Problems changing linux SSH port on Microsoft Azure - linux

I am trying to change the SSH port from 22 on an Ubuntu box hosted on Azure. According this this answer How to change SSH ports in Microsoft Azure properly? you can just change the 'public' port while keeping the 'private' ssh port at 22.
However the answer is a bit outdated as there is no mention of public/private ports on Azure as far as I can tell. In the Network Scurity Group settings there are only 'Source port range' and 'Destination port range'.
Using the default settings
Source port range: *
Destination port range: 22
I can login via shell OK ie
ssh -i my_key me#azure_ip
When I changed the Source port range to a specific port I want to use as the 'public' ssh port
Source port range: new_ip
Destination port range: 22
then try
ssh -i my_key me#azure_ip -p new_ip
then the connection just times out and I cant connect.
Then I tried changing the Port in the sshd_config on the server, leaving the Source port range as * and changed the Destination port range to the new ip but got a 'public key' error
Any ideas? (I am happy to either change the public port and or the private port)

For now, in ARM module, we can't use NSG to NAT one port to another port.
As a workaround, we can change sshd_config port settings, here are the steps:
1. SSH to this VM, change sshd_config settings like this, change port 22 to port 33320:
root#jasonvm:~# vi /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 33320
2. restart ssh service:
root#jasonvm:~# service ssh restart
root#jasonvm:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:33320 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.4:33188 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44470 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33320 114.224.98.58:58180 ESTABLISHED
tcp 0 0 10.0.0.4:33186 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:22 114.224.98.58:58088 ESTABLISHED
tcp 0 0 10.0.0.4:33182 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44464 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33180 52.240.48.24:443 TIME_WAIT
tcp6 0 0 :::33320 :::* LISTEN
3. Add inbound rule to NSG:
After that completed, we can use new port and public IP address to ssh this VM:
ssh user#xxx.xxx.xxx.xxx 33320

Related

Netplan ipv6 "No route to host"

I've clearly misconfigured my ipv6 listener addresses. Question 1: I need someone to spot the error. And a bonus Question 2: is there any risk to removing the "/sbin/ip address add" command below?
This is on a ubuntu 18.04 virtual machine.
Here's a curl command, showing that ipv6 routing is not set up correctly:
curl -vvv -L "http://[2600:1303:d000:1::17c3:4571]"
* Trying 2600:1303:d000:1::17c3:4571...
* TCP_NODELAY set
* Immediate connect fail for 2600:1303:d000:1::17c3:4571: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
Previously, when the program started, it issued a native "/sbin/ip address add". That turned out to be problematic because when the network interface was reset, the route would be lost.
So, I added /etc/netplan because configuring the ipv6 routing survives a network restart. However, I didn't remove the "ip addr add" on startup. Currently, two commands are used to setup routing: netplan and "/sbin/ip address add". Here's the order of commands executed:
1. Manual one-time command of "/etc/netplan apply" which didn't return any errors.
2. "ip addr add" every time the server starts. So, at least once since the manual netplan command.
Here's the ipv6 addresses it's listening on:
netstat -anp | grep redir | grep LISTEN
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
Here's what I want it to be listening on:
[2600:1303:c000:1::15d4:456f]:80"
[2600:1303:d000:1::17c3:4570]:80"
[2600:1303:d000:1::17c3:4571]:80"
[2600:1303:d000:1::17c3:4572]:80"
Here's the "ip address add" command. Notice that the I'm using "/24" and I wonder if that's the problem. Or perhaps using both "ip addr add" and netplan isn't working as intended. This is a legacy application and because my networking skills in this area aren't strong, I wasn't sure if it would be safe to remove the "ip addr add". I didn't think it would hurt to keep the "ip addr add" command, but perhaps I was wrong.
out, e = exec.Command("/sbin/ip", "-6", "addr", "add", ip + "/24", "dev", "eth0").CombinedOutput()
Here's my netplan config file. Note that this is only part of the file; for security reasons I'm not including the mac address, name servers or gateway. However, they are correct because my ipv4 addresses work. Also, I haven't posted the real ipv6 addresses for security reasons as well.
root#ubuntu:~# cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
version: 2
ethernets:
eth0:
addresses: [ '2600:1303:d000:1::17c3:456e/24', '2600:1303:d000:1::17c3:4570/24', '2600:1303:d000:1::17c3:4572/24', '2600:1303:d000:1::17c3:4571/24', '2600:1303:d000:1::17c3:456f/24' ]
Thanks in Advance ;)
There were a couple of problems:
There was no gateway6.
The bit mask should have been "/64" instead of "/24"
Netplan wouldn't delete the old routes. I had to do following steps:
1. ip -6 addr del 2600:1303:d000:1::17c3:456f/24 dev eth0
2. netplan apply

