Cristi_E (Romania)

asked on

SSH port change on Linux not working

Hi,
I'm running CentOS 5.5 and I changed the port (in sshd_config) from 22 to a random number (e.g. 2222), and now I can't SSH into the server. Keep in mind that I'm only accessing it through PuTTY. Whenever I change the port back to the default "22", I can log in to the server via SSH again.

Please help!

Thanks!

woolmilkporc (Germany)

1) Did you restart sshd after making changes in sshd_config?
2) Did you configure the new port in PuTTY?
3) Is there a firewall in between blocking ports other than port 22?

wmp
Cristi_E (ASKER)

1) Did you restart sshd after making changes in sshd_config?
A: Yes

2) Did you configure the new port in PuTTY?
A: Yes

3) Is there a firewall inbetween blocking ports other than port 22?
A: I don't know how to check!

Check the firewall settings. By default the firewall is on and accepts SSH on port 22.
On the ssh server ssh_hostname:

nc -l -p 2222

On the Windows command line:

telnet ssh_hostname 2222

If you don't get "Connected to ..." the port is most probably blocked.

wmp
To check your firewall:
service iptables status
iptables -L



To remove all rules from the firewall:
iptables -F
service iptables stop
chkconfig iptables off



Check TCP wrappers
vi /etc/hosts.allow

Add the following line at the top of the file
 
sshd : allow


Sorry, for TCP Wrappers I meant


sshd : ALL


ASKER CERTIFIED SOLUTION by mchkorg (France)
(solution text only available to members)
Hi,
It seems that if I stop iptables with the command below it works just fine.
service iptables stop


So please help me add a rule that lets me connect even when iptables is started!

You can list your iptables rules and look at them.
Modify the line that allows SSH, or add a new rule to allow packet traffic for port 2222.

Just add rules for iptables:
# iptables -A INPUT -m state -p tcp -d <your_ip> --sport 1024:65535 --dport <your_ssh_port> --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state -p tcp -s <your_ip> --dport 1024:65535 --sport <your_ssh_port> --state ESTABLISHED -j ACCEPT

You may add these rules to /etc/sysconfig/iptables
SOLUTION (text only available to members)
ALLOW => ACCEPT
mchkorg :
Your "iptables -I INPUT -p tcp --dport 2222 -j ACCEPT" works, but how can I make it persistent?
When I restart iptables it is gone!

Thanks!
SOLUTION (text only available to members)
SOLUTION (text only available to members)
The only thing you need to do to keep it persistent after reboot is

 
chkconfig iptables on


Firewall run

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT



SSH server port is 22 not 2222

ACCEPT is used in iptables
ALLOW is used in TCP-Wrappers

Configure both.
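Added example, not from any poster in this thread: a POSIX shell script that ties the firewall check, the "--dport ssh means 22" point and the /etc/sysconfig/iptables persistence advice together. It reads an sshd_config and an iptables-save dump on stdin, reports whether the firewall accepts every port sshd listens on, and prints the line to save if not. The function names are the example's own, and the sample config and ruleset are constructed to resemble a stock CentOS 5 box.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an sshd_config and an
# iptables-save dump on stdin and reports whether the firewall accepts the
# port(s) sshd listens on. Function names are this example's own; the sample
# config and ruleset below are constructed to resemble a stock CentOS 5 box.

# Print every "Port N" value from the sshd_config on stdin (the keyword is
# case-insensitive; "#Port 22" is a comment). No Port line means 22.
sshd_ports_from_config() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2; n++ }
         END { if (!n) print 22 }'
}

# Exit 0 if some ACCEPT rule for TCP destination port $1 exists in the
# iptables-save dump on stdin, else 1. "--dport ssh" is resolved through
# /etc/services, so it means 22 and never covers 2222; a "lo:hi" range
# counts when the port falls inside it.
firewall_accepts_port() {
    awk -v port="$1" '
        $1 == "-A" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                d = $(i + 1)
                if (d == "ssh") d = 22
                if (index(d, ":")) {
                    split(d, r, ":")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (d + 0 == port + 0) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# The line to keep in /etc/sysconfig/iptables (iptables-save syntax) so the
# port survives "service iptables restart"; on CentOS 5 "service iptables
# save" writes the live ruleset to that file.
rule_line_for_port() {
    printf '%s\n' "-A INPUT -m state --state NEW -p tcp --dport $1 -j ACCEPT"
}

# Constructed sample inputs: sshd moved to 2222, firewall still only opens 22.
SSHD_CONF='# constructed sshd_config excerpt
#Port 22
Port 2222
Protocol 2'
IPT_DUMP='# constructed iptables-save output, stock CentOS 5 layout
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# One line per sshd port: accepted, or the rule line that still needs saving.
report() {
    for port in $(printf '%s\n' "$SSHD_CONF" | sshd_ports_from_config); do
        if printf '%s\n' "$IPT_DUMP" | firewall_accepts_port "$port"; then
            echo "port $port: accepted by the firewall"
        else
            echo "port $port: NOT accepted; insert this before the REJECT/jump rule in /etc/sysconfig/iptables:"
            rule_line_for_port "$port"
        fi
    done
}
report
```

On a live box, feed the real files instead of the constructed strings (`sshd_ports_from_config < /etc/ssh/sshd_config` and `iptables-save | firewall_accepts_port 2222`). Rule order matters: on the stock CentOS 5 ruleset INPUT jumps to RH-Firewall-1-INPUT, which ends in a REJECT, so a rule appended with -A INPUT sits after that jump and is never reached, which is why the thread's "iptables -I INPUT ..." form works live; the saved line likewise has to sit above that jump, and running "service iptables save" after the live -I keeps it across "service iptables restart".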
In his case, he's trying to run sshd on 2222,
so it's definitely 2222.
About ALLOW: my mistake. That's why I corrected the message afterwards.
Didn't mean to offend.

>>  from 22 to random number (eg. 2222)

I take it the server is the same old 22 and the client, as usual, can be any random number. This is my take.

Therefore, when you give your iptables rules, dport refers to the server port, not the client.


Sorry to offend.
Looks like your rule works too.  So, great!
no pb
Thank you all for help!