Security and Privacy: Sadly, malware, spyware, hackers and privacy threats abound in today's world. Let's be paranoid and secure our penguins, and slam the doors on privacy exploits.

25th October 2010, 11:12 PM
jpollard (Registered User; Join Date: Aug 2009; Location: Waldorf, Maryland; Posts: 6,105)
Re: change ssh port
First of all, nmap did not scan port 1234. It stops (by default) at 1024 (-p option).
Since you were scanning localhost, it doesn't really matter about the firewall.

26th October 2010, 01:59 AM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
Quote:
Originally Posted by jpollard
First of all, nmap did not scan port 1234. It stops (by default) at 1024 (-p option).
Since you were scanning localhost, it doesn't really matter about the firewall.

Port 1234 is fictitious to be safe. The real port number is less than 1024.
AbbaP

26th October 2010, 02:08 AM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
Quote:
Originally Posted by AbbaP
Take a look at the output of nmap. It does not show port 22 or port 1234.??
Also, I temporarily disabled the firewall.
Code:
nmap -sT localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-25 17:42 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Run this command:
Code:
[root@server ~]$ service sshd status
If you see "sshd is not running", you need to run chkconfig commands to make it start on reboots.
Code:
[root@server ~]$ chkconfig --list sshd
sshd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@server ~]$ chkconfig --level 345 sshd on    (or just: chkconfig sshd on)
[root@server ~]$ chkconfig --list sshd
sshd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@server ~]$ service sshd start
Then run nmap -sT localhost or the netstat commands mentioned above.

Steve Kline - RHCSA, MCITP: Server Admin

26th October 2010, 12:52 PM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
I did all of the above. Then nmap -sT output the same as before (i.e. no mention of port 22 or of the other port xxxx, which is less than 1024).

26th October 2010, 12:57 PM
jpollard (Registered User; Join Date: Aug 2009; Location: Waldorf, Maryland; Posts: 6,105)
That means that sshd is not running.
If you attempted to start it (service sshd start) then there should be some error messages in /var/log/messages.

26th October 2010, 02:39 PM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
Quote:
Originally Posted by AbbaP
I did all of the above. Then nmap -sT output the same as before (i.e. no mention of port 22 or of the other port xxxx, which is less than 1024).

You might have bombed your ssh config... anyway... just perform this. Start from scratch...
Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Give SSH a clean slate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# sshd reads /etc/ssh/sshd_config (ssh_config is the client's file);
# the package that ships sshd on Fedora is openssh-server.
[root@server ~]$ rm /etc/ssh/sshd_config
[root@server ~]$ yum reinstall openssh-server
OR
[root@server ~]$ yum remove openssh-server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make the single line configuration and reload it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@server ~]$ yum -y install openssh-server
[root@server ~]$ echo "Port ####" >> /etc/ssh/sshd_config
[root@server ~]$ chkconfig sshd on
[root@server ~]$ service sshd start
If you feel it necessary, you can change /etc/services back, but if you type your iptables rules to allow "SSH", it uses that file as reference for the ports to open up. So you will need to put the port in manually. Replace the #### with your desired port number, the same one you inserted into the ssh_config file.
Code:
[root@server ~]$ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
Before you reply with additional questions, if it fails to work this time, you have to provide some diag info. Post the output of the following commands.
Code:
[root@server ~]$ service sshd status
[root@server ~]$ iptables --list
[root@server ~]$ nmap -sT rhs1 | grep open

Steve Kline - RHCSA, MCITP: Server Admin
Last edited by Sicinthemind; 26th October 2010 at 02:51 PM.

27th October 2010, 02:30 PM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
I had a few problems obtaining the requested info:
Quote:
Originally Posted by Sicinthemind
If you feel it necessary, you can change /etc/services back, but if you type your Iptables rules to allow "SSH", it uses that file as reference for the ports to open up. So you will need to put the port in manually. Replace the #### with your desired port number. The same one you inserted to the ssh_config file.
Code:
[root@server ~]$ iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT

Code:
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 206 -j ACCEPT
iptables: No chain/target/match by that name.
Code:
service sshd status
openssh-daemon (pid 3143) is running...
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp
ACCEPT udp -- anywhere ###.0.0.### state NEW udp dpt:mdns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere ####-PC state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Code:
nmap -sT rhs1 | grep open
Failed to resolve given hostname/IP: rhs1. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
Last edited by AbbaP; 27th October 2010 at 02:34 PM.
Reason: improper quoting

27th October 2010, 04:00 PM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
Quote:
Originally Posted by AbbaP
I had a few problems obtaining the requested info:

Very thorough, but I meant to put localhost instead of rhs1... that was my mistake. I sometimes type what I'm thinking! lol.
After seeing your firewall... you should enter this instead and it should work. Your IP chain names are just INPUT. Mine are RH-... yada.
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 206 -j ACCEPT
Code:
nmap -sT localhost | grep open
Also... you may need to remove that ssh line... it serves no purpose if /etc/services isn't updated to match your ssh_config, except to open port 22 for you, which is not listening anyway.
Code:
[root@server ~]$ service iptables stop
Test your ssh and make sure you can access it without iptables in the way now. If so, move to the next step... if not, troubleshoot!
Code:
[root@server ~]$ nano /etc/sysconfig/iptables
Remove that ssh line if it specifies 22 or SSH; you can modify it directly to put your set port number. Once you've fixed the line... you have to start iptables. You cannot modify and restart iptables; it's very finicky with file modification. It must be a stop and start.
Code:
[root@server ~]$ service iptables start
Final SSH test... hopefully it's FTW.

Steve Kline - RHCSA, MCITP: Server Admin
Last edited by Sicinthemind; 27th October 2010 at 04:11 PM.

28th October 2010, 01:05 AM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
Sorry for all the back and forth. I guess some issues are not easy to see right away.
Code:
nmap -sT localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2010-10-27 19:49 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00045s latency).
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 998 closed ports
PORT STATE SERVICE
25/tcp open smtp
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
I did do:
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
Looks as though somehow it didn't update the port.
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp
ACCEPT udp -- anywhere ###.0.0.### state NEW udp dpt:mdns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere ######-PC state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

28th October 2010, 09:05 AM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
I see you have ssh forwarding instead of accepting.

Steve Kline - RHCSA, MCITP: Server Admin

28th October 2010, 10:27 PM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
I realize this may be obvious to some of you out there, but I want to be sure I'm doing the right thing.
So, could someone please inform me of the steps to use the fc13 firewall config GUI to enable an ACCEPT of sshd on port ####?
Thanks,
Abba P.

28th October 2010, 11:55 PM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
Quote:
Originally Posted by AbbaP
I realize this may be obvious to some of you out there, but I want to be sure I'm doing the right thing.
So, could someone please inform me of the steps to use the fc13 firewall config GUI to enable an ACCEPT of sshd on port ####?
Thanks,
Abba P.

#### is just a representation of "enter your number here", since you did not specify a port. You'll receive a syntax error that the port is invalid.
By command line:
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
http://docs.fedoraproject.org/en-US/...uide-en-US.pdf
This link will take you to the Fedora Docs page. Basically, open system-config-firewall, click on other ports and add the port that you want to open. Obviously SSH is TCP; you just need to enter the port that you want open.
For your future reference, all of these instructions for configuration and management can be found at http://docs.fedoraproject.org/en-US/index.html.

Steve Kline - RHCSA, MCITP: Server Admin

29th October 2010, 07:04 PM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
Good news! With iptables stopped, I was able to connect from the remote to the local via port ####.
On the other hand, with iptables started, I was not able to do the same. So, iptables must be incorrect somehow. Can you find the offending issue with this iptables:
Code:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport #### -j ACCEPT
iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere state NEW udp dpt:isakmp
ACCEPT udp -- anywhere ###.0.0.### state NEW udp dpt:mdns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ipp
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere name-PC state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

29th October 2010, 07:45 PM
Sicinthemind (Registered User; Join Date: May 2009; Location: Tampa, FL, previously Chicago, IL; Posts: 137)
Quote:
Originally Posted by AbbaP
Good news! With iptables stopped, I was able to connect from the remote to the local via port ####.
On the other hand, with iptables started, I was not able to do the same. So, iptables must be incorrect somehow. Can you find the offending issue with this iptables:

I know your iptables is incorrect because you did not enter your port number for those hashes. You probably got an error for entering those hashes... Use the syntax I provided and replace the #### with the port number you opened.
Obviously #### is not a real number...

Steve Kline - RHCSA, MCITP: Server Admin

29th October 2010, 09:31 PM
AbbaP (Registered User; Join Date: Sep 2010; Posts: 34)
Quote:
Originally Posted by Sicinthemind
I know your iptables is incorrect because you did not enter your port number for those hashes. You probably got an error for entering those hashes... Use the syntax I provided and replace the #### with the port number you opened.
Obviously #### is not a real number...

Understood. When I ran the command I replaced #### with a real number, and the result is what I just posted (only with #### replaced with a real number).
Sorry about the confusion.
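The listing AbbaP posted on the 29th shows why the connection only works with iptables stopped: -A appends, so the new ACCEPT lands behind the chain's catch-all REJECT, and because iptables takes the first matching rule it is never reached. The script below is an added example, not code from the thread or from Fedora; it reads plain iptables -L output (here a constructed sample modelled on the posted listing), reports rules shadowed by a preceding catch-all REJECT, and builds the iptables -I command that inserts the ACCEPT at the REJECT's position. The function names and the sample listing are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find ACCEPT rules that "iptables -A"
# appended behind a chain's catch-all REJECT and build the "-I" fix. Works on plain "iptables -L" output.

# Constructed sample modelled on the posted INPUT chain: the dpt:206 rule
# sits after the REJECT, so it is never evaluated.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:22
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:206
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Listing on stdin -> "<chain> <rule-number> <rule>" for every rule that follows a
# catch-all REJECT (any proto/source/dest). Numbering matches "iptables -L --line-numbers".
shadowed_rules() {
    awk '
        /^Chain /             { chain = $2; n = 0; blocked = 0; next }
        /^target / || NF == 0 { next }
        { n++ }
        blocked               { print chain, n, $0; next }
        $1 == "REJECT" && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" { blocked = 1 }
    '
}

# Listing on stdin -> rule number of the first catch-all REJECT in chain $1
# (prints nothing if the chain has none).
reject_line_of() {
    awk -v want="$1" '
        /^Chain /             { chain = $2; n = 0; next }
        /^target / || NF == 0 { next }
        { n++ }
        chain == want && $1 == "REJECT" && $2 == "all" { print n; exit }
    '
}

# Emit the corrective command: insert (-I) an ACCEPT for TCP port $3 into
# chain $1 at position $2, i.e. ahead of the REJECT. Refuses the "####"
# placeholder that caused confusion in the thread, and any non-port value.
fix_command() {
    chain=$1; pos=$2; port=$3
    case $port in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    printf 'iptables -I %s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' \
        "$chain" "$pos" "$port"
}

printf '%s\n' "$SAMPLE_LISTING" | shadowed_rules
fix_command INPUT "$(printf '%s\n' "$SAMPLE_LISTING" | reject_line_of INPUT)" 206
```

After inserting the rule, save it with service iptables save (or edit /etc/sysconfig/iptables as suggested above) so the ordering survives a stop/start.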