VMware Cloud Community
PRWeb
Contributor

Change VCSA 6.7 SSH port

We usually change the SSH port number on our devices to avoid common scans of port 22. In case it is of use to others, below are the steps for this change on VCSA 6.7, using port 10022 as an example. Note that a VCSA update to the SSH or firewall services may overwrite this change.

1. Enable the console CLI via the VAMI Access menu (https://vcenter_url:5480/) and log in as root (VM console, Alt-F1).

2. Add a rule for port 10022 and remove the rule for port 22.

iptables -I port_filter -p tcp --dport 10022 -j ACCEPT

iptables -D port_filter -p tcp --dport 22 -j ACCEPT

Confirm that the ACCEPT rule for the new port appears in the iptables list.

iptables -L port_filter -n --line-numbers | grep 10022

1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022

3. Change /etc/vmware/appliance/services.conf so firewall reloads use the new port.

----------

             "direction": "inbound",

             "protocol": "tcp",

             "porttype": "dst",

             "port": "22"

----------

to

----------

             "direction": "inbound",

             "protocol": "tcp",

             "porttype": "dst",

             "port": "10022"

----------

4. Change /etc/ssh/sshd_config so SSH service uses the new port.

----------

#Port 22

#AddressFamily any

----------

to

----------

Port 10022

#AddressFamily any

----------

5. Enable SSH via VAMI Access menu (https://vcenter_url:5480/)

The following steps are optional.

1. Change /etc/services to display the correct service name on commands that use it.

----------

ssh              22/tcp    # SSH Remote Login Protocol

ssh              22/udp    # SSH Remote Login Protocol

#                          Tatu Ylonen <ylo@cs.hut.fi>

ssh              22/sctp   # SSH

----------

to

----------

ssh              10022/tcp # SSH Remote Login Protocol

ssh              10022/udp # SSH Remote Login Protocol

#                          Tatu Ylonen <ylo@cs.hut.fi>

ssh              10022/sctp # SSH

----------

2. Change /etc/systemd/scripts/iptables. This doesn't seem to be used by VCSA.

----------

#Enable ssh connections

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

----------

to

----------

#Enable ssh connections

iptables -A INPUT -p tcp --dport 10022 -j ACCEPT

----------

References

----------

https://www.virtuallyghetto.com/2017/07/quick-tip-list-all-open-ports-on-the-vcsa-psc.html

Quick Tip – List all open ports on the VCSA / PSC

https://icebow.ru/portal/display/VMWKB/vCSA+6.0+Firewall

vCSA 6.0 Firewall

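As an added example for this thread (not code from the original post or from VMware), here is a shell script that performs steps 2 to 4 above with the checks I would want before restarting sshd: the sshd_config and services.conf edits are done by functions that can first be run against copies of the files, the services.conf substitution refuses to run unless exactly one `"port": "22"` entry exists (so a blind replace cannot retarget another service's rule), and the iptables change is deliberately split so port 22 is only closed after a login on the new port has succeeded from another host. Assumptions that I have not verified on a live appliance: the VCSA 6.7 file paths named in the post, that services.conf contains the SSH rule as the only `"port": "22"` entry, and that `ss`, `sshd -t` and `systemctl restart sshd` are available in the Photon OS shell. Run it from the VM console, never over the SSH session you are about to move; and as the post notes, an appliance update may revert all of this, so moving the port is a nuisance filter for scanners, not a substitute for source-address restrictions and key-only authentication.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from VMware.
# Performs steps 2-4 of the post (firewall rule, services.conf, sshd_config) with
# checks before anything is restarted. File paths default to the VCSA 6.7
# locations the post names but can be overridden, so the functions can be tried
# on copies first. Assumed, not verified on a live appliance: services.conf holds
# the SSH rule as the only '"port": "22"' entry, and ss/systemctl exist (Photon OS).
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SERVICES_CONF="${SERVICES_CONF:-/etc/vmware/appliance/services.conf}"

# Rewrite FILE in place through a temp copy (sidesteps GNU vs BSD 'sed -i').
rewrite() {  # rewrite FILE SED_EXPRESSION
    tmp="$1.tmp.$$"
    sed -E "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Effective sshd port: the last active 'Port N' line, or sshd's default of 22.
sshd_port_of() {  # sshd_port_of FILE
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# Step 4: turn '#Port 22' (or an existing 'Port N') into 'Port NEW'; append if absent.
set_sshd_port() {  # set_sshd_port FILE NEW_PORT
    pat='^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$'
    if grep -Eq "$pat" "$1"; then
        rewrite "$1" "s/$pat/Port $2/"
    else
        printf 'Port %s\n' "$2" >> "$1"
    fi
}

# How many firewall entries in FILE name PORT. The edit below is only safe when
# the answer for the old port is exactly 1; otherwise a blind substitution could
# retarget some other service's rule.
count_port_entries() {  # count_port_entries FILE PORT
    grep -Ec "\"port\":[[:space:]]*\"$2\"" "$1" || true
}

# Step 3: move the single '"port": "OLD"' entry to NEW, refusing if it is not unique.
set_firewall_port() {  # set_firewall_port FILE OLD_PORT NEW_PORT
    n=$(count_port_entries "$1" "$2")
    if [ "$n" -ne 1 ]; then
        echo "refusing: found $n entries for port $2 in $1, expected exactly 1" >&2
        return 1
    fi
    rewrite "$1" "s/(\"port\":[[:space:]]*)\"$2\"/\1\"$3\"/"
}

# Step 2, split in two on purpose: open the new port now, close 22 only after a
# login on the new port has succeeded from another host.
open_port()  { iptables -I port_filter -p tcp --dport "$1" -j ACCEPT; }
close_port() { iptables -D port_filter -p tcp --dport "$1" -j ACCEPT; }

# What is actually listening after the restart (TCP ports only).
listening_tcp_ports() { ss -tln | awk 'NR > 1 {sub(/.*:/, "", $4); print $4}' | sort -un; }

# Run from the VM console, never over the SSH session you are about to move:
#   sh change_ssh_port.sh apply 10022
if [ "${1:-}" = "apply" ]; then
    old=22; new="${2:-10022}"
    open_port "$new"
    set_firewall_port "$SERVICES_CONF" "$old" "$new"
    set_sshd_port "$SSHD_CONFIG" "$new"
    sshd -t                       # sshd must accept the new config; set -e aborts otherwise
    systemctl restart sshd
    echo "sshd_config port: $(sshd_port_of "$SSHD_CONFIG"); listening: $(listening_tcp_ports | tr '\n' ' ')"
    echo "Log in on port $new from another host, then run: iptables -D port_filter -p tcp --dport $old -j ACCEPT"
fi
```

Without the `apply` argument the script only defines the functions, so it can be sourced and each step tried against copies of the two files before touching the appliance; the uniqueness check in `set_firewall_port` is the part worth keeping even if the rest is done by hand.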
1 Reply
Alex_Romeo
Leadership

Hi,

Thank you! It's very useful.

Alessandro Romeo

Blog: https://www.aleadmin.it/