
I am new to linux server management and want to move my OpenSSH ufw profile to listen on port 4444 instead of port 22 when I enable the firewall.

So I am accomplishing this by updating the profile at
/etc/ufw/applications.d/openssh-server

to

[OpenSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=4444/tcp

Is it okay to just do this manually? I'm afraid I might accidentally initiate some sort of firewall update in the future and it might change it back to port 22 originally, which will lock me out (as I'm also setting the ssh config to 4444).

Also is it normal practice to edit these standard profile files or just create a new profile entirely for the firewall?

1 Answer


From ArchLinux Wiki:

Warning: If users modify any of the PKG provided rule sets, these will be overwritten the first time the ufw package is updated. This is why custom app definitions need to reside in a non-PKG file as recommended above!

I could not find similar statement within Ubuntu documentation. The only thing, connected with this topic, that I found there is in the article Firewall:

Applications that open ports can include an ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d, and can be edited if the default ports have been changed.

To be sure your edits will not be overwritten, you can create your own application profile file, for example:

sudo cp /etc/ufw/applications.d/openssh-server /etc/ufw/applications.d/openssh-server-custom

Then modify /etc/ufw/applications.d/openssh-server-custom in this way:

[CustomSSH]
title=Secure shell server, an rshd replacement
description=OpenSSH is a free implementation of the Secure Shell protocol.
ports=4444/tcp

After that you will be able to create rules as this:

sudo ufw limit CustomSSH

The main advantage of profile usage is that you can change the application's port and just reload UFW's configuration without need to delete rules and type new ones. If you don't intend to do that often, then you can type a rule for the custom port and leave a comment to be clear what is the rule's purpose:

sudo ufw limit 4444/tcp comment 'SSH Custom port'
answered by pa4080
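An added example, not code from pa4080's answer or from the ufw project: a small POSIX shell script that writes a custom profile of the shape shown above into a directory you choose, reads the port back out of it, and compares it with the effective Port in an sshd_config before any rule is applied. The mismatch it checks for (profile says 4444, sshd still on 22, or the reverse) is exactly what would lock you out after `ufw enable`. The directory, the file name, the section name and the sample sshd_config contents are assumptions constructed for the demo; on a real host you would point it at /etc/ufw/applications.d and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not part of the original answer). Writes a ufw application
# profile and verifies its port agrees with sshd before the rule is applied.

# write_ssh_profile DIR FILE SECTION PORT
#   Creates DIR/FILE containing a [SECTION] profile for tcp PORT, in the same
#   format as the stock openssh-server profile.
write_ssh_profile() {
    dir=$1; file=$2; section=$3; port=$4
    printf '[%s]\ntitle=Secure shell server, an rshd replacement\ndescription=OpenSSH is a free implementation of the Secure Shell protocol.\nports=%s/tcp\n' \
        "$section" "$port" > "$dir/$file"
}

# profile_port FILE
#   Prints the tcp port from the profile's ports= line (empty if none).
profile_port() {
    sed -n 's/^ports=\([0-9][0-9]*\)\/tcp$/\1/p' "$1"
}

# sshd_port FILE
#   Prints the effective Port from an sshd_config. Commented lines such as
#   "#Port 22" do not match, so a config with no active Port line yields the
#   OpenSSH default of 22. If several Port lines exist the last one is used.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${p:-22}"
}

# ports_match PROFILE SSHD_CONFIG
#   Exit status 0 when the profile and sshd agree on the port, 1 otherwise.
ports_match() {
    [ "$(profile_port "$1")" = "$(sshd_port "$2")" ]
}

# --- demo with constructed input (assumed paths, not the real system files) ---
demo_dir=$(mktemp -d)
write_ssh_profile "$demo_dir" openssh-server-custom CustomSSH 4444
printf '# constructed sample sshd_config\nPort 4444\nPermitRootLogin no\n' > "$demo_dir/sshd_config"
if ports_match "$demo_dir/openssh-server-custom" "$demo_dir/sshd_config"; then
    echo "profile and sshd both use port $(profile_port "$demo_dir/openssh-server-custom"); safe to run: sudo ufw limit CustomSSH"
else
    echo "port mismatch between profile and sshd_config; do not apply the rule yet"
fi
rm -rf "$demo_dir"
```

Run the check before `sudo ufw limit CustomSSH` and again after any `sudo ufw reload`; `sudo ufw app info CustomSSH` shows what ufw itself parsed from the file, so the two outputs should agree.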