Fedora Linux Support Community & Resources Center

  #1  
Old 28th September 2010, 02:00 AM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
change ssh port

I'm trying to change the ssh port but I ran into a brick wall.

1. changed port in sshd_config to 34567
2. service sshd restart
3. from remote typed: ssh -p34567 xx.xxx.xxx.xx but nothing happened
4. selinux is off.
5. from the firewall GUI, changed the port forwarding port to 34567
6. changed the router's port forwarding port to 34567
and then typed ssh -p34567 xx.xxx.xxx.xx but nothing happened.

Is there any kind of mistake with any of this? Or, is something missing?

thx.,
glen
  #2  
Old 28th September 2010, 02:10 AM
kyryder
Guest
 
Posts: n/a
Re: change ssh port

Hello,

I put a user-name in the command; not sure if it is always necessary. Something like:
ssh -p34567 username@xx.xxx.xxx.xx

Ky
  #3  
Old 28th September 2010, 02:25 AM
diamond_ramsey Offline
Registered User
 
Join Date: Aug 2009
Posts: 784
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
...6. changed the router's port forwarding port to 34567
and then typed ssh -p34567 xx.xxx.xxx.xx but nothing happened.

Is there any kind of mistake with any of this? Or, is something missing?...
Interesting...
========================================
Is there any useful information in the logs?

The following is my sample /var/log/secure file.

[root@localhost ~]# tail /var/log/secure
Sep 27 17:34:26 localhost userhelper[15018]: running '/sbin/reboot ' with root privileges on behalf of 'root'
Sep 27 17:34:27 localhost su: pam_unix(su:session): session closed for user root
Sep 27 17:34:27 localhost su: pam_unix(su:session): session closed for user root
Sep 27 17:34:29 localhost sshd[1266]: Received signal 15; terminating.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on 0.0.0.0 port 22.
Sep 27 17:36:11 localhost sshd[1285]: Server listening on :: port 22.
========================================
Hope this helps.
__________________
2 dual cores, 11 GB RAM, F18 Spherical Cow - 3.11.10-100.fc18.x86_64 / i686
2 dual cores, 11 GB RAM, F19 Schrödinger's Cat - 3.13.6-100.fc19.x86_64 / i686
2 dual cores, 11 GB RAM, F20 Heisenbug - 3.13.6-200.fc20.x86_64 / i686
16 x86_64 computing cores, 80 GB RAM & 8 SATA Seagate 7200.12 500 GB harddisks
  #4  
Old 28th September 2010, 02:35 AM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,663
Re: change ssh port

If you want to test your network you can always do:

sshd -p34567

Do this manually and see if it starts (the port is available), then from another
system try an nmap scan of the first system to see if the port is identified.
Alternatively, you can try "ssh -p34567 hostname" to see if it connects.

The advantage of an nmap scan is that it will help you determine if a firewall
somewhere is blocking ports. I remember that there was/is/are a Windows
worm(s) that uses ports between 32000 and 56000 that may be blocked by ISPs.

There are some security ramifications when using such ports. One is that the
port is not reserved by the system, which allows any application to start and
attach to the port before sshd. It would then have total control over the external
connections.

Your step "6. changed the router's port forwarding port to 34567" - I assume you
mean that the router is forwarding port 34567 to port 34567 on the server.
  #5  
Old 28th September 2010, 07:51 PM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
Re: change ssh port

1. /var/log/secure showed no new entries since the port was changed.
2. check out the results from nmap, should I use a different option?

nmap -v -PN 11.222.333.44

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-28 08:58 EDT
Initiating Parallel DNS resolution of 1 host. at 08:58
Completed Parallel DNS resolution of 1 host. at 08:58, 0.01s elapsed
Initiating Connect Scan at 08:58
Scanning 11-222-333-44.myhost.com (11.222.333.44) [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 09:01 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 09:01 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 09:01 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 09:01 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 09:01 (0:00:49 remaining)
Completed Connect Scan at 09:01, 191.440s elapsed (1000 total ports)
Nmap scan report for 11-222-333-44.myhost.com (11.222.333.44)
Host is up (0.00043s latency).
All 1000 scanned ports on 11-222-333-44.myhost.com (11.222.333.44) are filtered
  #6  
Old 29th September 2010, 12:23 AM
kyryder
Guest
 
Posts: n/a
Re: change ssh port

Have you used the "AllowUsers" directive in your sshd_config without a /etc/issue? That would mimic your results of nothing happening when you try to connect with the CLI "ssh -p34567 xx.xxx.xxx.xx".

I may be missing something here, but why change the port of a server that is behind a NAT router? Just set the router to forward port 12345 to 192.168.xxx.xxx [or whatever ip your server has behind your router] port 22. Then when you are on your local lan you can access through port 22 and when away you can access through the internet and use port 12345.

Ky

Last edited by kyryder; 29th September 2010 at 03:31 PM.
  #7  
Old 29th September 2010, 10:27 PM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
Re: change ssh port

I did follow the instructions from the previous post however
ssh me@111.22.333.444 -p34567 still does not connect.

This is what's going on:
1. /var/log/secure does not have any listing for today (the day I did the testing).
2. I did not see AllowUsers in my sshd_config.
3. I have previously been able to connect from a remote machine via ssh with port 22.
4. The router is set to port forwarding port 34567 on 192.168.xxx.xxx.
5. Port forwarding from the firewall (on the local machine) is set to port 22.
6. sshd_config has Port 22.
7. sshd is running.

Glen
  #8  
Old 29th September 2010, 11:48 PM
kurtdriver Offline
Registered User
 
Join Date: Jul 2005
Location: Vancouver Canada
Posts: 1,348
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
3. I have previously been able to connect from a remote machine via ssh with port 22.
4. The router is set to port forwarding port 34567 on 192.168.xxx.xxx.
5. Port forwarding from the firewall (on the local machine) is set to port 22.
6. sshd_config has Port 22.
Hi, notice the number 22 just above? The machines must be using the same port.
  #9  
Old 30th September 2010, 10:35 PM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
Re: change ssh port

Hi all,

I'm puzzled.
??I just attempted exactly what kurtdriver suggested but this did not work for me??

Is there any way I can diagnose at what point (router, firewall, or the sshd service) something's
not working correctly? Does sshd have a verbose option?

On the local machine /var/log/secure does not have any entries for today.
On the remote machine ssh -v -p34567 me@xx.xxx.xxx.xx
shows only "connecting to xx.xxx.xxx.xx"

-GS
  #10  
Old 30th September 2010, 11:26 PM
kurtdriver Offline
Registered User
 
Join Date: Jul 2005
Location: Vancouver Canada
Posts: 1,348
Re: change ssh port

Hi AbbaP, I didn't see that you were port forwarding at the router, my mistake, I'm sorry. I thought you were trying to connect to port 34567. Again, sorry for the mix-up. Kurt
  #11  
Old 2nd October 2010, 02:39 PM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
Re: change ssh port

I've done the method that 'kyryder' suggested but this did not work.
1. So, is there any way to find out if ssh me@xxx.xxx.xxx.xxx -p34567
actually gets past the router?
2. gets past the local machine's firewall?
3. tries to make a connection with sshd?

Does this make any kind of sense?

thx.,
GS
  #12  
Old 2nd October 2010, 04:45 PM
kyryder
Guest
 
Posts: n/a
Re: change ssh port

Hello AbbaP,

Reading back through this thread a few things jump out at me that may be causing your issue. The XX.XXX.XXX.XXX and 192.168.XXX.XXX is kind of confusing and makes me wonder if the correct ip is being used. Let's start referring to them as Wan ip and Lan ip. You are probably using the right ip's but let's just make sure.

Try this from your local network "Lan"

Are you using the Wan ip of the router in your ssh command? Like: ssh -p2345 user@Routers Wan ip. If all is well this should work from your local Lan or remotely on a Wan.

If that fails try this from your local Lan : ssh user@servers Lan ip .

If that fails check your /var/log/secure log of the server you are trying to connect to. Make sure it shows sshd is listening and on what port as diamond_ramsey shows in post #3.

If all the above tests fail : Make sure sshd is running on the server with "service sshd status" if it is not running start it with: su -c 'service sshd start' and repeat above tests.

Just looked at your nmap scan and it shows no open ports. Was that run from the Wan or Lan side of your router and with Wan or Lan server ip? If that was from your Lan side with the local lan ip of the server, then it looks like you might need to adjust your iptables on the server. Take a look at your iptables with su -c 'cat /etc/sysconfig/iptables' and make sure there is a line allowing port 22 through the firewall. The line should look something like:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

If from the Wan side it is a router port forward issue.

I would try to connect using the local Lan ip of the server, while using the local Lan first. Once you can connect locally, then try to get the routers port forward from Wan to work. That will make it easier to figure out what is causing the issue.

Hope this helps and makes sense,

Ky

Last edited by kyryder; 2nd October 2010 at 05:38 PM.
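The server-side part of the layered check described in the posts above (does the port sshd is configured for match a rule in the server's own iptables file, before the router is suspected), as an added example that is not part of the original thread. The function names and the sample files are assumptions constructed for illustration; the last check reflects jpollard's point in post #4 that a high port is not reserved by the system.

```shell
#!/bin/sh
# Added example (not from the thread): offline consistency check between
# sshd_config and the iptables rules file. Sample files are constructed.

# Print the port(s) sshd is configured for; sshd uses 22 when no Port line is set.
sshd_ports() {
    local ports
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeed if rules file $1 has an INPUT ACCEPT rule for TCP destination port $2.
firewall_allows() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( .*)? -j ACCEPT" "$1"
}

# Report every configured sshd port; return 1 if any is not opened on the host.
check_host() {
    local cfg rules port status
    cfg=$1; rules=$2; status=0
    for port in $(sshd_ports "$cfg"); do
        if firewall_allows "$rules" "$port"; then
            echo "port $port: allowed by host firewall"
        else
            echo "port $port: NOT allowed by host firewall"; status=1
        fi
        # Ports >= 1024 are not reserved, so any local process can bind them first.
        if [ "$port" -ge 1024 ]; then
            echo "port $port: unprivileged port, not reserved for root"
        fi
    done
    return "$status"
}

# Constructed sample: sshd moved to 34567 while the firewall still opens only 22.
demo_dir=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 34567' 'Protocol 2' > "$demo_dir/sshd_config"
printf '%s\n' '*filter' \
  '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
  '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
  'COMMIT' > "$demo_dir/iptables"
check_host "$demo_dir/sshd_config" "$demo_dir/iptables" ||
    echo "fix the host firewall before testing the router forward"
```

On a real server the two arguments would be /etc/ssh/sshd_config and /etc/sysconfig/iptables; if they agree and a connection from the Lan works, the remaining suspect is the router's port forward.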
  #13  
Old 2nd October 2010, 05:29 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,663
Re: change ssh port

You may also need to do a "service sshd start" after doing a chkconfig. "chkconfig
sshd on" only flags it to be started.
  #14  
Old 2nd October 2010, 05:35 PM
kyryder
Guest
 
Posts: n/a
Re: change ssh port

Quote:
Originally Posted by jpollard View Post
You may also need to do a "service sshd start" after doing a chkconfig. "chkconfig
sshd on" only flags it to be started.
Thanks jpollard,

I had used chkconfig when I should have used service. Thanks for the correction. I have edited my above post to reflect the correct commands.

Thanks again,

Ky
  #15  
Old 3rd October 2010, 03:11 PM
AbbaP Offline
Registered User
 
Join Date: Sep 2010
Posts: 34
Re: change ssh port

Hello all,
I had the following result:

Quote:
Reading back through this thread a few things jump out at me that may be causing your issue. The XX.XXX.XXX.XXX and 192.168.XXX.XXX is kind of confusing and makes me wonder if the correct ip is being used. Let's start referring to them as Wan ip and Lan ip. You are probably using the right ip's but let's just make sure.

Try this from your local network "Lan"

Are you using the Wan ip of the router in your ssh command? Like: ssh -p2345 user@Routers Wan ip. If all is well this should work from your local Lan or remotely on a Wan.
This did not work.


Quote:
If that fails try this from your local Lan : ssh user@servers Lan ip .
ssh user@server's lan ip -p2345 does connect.

Quote:
If that fails check your /var/log/secure log of the server you are trying to connect to. Make sure it shows sshd is listening and on what port as diamond_ramsey shows in post #3.

If all the above tests fail : Make sure sshd is running on the server with "service sshd status" if it is not running start it with: su -c 'service sshd start' and repeat above tests.

Just looked at your nmap scan and it shows no open ports. Was that run from the Wan or Lan side of your router and with Wan or Lan server ip? If that was from your Lan side with the local lan ip of the server, then it looks like you might need to adjust your iptables on the server. Take a look at your iptables with su -c 'cat /etc/sysconfig/iptables' and make sure there is a line allowing port 22 through the firewall. The line should look something like:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

If from the Wan side it is a router port forward issue.
This was from the wan side.

AP