowing password-based authentication.
For EC2 instances there are numerous ways to reach private instances, which is the more secure option.

Happy Coding!

