
28th September 2010, 02:00 AM
Registered User
Join Date: Sep 2010
Posts: 34

change ssh port
I'm trying to change the ssh port but I ran into a brick wall.
1. changed port in sshd_config to 34567
2. service sshd restart
3. from remote typed: ssh -p34567 xx.xxx.xxx.xx but nothing happened
4. SELinux is off.
5. from the firewall GUI, changed the port forwarding port to 34567
6. changed the router's port forwarding port to 34567
and then typed ssh -p34567 xx.xxx.xxx.xx but nothing happened.
Is there any kind of mistake with any of this? Or, is something missing?
thx.,
glen

28th September 2010, 02:10 AM
Guest
Posts: n/a

Re: change ssh port
Hello,
I put a user-name in the command not sure if it is always necessary. Something like:
ssh -p34567 username@xx.xxx.xxx.xx
Ky

28th September 2010, 02:25 AM
Registered User
Join Date: Aug 2009
Posts: 752

Re: change ssh port
Quote:
Originally Posted by AbbaP
...6. changed the router's port forwarding port to 34567
and then typed ssh -p34567 xx.xxx.xxx.xx but nothing happened.
Is there any kind of mistake with any of this? Or, is something missing?...
Interesting... 
========================================
Is there any useful information in the logs?
The following is my sample /var/log/secure file.
[root@localhost ~]# tail /var/log/secure
Sep 27 17:34:26 localhost userhelper[15018]: running '/sbin/reboot ' with root privileges on behalf of 'root'
Sep 27 17:34:27 localhost su: pam_unix(su:session): session closed for user root
Sep 27 17:34:27 localhost su: pam_unix(su:session): session closed for user root
Sep 27 17:34:29 localhost sshd[1266]: Received signal 15; terminating.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on 0.0.0.0 port 22.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on :: port 22.
========================================
Hope this helps.
__________________
2 dual cores, 11 GB RAM, F14 Laughlin - 2.6.35.14-106.fc14.x86_64 & 2.6.35.14-106.fc14.i686.PAE
2 dual cores, 11 GB RAM, F15 Lovelock - 2.6.43.8-2.fc15.x86_64 & 2.6.43.8-2.fc15.i686
3 dual cores, 19 GB RAM, F16 Verne - 3.6.2-1.fc16.x86_64 & 3.6.2-1.fc16.i686
2 dual cores, 11 GB RAM, F17 Beefy Miracle - 3.6.2-4.fc17.x86_64 / .i686
16 x86_64 computing cores,80 GB RAM & 8 SATA Seagate 7200.12 500 GB harddisks

28th September 2010, 02:35 AM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105

Re: change ssh port
If you want to test your network you can always do:
sshd -p34567
Do this manually and see if it starts (the port is available), then from another system try an nmap scan of the first system to see if the port is identified.
Alternatively, you can try "ssh -p34567 hostname" to see if it connects.
The advantage of an nmap scan is that it will help you determine if a firewall somewhere is blocking ports. I remember that there was/is/are a Windows worm(s) that uses ports between 32000 and 56000 that may be blocked by ISPs.
There are some security ramifications when using such ports. One is that the port is not reserved by the system, which allows any application to start and attach to the port before sshd. It would then have total control over the external connections.
Your step "6. changed the router's port forwarding port to 34567" - I assume you mean that the router is forwarding port 34567 to port 34567 on the server.

28th September 2010, 07:51 PM
Registered User
Join Date: Sep 2010
Posts: 34

Re: change ssh port
1. /var/log/secure showed no new entries since the port was changed.
2. check out the results from nmap, should I use a different option?
nmap -v -PN 11.222.333.44
Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-28 08:58 EDT
Initiating Parallel DNS resolution of 1 host. at 08:58
Completed Parallel DNS resolution of 1 host. at 08:58, 0.01s elapsed
Initiating Connect Scan at 08:58
Scanning 11-222-333-44.myhost.com (11.222.333.44) [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 09:01 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 09:01 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 09:01 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 09:01 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 09:01 (0:00:49 remaining)
Completed Connect Scan at 09:01, 191.440s elapsed (1000 total ports)
Nmap scan report for 11-222-333-44.myhost.com (11.222.333.44)
Host is up (0.00043s latency).
All 1000 scanned ports on 11-222-333-44.myhost.com (11.222.333.44) are filtered

29th September 2010, 12:23 AM
Guest
Posts: n/a

Re: change ssh port
Have you used the "AllowUsers" directive in your sshd_config without a /etc/issue? That would mimic your results of nothing happening when you try to connect with the CLI "ssh -p34567 xx.xxx.xxx.xx".
I may be missing something here, but why change the port of a server that is behind a NAT router? Just set the router to forward port 12345 to 192.168.xxx.xxx [or whatever IP your server has behind your router] port 22. Then when you are on your local LAN you can access through port 22, and when away you can access through the internet and use port 12345.
Ky
Last edited by kyryder; 29th September 2010 at 03:31 PM.

29th September 2010, 10:27 PM
Registered User
Join Date: Sep 2010
Posts: 34

Re: change ssh port
I did follow the instructions from the previous post however
ssh me@111.22.333.444 -p34567 still does not connect.
This is what's going on:
1. /var/log/secure does not have any listing for today (the day I did the testing).
2. I did not see AllowUsers in my sshd_config.
3. I have previously been able to connect from a remote machine via ssh with port 22.
4. The router is set to port forwarding port 34567 on 192.168.xxx.xxx.
5. Port forwarding from the firewall (on the local machine) is set to port 22.
6. sshd_config has Port 22.
7. sshd is running.
Glen

29th September 2010, 11:48 PM
Registered User
Join Date: Jul 2005
Location: Vancouver Canada
Posts: 1,285

Re: change ssh port
Quote:
Originally Posted by AbbaP
3. I have previously been able to connect from a remote machine via ssh with port 22.
4. The router is set to port forwarding port 34567 on 192.168.xxx.xxx.
5. Port forwarding from the firewall (on the local machine) is set to port 22.
6. sshd_config has Port 22.
Hi, notice the number 22 just above? The machines must be using the same port.

30th September 2010, 10:35 PM
Registered User
Join Date: Sep 2010
Posts: 34

Re: change ssh port
Hi all,
I'm puzzled.
??I just attempted exactly what kurtdriver suggested but this did not work for me??
Is there any way I can diagnose at what point (router, firewall, or the sshd service) something's not working correctly? Does sshd have a verbose option?
On the local machine /var/log/secure does not have any entries for today.
On the remote machine ssh -v -p34567 me@xx.xxx.xxx.xx shows only "connecting to xx.xxx.xxx.xx".
-GS

30th September 2010, 11:26 PM
Registered User
Join Date: Jul 2005
Location: Vancouver Canada
Posts: 1,285

Re: change ssh port
Hi AbbaP, I didn't see that you were portforwarding at the router, my mistake, I'm sorry. I thought you were trying to connect to port 34567. Again, sorry for the mix up. Kurt

2nd October 2010, 02:39 PM
Registered User
Join Date: Sep 2010
Posts: 34

Re: change ssh port
I've done the method that 'kyryder' suggested but this did not work.
1. So, is there any way to find out if ssh me@xxx.xxx.xxx.xxx -p34567 actually gets past the router?
2. gets past the local machine's firewall?
3. tries to make a connection with sshd?
Does this make any kind of sense?
thx.,
GS

2nd October 2010, 04:45 PM
Guest
Posts: n/a

Re: change ssh port
Hello AbbaP,
Reading back through this thread a few things jump out at me that may be causing your issue. The XX.XXX.XXX.XXX and 192.168.XXX.XXX is kind of confusing and makes me wonder if the correct IP is being used. Let's start referring to them as WAN IP and LAN IP. You are probably using the right IPs but let's just make sure.
Try this from your local network "LAN":
Are you using the WAN IP of the router in your ssh command? Like: ssh -p2345 user@<router's WAN IP>. If all is well this should work from your local LAN or remotely on a WAN.
If that fails try this from your local LAN: ssh user@<server's LAN IP>.
If that fails check the /var/log/secure log of the server you are trying to connect to. Make sure it shows sshd is listening and on what port, as diamond_ramsey shows in post #3.
If all the above tests fail: make sure sshd is running on the server with "service sshd status"; if it is not running start it with: su -c 'service sshd start' and repeat the above tests.
Just looked at your nmap scan and it shows no open ports. Was that run from the WAN or LAN side of your router, and with the WAN or LAN server IP? If that was from your LAN side with the local LAN IP of the server, then it looks like you might need to adjust your iptables on the server. Take a look at your iptables with su -c 'cat /etc/sysconfig/iptables' and make sure there is a line allowing port 22 through the firewall. The line should look something like:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
If from the WAN side it is a router port forward issue.
I would try to connect using the local LAN IP of the server, while using the local LAN first. Once you can connect locally, then try to get the router's port forward from WAN to work. That will make it easier to figure out what is causing the issue.
Hope this helps and makes sense,
Ky
Last edited by kyryder; 2nd October 2010 at 05:38 PM.
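The host-side checks kyryder lists above (what port sshd actually came up on according to /var/log/secure, and whether iptables accepts that port) and jpollard's earlier suggestion to probe the port from another system can be scripted. The following is an added example written for this thread, not a script from any poster. The parsing functions read the sshd_config, log and iptables-save text from stdin so they can be run against constructed samples; `probe_tcp` (bash-only, and it assumes the coreutils `timeout` command is installed) tells a filtered port from a closed one, which is the difference between the router or firewall dropping the connection and the forward reaching a host where nothing listens. The sample config, log lines and rule in the block are constructed, modelled on what the thread shows.

```bash
#!/bin/bash
# Added example for this thread (not from any poster): offline checks for
# the places a changed ssh port can go wrong on the host side, plus a
# client-side reachability probe.
# Real inputs: /etc/ssh/sshd_config, /var/log/secure, `iptables-save` output.

# All Port values from an sshd_config text on stdin (sshd listens on every
# uncommented Port line); prints the default 22 when none is set.
sshd_config_port() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }'
}

# The port sshd last logged as "Server listening on ... port N." (stdin).
# Empty output means no (re)start was logged: the restart did not happen,
# or sshd logs somewhere other than the file you are reading.
sshd_logged_port() {
    sed -n 's/.*sshd\[[0-9]*]: Server listening on .* port \([0-9]*\)\.$/\1/p' |
        tail -n 1
}

# Exit 0 if iptables-save text on stdin has an INPUT rule accepting tcp/$1.
iptables_allows_port() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $1( |$).*-j ACCEPT"
}

# One-line verdict from the configured port, the logged port and the rules text.
diagnose() {
    cfg="$1"; logged="$2"; rules="$3"
    if [ -z "$logged" ]; then
        echo "sshd never logged a listening port: restart did not take effect or the log file is wrong"
    elif [ "$cfg" != "$logged" ]; then
        echo "sshd_config says $cfg but the running sshd listens on $logged: restart sshd"
    elif ! printf '%s\n' "$rules" | iptables_allows_port "$cfg"; then
        echo "sshd listens on $cfg but the host firewall has no ACCEPT rule for tcp/$cfg"
    else
        echo "host side looks fine on tcp/$cfg: if remote connects still hang, check the router forward"
    fi
}

# Client-side probe (bash /dev/tcp; assumes coreutils `timeout`).
# "filtered" = no reply at all, which is what the thread's "nothing happened"
# and the all-ports-filtered nmap result look like; "closed" = an RST came
# back, so the packets reach a host where nothing listens on that port.
probe_tcp() {
    host="$1"; port="$2"; secs="${3:-5}"
    rc=0
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    case $rc in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# --- constructed sample input, modelled on the thread ---
SAMPLE_CONFIG='#Port 22
Port 34567'
SAMPLE_LOG='Sep 27 17:34:29 localhost sshd[1266]: Received signal 15; terminating.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on 0.0.0.0 port 22.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on :: port 22.'
SAMPLE_RULES='-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'

cfg=$(printf '%s\n' "$SAMPLE_CONFIG" | sshd_config_port)
logged=$(printf '%s\n' "$SAMPLE_LOG" | sshd_logged_port)
diagnose "$cfg" "$logged" "$SAMPLE_RULES"
# -> sshd_config says 34567 but the running sshd listens on 22: restart sshd
```

On a real server the three inputs would be `sshd_config_port < /etc/ssh/sshd_config`, `sshd_logged_port < /var/log/secure` and `iptables-save | iptables_allows_port 34567`; from the remote client, `probe_tcp <router WAN IP> 34567` run alongside `probe_tcp <router WAN IP> 22` shows whether the forward is being applied at all.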

2nd October 2010, 05:29 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105

Re: change ssh port
You may also need to do a "service sshd start" after doing a chkconfig. "chkconfig sshd on" only flags it to be started.

2nd October 2010, 05:35 PM
Guest
Posts: n/a

Re: change ssh port
Quote:
Originally Posted by jpollard
You may also need to do a "service sshd start" after doing a chkconfig. "chkconfig sshd on" only flags it to be started.
Thanks jpollard,
I had used chkconfig when I should have used service. Thanks for the correction. I have edited my above post to reflect the correct commands.
Thanks again,
Ky

3rd October 2010, 03:11 PM
Registered User
Join Date: Sep 2010
Posts: 34

Re: change ssh port
Hello all,
I had the following result:
Quote:
Reading back through this thread a few things jump out at me that may be causing your issue. The XX.XXX.XXX.XXX and 192.168.XXX.XXX is kind of confusing and makes me wonder if the correct IP is being used. Let's start referring to them as WAN IP and LAN IP. You are probably using the right IPs but let's just make sure.
Try this from your local network "LAN":
Are you using the WAN IP of the router in your ssh command? Like: ssh -p2345 user@<router's WAN IP>. If all is well this should work from your local LAN or remotely on a WAN.
This did not work.
Quote:
If that fails try this from your local LAN: ssh user@<server's LAN IP>.
ssh user@server's lan ip -p2345 does connect.
Quote:
If that fails check the /var/log/secure log of the server you are trying to connect to. Make sure it shows sshd is listening and on what port, as diamond_ramsey shows in post #3.
If all the above tests fail: make sure sshd is running on the server with "service sshd status"; if it is not running start it with: su -c 'service sshd start' and repeat the above tests.
Just looked at your nmap scan and it shows no open ports. Was that run from the WAN or LAN side of your router, and with the WAN or LAN server IP? If that was from your LAN side with the local LAN IP of the server, then it looks like you might need to adjust your iptables on the server. Take a look at your iptables with su -c 'cat /etc/sysconfig/iptables' and make sure there is a line allowing port 22 through the firewall. The line should look something like:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
If from the WAN side it is a router port forward issue.
This was from the wan side.
AP