Port is closed on Azure Linux VM even though allowed by network security group (NSG)

here's my scenario:
I have IP camera behind the company firewall that I want to stream publicly, and for that, I've created two Azure VMs (Ubuntu 19.04) - let's call them vm1 and vm2
In case it's important, my VM SKU is Standard B1s (1 vcpus, 1 GiB memory)
I SSH to my camera and from there, I do a remote port forwarding for RTSP like this:
ssh -R 554:localhost:554 root#<vm1-ip>
And, I guess I need to enable root SSH because it's a "well-known" port.
I log in to vm1, and I see it's listening on the port: sudo netstat -tlnp gives me this:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:554 0.0.0.0:* LISTEN 108748/sshd: root#p
tcp6 0 0 ::1:554 :::* LISTEN 108748/sshd: root#p
But, when I use nmap from from vm2, the port is shown as closed:
nmap <vm1-ip> -p 554
PORT STATE SERVICE
554/tcp closed rtsp
When I use vlc to connect to the stream, it doesn't work either: the URL I use in vlc is: rtsp://<vm1-ip>/...
I thought this might be an issue with the NSG (network security group) associated with vm1, so I tried allowing all inbound traffic:
and, needless to say that it doesn't solve the issue
Any thoughts on this?
Thank you

How do I change a listening rule with netcat?

I have a server that has a rule like so when I check netstat -tulpn:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
This has been all well and good as the mysql database we've use has only needed local access, but now I want to remote connect to it too. I need my netstat -tulpn to read like so:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
How do I update this? I've been looking through nc but everything seems to only talk about setting up listening for the first time. Whenever I try to assign a new rule I get a message like this:
(base) ct#do-not-touch:/$ sudo nc -l 0.0.0.0 3306
nc: Address already in use
How do update the 127.0.0.1:3306 rule to be for 0.0.0.0:3306? Am I somehow totally off base here?
You can't* have two processes listening on the same IP and port. Since 0.0.0.0 means listen on all IPs, you can't bind to it if there's anything bound to any IP on that port. Stop the existing process listening on 127.0.0.1:3306, and then you'll be able to start one listening on 0.0.0.0:3306.
*: Technically, a flag called SO_REUSEPORT does exist, and forking after binding lets you do it as well, but neither is useful in your situation.
Ok so if you run into this in the future, you have kill the process that is using whatever port but first you must know that port.
sudo lsof -t -i:3306
Then kill whatever id.

Unable to access express/node server on port 3001 despite enabling via firewall-cmd

I've been searching around this morning trying to figure out how to resolve my issue but nothing appears to suit my situation or solve my problem and so here I am.
I have a server running on CentOS Linux release 7.5.1804 (Core) and I have installed node v10.11.0 in order to host a website. I have a domain foo.ca whereby I have two separate web servers running (one for client, one for server). The client runs on port 3000, and I used iptables to forward port 80 to port 3000 so I can actually view my website without explicitly listing the port (i.e. by entering foo.ca in the address bar)
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000
This works fine, and I can see foo.ca
My problem arises when I try to access the server which is running on port 3001. I have enabled the port via tcp using firewall-cmd:
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
sudo firewall-cmd --zone=public --add-port=3001/tcp --permanent
sudo firewall-cmd --reload
If I type foo.ca:3001 chrome tells me the site can't be reached, foo.ca took too long to respond.
I tested port 3001 via an online tool and it says that it is open, I also checked netstat:
netstat -tuplen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 995 12161 -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 12066 -
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 1000 56647615 4926/node
tcp 0 0 0.0.0.0:3001 0.0.0.0:* LISTEN 1000 56671635 6195/node
Some online suggestions included using 0.0.0.0 rather than localhost but as you can see I already have that implemented. I don't really know what my options are at this point, I've tried enabling the port via iptables as well but I am not sure that did anything:
iptables -A INPUT -p tcp --dport 3001 -j ACCEPT
One last thing, my express server code is like so:
const express = require('express')
const app = express()
const port = 3001
app.get('/', (req, res) => res.send('Hello World!'))
app.listen(port, '0.0.0.0', () => console.log(`Example app listening on port ${port}!`))
And I run it like node test
Anyone have any ideas? I'm not much of a network guru
The solution was my network was blocking it for some reason

Unable to get to node.js externally

I've looked everywhere for an answer on this, but haven't had any luck.
I've installed node.js on my server. I've created the standard "Hello World" example like:
var http = require('http');
http.createServer(function (request, response) {
response.writeHead(200, {'Content-Type': 'text/plain'});
response.end('Hello World\n');
}).listen(8080, "0.0.0.0");
console.log('Server running at http://0.0.0.0:8080/');
After running the script on the server:
node app.js
I can connect internal to port 808 and see the Hello World message, but when I try to connect to port 8080 my server externally I get a "Can't connect to server" error. I've also tried this in my listen function:
etc..
}).listen(8080, "204.xxx.xxx.xxx");
(with my real external IP address) and haven't had any luck.
I've tried to accept connections on 8080 by adding this to iptables:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
but still have hit a wall. When I run netstat I get:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
which I think tells me that port 8080 is listening for connections.
So — what am I doing wrong here?
You are most likely behind network address translation (NAT).
If you're using a normal home internet connection and you have a gateway router, you can have multiple devices using your home's internet connection (connected via Ethernet or Wifi), no?
But you only have one IP address.
To accomplish this, the router lets you connect out - but doesn't let any connections initiated from the outside back in (simplification for relevance - read up if you want more information).
You're going to have to look at configuring port forwarding - you want external port 8080 to forward to your computer's internal IP address.

Resources