Keeping a Linux server secure is a vital duty of a system administrator. While there are many ways to make your server as secure as possible, there are a few basic steps you must take first. One of them is to change the default ports of frequently used services to custom ports. Here, we will see how to change the default ports of Apache, FTP and SSH to something different that is hard to guess. Let us break this topic down into three small parts. In the first part, we are going to see how to change the Apache default port to a custom port on Linux.
Why do we need to change the Apache2 default port?
Before getting to the topic, you might ask: will changing the port increase security? To be honest, no, it won't secure your system completely. Changing the default port alone doesn't provide any serious security defense. There are many port scanners that will eventually find out which port you're using. But you can at least protect your servers from amateur attacks and reduce the number of attacks. That's why we need to change the default ports.
Change Apache default port to a custom port
1. Change Apache port on Debian/Ubuntu
Edit the /etc/apache2/ports.conf file:
$ sudo vi /etc/apache2/ports.conf
Find the following line:
Listen 80
And change it to a random number of your choice, for example 8090.
Listen 8090
This entry makes the server accept connections on port 8090 on all interfaces. To make the server accept connections on port 8090 on a specific interface, include the corresponding network interface's IP address as shown below.
Listen 192.168.1.101:8090
This will be helpful if your server has multiple IP addresses or network interfaces.
Save and close the file.
Additionally, on Ubuntu and Debian, you also have to change the port number in the /etc/apache2/sites-enabled/000-default.conf file.
$ sudo vi /etc/apache2/sites-enabled/000-default.conf
Find the following line and change the port number.
<VirtualHost *:8090>
Save and close the file.
Then, restart the Apache service for the changes to take effect.
$ sudo systemctl restart apache2
Now let us verify the port settings:
$ sudo netstat -tulpn | grep :8090
Sample output:
tcp6 0 0 :::8090 :::* LISTEN 4066/apache2
Then, open your web browser and navigate to URL: http://IP-address:8090.
You should see the Apache default page.
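The two Debian/Ubuntu edits above have to agree: a VirtualHost whose port has no matching Listen directive is never reached on that port. The following script is an added example, not part of the original tutorial, that checks this; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report <VirtualHost> ports that no Listen directive opens.

# Print the port of every active Listen directive in file $1. Accepts
# "Listen 8090", "Listen 192.168.1.101:8090" and "Listen [::1]:8090";
# commented-out lines are ignored.
listen_ports() {
    awk 'tolower($1) == "listen" { n = split($2, a, ":"); print a[n] }' "$1" | sort -u
}

# Print the port of every <VirtualHost addr:port> tag in file $1
# (assumes one address per tag, as in 000-default.conf).
vhost_ports() {
    sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][^>]*:\([0-9][0-9]*\)>.*/\1/p' "$1" | sort -u
}

# Return 0 if every VirtualHost port in $2 has a Listen in $1; otherwise
# print the unmatched ports and return 1.
check_ports() {
    missing=""
    for p in $(vhost_ports "$2"); do
        listen_ports "$1" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "VirtualHost port(s) without a Listen directive:$missing"
    return 1
}

# Constructed sample files: ports.conf already moved to 8090, while one
# site file still uses *:80 and the other was updated.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#Listen 80' 'Listen 192.168.1.101:8090' > "$tmp/ports.conf"
printf '%s\n' '<VirtualHost *:80>' '</VirtualHost>' > "$tmp/stale.conf"
printf '%s\n' '<VirtualHost *:8090>' '</VirtualHost>' > "$tmp/fixed.conf"

check_ports "$tmp/ports.conf" "$tmp/stale.conf" || echo "stale.conf: fix the port"
check_ports "$tmp/ports.conf" "$tmp/fixed.conf" && echo "fixed.conf: consistent"
```

On a real server, pass /etc/apache2/ports.conf and /etc/apache2/sites-enabled/000-default.conf to check_ports before restarting Apache.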
Next we will see how to change Apache port in RHEL based systems.
2. Change Apache port on RHEL, CentOS, AlmaLinux, Rocky Linux
Make sure you have installed the Apache web server first.
Then, edit the /etc/httpd/conf/httpd.conf file:
$ sudo vi /etc/httpd/conf/httpd.conf
Find the following line:
Listen 80
And change it to a random number of your choice, for example 8090.
Listen 8090
This entry makes the server accept connections on port 8090 on all interfaces. To make the server accept connections on port 8090 on a specific interface, include the corresponding network interface's IP address as shown below.
Listen 192.168.1.150:8090
This will be useful if your server has multiple IP addresses or network interfaces.
Save and close the file.
On RHEL/CentOS systems, make sure the new port number 8090 is not blocked by SELinux and the firewall.
$ sudo semanage port -a -t http_port_t -p tcp 8090
If the semanage command is not found, install the following package on CentOS 7 / RHEL 7:
$ sudo yum install policycoreutils-python
On CentOS 8 / RHEL 8:
$ sudo dnf install policycoreutils-python-utils
To allow port 8090 through the firewall, do the following steps.
In RHEL 7/8 and CentOS 7/8:
$ sudo firewall-cmd --permanent --add-port=8090/tcp
$ sudo firewall-cmd --reload
In RHEL 6 / CentOS 6:
$ sudo vi /etc/sysconfig/iptables
And add the new custom port line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8090 -j ACCEPT
Save and exit the file, then restart the iptables service.
$ sudo service iptables restart
Finally, restart the httpd service.
$ sudo systemctl restart httpd
On RHEL 6.x systems, restart the httpd service using the following command:
$ sudo service httpd restart
Now verify the listening port by checking the status of the httpd service:
Sample output:
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: active (running) since Mon 2020-02-10 17:08:21 IST; 1min 20s ago
Docs: man:httpd.service(8)
Main PID: 2126 (httpd)
Status: "Running, listening on: port 8090"
Tasks: 213 (limit: 11501)
Memory: 24.3M
CGroup: /system.slice/httpd.service
├─2126 /usr/sbin/httpd -DFOREGROUND
├─2127 /usr/sbin/httpd -DFOREGROUND
├─2128 /usr/sbin/httpd -DFOREGROUND
├─2129 /usr/sbin/httpd -DFOREGROUND
└─2130 /usr/sbin/httpd -DFOREGROUND
Feb 10 17:08:21 centos8.ostechnix.lan systemd[1]: Starting The Apache HTTP Server...
Feb 10 17:08:21 centos8.ostechnix.lan systemd[1]: Started The Apache HTTP Server.
Feb 10 17:08:21 centos8.ostechnix.lan httpd[2126]: Server configured, listening on: port 8090
Or using the netstat command:
$ sudo netstat -tulpn | grep :8090
Sample output:
tcp6 0 0 :::8090 :::* LISTEN 17636/httpd
If the netstat command is not found, install the following package.
$ sudo yum install net-tools
Then, open the URL http://IP-address:8090 in your browser.
You should see the Apache test page.
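Before restarting httpd on a RHEL-based system, it helps to know which of the SELinux and firewalld steps above are still pending for the chosen port. The following script is an added example, not part of the original tutorial; it works on captured output of "semanage port -l" and "firewall-cmd --list-ports", and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the SELinux/firewalld steps still pending for a port.

# Return 0 if port $1 is covered by the comma/space separated entries on
# stdin; an entry is a single port or a LOW-HIGH range. Whole entries are
# compared, so 808 does not match 8008.
in_port_list() {
    tr ', ' '\n\n' | awk -v p="$1" '
        NF { n = split($1, r, "-")
             lo = r[1] + 0
             hi = (n == 2 ? r[2] : r[1]) + 0
             if (p + 0 >= lo && p + 0 <= hi) ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Return 0 if http_port_t covers port $2/tcp in "semanage port -l" output $1.
selinux_allows() {
    printf '%s\n' "$1" |
        awk '$1 == "http_port_t" && $2 == "tcp" { $1 = $2 = ""; print }' |
        in_port_list "$2"
}

# Return 0 if port $2/tcp is open in "firewall-cmd --list-ports" output $1.
firewall_allows() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|/tcp$||p' | in_port_list "$2"
}

# Print the commands from this section that still have to be run for port $3.
pending_steps() {
    selinux_allows "$1" "$3"  || echo "semanage port -a -t http_port_t -p tcp $3"
    firewall_allows "$2" "$3" || echo "firewall-cmd --permanent --add-port=$3/tcp"
    return 0
}

# Constructed sample output (not captured from a real host).
SEMANAGE_OUT='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'
FIREWALL_OUT='443/tcp 8000-8100/tcp'

pending_steps "$SEMANAGE_OUT" "$FIREWALL_OUT" 8090
```

On a real host, pass "$(sudo semanage port -l)" and "$(sudo firewall-cmd --list-ports)" as the first two arguments. If semanage port -a reports that the port is already defined under another type, semanage port -m with the same arguments reassigns it.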
Congratulations! The Apache default port has been changed.
Check the following link to know how to change FTP default port.
3 comments
Hi sk, the SELinux command for Apache should be “semange port -a -r http_port_t -p tcp ”. Please check and revise.
Thanks
Corrected. Thank you. Much appreciated.
Thanks for the tutorial, this helped me a lot!