Mac Security

Change SSH Port

I am getting so sick and tired of seeing brute force attempts against SSH in the logs. Let’s just change the port that it listens on and then miraculously watch all those brute force attempts disappear. To be clear, this is noise reduction rather than a security control: it shakes off the untargeted scanners that only try port 22, while anyone who port scans the host will still find the listener. There are a few different ways to go about this in Mac OS X.

The first is to just change the port entries in /etc/services (mileage may vary). This works on Mac OS X because launchd, not sshd, owns the listening socket: the stock /System/Library/LaunchDaemons/ssh.plist asks for a socket by service name (ssh), launchd resolves that name through /etc/services, and sshd is started per connection in inetd mode (-i). So whatever number sits next to ssh in /etc/services is what launchd binds, and the Port directive in /etc/ssh/sshd_config has no effect on that listener. To make the change, open /etc/services in your favorite text editor and look for the lines that begin with ssh. These should look something like the following:

# Jon Postel
ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol
# Tatu Ylonen

Change the 22 on both lines (only the tcp entry matters to sshd, but keep them consistent) to something else, like 2020, or even something that won’t be blocked by many firewalls, like 80 or 443 (stateful or deep packet inspection notwithstanding), provided that the port isn’t already in use by something else on the machine. A low port is fine, since launchd binds the socket as root. There is no long-running sshd to restart on the Mac; launchd resolves the service name when the job is loaded, so unload and reload the job with launchctl (or toggle Remote Login off and on in the Sharing preference pane), then port scan localhost (127.0.0.1) to verify that you’re listening on the new port. One side effect to keep in mind: the OpenSSH client on that same machine may look up the ssh service name for its default port too, so pass -p 22 explicitly when connecting from it to hosts that still listen on 22.
That’s the most popular way to do this going back to the beginning of time, but Apple can just change things whenever they like in an OS update and blow out your SSH connectivity, given that /etc/services isn’t protected from being overwritten. Therefore, you can also do this using launchd. To do so, look at /System/Library/LaunchDaemons/ssh.plist. Copy it to /Library/LaunchDaemons and rename it to something like CustomSSH.plist, then give it a new Label (so it doesn’t collide with the stock com.openssh.sshd job) and a new SockServiceName, which is a service name from /etc/services or a bare port number. If you wanted to stick with port 443 you could use a SockServiceName of https. Next, unload the stock sshd listener with launchctl (the -w flag keeps it from coming back at boot), load your new LaunchDaemon the same way, and check that it is working with a port scan of localhost. Two things to watch: the Remote Login checkbox in the Sharing preference pane controls the stock job, so turning it back on later puts a listener on 22 again; and sshd still reads /etc/ssh/sshd_config for everything except the port, so your other hardening there stays in effect. Oh, and you can remove the Bonjour key from Listeners as well if you don’t want the service advertised over mDNS on the local network…
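Here is the launchd route from the paragraph above as a script, together with the "provided that those ports aren’t already in use" check from the /etc/services method. It is an added example, not code from the original post: it resolves the SockServiceName the way launchd will (a bare port number, or a name looked up in /etc/services), refuses to move sshd onto a port that already has a listener, then copies the stock ssh.plist, rewrites Label and SockServiceName with PlistBuddy, deletes the Bonjour key, swaps the two jobs with launchctl, and checks the new port from localhost. The label com.example.customssh, the file name CustomSSH.plist and the default service name https are assumptions, not anything the post prescribes.

```shell
#!/bin/sh
# Added example (not from the original post). Moves the launchd-managed sshd
# listener on Mac OS X to a different port by cloning ssh.plist.
# Assumed/hypothetical names: the label, the plist file name and the default service.

STOCK_PLIST=/System/Library/LaunchDaemons/ssh.plist
CUSTOM_PLIST=/Library/LaunchDaemons/CustomSSH.plist   # assumed file name
CUSTOM_LABEL=com.example.customssh                    # assumed label

# Resolve a SockServiceName the way launchd will: a purely numeric string is a
# port, anything else is looked up as a TCP service in an /etc/services-style
# file ($2, default /etc/services). Prints the port; returns 1 if unresolvable.
resolve_sock_service() {
  name=$1
  services=${2:-/etc/services}
  case $name in
    ''|*[!0-9]*)
      # not numeric: take the first "<name> <port>/tcp" line, trailing comments and all
      port=$(awk -v n="$name" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' "$services")
      ;;
    *)
      port=$name
      ;;
  esac
  [ -n "$port" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  echo "$port"
}

# Is something already listening on this TCP port? $2 is the output of
# `netstat -an` (Mac prints "*.22", Linux "0.0.0.0:22" in column 4; LISTEN is last).
port_in_use() {
  port=$1
  listing=$2
  printf '%s\n' "$listing" | awk -v p="$port" '
    $NF == "LISTEN" && $4 ~ ("[.:]" p "$") { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# The actual cutover. Mac OS X only; /Library/LaunchDaemons and launchctl need
# root, hence sudo.
install_custom_sshd() {
  service=${1:-https}                                      # assumed default
  port=$(resolve_sock_service "$service") || { echo "cannot resolve service '$service'" >&2; return 1; }
  if port_in_use "$port" "$(netstat -an)"; then
    echo "port $port already has a listener; pick another" >&2
    return 1
  fi
  sudo cp "$STOCK_PLIST" "$CUSTOM_PLIST"
  sudo /usr/libexec/PlistBuddy -c "Set :Label $CUSTOM_LABEL" "$CUSTOM_PLIST"
  sudo /usr/libexec/PlistBuddy -c "Set :Sockets:Listeners:SockServiceName $service" "$CUSTOM_PLIST"
  # Stop advertising the service over Bonjour; ignore failure if the key is absent.
  sudo /usr/libexec/PlistBuddy -c "Delete :Sockets:Listeners:Bonjour" "$CUSTOM_PLIST" 2>/dev/null || true
  # Swap listeners: -w persists the disabled/enabled state across reboots.
  sudo launchctl unload -w "$STOCK_PLIST"
  sudo launchctl load -w "$CUSTOM_PLIST"
  # Verify from localhost, as the post suggests: nc -z only checks that the port opens.
  nc -z 127.0.0.1 "$port"
}

# Run only when invoked as "install [service]" on a Mac; sourcing the file
# elsewhere just defines the helpers.
if [ "$(uname)" = Darwin ] && [ "${1:-}" = install ]; then
  install_custom_sshd "${2:-https}"
fi
```

Run it as sh customssh.sh install https (or install 2020 for a bare port). The helpers are kept separate from the cutover so the resolution and port-in-use logic can be exercised on any system with a saved netstat listing before touching a production Mac.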

If you are simply trying to protect against external threats and not internal ones, another method is to remove access to SSH at the organization’s border firewall. Oh wait, many can’t do that. So then you could simply do a port redirect on the firewall appliance: forward port 443 on the outside interface to port 22 on the internal LAN address of the host in question. This is pretty basic and is supported in even prosumer types of appliances these days. To the outside world the traffic arrives on the https port (which only fools a port-based filter; the SSH banner is still the first thing on the wire, so deep packet inspection will identify it), while behind the firewall it is still port 22 and nothing on the Mac itself changes.

These steps do not remove the need to edit sudoers and take the other steps many use to secure SSH (key-based authentication, no root login, restricting which users may log in, and so on); they’re just here to change the port so that the logs show fewer invalid attempts.