Sunday, November 23, 2014

Configuring SELinux to Allow Secure Shell Service (SSHD) on Non-Default Port

The Secure Shell Service (SSHD) by default listens on TCP port 22. We sometimes want the Secure Shell Service (SSHD) to listen on a non-default port or on more than one port. When Security-Enhanced Linux (SELinux) is enabled, we have to configure both the Secure Shell Service and SELinux, because the default SELinux policy allows the Secure Shell Service to bind to TCP port 22 only.

Below are the steps, for a recent release of the Fedora Linux distribution in which the Secure Shell Service (SSHD) is provided by OpenSSH and services are managed by systemd, to make the Secure Shell Service listen on both TCP ports 22 and 64422.

  • Configure OpenSSH to listen on 64422.
    OpenSSH's configuration files on Fedora Linux are in /etc/ssh. Open /etc/ssh/sshd_config and add the following line to the file.
    
        Port 64422
        
  • Configure SELinux to allow the Secure Shell Service to bind to TCP port 64422. We use semanage to configure SELinux port labels. First, let us look up which ports the Secure Shell Service is allowed to bind to.
    
        $ sudo semanage port -l | grep ssh
        ssh_port_t                     tcp      22
        
    which shows that the Secure Shell Service is allowed to bind to TCP port 22 only. We can now add a second port, 64422, to the list of ports that the Secure Shell Service is allowed to bind to.
    
        $ sudo semanage port -a -t ssh_port_t -p tcp 64422
        
    The above step usually takes a while to run. Upon completion, we can verify that the Secure Shell Service may now bind to both TCP ports 22 and 64422.
    
        $ sudo semanage port -l | grep ssh
        ssh_port_t                     tcp      64422, 22
        
  • Restart the Secure Shell Service using systemctl.
    
        $ sudo systemctl restart sshd.service
        
    Upon completion, we can verify that the service is now listening on both TCP ports 22 and 64422.
    
        $ sudo systemctl status sshd.service
        sshd.service - OpenSSH server daemon
           Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
           Active: active (running) since Sun, 23 Nov 2014 00:34:31 -0500; 6s ago
          Process: 2311 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
         Main PID: 2312 (sshd)
           CGroup: name=systemd:/system/sshd.service
                   └ 2312 /usr/sbin/sshd -D

        Nov 23 00:34:31 localhost.localdomain sshd[2312]: Server listening on 0.0.0.0 port 64422.
        Nov 23 00:34:31 localhost.localdomain sshd[2312]: Server listening on :: port 64422.
        Nov 23 00:34:31 localhost.localdomain sshd[2312]: Server listening on 0.0.0.0 port 22.
        Nov 23 00:34:31 localhost.localdomain sshd[2312]: Server listening on :: port 22.
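As an added example (not part of the original post), the following POSIX shell script turns the three steps above into a repeatable check: it parses `semanage port -l` output to see whether a port already carries the `ssh_port_t` label (including the `lo-hi` ranges semanage can print), reads the active `Port` directives out of an sshd_config, and prints only the commands that are still missing for a given port. The sample semanage output and sshd_config fragment embedded in it are constructed for the example; the `--apply` mode, which reads the live files, is an assumption about how one might use it and still only prints commands rather than running them.

```shell
#!/bin/sh
# Added example, not from the original post: check whether sshd_config and the
# SELinux ssh_port_t label both cover a port, and print the commands still needed.

# Constructed sample output of `semanage port -l | grep ssh`, before and after
# the label is added (matches the post's output).
SAMPLE_BEFORE='ssh_port_t                     tcp      22'
SAMPLE_AFTER='ssh_port_t                     tcp      64422, 22'

# Constructed sshd_config fragment; the commented-out Port must be ignored.
SAMPLE_SSHD_CONFIG='# Port 2222
Port 22
Port 64422
ListenAddress 0.0.0.0'

# ssh_port_allowed TEXT PORT: exit 0 if PORT is labelled ssh_port_t/tcp in TEXT.
# semanage prints single ports and "lo-hi" ranges, comma separated; handle both.
ssh_port_allowed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (index(p, "-") > 0) {
                    split(p, r, "-")
                    if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) found = 1
                } else if (p == want) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# sshd_config_ports TEXT: print the active (uncommented) Port values, one per line.
sshd_config_ports() {
    printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }'
}

# port_plan SEMANAGE_TEXT CONFIG_TEXT PORT: print the commands still needed for
# sshd to listen on PORT under SELinux; prints nothing when both are in place.
port_plan() {
    if ! sshd_config_ports "$2" | grep -qxF "$3"; then
        echo "echo 'Port $3' >> /etc/ssh/sshd_config"
    fi
    if ! ssh_port_allowed "$1" "$3"; then
        echo "semanage port -a -t ssh_port_t -p tcp $3"
    fi
}

# Usage: ./sshd-port-check.sh --apply 64422  (assumed invocation; needs root
# because semanage reads the policy store). Without --apply, runs on the samples.
if [ "${1:-}" = "--apply" ] && command -v semanage >/dev/null 2>&1; then
    port="${2:-64422}"
    live_semanage=$(semanage port -l)
    live_config=$(cat /etc/ssh/sshd_config)
    port_plan "$live_semanage" "$live_config" "$port"
    # After running the printed commands: sshd -t, systemctl restart sshd.service,
    # then confirm with `ss -tlnp | grep sshd` that both ports are listening.
else
    echo "Commands still needed for port 64422 (constructed sample, before labelling):"
    port_plan "$SAMPLE_BEFORE" "$SAMPLE_SSHD_CONFIG" 64422
    echo "Commands still needed after labelling (expect none):"
    port_plan "$SAMPLE_AFTER" "$SAMPLE_SSHD_CONFIG" 64422
fi
```

Run without arguments it reports, for the constructed sample, that only the `semanage port -a` step is outstanding; after the label exists it reports nothing. Two practical notes: `semanage` needs root, so run the script with sudo when using `--apply`, and on a Fedora host with firewalld the new port also has to be opened in the firewall before remote clients can reach it, which is outside what this page covers.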
