Solved

Ssh port change on linux not working

Posted on 2011-02-16
Last Modified: 2012-08-14
Hi,
I'm running CentOS 5.5 and I changed the port (in the sshd_config) from 22 to a random number (e.g. 2222) and now I can't ssh into the server. Keep in mind that I'm only accessing it through PuTTY. Whenever I change the default port back to "22", I can then log in via ssh on the server.

Please help!

Thanks!

0
Question by:Cristi_E
22 Comments
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 34905696
1) Did you restart sshd after making changes in sshd_config?
2) Did you configure the new port in PuTTY?
3) Is there a firewall in between blocking ports other than port 22?

wmp
0
 
LVL 4

Author Comment

by:Cristi_E
ID: 34905715
1) Did you restart sshd after making changes in sshd_config?
A: Yes

2) Did you configure the new port in PuTTY?
A: Yes

3) Is there a firewall in between blocking ports other than port 22?
A: I don't know how to check!
0
 
LVL 2

Expert Comment

by:nimda7
ID: 34905744
Check the firewall settings. By default the firewall is on and accepts ssh on port 22.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 34905754
On the ssh server ssh_hostname:

nc -l -p 2222

On the Windows command line:

telnet ssh_hostname 2222

If you don't get "Connected to ..." the port is most probably blocked.

wmp
0
 
LVL 31

Expert Comment

by:farzanj
ID: 34907531
To check your firewall:
service iptables status
iptables -L

To remove all rules from firewall
iptables -F
service iptables stop
chkconfig iptables off


Check TCP wrappers
vi /etc/hosts.allow

Add the following line at the top of the file
 
sshd : allow

0
 
LVL 31

Expert Comment

by:farzanj
ID: 34908678
Sorry for TCP Wrappers I meant


sshd : ALL

0
 
LVL 7

Accepted Solution

by:mchkorg
mchkorg earned 400 total points
ID: 34914550
Hi,
To be sure you can contact your ssh server on another port:

1) Check if it's really running where you think on the server:
locally, "telnet localhost 2222". It should give you a standard sshd reply, like:
telnet localhost 2222
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5

2) From your Windows computer (ssh/PuTTY client), do the same remotely:
telnet your_server 2222
You'll see if it answers.
If not, you have some firewall blocking between your client and server.
Check with iptables as mentioned above,
provided you don't have some firewall between them.
Check also that your local Windows PC client doesn't have a firewall blocking outgoing traffic.

I hope it helps
0
 
LVL 4

Author Comment

by:Cristi_E
ID: 34914688
Hi,
It seems that if I stop iptables with the command below it works just fine.
service iptables stop

So please help me to add a rule to allow me to connect even if the iptables is started!

0
 
LVL 12

Expert Comment

by:asidu
ID: 34914794
You can list your IP tables and look at the rules.
Modify the line which supports SSH or add a new rule to allow the packet traffic for port 2222.

0
 
LVL 2

Expert Comment

by:nimda7
ID: 34914798
Just add rules for iptables:
# iptables -A INPUT -m state -p tcp -d <your_ip> --sport 1024:65535 --dport <your_ssh_port> --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state -p tcp -s <your_ip> --dport 1024:65535 --sport <your_ssh_port> --state ESTABLISHED -j ACCEPT

You may add these rules to /etc/sysconfig/iptables
0
 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 400 total points
ID: 34914830
From memory:
iptables -I INPUT -p tcp --dport 2222 -j ALLOW
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 34914901
ALLOW => ACCEPT
0
 
LVL 4

Author Comment

by:Cristi_E
ID: 34915138
mchkorg :
Your "iptables -I INPUT -p tcp --dport 2222 -j ACCEPT" works, but how can I make it persistent?
When I restart iptables it is gone!

Thanks!
0
 
LVL 7

Assisted Solution

by:mchkorg
mchkorg earned 400 total points
ID: 34915321
You could
iptables-save > some_etc_file

and when rebooting/restarting,
iptables-restore < some_etc_file

You could restore your iptables rules in a script started with your net interface, like in /etc/network/if-up.d

Regards,

I don't exactly remember all this because I use shorewall instead of iptables. Shorewall is a higher-level tool with a simple syntax. It calls iptables at the end, of course.
If you have to manage a complicated firewall, it's much much easier
You write stuff like :
ALLOW loc $FW tcp 2222 # allows incoming from your LOCal network to your FireWall for tcp/2222
0
 
LVL 31

Assisted Solution

by:farzanj
farzanj earned 100 total points
ID: 34915479
To save your iptables rules, issue the following command
service iptables save

0
 
LVL 31

Expert Comment

by:farzanj
ID: 34915757
The only thing you need to do to keep it persistent after reboot is

 
chkconfig iptables on

0
 
LVL 31

Expert Comment

by:farzanj
ID: 34915841
Firewall: run

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT

SSH server port is 22 not 2222

ACCEPT is used in iptables
ALLOW is used in TCP-Wrappers

Configure both.
0
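An added example, not code from this thread: the rule forms above differ in where the ACCEPT lands (mchkorg's -I INPUT inserts at the top of the chain, the -A forms append at the bottom), and iptables evaluates a chain strictly in order, stopping at the first terminal target. The script below reads an iptables-save dump (the format "service iptables save" writes to /etc/sysconfig/iptables), walks the INPUT chain for a NEW TCP connection to a given port, follows user-chain jumps, and reports ACCEPT, REJECT, DROP or the chain policy. The sample rule set is constructed, modelled on the CentOS 5 default firewall with its RH-Firewall-1-INPUT chain; whether the asker's box has exactly that layout is an assumption. Matching is simplified to -p, -i, --dport (including a:b ranges and the name "ssh") and --state; -s, -d and --sport are assumed not to exclude the client.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate what the INPUT chain of an
# iptables-save dump does with a NEW TCP connection to port $1.
# On a live box:  iptables-save | walk_input_for_port 2222

walk_input_for_port() {
    awk -v port="$1" '
    /^:/  { sub(/^:/, ""); policy[$1] = $2; next }            # ":INPUT ACCEPT [0:0]"
    /^-A/ { chain = $2; n[chain]++; rule[chain, n[chain]] = $0; next }

    # Does rule text r match a NEW TCP packet to "port" arriving on a NIC?
    function matches(r,   i, nf, f, proto, dport, states, iface, range) {
        nf = split(r, f, " ")
        for (i = 1; i <= nf; i++) {
            if      (f[i] == "-p")      proto  = f[i + 1]
            else if (f[i] == "--dport") dport  = f[i + 1]
            else if (f[i] == "--state") states = f[i + 1]
            else if (f[i] == "-i")      iface  = f[i + 1]
        }
        if (proto != "" && proto != "tcp") return 0
        if (iface == "lo") return 0                  # remote clients never arrive on lo
        if (states != "" && states !~ /NEW/) return 0
        if (dport == "ssh") dport = "22"             # service name from /etc/services
        if (dport != "") {
            if (index(dport, ":")) {
                split(dport, range, ":")
                if (port + 0 < range[1] + 0 || port + 0 > range[2] + 0) return 0
            } else if (dport + 0 != port + 0) return 0
        }
        return 1
    }
    function target(r,   i, nf, f) {
        nf = split(r, f, " ")
        for (i = 1; i <= nf; i++) if (f[i] == "-j") return f[i + 1]
        return ""
    }
    # First terminal verdict in chain order; "" means the chain fell through.
    function walk(chain,   i, t, v) {
        for (i = 1; i <= n[chain]; i++) {
            if (!matches(rule[chain, i])) continue
            t = target(rule[chain, i])
            if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
            if (t == "RETURN") return ""
            if (t in n) { v = walk(t); if (v != "") return v }
        }
        return ""
    }
    END {
        v = walk("INPUT")
        if (v == "") v = "POLICY:" policy["INPUT"]
        print v
    }'
}

# Append a rule before COMMIT (what "iptables -A INPUT ..." followed by
# "service iptables save" produces) or put it ahead of the first INPUT rule (-I INPUT).
append_input_rule() { printf '%s\n' "$1" | awk -v r="$2" '/^COMMIT/ { print r } { print }'; }
insert_input_rule() { printf '%s\n' "$1" | awk -v r="$2" '/^-A INPUT/ && !done { print r; done = 1 } { print }'; }

# Constructed sample modelled on the CentOS 5 default /etc/sysconfig/iptables.
DEFAULT_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
NEW_RULE='-A INPUT -p tcp --dport 2222 -j ACCEPT'

printf '%s\n' "$DEFAULT_RULES" | walk_input_for_port 22                    # ACCEPT
printf '%s\n' "$DEFAULT_RULES" | walk_input_for_port 2222                  # REJECT
append_input_rule "$DEFAULT_RULES" "$NEW_RULE" | walk_input_for_port 2222  # REJECT: sits after the jump that rejects
insert_input_rule "$DEFAULT_RULES" "$NEW_RULE" | walk_input_for_port 2222  # ACCEPT
```

The appended rule is never reached because the first INPUT rule jumps into RH-Firewall-1-INPUT, whose last rule rejects everything not matched earlier; inserting the rule (or adding it inside that chain before the REJECT line, then running service iptables save and chkconfig iptables on) is what makes the new port both reachable and persistent. Keep the port 22 rule until the 2222 connection is verified, so a mistake does not lock you out.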
 
LVL 7

Expert Comment

by:mchkorg
ID: 34916415
In his case, he's trying to run sshd on 2222,
so it's definitely 2222.
About ALLOW: my mistake. That's why I corrected it in the message after.
0
 
LVL 31

Expert Comment

by:farzanj
ID: 34916487
Didn't mean to offend.

>>  from 22 to random number (eg. 2222)

I take it the server is the same old 22 and the client, as usual, can be any random number. This is my take.

Therefore, when you give your iptables rules, dport refers to the server port not the client.


Sorry to offend.
0
 
LVL 31

Expert Comment

by:farzanj
ID: 34916522
Looks like your rule works too.  So, great!
0
 
LVL 7

Expert Comment

by:mchkorg
ID: 34916687
No problem.
0
 
LVL 4

Author Closing Comment

by:Cristi_E
ID: 34924487
Thank you all for help!
0
