www.centos.org Forum Index - CentOS 6 - General Support

SSH port will not change.

#1  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
I take the "#" out from before the port, change the port number to 1879 ... and am unable to connect. I set up 2 new servers today ... and was unable to successfully change the port on either of these servers.

I have been able to do this on all my other servers, just not these 2 new ones. I did an OS reinstall and that didn't change anything.
Posted on: 2012/5/28 2:56
#2  sarmed (Peeking in the Member Window; Joined: 2012/3/27; From Dhaka, Bangladesh; Posts: 16)
Check out the output of the following command

netstat -tulpn


Check whether your service is listening on the ssh port, i.e. 1879.

If your server is in fact listening, check whether your firewall is blocking the connection with

iptables -L
Posted on: 2012/5/28 3:06
#3  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
This is what I get.
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1522/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      7288/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1685/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1903/master
tcp        0      0 0.0.0.0:47654               0.0.0.0:*                   LISTEN      1540/rpc.statd
tcp        0      0 :::111                      :::*                        LISTEN      1522/rpcbind
tcp        0      0 :::44946                    :::*                        LISTEN      1540/rpc.statd
tcp        0      0 :::22                       :::*                        LISTEN      7288/sshd
tcp        0      0 ::1:631                     :::*                        LISTEN      1685/cupsd
tcp        0      0 ::1:25                      :::*                        LISTEN      1903/master
udp        0      0 0.0.0.0:43314               0.0.0.0:*                               1540/rpc.statd
udp        0      0 0.0.0.0:849                 0.0.0.0:*                               1522/rpcbind
udp        0      0 0.0.0.0:868                 0.0.0.0:*                               1540/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               1522/rpcbind
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               1685/cupsd
udp        0      0 :::42942                    :::*                                    1540/rpc.statd
udp        0      0 :::849                      :::*                                    1522/rpcbind
udp        0      0 :::111                      :::*                                    1522/rpcbind


And this

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Still cannot seem to figure out why it is not changing.
Posted on: 2012/5/29 2:41
#4  vonskippy (Professional Board Member; Joined: 2006/12/30; From Colorado, USA; Posts: 455)
tcp        0      0 0.0.0.0:22                0.0.0.0:*                   LISTEN      7288/sshd


Did you restart sshd after editing the config file?
Posted on: 2012/5/29 5:02
#5  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
I did ... I changed it back to 22 since it was not working. Let me try again.
Posted on: 2012/6/2 0:05
#6  leo_qiiq (Newbie; Joined: 2012/7/12; Posts: 2)
Hi,

I got the same problem installing a new DELL R-310 server.
The default ssh port 22 works fine. When changed to 486, after service sshd restart, I cannot see port 486 listening.
When changed to port 1486, netstat can see it is listening but I cannot connect to it.
I checked IPTABLES, no special access list there.

Afterwards I need to put it back to port 22 and everything is OK. Not sure what the problem is.
Posted on: 2012/7/12 23:00
#7  nomad (Newbie; Joined: 2012/7/4; Posts: 6)
All that needs to be done here is to edit /etc/ssh/sshd_config, adding the 'Port' variable.

In CentOS 6 sshd_config line 13 is the Port variable; by default it is commented out, and if so SSH runs on the default of port 22. To change it just un-comment the line and edit the port number, such as this:

was:
# Port 22

to:
Port 7777

Then save and restart SSHd with 'service sshd restart'

Then a quick 'netstat -ntpl' will show it listening on the new port:

# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      18144/varnishd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1007/master
tcp        0      0 0.0.0.0:7777                0.0.0.0:*                   LISTEN      5977/sshd
tcp        0      0 127.0.0.1:6082              0.0.0.0:*                   LISTEN      18142/varnishd
tcp        0      0 :::80                       :::*                        LISTEN      18144/varnishd
tcp        0      0 :::8080                     :::*                        LISTEN      18269/httpd
tcp        0      0 ::1:25                      :::*                        LISTEN      1007/master
tcp        0      0 :::443                      :::*                        LISTEN      18269/httpd
tcp        0      0 :::7777                     :::*                        LISTEN      5977/sshd


Next you do have to remember to make the firewall changes. I recommend going into /etc/sysconfig/iptables and changing it there rather than trying to do new command line rules, but whatever works best for you.

No-Mad
_________________
- Linux Cloud Ninja -
www.thisisnotsupported.com
Posted on: 2012/7/12 23:26
#8  AlanBartlett (Moderator; Joined: 2007/10/22; From ~/Earth/UK/England/Suffolk; Posts: 9138)
What does the following, executed as root, return?

netstat -tulpn | grep sshd
_________________
Alan

100% Unix & Linux. Co-founder of the ELRepo Project.
Posted on: 2012/7/12 23:30
#9  Ideal (Peeking in the Member Window; Joined: 2009/7/17; Posts: 16)
Quote:

youknowme wrote:
I take the "#" out from before the port, change the port number to 1879 ... and am unable to connect. I set up 2 new servers today ... and was unable to successfully change the port on either of these servers.

I have been able to do this on all my other servers, just not these 2 new ones. I did an OS reinstall and that didn't change anything.


If you have selinux enabled you may need to do this too:

# semanage port -a -t ssh_port_t -p tcp 1879
Posted on: 2012/7/13 3:00
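The steps the thread has assembled so far (sarmed's netstat and iptables checks in #2, nomad's sshd_config edit and restart in #7, Alan's `netstat -tulpn | grep sshd` in #8 and the SELinux port label from #9), put together as one added shell script. This is not code from any poster; it assumes a stock CentOS 6 box with /etc/ssh/sshd_config, the iptables init script and, when SELinux is not Disabled, the semanage tool. The function names (validate_port, get_sshd_port, set_sshd_port, apply) are this example's own. The SELinux type is written as ssh_port_t, the name that `semanage port -l` prints in #10; the firewall rule is inserted at the line number of the final REJECT rather than appended, because an appended rule lands below that REJECT and is never reached.

```bash
#!/bin/sh
# Added example, not from any post in this thread: change the sshd listening
# port on CentOS 6 in the order the thread works out, with a check at each
# step. Assumes a stock CentOS 6 layout (/etc/ssh/sshd_config, the iptables
# init script, semanage when SELinux is on).
#
#   sh change_sshd_port.sh apply 1879      (as root)

# validate_port PORT: succeed only for an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# get_sshd_port FILE: print the first active "Port N"; 22 (sshd's built-in
# default) when every Port line is still commented out, as after a fresh install
get_sshd_port() {
    p=$(awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# set_sshd_port FILE PORT: rewrite the first active Port line; if there is
# none, uncomment the first "#Port 22"; if there is neither, append one.
# Writing back with "cat >" keeps the file's owner, mode and SELinux label.
set_sshd_port() {
    file=$1; port=$2
    validate_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v port="$port" '
        NR == FNR { if ($0 ~ /^[ \t]*Port[ \t]/) active = 1; next }   # pass 1
        !done && ($0 ~ /^[ \t]*Port[ \t]/ ||
                  (!active && $0 ~ /^[ \t]*#[ \t]*Port[ \t]/)) {
            print "Port " port; done = 1; next
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# apply PORT: the root-only procedure. Keep your current session (on the old
# port) open until a fresh "ssh -p PORT" from outside works.
apply() {
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port" || return 1
    # syntax-check before touching the daemon; a bad file would leave no sshd
    sshd -t || { echo "sshd -t rejected the config; sshd not restarted" >&2; return 1; }
    # SELinux: sshd may only bind ports labelled ssh_port_t (the type that
    # "semanage port -l" lists in this thread); nothing to do when Disabled
    if [ "$(getenforce 2>/dev/null)" != Disabled ] && command -v semanage >/dev/null 2>&1; then
        semanage port -l | grep '^ssh_port_t' | grep -qw "$port" \
            || semanage port -a -t ssh_port_t -p tcp "$port"
    fi
    # Firewall: "-I INPUT N" at the line number of the final REJECT puts the
    # rule above it; "-A" would append below it, where it is never reached
    pos=$(iptables -n --line-numbers -L INPUT | awk '$2 == "REJECT" { print $1; exit }')
    iptables -I INPUT "${pos:-1}" -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
    service iptables save
    service sshd restart
    netstat -tulpn | grep sshd       # expect 0.0.0.0:PORT and :::PORT here
}

case "${1:-}" in
    apply) apply "$2" ;;
esac
```

The `sshd -t` line is the check most worth keeping: a restart with a broken sshd_config stops the old listener and starts nothing, and the only remaining way in is the console. Restarting the listener normally leaves already-established sessions running, so the session you issue the command from survives to undo a mistake.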
#10  leo_qiiq (Newbie; Joined: 2012/7/12; Posts: 2)
I found my problem is exactly like the old post:

https://www.centos.org/modules/newbb/print.php?form=1&topic_id=33750&forum=38&order=ASC&start=0


No matter what I did, just port 22 is OK.

/etc/ssh/sshd_config is fine. I opened port 3022 along with port 22; even when I tried without port 22 it is the same. Believe it, I restarted and reloaded it after the change.


I set up the selinux semanage to allow port 3022 (the other ports shown are what I tried before):

[root@localhost ssh]# semanage port -l | grep ssh
ssh_port_t                     tcp      3022, 1486, 486, 22


Port 3022 is listening too:

[root@localhost ssh]# netstat -ntpl | grep ssh
tcp        0      0 0.0.0.0:3022                0.0.0.0:*                   LISTEN      10202/sshd
tcp        0      0 :::3022                     :::*                        LISTEN      10202/sshd


In iptables I opened the port as well:

[root@localhost ssh]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2482  235K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   524 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 4686  539K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3022

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1955 packets, 275K bytes)
 pkts bytes target     prot opt in     out     source               destination


ssh -vv 172.16.10.70 -p 3022
OpenSSH_4.2p1, OpenSSL 0.9.7f 22 Mar 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.16.10.70 [172.16.10.70] port 3022.
debug1: connect to address 172.16.10.70 port 3022: No route to host
ssh: connect to host 172.16.10.70 port 3022: No route to host
Posted on: 2012/7/13 14:12
#11  pschaff (Moderator; Joined: 2006/12/13; From Tidewater, Virginia, North America; Posts: 18773)
Looks like a routing problem, not a port problem. If more help is needed then please provide more information about your system by running "./getinfo.sh network" and showing us the output file.
_________________
Phil

Recommended reading: FAQ & Readme first ; Search hint: google "your topic site:centos.org"; Smart Questions
Posted on: 2012/7/15 13:50
#12  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
I got this result from running getinfo.sh


Information for networking problems.

== BEGIN uname -rmi ==
2.6.32-279.1.1.el6.x86_64 x86_64 x86_64
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-6-3.el6.centos.9.x86_64
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 6.3 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
Disabled
== END   getenforce ==

== BEGIN free -m ==
             total       used       free     shared    buffers     cached
Mem:         32016        781      31234          0         46        309
-/+ buffers/cache:        425      31590
Swap:         2046          0       2046
== END   free -m ==

== BEGIN lspci -nn ==
00:00.0 Host bridge [0600]: Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0100] (rev 09)
00:02.0 VGA compatible controller [0300]: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller [8086:0102] (rev 09)
00:16.0 Communication controller [0780]: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 [8086:1c3a] (rev 04)
00:19.0 Ethernet controller [0200]: Intel Corporation 82579V Gigabit Network Connection [8086:1503] (rev 05)
00:1a.0 USB controller [0c03]: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 [8086:1c2d] (rev 05)
00:1b.0 Audio device [0403]: Intel Corporation 6 Series/C200 Series Chipset Family High Definition Audio Controller [8086:1c20] (rev 05)
00:1c.0 PCI bridge [0604]: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 1 [8086:1c10] (rev b5)
00:1c.3 PCI bridge [0604]: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 4 [8086:1c16] (rev b5)
00:1d.0 USB controller [0c03]: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 [8086:1c26] (rev 05)
00:1f.0 ISA bridge [0601]: Intel Corporation H67 Express Chipset Family LPC Controller [8086:1c4a] (rev 05)
00:1f.2 SATA controller [0106]: Intel Corporation 6 Series/C200 Series Chipset Family SATA AHCI Controller [8086:1c02] (rev 05)
00:1f.3 SMBus [0c05]: Intel Corporation 6 Series/C200 Series Chipset Family SMBus Controller [8086:1c22] (rev 05)
01:00.0 PCI bridge [0604]: Integrated Technology Express, Inc. Device [1283:8892] (rev 10)
03:00.0 USB controller [0c03]: NEC Corporation uPD720200 USB 3.0 Host Controller [1033:0194] (rev 04)
== END   lspci -nn ==

== BEGIN lsusb ==
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 14dd:0002 Raritan Computer, Inc. 
== END   lsusb ==

== BEGIN rpm -qa kmod\* kmdl\* ==
== END   rpm -qa kmod\* kmdl\* ==

== BEGIN ifconfig -a ==
eth0      Link encap:Ethernet  HWaddr E0:69:95:EB:66:BD  
          inet addr: 1XX.XXX.X46.74  Bcast: 1XX.XXX.X46.79  Mask:255.255.255.248
          inet6 addr: fxxx::e269:95ff:fxxb:66bd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17652 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6965 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1175007 (1.1 MiB)  TX bytes:425426 (415.4 KiB)
          Interrupt:20 Memory:fe500000-fe520000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

== END   ifconfig -a ==

== BEGIN brctl show ==
bridge name	bridge id		STP enabled	interfaces
== END   brctl show ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1XX.XXX.X46.72  0.0.0.0         255.255.255.248 U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
0.0.0.0         1XX.XXX.46.73  0.0.0.0         UG    0      0        0 eth0
== END   route -n ==

== BEGIN sysctl -a | grep .rp_filter ==
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.arp_filter = 0
== END   sysctl -a | grep .rp_filter ==

== BEGIN ip rule show ==
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
== END   ip rule show ==

== BEGIN ip route show ==
1XX.XXX.X46.72/29 dev eth0  proto kernel  scope link  src 1XX.XXX.X46.74 
169.254.0.0/16 dev eth0  scope link  metric 1002 
default via 1XX.XXX.X 46.73 dev eth0 
== END   ip route show ==

== BEGIN cat /etc/resolv.conf ==

nameserver 6X.XX.XXX.15
nameserver 6X.XX.XXX.14
== END   cat /etc/resolv.conf ==

== BEGIN egrep 'net|hosts' /etc/nsswitch.conf ==
#hosts:     db files nisplus nis dns
hosts:      files dns
#networks:   nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     
netmasks:   files
networks:   files
netgroup:   files
== END   egrep 'net|hosts' /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
== END   chkconfig --list | grep -Ei 'network|wpa' ==
Posted on: 2012/7/20 3:24
#13  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
Anyone have any idea why the change of port is not working? I am still lost.

Thanks
Posted on: 2012/7/28 4:01
#14  TrevorH (Moderator; Joined: 2009/9/24; From Brighton, UK; Posts: 6368)
You have added the iptables rule to allow port 3022 to the end of the chain, after the existing final one that rejects everything - this means it's never reached because it rejects everything before it reaches it.
_________________
Linux/VoIP Systems Administrator
Posted on: 2012/7/28 11:01
#15  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
Quote:

TrevorH wrote:
You have added the iptables rule to allow port 3022 to the end of the chain, after the existing final one that rejects everything - this means it's never reached because it rejects everything before it reaches it.


Really? This is a clean install. I have done nothing but tried to change the SSH port ... How can I fix this? The only thing which I have installed is BFD ... but I checked that and it does not seem to be blocking any ports.

Thanks
Posted on: 2012/7/28 20:18
#16  TrevorH (Moderator; Joined: 2009/9/24; From Brighton, UK; Posts: 6368)
The default INPUT iptables chain in CentOS 6 has a final rule which rejects everything that hasn't matched a previous ALLOW rule. If you use `iptables -A INPUT ...` then this will append a rule to the end of the INPUT chain after the one that rejects everything and will never be reached. Check by running `service iptables save` then look in /etc/sysconfig/iptables for a rule that looks like

-A INPUT -j REJECT --reject-with icmp-host-prohibited


I bet your new rule is listed after that one. Move it up above the REJECT one, save the file and run `service iptables restart` and it will take effect (existing connections may be dropped when you run the restart).

The solution to this next time is to insert your new rule at a specific position in the chain by giving it a line number, e.g. to insert the rule so it's on line 3 of the ruleset use

iptables -I INPUT 3 -p tcp -m tcp --dport 3022 -j ACCEPT
_________________
Linux/VoIP Systems Administrator
Posted on: 2012/7/28 20:27
#17  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
# Generated by iptables-save v1.4.7 on Sat Jul 28 12:44:57 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7:868]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT
-A INPUT
-A INPUT
-A INPUT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Jul 28 12:44:57 2012



"state NEW -m tcp --dport 22 -j ACCEPT" I am trying to change the port to 1992 ... shouldn't the "22" change to 1992 by it self?

Thanks
Posted on: 2012/7/28 21:17
#18  vonskippy (Professional Board Member; Joined: 2006/12/30; From Colorado, USA; Posts: 455)
Quote:

youknowme wrote:
shouldn't the "22" change to 1992 by it self?

No. Edit the file, change the port to the correct number, save, then restart IPTABLES.
Posted on: 2012/7/28 22:05
#19  youknowme (Peeking in the Member Window; Joined: 2011/11/20; Posts: 16)
I did that but it keeps on changing it back to 22 ... not sure what is happening.
Posted on: 2012/7/28 23:18
#20  TrevorH (Moderator; Joined: 2009/9/24; From Brighton, UK; Posts: 6368)
If you have
IPTABLES_SAVE_ON_RESTART="yes"

set in /etc/sysconfig/iptables-config and edit the file and do a restart then it'll be overwritten during the restart. Either stop the service, edit the file, start it again or learn how to use `iptables -I ` (the latter would be my preferred solution since it doesn't leave you with a window where the firewall is stopped).
_________________
Linux/VoIP Systems Administrator
Posted on: 2012/7/28 23:39
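TrevorH's diagnosis in #16 (an ACCEPT appended below the catch-all REJECT is never reached; the counters in #10 already show it, 4686 packets on the REJECT and 0 on the port-3022 rule) and the IPTABLES_SAVE_ON_RESTART caveat in #20, as one added example. It is not code from any poster. The functions work on iptables-save style text, which is what both /etc/sysconfig/iptables and `iptables-save` produce; input_reject_line, shadowed_rules, reorder_input, fix_live, fix_file and sample_ruleset are this example's own names, and the sample ruleset is constructed here, modelled on the paste in #17 with the shadowed port-3022 rule from #10 appended.

```bash
#!/bin/sh
# Added example, not from any post in this thread: find and repair an INPUT
# rule that sits below the catch-all REJECT, where it can never match.
#
#   sh ssh_port_fw.sh audit [FILE]   list the INPUT rules the catch-all hides
#   sh ssh_port_fw.sh live PORT      insert the ACCEPT above it on the running box
#   sh ssh_port_fw.sh file           reorder /etc/sysconfig/iptables in place

# The catch-all: an INPUT rule with no match at all and a terminal target
TERMINAL='^-A INPUT -j (REJECT|DROP)( |$)'

# input_reject_line FILE: 1-based position of the catch-all among the INPUT
# rules, which is exactly the N that "iptables -I INPUT N ..." needs
input_reject_line() {
    awk -v t="$TERMINAL" '/^-A INPUT / { n++; if ($0 ~ t) { print n; exit } }' "$1"
}

# shadowed_rules FILE: every INPUT rule listed after the catch-all
shadowed_rules() {
    awk -v t="$TERMINAL" '/^-A INPUT / { if (after) print; else if ($0 ~ t) after = 1 }' "$1"
}

# reorder_input FILE: print the ruleset with the INPUT chain rebuilt so that
# every other rule keeps its order and the catch-all comes last; all other
# lines (chain policies, other chains, COMMIT) pass through untouched
reorder_input() {
    awk -v t="$TERMINAL" '
        NR == FNR {                                  # pass 1: collect INPUT rules
            if ($0 ~ /^-A INPUT /) {
                if (!term && $0 ~ t) term = $0
                else keep[++n] = $0
            }
            next
        }
        /^-A INPUT / {                               # pass 2: emit the block once
            if (!done) {
                for (i = 1; i <= n; i++) print keep[i]
                if (term != "") print term
                done = 1
            }
            next
        }
        { print }
    ' "$1" "$1"
}

# fix_live PORT: the route that never leaves the firewall stopped. Insert at
# the catch-all's position, then persist the running rules to the file.
fix_live() {
    n=$(iptables-save -t filter | input_reject_line /dev/stdin)
    iptables -I INPUT "${n:-1}" -p tcp -m state --state NEW -m tcp --dport "$1" -j ACCEPT
    service iptables save
}

# fix_file: the edit-the-file route. Stop first: with
# IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config a restart
# writes the running (wrong) rules back over the edit, while stop/edit/start
# does not. The box is unfiltered between the two service calls.
fix_file() {
    f=/etc/sysconfig/iptables
    service iptables stop
    reorder_input "$f" > "$f.new" && cat "$f.new" > "$f" && rm -f "$f.new"
    service iptables start
}

# Constructed sample (not a real box): the #17 ruleset plus the appended
# port-3022 ACCEPT from #10, i.e. the misordering the thread is about
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3022 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

case "${1:-}" in
    audit) shadowed_rules "${2:-/etc/sysconfig/iptables}" ;;
    live)  fix_live "$2" ;;
    file)  fix_file ;;
esac
```

On the sample, `audit` prints the port-3022 line and input_reject_line returns 5, so the live fix is `iptables -I INPUT 5 ...`, the same shape as TrevorH's `iptables -I INPUT 3`. After `reorder_input` the ACCEPT sits directly above the REJECT and the audit prints nothing. The `pkts` column of `iptables -vnL` is the quickest check on a running box: a rule that never gains a packet while the REJECT above it keeps counting is shadowed.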