SELinux remove or leave the old SSH port label?


There's no significant reason to remove the port type label from port 22 (nor is relocating your ssh server to another port necessarily going to make you more secure). If you do remove the label, then sshd will not be able to bind to port 22 and listen for connections.
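
As an added check that is not part of the question or the answer above: a POSIX shell snippet that parses `semanage port -l` output to confirm every `Port` in sshd_config carries `ssh_port_t` before sshd is restarted (the bind failure the answer describes). The semanage listing and sshd_config below are constructed samples, and `port_has_type` / `unlabelled_sshd_ports` are names chosen here, not existing tools.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host),
# as it would look after `semanage port -a -t ssh_port_t -p tcp 2345`.
# Note that 22 stays listed: it comes from the base policy and cannot be deleted.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      2345, 22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61001-65535
unreserved_port_t              udp      1024-32767, 61001-65535'

# Constructed sshd_config fragment: 2222 has deliberately NOT been labelled.
SAMPLE_CFG='Port 22
Port 2345
Port 2222'

# port_has_type TYPE PROTO PORT [LISTING]
# Returns 0 if PORT/PROTO carries SELinux port type TYPE in LISTING
# (defaults to the live `semanage port -l`), handling comma lists and ranges.
port_has_type() {
    type="$1"; proto="$2"; port="$3"
    listing="${4:-$(semanage port -l)}"
    printf '%s\n' "$listing" | awk -v t="$type" -v pr="$proto" -v p="$port" '
        $1 == t && $2 == pr {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)                 # strip list separators
                n = split($i, r, "-")             # single port or low-high range
                if ((n == 1 && r[1] == p) ||
                    (n == 2 && p >= r[1] + 0 && p <= r[2] + 0)) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }'
}

# unlabelled_sshd_ports SSHD_CONFIG_TEXT [LISTING]
# Prints each `Port N` from the config that does NOT carry ssh_port_t over tcp,
# i.e. a port sshd would be denied binding to. Empty output means all is well.
unlabelled_sshd_ports() {
    cfg="$1"; listing="${2:-$(semanage port -l)}"
    printf '%s\n' "$cfg" | awk 'tolower($1) == "port" { print $2 }' | while read -r p; do
        port_has_type ssh_port_t tcp "$p" "$listing" || printf '%s\n' "$p"
    done
}

# Demo against the constructed sample; omit the last argument on a real host
# to query the live policy instead.
unlabelled_sshd_ports "$SAMPLE_CFG" "$SAMPLE_PORTS"   # prints 2222
```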


Updated on September 18, 2022

Comments

  • Florian Mertens
    Florian Mertens almost 2 years

    I am following this (basic) security guide to change my server's SSH port to something else.

    It says:

    $ semanage port -a -t ssh_port_t -p tcp 2345 #Change me


    ...which would add a new label on top of port 2345 to say that this is relevant for SSH, and that the SSH process can access this port.

    What bugs me is that this does NOT remove the label on the old port 22.

    Is it safer to leave the old label in place, or is it safer to remove it? I don't know if the default setting for ports is within confined or unconfined space, and I think this may matter.

    Please correct me if I am wrong, but the command for removing the old port is:

    # semanage port -d -p tcp 22

  • Florian Mertens
    Florian Mertens almost 11 years
    Out of curiosity, you mentioned "(nor is relocating your ssh server to another port necessarily going to make you more secure)". Why not? I would have thought that "For a hacker to determine ssh is running on your machine, he'll most likely scan port 22 to determine this. An effective method is to run ssh on a non-standard port." would apply?
  • Michael Hampton
    Michael Hampton almost 11 years
    This only "protects" you from drive-by scanners who just try a large number of default usernames and passwords. Not allowing root logins with a password, and making sure you have strong passwords for all users, is sufficient there. Moving the port is not sufficient for a targeted attack, as the attacker can find the new port number in a few seconds with a port scan.
  • Florian Mertens
    Florian Mertens almost 11 years
    Ok. Thank you!
  • Ilia
    Ilia almost 9 years
    @MichaelHampton What if you use port scan detection and block such attempts (blacklisting IPs that are trying to get to undefined ports)? Why is it not possible to run the following command, `semanage port -d -t ssh_port_t -p tcp 22`, and delete the default port? I get an error like this: Port tcp/22 is defined in policy, cannot be deleted
  • Achilles
    Achilles over 8 years
    @MichaelHampton Did you find a way around this policy thing?
  • Michael Hampton
    Michael Hampton over 8 years
    @Achilles You could add a port, but you cannot delete the default port from the SELinux policy.