Can't access ssh on non-standard port

Support for security such as Firewalls and securing linux
Post Reply
neilb
Posts: 3
Joined: 2014/11/14 10:43:58

Can't access ssh on non-standard port

Post by neilb » 2014/11/14 10:51:19

I've used CentOS 5 and 6, and have just got a box with CentOS 7. I've switched it to use iptables, as I use that everywhere else. I've done the following:

* reconfigured sshd to accept connections (for the moment) on 22 and NNNN
* "netstat -tulpn | grep NNNN" reports that it's running, and I can ssh -p NNNN localhost fine
* configured iptables to accept connections from my allowed IP addresses (this is the same config I use elsewhere, so fairly confident in it)
* used semanage to allow ssh on port NNN. If I run "semanage port -l | grep ssh", then I get "NNNN, 22", as expected

But when I try connecting from a remote host with "ssh -p NNNN host", the connection times out.

What am I missing please?

Cheers,
Neil

User avatar
TrevorH
Forum Moderator
Posts: 27417
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Can't access ssh on non-standard port

Post by TrevorH » 2014/11/14 11:28:12

Post the output of iptables-save
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

neilb
Posts: 3
Joined: 2014/11/14 10:43:58

Re: Can't access ssh on non-standard port

Post by neilb » 2014/11/14 11:41:12

Here it is, with IP addresses changed to XXX and the port number as NNNN

Code: Select all

# Generated by iptables-save v1.4.21 on Fri Nov 14 11:37:39 2014
*filter
:INPUT DROP [19198:2345794]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [690:86864]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p tcp -m tcp --dport NNNN -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT
# Completed on Fri Nov 14 11:37:39 2014

neilb
Posts: 3
Joined: 2014/11/14 10:43:58

Re: Can't access ssh on non-standard port

Post by neilb » 2014/11/15 09:45:48

Well, turns out that the hosting provider (this is my first box with a new provider) has an additional level of port filtering that I wasn't aware of.

Having ruled out everything else, I emailed their support asking if it was down to them, and it was.

Neil

Post Reply

Return to “CentOS 7 - Security Support”