How to Change Apache, FTP, and SSH default port to a custom port – Part 1

Keeping your Linux server secure is a vital duty of a system administrator. While there are many ways to make sure your server is as secure as possible, there are a few basic steps you must do first. One of them is changing the ports of frequently used services to custom ports. Here we will see how to change the default ports of Apache, FTP and SSH to something different that is hard to guess.

Let us break this topic down into three small parts. First, we will see how to change the default port of the Apache web server.

Why do we need to change the default port?

Before we get to the topic, you might ask: will changing the port increase security? To be honest, no, it won’t. Changing the default port alone doesn’t provide any serious security defense. There are many port scanners which will eventually find out which port you’re using. But you can, at least, protect your servers from amateur attacks, and you can also reduce the number of attacks. That’s why we change the default ports.

Change Apache default port to a custom port

1. Change Apache port on Debian/Ubuntu

Edit the /etc/apache2/ports.conf file:

sudo vi /etc/apache2/ports.conf

Find the following line:

Listen 80

And change it to a random number of your choice, for example 8090.

Listen 8090

This entry makes the server accept connections on port 8090 on all interfaces. To make the server accept connections on port 8090 on a specific interface only, include that network interface’s IP address as shown below.

Listen 192.168.1.101:8090

This will be helpful if your server has multiple IP addresses or network interfaces.

Save and close the file.

Additionally, in Ubuntu and Debian, you will likely also have to change the port number in the /etc/apache2/sites-enabled/000-default.conf file.

sudo vi /etc/apache2/sites-enabled/000-default.conf

Find the VirtualHost line and change its port number so that it reads:

<VirtualHost *:8090>

Save and close the file.

Then, restart the Apache service for the changes to take effect.

sudo systemctl restart apache2

Or

sudo service apache2 restart

Now let us verify the port settings:

sudo netstat -tulpn | grep :8090

Sample output:

tcp6       0      0 :::8090                 :::*                    LISTEN      4066/apache2

Then, open your web browser and navigate to URL: http://IP-address:8090.

You should see the Apache test page.
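The check below is an added example, not part of the original article. It cross-checks the two edits made above and reports any VirtualHost port that no Listen directive opens, which is what happens when ports.conf is changed but 000-default.conf is forgotten. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check Apache Listen
# directives against <VirtualHost> ports after a port change.

# Print the port of each active Listen directive. Handles "Listen 8090",
# "Listen 192.168.1.101:8090" and "Listen [::1]:8090"; commented lines are skipped.
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$@" | sort -un
}

# Print the port of each <VirtualHost addr:port> opening tag.
vhost_ports() {
    awk 'tolower($1) == "<virtualhost" {
        for (i = 2; i <= NF; i++) {
            v = $i; sub(/>$/, "", v)
            n = split(v, a, ":")
            if (n > 1 && a[n] != "*") print a[n]
        }
    }' "$@" | sort -un
}

# Print every VirtualHost port that no Listen directive opens.
unmatched_vhost_ports() {
    listening=$(listen_ports "$@")
    for p in $(vhost_ports "$@"); do
        printf '%s\n' "$listening" | grep -qxF "$p" || echo "$p"
    done
}

# Constructed sample: ports.conf was edited, the vhost file was forgotten.
make_sample() {
    printf '%s\n' '#Listen 80' 'Listen 192.168.1.101:8090' > "$1/ports.conf"
    printf '%s\n' '<VirtualHost *:80>' '    DocumentRoot /var/www/html' \
        '</VirtualHost>' > "$1/000-default.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "Listen ports:          $(listen_ports "$demo_dir"/*.conf)"
echo "Unmatched vhost ports: $(unmatched_vhost_ports "$demo_dir"/*.conf)"
rm -rf "$demo_dir"
```

On a real Debian/Ubuntu server, pass /etc/apache2/ports.conf and the files under /etc/apache2/sites-enabled/ to unmatched_vhost_ports; empty output means every VirtualHost port is being listened on.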

Next, we will see how to change the Apache port on RHEL-based systems.

2. Change Apache port on RHEL/CentOS

Make sure you have installed the Apache web server first.

Then, edit the /etc/httpd/conf/httpd.conf file:

sudo vi /etc/httpd/conf/httpd.conf

Find the following line:

Listen 80

And change it to a random number of your choice, for example 8090.

Listen 8090

This entry makes the server accept connections on port 8090 on all interfaces. To make the server accept connections on port 8090 on a specific interface only, include that network interface’s IP address as shown below.

Listen 192.168.1.150:8090

This will be useful if your server has multiple IP addresses or network interfaces.

Save and close the file.

On RHEL/CentOS systems, make sure the new port number 8090 is not blocked by SELinux and the firewall. First, allow it in SELinux:

sudo semanage port -a -t http_port_t -p tcp 8090

If the semanage command is not found, install the following package:

sudo yum install policycoreutils-python

To allow port 8090 through the firewall, do the following.

In RHEL 7/ CentOS 7:

sudo firewall-cmd --permanent --add-port=8090/tcp
sudo firewall-cmd --reload

In RHEL 6/ CentOS 6:

sudo vi /etc/sysconfig/iptables

And add the new custom port line:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT

Save and exit the file, then restart the iptables service.

sudo service iptables restart

Finally, restart the Apache service.

sudo systemctl restart httpd

Or

sudo service httpd restart

Now verify the port using the command:

sudo netstat -tulpn | grep :8090

Sample output:

tcp6       0      0 :::8090                 :::*                    LISTEN      17636/httpd

If the netstat command is not found, install the following package:

sudo yum install net-tools

Then, verify the Apache test page from the browser using URL: http://IP-address:8090.

You should see the Apache test page.

Congratulations! The Apache default port has been changed.

In our next part, we will see how to change the FTP default port.

Until then stay tuned with OSTechNix. If you find this article useful, please share this on your social networks and support us.

Thanks for reading. Cheers!


  • Kobina Amoany Snr

    Hi sk, the SELinux command for Apache should be “semange port -a -r http_port_t -p tcp”. Please check and revise.

    Thanks

    • sk

      Corrected. Thank you. Much appreciated.