Linux Administration Cookbook

Changing the default port

We're going to start with a simple one, that is, changing the default port on which the SSH daemon runs. Open /etc/ssh/sshd_config and find the following block:

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change the preceding block so that the Port line is uncommented and now reads 2222:

#
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

As the handy note before this block informs us, we also have to modify SELinux so that it's aware that the SSH daemon will be trying to use a different port.

This file suggests that we use semanage, so let's do just that.

First, we'll find which package provides semanage:

[vagrant@centos2 ~]$ sudo yum whatprovides semanage
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.vorboss.net
* extras: mozart.ee.ic.ac.uk
* updates: mozart.ee.ic.ac.uk
base/7/x86_64/filelists_db | 6.9 MB 00:00:01
extras/7/x86_64/filelists_db | 588 kB 00:00:00
updates/7/x86_64/filelists_db | 2.4 MB 00:00:00
policycoreutils-python-2.5-22.el7.x86_64 : SELinux policy core python utilities
Repo : base
Matched from:
Filename : /usr/sbin/semanage

Then, we'll install it:

[vagrant@centos2 ~]$ sudo yum install -y policycoreutils-python

Finally, we'll run the recommended command with our new port:

[vagrant@centos2 ~]$ sudo semanage port -a -t ssh_port_t -p tcp 2222

Once done, we can safely restart the SSH daemon:

[vagrant@centos2 ~]$ sudo systemctl restart sshd

This shouldn't kick you off the VM. Restarting sshd only replaces the listening parent process; each established session is served by its own forked child, which keeps running across the restart. The flip side is that a change which breaks logins (as this one does for port 22) only bites once you voluntarily disconnect, so keep this session open until you have confirmed you can get back in.

Try logging out now, and then logging back in again.

A forewarning: this should fail!

Fear not! Instead, connect to centos1 on your second Terminal (you should have two connections open to centos1 at this point) and SSH back onto centos2 like so:

[vagrant@centos1 ~]$ ssh 192.168.33.11 -p2222

Congratulations! SSH is now running on a different port!

You can confirm this from within the OS with the following command (which we'll cover in greater detail later on):

[vagrant@centos2 ~]$ ss -nl sport = :2222
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:2222 *:*
tcp LISTEN 0 128 :::2222 :::*

Note that in the preceding output, both the IPv4 (*:2222) and IPv6 (:::2222) listeners are printed.
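The recipe above carried out as one script, added here as an example and not code from the book: it rewrites the Port directive, registers the port with SELinux as the sshd_config hint suggests, opens it in firewalld if that is running (a step the book's Vagrant box does not need, but a real host usually does), checks the config syntax with sshd -t before restarting, and finally confirms the listener with ss. It assumes CentOS 7 with policycoreutils-python installed and a root shell; the SSHD_CONFIG variable and the helper function names are ours.

```shell
#!/bin/sh
# Added example, not the book's code: change sshd's port end to end, with the
# checks you want before doing this on a remote host. Assumptions: CentOS 7,
# SELinux, policycoreutils-python installed, run as root; SSHD_CONFIG and the
# function names below are ours.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# A TCP port number is 1-65535 and nothing else.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Rewrite the Port directive of an sshd_config read on stdin and emit it on
# stdout: the first "Port N" line, commented out or not, is replaced; if the
# file has none, the directive is appended so sshd cannot stay on 22 by
# accident. Every other line (including the semanage hint) is left untouched.
set_port_directive() {
    awk -v port="$1" '
        /^[# \t]*Port[ \t]+[0-9]+[ \t]*$/ && !done { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }
    '
}

# The recipe itself: backup, rewrite, SELinux, firewall, syntax check, restart.
change_ssh_port() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }

    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    set_port_directive "$port" < "$SSHD_CONFIG.bak" > "$SSHD_CONFIG"

    # Register the port with SELinux (the hint from sshd_config), unless it is
    # already labelled ssh_port_t or SELinux is disabled on this host.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        if ! semanage port -l | grep '^ssh_port_t' | grep -qw "$port"; then
            semanage port -a -t ssh_port_t -p tcp "$port"
        fi
    fi

    # firewalld, when active, only permits the ssh service on 22; open the new port too.
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --permanent --add-port="$port/tcp"
        firewall-cmd --reload
    fi

    # Validate the config before restarting: a typo here would leave no sshd at all.
    sshd -t
    systemctl restart sshd
}

# True when something is listening on TCP port $1 (the ss check from the book).
port_listening() {
    ss -nlt "sport = :$1" | grep -q LISTEN
}

if [ $# -gt 0 ]; then
    change_ssh_port "$1"
    port_listening "$1" && echo "sshd now listening on port $1"
fi
```

Run it as `sudo sh change-ssh-port.sh 2222` from the session you already have open, then test the new port from a second Terminal before closing the first; the .bak copy next to sshd_config is what you restore from if the second login fails.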