FedoraForum.org - Security and Privacy forum
Thread: change ssh port (posts #31-#45)
#31 - jpollard - 25th October 2010, 11:12 PM
Re: change ssh port

First of all, nmap did not scan port 1234. It stops (by default) at 1024
(-p option).

Since you were scanning localhost, it doesn't really matter about the
firewall.
#32 - AbbaP - 26th October 2010, 01:59 AM
Re: change ssh port

Quote:
Originally Posted by jpollard View Post
First of all, nmap did not scan port 1234. It stops (by default) at 1024
(-p option).

Since you were scanning localhost, it doesn't really matter about the
firewall.
Port 1234 is fictitious to be safe. The real port number is less than 1024.

AbbaP
#33 - Sicinthemind - 26th October 2010, 02:08 AM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
Take a look at the output of nmap. It does not show port 22 or port 1234.??
Also, I temporarily disabled the firewall.

Code:
nmap -sT localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-25 17:42 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Run this command:
Code:
[root@server ~]$service sshd status
If you see "sshd is not running", you need to run the chkconfig commands to make it start on reboot.
Code:
[root@server ~]$chkconfig --list sshd
sshd      0:off     1:off     2:off     3:off     4:off     5:off     6:off
[root@server ~]$chkconfig --level 345 sshd on
# or just: chkconfig sshd on
[root@server ~]$chkconfig --list sshd
sshd      0:off     1:off     2:off     3:on      4:on      5:on      6:off
[root@server ~]$service sshd start
Then run nmap -sT localhost or the netstat commands mentioned above.
__________________
Steve Kline - RHCSA, MCITP: Server Admin
#34 - AbbaP - 26th October 2010, 12:52 PM
Re: change ssh port

I did all of the above. Then nmap -sT output the same as before.
(ie. no mention of port 22 or of the other port xxxx which is less than 1024).
#35 - jpollard - 26th October 2010, 12:57 PM
Re: change ssh port

That means that sshd is not running.

If you attempted to start it (service sshd start) then there should be
some error messages in /var/log/messages.
#36 - Sicinthemind - 26th October 2010, 02:39 PM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
I did all of the above. Then nmap -sT output the same as before.
(ie. no mention of port 22 or of the other port xxxx which is less than 1024).
You might have bombed your ssh config... anyway... just perform this. Start from scratch...

Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Give SSH a clean slate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# sshd_config is the daemon's file; ssh_config only configures the ssh client
[root@server ~]$ rm /etc/ssh/sshd_config
# the daemon ships in the openssh-server package (there is no package named sshd)
[root@server ~]$ yum reinstall openssh-server
OR
[root@server ~]$ yum remove openssh-server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make the single line configuration and reload it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@server ~]$ yum -y install openssh-server
# the keyword is "Port"; replace #### with the port number you chose
[root@server ~]$ echo "Port ####" >> /etc/ssh/sshd_config
[root@server ~]$ chkconfig sshd on
[root@server ~]$ service sshd start
If you feel it necessary, you can change /etc/services back, but if you type your iptables rules to allow "SSH", it uses that file as the reference for which ports to open up, so you will need to put the port in manually. Replace the #### with your desired port number, the same one you inserted into the ssh_config file.
Code:
[root@server ~]$iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
If it fails to work this time, you have to provide some diagnostic info before you reply with additional questions. Post the output of the following commands.
Code:
[root@server ~]$ service sshd status
[root@server ~]$ iptables --list
[root@server ~]$ nmap -sT rhs1 | grep open
#37 - AbbaP - 27th October 2010, 02:30 PM
Re: change ssh port

I had a few problems obtaining the requested info:
Quote:
Originally Posted by Sicinthemind View Post

If you feel it necessary, you can change /etc/services back, but if you type your Iptables rules to allow "SSH", it uses that file as reference for the ports to open up. So you will need to put the port in manually. Replace the ### with your desired port number. The same one you inserted to the ssh_config file.
Code:
[root@server ~]$iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
Code:
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 206 -j ACCEPT
iptables: No chain/target/match by that name.

Code:
service sshd status
openssh-daemon (pid  3143) is running...

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp
ACCEPT     udp  --  anywhere             ###.0.0.###         state NEW udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             ####-PC           state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Code:
nmap -sT rhs1 | grep open
Failed to resolve given hostname/IP: rhs1.  Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges

#38 - Sicinthemind - 27th October 2010, 04:00 PM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
I had a few problems obtaining the requested info:
Very thorough, but I meant to put localhost instead of rhs1; that was my mistake. I sometimes type what I'm thinking! lol.
After seeing your firewall, you should enter this instead and it should work. Your chain names are just INPUT; mine are RH-... yada.
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 206 -j ACCEPT
Code:
nmap -sT localhost | grep open
Also, you may need to remove that ssh line; it serves no purpose, if /etc/services isn't updated to match your ssh_config, except to open port 22 for you, which is not listening anyway.

Code:
[root@server ~]$ service iptables stop
Test your ssh and make sure you can access it without iptables in the way now. If so, move to the next step; if not, troubleshoot!

Code:
[root@server ~]$ nano /etc/sysconfig/iptables
Remove that ssh line if it specifies 22 or SSH; you can modify it directly to put in your chosen port number. Once you've fixed the line, you have to start iptables. You cannot modify and restart iptables; it's very finicky with file modification. It must be a stop and start.
Code:
[root@server ~]$ service iptables start
Final SSH test... hopefully it's FTW.
#39 - AbbaP - 28th October 2010, 01:05 AM
Re: change ssh port

Sorry for all the back and forth. I guess some issues are not easy to see right away.
Code:
nmap -sT localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-27 19:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00045s latency).
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
I did do:
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
Looks as though somehow it didn't update the port.
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp 
ACCEPT     udp  --  anywhere             ###.0.0.###         state NEW udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:22 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere            ######-PC           state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#40 - Sicinthemind - 28th October 2010, 09:05 AM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
Sorry for all the back and forth. I guess some issues are not easy to see right away.
I see you have ssh forwarding instead of accepting.
#41 - AbbaP - 28th October 2010, 10:27 PM
Re: change ssh port

I realize this may be obvious to some of you out there, but I want to be sure I'm doing the right thing. So, could someone please inform me of the steps to use the fc13 firewall config GUI to enable an ACCEPT of sshd on port ####.

thx.,
Abba P.
#42 - Sicinthemind - 28th October 2010, 11:55 PM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
I realize this may be obvious to some of you out there. But I want to be sure I'm doing the right thing.
So, could someone pls inform me with the steps to use the fc13 firewall config GUI to enable an
ACCEPT of sshd on port ####.

thx.,
Abba P.
#### is just a representation of "enter your number here", since you did not specify a port. You'll receive a syntax error that the port is invalid.

By Command Line
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
http://docs.fedoraproject.org/en-US/...uide-en-US.pdf

This link will take you to the Fedora Docs page. Basically, open system-config-firewall, click on "Other ports" and add the port that you want to open. Obviously SSH is TCP; you just need to enter the port that you want open.

For your future reference, all of these instructions for configuration and management can be found at http://docs.fedoraproject.org/en-US/index.html .
#43 - AbbaP - 29th October 2010, 07:04 PM
Re: change ssh port

Good news! With iptables stopped, I was able to connect from the remote to the local via port ####.
On the other hand, with iptables started, I was not able to do the same. So, iptables must be
incorrect somehow. Can you find the offending issue with this iptables:

Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp 
ACCEPT     udp  --  anywhere             ###.0.0.###         state NEW udp dpt:mdns 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ipp 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:22 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere            name-PC           state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
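An added example, not code from any of the posts above, that pulls together what this thread turns on. Two things are visible on the page: the `Port` directive belongs in /etc/ssh/sshd_config (the daemon's file; ssh_config is the client's), and in the listing just above the ACCEPT for the new port sits after the catch-all REJECT, because `iptables -A` appends to the end of the chain and a rule after the REJECT is never consulted. The fix is `iptables -I INPUT N` with N being the REJECT's rule number. (iptables prints port names by looking them up in /etc/services, which is why, once that file was edited, the old rule now shows `dpt:22` and the new one `dpt:ssh`.) The helpers below work on a file path or on text you pass in, so they run unprivileged and never touch a live host; `live_commands` only prints what to run as root. The sample sshd_config and the sample iptables listing are constructed, modelled on the listings in this thread. One assumption is mine, not the thread's: a Fedora 13 host with SELinux enforcing, where sshd may only bind ports labelled `ssh_port_t`, so a non-default port also needs `semanage port -a -t ssh_port_t -p tcp PORT` (if sshd refuses to start with "Permission denied" on bind, or /var/log/audit/audit.log shows an AVC for sshd, that is the cause).

```shell
#!/bin/sh
# Added example for this thread (not code from the forum posts). Everything
# works on text or on a file path you pass in, so it runs without root and
# never changes a live host; live_commands only prints the root commands.
#
# Assumption (mine, not the thread's): Fedora 13, sysvinit iptables service,
# SELinux enforcing, INPUT chain ending in a catch-all REJECT as posted above.

# set_sshd_port FILE PORT
# Leave exactly one "Port PORT" directive in an sshd_config. Note the file:
# /etc/ssh/sshd_config configures the daemon; /etc/ssh/ssh_config is the
# client's file and has no effect on what sshd listens on.
set_sshd_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port out of range" >&2
        return 1
    fi
    tmp=$(mktemp)
    # Strip every Port line, active or commented out, then append ours.
    grep -v -E '^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]' "$file" > "$tmp" || true
    printf 'Port %s\n' "$port" >> "$tmp"
    mv "$tmp" "$file"
}

# sshd_config_port FILE
# The port sshd will actually use: the first uncommented Port directive wins
# (sshd_config(5): "the first obtained value will be used"), default 22.
sshd_config_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# reject_rule_number LISTING
# LISTING is the text of `iptables -L INPUT -n --line-numbers`. Prints the
# number of the first REJECT/DROP rule: an ACCEPT appended with -A lands
# after it and is never reached, so insert with `iptables -I INPUT N` instead.
reject_rule_number() {
    printf '%s\n' "$1" | awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# live_commands PORT REJECTNUM
# Print (do not run) the root commands for a Fedora host. Review them, then
# pipe to a root shell. semanage is needed because SELinux only lets sshd
# bind ports labelled ssh_port_t; without it sshd cannot listen on the port.
live_commands() {
    port=$1
    rejectnum=$2
    cat <<EOF
# 1. set "Port $port" in /etc/ssh/sshd_config (set_sshd_port above does this)
# 2. label the port for SELinux (use -m instead of -a if it is already labelled)
semanage port -a -t ssh_port_t -p tcp $port
# 3. accept the port BEFORE the catch-all REJECT, then persist and restart
iptables -I INPUT $rejectnum -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT
service iptables save
service sshd restart
# 4. verify: netstat -tln | grep ':$port ' ; nmap -sT -p $port localhost
EOF
}

# Constructed sample listing, modelled on the INPUT chain posted above: the
# ACCEPT for the new port (2222 here) sits after the REJECT at rule 5.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2222'

# Demo on a throwaway copy of a config (constructed), so nothing on the host changes.
demo_conf=$(mktemp)
printf '#Port 22\nProtocol 2\nPort 22\n' > "$demo_conf"
set_sshd_port "$demo_conf" 2222
echo "effective sshd port: $(sshd_config_port "$demo_conf")"
rm -f "$demo_conf"
n=$(reject_rule_number "$SAMPLE_LISTING")
echo "REJECT is rule $n; the ACCEPT must be inserted there:"
live_commands 2222 "$n"
```

On a real host, run `iptables -L INPUT -n --line-numbers` yourself, feed its output to `reject_rule_number`, and read the `live_commands` output before running it; `service iptables save` rewrites /etc/sysconfig/iptables so the rule survives the stop/start the thread describes.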
#44 - Sicinthemind - 29th October 2010, 07:45 PM
Re: change ssh port

Quote:
Originally Posted by AbbaP View Post
good news.! With iptables stopped, I was able to connect from the remote to the local via port ####.
On the other hand, with iptables started, I was not able to do the same. So, iptables must be
incorrect somehow. Can you find the offending issue with this iptables:
I know your iptables is incorrect because you did not enter your port number for those hashes. You probably got an error for entering those hashes... Use the syntax I provided and replace the #### with the port number you opened.

Obviously #### is not a real number...
#45 - AbbaP - 29th October 2010, 09:31 PM
Re: change ssh port

Quote:
Originally Posted by Sicinthemind View Post
I know your IP tables is incorrect because you did not enter your port number for those hashes. You probably got an error for entering those hashes... Use the syntax I provided and replace the #### with the port number you opened.

Obviously #### is not a real number...
Understood. When I ran the command I replaced #### with a real number, and the result is
what I just posted (only with #### replaced with a real number).
Sorry about the confusion.