Servers & Networking: Discuss any Fedora server problems and Networking issues such as dhcp, IP numbers, wlan, modems, etc.

12th June 2011, 02:02 AM
Registered User (Join Date: Jun 2011, Posts: 3)
Changing SSH Port in Firewall
I'm new to Fedora, switching to it from Ubuntu recently because I've heard some good things about Fedora and wanted to give it a try.
I'm attempting to configure SSH to allow me to connect remotely with a different port, in this case, port 2222.
I encountered an error with SELinux when I attempted to change the port in the /etc/ssh/sshd_config file and after some research discovered how I could change that through the terminal with semanage port -a -t ssh_port_t -p tcp 2222. I then verified with semanage port -l | grep ssh
I restarted and when I check with SELinux, the port is added. However, I still am unable to SSH to the machine on port 2222. I'm curious if I've missed something or perhaps have done something wrong.
The only thing I can think I have missed is the Firewall. I check it and under the ssh service, only port 22 is listed. I can't seem to find a way to change that setting in the Firewall. Perhaps that is keeping me from ssh'ing into the machine?
Any and all help is appreciated.
-JW
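The post above touches three layers that must all agree before sshd answers on a non-default port: the Port line in /etc/ssh/sshd_config, the SELinux port label that semanage manages, and the firewall's INPUT chain. The script below is an added example (it is not from the thread or from any poster) that checks each layer from its listing and reports which one still blocks the port. The three listings it uses are constructed samples modelled on the poster's description, not output from a real machine; on a real host the same checks read /etc/ssh/sshd_config, the output of "semanage port -l" and the output of "iptables-save", saved to files.

```shell
#!/bin/sh
# Added example: check the three layers involved in moving sshd to a new
# port. Each check reads one listing on stdin and exits 0 when the port is
# allowed there, 1 when it is not.

# sshd_config: an uncommented "Port N" line for the port. A commented
# "#Port 22" has "#Port" as its first field and is correctly ignored.
sshd_listens_on() {
    awk -v p="$1" '$1 == "Port" && $2 == p { found = 1 } END { exit !found }'
}

# semanage port -l: the ssh_port_t tcp line lists the port itself or a
# range (for example 2000-2100) that contains it.
selinux_allows_port() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f ~ /-/) {
                    split(f, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                } else if (f + 0 == p + 0) found = 1
            }
        }
        END { exit !found }'
}

# iptables-save: an INPUT rule that ACCEPTs --dport PORT has to come before
# the first catch-all REJECT/DROP (a rule with no --dport); anything placed
# after the catch-all is never reached.
firewall_allows_port() {
    awk -v p="$1" '
        $1 == "-A" && $2 == "INPUT" {
            line = $0 " "
            if (index(line, "--dport " p " ") && index(line, "-j ACCEPT ")) { found = 1; exit }
            if (!index(line, "--dport ") && (index(line, "-j REJECT ") || index(line, "-j DROP "))) exit
        }
        END { exit !found }'
}

# ssh_port_report PORT SSHD_CONFIG SEMANAGE_OUTPUT IPTABLES_SAVE_OUTPUT
# Prints one line per blocking layer; returns the number of blocking layers.
ssh_port_report() {
    blocked=0
    sshd_listens_on "$1" < "$2"      || { echo "sshd_config: no uncommented 'Port $1' line"; blocked=$((blocked + 1)); }
    selinux_allows_port "$1" < "$3"  || { echo "SELinux: tcp/$1 is not labelled ssh_port_t"; blocked=$((blocked + 1)); }
    firewall_allows_port "$1" < "$4" || { echo "iptables: no ACCEPT for tcp/$1 before the catch-all REJECT"; blocked=$((blocked + 1)); }
    return "$blocked"
}

# Constructed samples (not from a real system): sshd and SELinux already
# know about 2222, the firewall still only accepts 22, as in the post.
sample_sshd_config() { printf '%s\n' '#Port 22' 'Port 2222' 'PasswordAuthentication no'; }
sample_semanage()    { printf '%s\n' 'ssh_port_t                     tcp      2222, 22'; }
sample_iptables()    { printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
                                     '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
                                     '-A INPUT -j REJECT --reject-with icmp-host-prohibited'; }

# Demo: write the samples to temporary files and run the report for 2222.
d=$(mktemp -d)
sample_sshd_config > "$d/sshd_config"
sample_semanage    > "$d/semanage.txt"
sample_iptables    > "$d/iptables.txt"
if ssh_port_report 2222 "$d/sshd_config" "$d/semanage.txt" "$d/iptables.txt"; then
    echo "all three layers allow tcp/2222"
fi
rm -rf "$d"
```

The firewall check deliberately stops at the first catch-all rule: a rule appended with -A on a stock Fedora chain lands after the final REJECT and is never evaluated, which is why the position of a new ACCEPT matters as much as its content.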

12th June 2011, 02:53 AM
Registered User (Join Date: Jan 2010, Posts: 4,976)
Re: Changing SSH Port in Firewall
something like
iptables -A --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
should work I think. (Not tested on Fedora)
Then, to save it, if it works:
iptables-save > /etc/sysconfig/iptables

12th June 2011, 04:01 PM
Registered User (Join Date: Jun 2011, Posts: 3)
Re: Changing SSH Port in Firewall
With that command I get "Bad argument 'NEW'".

12th June 2011, 04:42 PM
Registered User (Join Date: Jan 2010, Posts: 4,976)
Re: Changing SSH Port in Firewall
Hrrm, OK, I was looking at a CentOS install.
Try with
iptables -A -p tcp --dport 2222 -j ACCEPT
and see if that works.

12th June 2011, 05:14 PM
Registered User (Join Date: Jun 2011, Posts: 3)
Re: Changing SSH Port in Firewall
Again, I was getting a bad argument, this time for 'tcp'.
Thanks for the help. I decided to try the GUI and it looks like I was able to add it there. However, it appears the problem is with SELinux. I either have not done something right with changing its settings or there is more I need to do.
I disabled SELinux and I'm curious if that is a good thing or not. Doing more reading on SELinux to find out how to get this to work, especially with wanting to access the desktop and applications remotely, and even setting the machine up as a proxy.
Thanks again for the assistance

12th June 2011, 06:03 PM
Registered User (Join Date: Jan 2010, Posts: 4,976)
Re: Changing SSH Port in Firewall
Well, turns out I didn't help much, but glad you got it working. I'll have to play with the syntax on a Fedora box.
SELinux, if it's a home machine, is probably not necessary and some people disable it. However, it's gotten very easy to use, and I believe there are some good GUI tools, including a troubleshooter I think. Also, there are sometimes messages in /var/log/messages that will have instructions as to how to fix a problem.
It's best to leave it enabled if possible, and there are differing schools of thought about whether it's necessary, especially for a home machine, or not. There's also the option (in /etc/sysconfig/selinux) to set it to permissive (at least in CentOS--the syntax may be slightly different in Fedora) where it will just print a warning instead of enforcing.

12th June 2011, 06:19 PM
Registered User (Join Date: Apr 2006, Location: Ohio, USA, Posts: 8,300)
Re: Changing SSH Port in Firewall
Disabling SEL is not a great idea.
I'm not the SEL expert but the SEL troubleshooter usually gives good advice.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe

12th June 2011, 06:24 PM
Registered User (Join Date: Jul 2006, Location: Montana, Posts: 731)
Re: Changing SSH Port in Firewall
IMO you are better off by far with ssh on the default port and selinux enabled than your current setup with ssh on an alternate port with selinux disabled.
After running ssh servers for many years I leave them on port 22 and use keys (disable password authentication).
If that is not sufficient, then add a "simple" rule(s) to iptables to rate limit new connections.
Code:
iptables -A INPUT -p tcp -m tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Keep in mind, order of your rules matters, so rather than -A you likely will need to use -I (insert) and put them in the correct location in your rule set.
The previous commands that failed were incomplete.
See : http://bodhizazen.net/Tutorials/iptables
or most any online iptables guide for further information.
Note: if you set your hit count too low, you will have problems with scp and sftp, as each file transfer counts as a new connection. If you find 8 too low, increase it to 10-20.
__________________
If it is not broken, tweak it... If you break Fedora you get to keep both pieces :p
Last edited by bodhi.zazen; 12th June 2011 at 06:26 PM.
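The ordering point in the post above is the part people most often get wrong, so here is a worked version of it, added as an example that is not part of the thread or of bodhi.zazen's tutorial. It finds the position in the INPUT chain in front of which the rate-limit rules must go (the first rule that already decides the port's fate: either an existing ACCEPT for that --dport or the catch-all REJECT), emits the three rules with -I at explicit positions, simulates their effect on an iptables-save listing, and checks the resulting order. The port, window and hit count (22, 600 seconds, 8) and the rule shape are taken from the post; the listing is a constructed sample, iptables itself is never invoked, and the DROP rule additionally carries -m state --state NEW so that only new connection attempts, not every packet of an open session, count towards the limit.

```shell
#!/bin/sh
# Added example: place the rate-limit rules from the post correctly.
# Nothing here calls iptables; commands are generated, applied textually to
# a constructed iptables-save listing, and the order is checked.

# Constructed sample in iptables-save format (not from a real host).
sample_iptables() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# insert_position PORT: 1-based index in INPUT of the first rule that already
# decides the port's fate (ACCEPT for that --dport, or a catch-all
# REJECT/DROP). Inserting at this index puts the new rules in front of it;
# appending with -A would put them after it, where they never match.
insert_position() {
    awk -v p="$1" '
        $1 == "-A" && $2 == "INPUT" {
            n++; line = $0 " "
            catchall = !index(line, "--dport ") && (index(line, "-j REJECT ") || index(line, "-j DROP "))
            accepts = index(line, "--dport " p " ") && index(line, "-j ACCEPT ")
            if (catchall || accepts) { print n; found = 1; exit }
        }
        END { if (!found) print n + 1 }'
}

# ssh_ratelimit_rules PORT POS [SECONDS] [HITCOUNT]: the three commands.
# Each -I pushes the rules below it down, so positions POS, POS+1, POS+2
# leave the chain in the order --set, DROP, ACCEPT.
ssh_ratelimit_rules() {
    port=$1; pos=$2; seconds=${3:-600}; hits=${4:-8}
    printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -m state --state NEW -m recent --set --name SSH --rsource\n' "$pos" "$port"
    printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --rttl --name SSH --rsource -j DROP\n' "$((pos + 1))" "$port" "$seconds" "$hits"
    printf 'iptables -I INPUT %s -p tcp -m tcp --dport %s -j ACCEPT\n' "$((pos + 2))" "$port"
}

# apply_inserts COMMANDS: simulate "iptables -I INPUT N ..." lines (one per
# line in COMMANDS) against a listing on stdin and print the new listing.
apply_inserts() {
    awk -v cmds="$1" '
        $1 == "-A" && $2 == "INPUT" { rules[++n] = $0; if (!start) start = NR; next }
        { other[NR] = $0 }
        END {
            ncmd = split(cmds, cmd, "\n")
            for (c = 1; c <= ncmd; c++) {
                if (cmd[c] !~ /^iptables -I INPUT [0-9]+ /) continue
                split(cmd[c], w, " "); pos = w[4] + 0
                if (pos > n + 1) pos = n + 1
                spec = cmd[c]; sub(/^iptables -I INPUT [0-9]+ /, "", spec)
                for (k = n; k >= pos; k--) rules[k + 1] = rules[k]
                rules[pos] = "-A INPUT " spec; n++
            }
            for (r = 1; r <= NR; r++) {
                if (r == start) for (k = 1; k <= n; k++) print rules[k]
                if (r in other) print other[r]
            }
        }'
}

# ratelimit_order_ok PORT: exit 0 if, in the INPUT chain on stdin, the --set
# rule precedes the DROP rule, the DROP precedes the FIRST ACCEPT for the
# port, and all of them precede any catch-all rule.
ratelimit_order_ok() {
    awk -v p="$1" '
        $1 == "-A" && $2 == "INPUT" {
            n++; line = $0 " "; onport = index(line, "--dport " p " ")
            if (onport && index(line, "--set ")) set = n
            if (onport && index(line, "--update ") && index(line, "-j DROP ")) drop = n
            if (onport && index(line, "-j ACCEPT ") && !acc) acc = n
            if (!catchall && !index(line, "--dport ") && (index(line, "-j REJECT ") || index(line, "-j DROP "))) catchall = n
        }
        END { exit !(set && drop && acc && set < drop && drop < acc && (!catchall || acc < catchall)) }'
}

# Demo: compute the position, show the commands and the resulting chain.
pos=$(sample_iptables | insert_position 22)
cmds=$(ssh_ratelimit_rules 22 "$pos")
printf '%s\n' "$cmds"
sample_iptables | apply_inserts "$cmds" | grep '^-A INPUT'
sample_iptables | apply_inserts "$cmds" | ratelimit_order_ok 22 && echo "order ok"
```

On the sample chain the stock "--dport 22 -j ACCEPT" rule sits at position 4, so the rules are inserted at 4, 5 and 6; inserting them just before the catch-all (position 5) would leave the old ACCEPT in front of them and the limit would never trigger, which the order check reports. The old ACCEPT becomes redundant afterwards and can be deleted.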

24th June 2011, 07:42 PM
Registered User (Join Date: Apr 2009, Posts: 266)
Re: Changing SSH Port in Firewall
In Firewall, can't you just turn off SSH, then add your 2222 in "other ports"?