SELinux and alternative ssh ports

It is quite common, and can be very effective, to run ssh on an alternative, non-standard port so that it stays clear of the automated scanning aimed at the default port. Normally ssh listens for incoming connections on port 22. As this is its published port number it is easy for people and software to connect to it and try random or typical user names and passwords (e.g. the "root" user with password "password"). To make this more difficult, ssh can be set up to listen on a non-standard port so that only those who know which port it is can connect quickly and easily. This technique is one I have used successfully for many years. With the release of Fedora 9 and the expansion of its SELinux policy, getting ssh to listen on an alternative port requires an additional step.

The general approach to setting up an alternative port is simply to change or add a "Port" option in the sshd configuration file (usually /etc/ssh/sshd_config) and make the corresponding changes to the firewall. In Fedora 9 the ssh daemon is more fully confined by the default targeted SELinux policy. In particular, the ssh daemon (sshd) is only able to bind to ports labelled with the ssh_port_t security type. You can see which SELinux types the policy has assigned to ports with:

# /usr/sbin/semanage port -l

This lists every SELinux port type together with the protocol and port numbers (or ranges) associated with it.

When the ssh daemon starts (usually at boot time) while configured to listen on a port other than 22, the failed bind is recorded as an AVC denial in the audit log, which ausearch can pull out:

# ausearch -ts 10:00 | grep AVC | grep ssh
type=AVC msg=audit(1213176066.658:74): avc: denied { name_bind } for pid=17021 comm="sshd" src=1234 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ...

Here sshd (comm="sshd", running in the sshd_t domain shown in scontext) is being denied the name_bind permission on TCP port 1234 (src=1234); the tcontext shows that the port carries only the generic port_t label rather than ssh_port_t (note: this port number is just used for demonstration purposes). The solution is to label port 1234 with the SELinux type ssh_port_t using the semanage command:

# /usr/sbin/semanage port -a -t ssh_port_t -p tcp 1234

Upon restarting, sshd will now be granted access to the alternative port.
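The steps above (read the denial, check the current port labelling, apply the right semanage command) can be scripted. The following is an added example written for this page, not code from the original post: it parses an AVC line of the kind quoted above to recover the port sshd was denied, looks that port up in the output of semanage port -l (handling both single ports and ranges), and prints the semanage command needed. The AVC line and the port-list excerpt embedded in it are constructed sample data; the live helper at the end assumes ausearch and semanage are on the PATH and is a dry run that only prints commands.

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether a TCP port that
# sshd was denied from binding needs a new ssh_port_t label (-a), already has
# some other type and must be modified (-m), or is already ssh_port_t.

# Constructed sample AVC line, shaped like the one quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1213176066.658:74): avc: denied { name_bind } for pid=17021 comm="sshd" src=1234 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Constructed excerpt of `semanage port -l` output (type, protocol, ports).
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
vnc_port_t                     tcp      5900-5999'

# Print the port (the src= field) from a name_bind denial for sshd;
# print nothing for any other kind of line.
avc_denied_port() {
    printf '%s\n' "$1" | awk '
        /avc: *denied *[{] *name_bind *[}]/ && /comm="sshd"/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=[0-9]+$/) { sub(/^src=/, "", $i); print $i }
        }'
}

# Print the SELinux type attached to a TCP port in a `semanage port -l`
# listing, or the generic port_t (as seen in the AVC tcontext) if no
# type claims it. Both single ports and low-high ranges are matched.
port_label() {
    port="$1"; list="$2"
    printf '%s\n' "$list" | awk -v p="$port" '
        NR > 1 && $2 == "tcp" {
            type = $1
            for (i = 3; i <= NF; i++) {
                r = $i; sub(/,$/, "", r)
                if (r ~ /^[0-9]+$/ && r + 0 == p + 0) { found = 1; print type; exit }
                if (split(r, b, "-") == 2 && p + 0 >= b[1] + 0 && p + 0 <= b[2] + 0) {
                    found = 1; print type; exit
                }
            }
        }
        END { if (!found) print "port_t" }'
}

# Print the semanage command that labels the port ssh_port_t: -a when the
# port is unlabelled, -m when another type already owns it (semanage -a
# refuses to redefine a port that is already listed), nothing if it is
# already ssh_port_t.
semanage_command_for() {
    port="$1"; list="$2"
    current=$(port_label "$port" "$list")
    case "$current" in
        ssh_port_t) ;;
        port_t)     printf '/usr/sbin/semanage port -a -t ssh_port_t -p tcp %s\n' "$port" ;;
        *)          printf '/usr/sbin/semanage port -m -t ssh_port_t -p tcp %s\n' "$port" ;;
    esac
}

# Dry run against a live system: collect sshd AVC denials from the audit
# log and print the command for each denied port. Assumes ausearch and
# semanage are installed; nothing is applied until you run the output.
label_from_audit() {
    current_list=$(/usr/sbin/semanage port -l)
    ausearch -m AVC -c sshd 2>/dev/null | while IFS= read -r line; do
        p=$(avc_denied_port "$line")
        [ -n "$p" ] && semanage_command_for "$p" "$current_list"
    done
}

# Demonstration on the constructed data.
semanage_command_for "$(avc_denied_port "$SAMPLE_AVC")" "$SAMPLE_PORT_LIST"
```

The -a/-m distinction is the caveat worth remembering: if the port you chose already belongs to another type (8443 in the sample list, say), semanage port -a fails with an "already defined" error and -m is the command to use. Labels added this way are stored in the local policy store and persist across reboots, so the step only needs doing once per port; the firewall change mentioned earlier is still separate.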