updated 2016-07-26
how to change the FTP port (21) in Linux
The default port for FTP is # 21.
Don’t use FTP. (use SFTP)
FTP sends usernames and passwords in the clear, which isn’t secure. Instead, look at SFTP which uses the SSH protocol or vsFTPd (Very Secure FTP Deamon) or FTPS or SCP (Secure CoPy).
Anonymous FTP
Anonymous FTP service: when a person can simply download (or upload) a file without having to log on to a server.
Anonymous FTP is the worst. It does not even have a password. If you only need to let visitors download files, the safest way is to provide a-href links to the files on your website pages.
Warning
Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software. Learn the best ways to control it.
However,
Your firewall should be on. Edit the file /etc/sysconfig/iptables and
comment out the old port 21 line
and clone and insert a new one for your new port. (example 841):
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 841 -j ACCEPT
then restart your firewall:
# service iptables restart
check to see if you have /etc/pure-ftpd.conf (perhaps only if you have cPanel)
Edit /etc/pure-ftpd.conf and look for the following line:
Bind 21
and change 21 to your chosen alternative (example 841 or etc.).
Bind 841
also check to see if you have /etc/chkserv.d/ftpd (only if you have cPanel)
and, if so, near the front of the only line
change =21
to =841 (for example)
then, restart all your ftp (and cpanel) services:
/scripts/restartsrv_ftpserver
/etc/init.d/pure-ftpd restart
/etc/init.d/cpanel restart
Do a google search if necessary to
find out how to tell your ftp program to use SFTP, not ftp.
When you connect, tell it a different port number
Change the port – on the server
To use a unique, not the default port (which may be constantly hacked at, pounded on, by thugs),
1. Near the top of file /etc/ssh/sshd_config you will find these lines:
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
under the line “Port 22”, add Port XXX … example: 841
Port 22
Port 841
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
If you or others use SSH to communicate with (login to) the server – spell out a new port #
(add a second one, one to replace 22 – example, port # 844)
port 22
Port 844
Port 841
for logging into the server.
ssh -p 844 user@website.com
rsync -avz -e 'ssh -p 844' *.php user@website.com:/var/www/html/mypath/
Before you restart or reload your sshd server. You may need to update the settings for these services also:
1. SELinux configuration
2. Firewall settings
3. fail2ban settings
1. If you are using SELinux, add your new port (# 844 in our example above) to port contexts for OpenSSH server:
root command #: semanage port -a -t ssh_port_t -p tcp 844
google search for more info.
2. Your firewall should be on. Edit the file /etc/sysconfig/iptables and
comment out the old port 22 and port 21 lines
and clone and insert a new one for (each of) your new port(s). (example 844 and 841):
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 841 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 844 -j ACCEPT
restart your firewall:
# service iptables restart
3. if you installed fail2ban – which scans log files and bans IPs that show the malicious activity – you need to update it. google search for how if unsure.
tcp_wrappers support being dropped
official announcement for the ArchLinux distribution
tcp_wrappers support is being dropped from all packages and the package removed from [core]. This is due to upstream not having released a new version since April 1997. Additionally, newer daemons and applications are inconsistent in their support for libwrap, leading to confusion as to whether an application supports the library.
“The most important component within the package is the /lib/libwrap.so” – access.redhat.comIf you currently use “/etc/hosts.allow” or “/etc/hosts.deny” for security or logging purposes, you will need to adjust accordingly and use another tool such as iptables [firewall].
How To Set Up a Basic Iptables Firewall on Centos 6
see full article at
http://www.cyberciti.biz/faq/centos-change-ssh-port/