How to Deny and Redirect SSH Port in CSF on Rocky Linux 8.6

Introduction:

CSF configures the server's firewall to lock down public access to services and allow only certain connections, such as FTP, email, and web traffic. It is a free and advanced firewall for most Linux distributions and Linux-based VPS.

Installation Procedure:

Step 1: Check the OS version by using the below command

[root@linuxhelp ~]# cat /etc/os-release 
NAME="Rocky Linux"
VERSION="8.6 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.6 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8"

Step 2: Set SELinux to permissive mode by using the below command (this does not disable SELinux and lasts only until the next reboot)

[root@linuxhelp ~]# setenforce 0 

Step 3: Check the SELinux status by using the below command

[root@linuxhelp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Step 4: Install the OpenSSH server and client packages by using the below command

[root@linuxhelp ~]# yum install openssh-server openssh-clients
Last metadata expiration check: 0:21:25 ago on Wed 31 Aug 2022 06:24:51 PM EDT.
Package openssh-server-8.0p1-13.el8.x86_64 is already installed.
Package openssh-clients-8.0p1-13.el8.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Step 5: Change the SSH port number in the sshd_config file (in this case I am changing it to 222) by using the below command

[root@linuxhelp ~]# vim /etc/ssh/sshd_config
#If you want to change the port on a SELinux system, you have to tell
#SELinux about this change.
#semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

Port 222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Step 6: Restart the SSH services by using the below command

[root@linuxhelp ~]# systemctl restart sshd

Step 7: Redirect the SSH port in the csf.redirect file by using the below command

[root@linuxhelp ~]# vim /etc/csf/csf.redirect
# See readme.txt for more information
192.168.6.101|222|*|223|tcp
192.168.6.101|223|*|222|tcp

Step 8: Now add the SSH port in the csf.conf file by using the below command

[root@linuxhelp ~]# vim /etc/csf/csf.conf
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "222,20,21,22,25,53,80,110,143,443,465,587,993,995"

# Allow outgoing TCP ports
TCP_OUT = "222,20,21,22,25,53,80,110,113,443,587,993,995"

# Allow incoming UDP ports

Step 9: Reload the CSF by using the below command

[root@linuxhelp ~]# csf -r
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `INVDROP'
Flushing chain `INVALID'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'

Step 10: Log in over SSH. A login on port 222 will be denied, and port 223 redirects to port 222.
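
The port mapping set up in Steps 5 and 7 can be traced with a small shell helper. This is an added example, not part of the original guide: the function names `landing`, `sshd_port` and `reaches_sshd` and the temporary sample files are made up here, and it assumes the first matching csf.redirect entry wins and that a connection is rewritten only once, so the 222 to 223 entry does not loop back to 222.

```sh
#!/bin/sh
# Added example (not from the original guide): resolve where a connection
# lands under csf.redirect entries and whether sshd is listening there.
# Assumption: the first matching entry wins and a connection is rewritten once.

# landing FILE IP PORT PROTO -> "PORT" for a same-host REDIRECT, "IP:PORT"
# for a DNAT entry, PORT unchanged if nothing matches; status 2 if malformed.
landing() {
    l_file=$1 l_ip=$2 l_port=$3 l_proto=$4
    while IFS='|' read -r src sport dst dport proto || [ -n "$src" ]; do
        case $src in ''|'#'*) continue ;; esac            # blank or comment
        case $proto in tcp|udp) ;; *) return 2 ;; esac    # protocol is required
        case $sport$dport in *[!0-9*]*) return 2 ;; esac  # single ports, no ranges
        [ "$proto" = "$l_proto" ] || continue
        [ "$src" = '*' ] || [ "$src" = "$l_ip" ] || continue
        [ "$sport" = '*' ] || [ "$sport" = "$l_port" ] || continue
        [ "$dport" = '*' ] && dport=$l_port
        if [ "$dst" = '*' ]; then echo "$dport"; else echo "$dst:$dport"; fi
        return 0
    done < "$l_file"
    echo "$l_port"
}

# sshd_port FILE -> the first active Port directive, or 22 if none is set.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; f = 1; exit } END { if (!f) print 22 }' "$1"
}

# reaches_sshd REDIRECTS SSHD_CONFIG IP PORT -> status 0 if a TCP connection
# to IP:PORT ends up on the port sshd listens on.
reaches_sshd() {
    [ "$(landing "$1" "$3" "$4" tcp)" = "$(sshd_port "$2")" ]
}

# Constructed sample files mirroring Step 5 and Step 7 of this guide.
demo=$(mktemp -d)
printf '%s\n' '# See readme.txt for more information' \
    '192.168.6.101|222|*|223|tcp' '192.168.6.101|223|*|222|tcp' > "$demo/csf.redirect"
printf '%s\n' '#Port 22' 'Port 222' '#ListenAddress 0.0.0.0' > "$demo/sshd_config"

for p in 22 222 223; do
    if reaches_sshd "$demo/csf.redirect" "$demo/sshd_config" 192.168.6.101 "$p"; then
        echo "port $p -> $(landing "$demo/csf.redirect" 192.168.6.101 "$p" tcp): sshd answers"
    else
        echo "port $p -> $(landing "$demo/csf.redirect" 192.168.6.101 "$p" tcp): no sshd listener"
    fi
done
```

On the sample data it reports that port 222 lands on 223, where nothing listens, while port 223 lands on sshd at 222. Port 22, still listed in TCP_IN in Step 8, has no listener either.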

Conclusion:

We have reached the end of this article. In this guide, we have walked you through the steps required to Deny and Redirect SSH Port in CSF on Rocky Linux 8.6. Your feedback is much welcome.

FAQ
Q: Is CSF firewall free?
A: Config Server Firewall (or CSF) is a free and advanced firewall for most Linux distributions and Linux-based VPS.

Q: Where is the CSF conf?
A: Log in to your Linux machine. Open the csf.conf file using any text editor: /etc/csf/csf.conf.

Q: Can you change the default port number in SSH?
A: Open the /etc/ssh/sshd_config file in your preferred text editor and change the port number.

Q: What port does SSH use?
A: By default, the SSH server still runs on port 22.

Q: What is the use of SSH?
A: SSH or Secure Shell is a network communication protocol that enables two computers to communicate.