Change the default SSH port (22) [CentOS] - linux

I am trying to change the default port (22) for my system. I edited the sshd_config file, changing it to my desired port number (5555), and restarted my service, but it seems not to work. Is there something else I have to change? Thanks.

Yes, you must allow that new port in iptables. iptables is the firewall program for Linux.
With root privileges you will need to do this:
iptables -I INPUT 1 -p tcp --dport 5555 -j ACCEPT
Make sure you can connect using port 5555, then disable the old port.
iptables -A INPUT -j DROP -p tcp --dport 22
then save the new settings
/etc/init.d/iptables save
Check out this really good webpage for more information:
http://www.rackspace.com/knowledge_center/article/introduction-to-iptables#Save_Save_Save_your_Ruleset

1) Make a backup of the sshd config file (optional but a good idea):
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
2) Edit the sshd_config file to include your alternate port
vi /etc/ssh/sshd_config
Leave the default port 22 active for now and add your custom port
# Open ports for sshd
Port 22
Port 5555
3) Open the custom port in your firewall
iptables -I INPUT 1 -p tcp --dport 5555 -j ACCEPT
service iptables save
4) Use a new terminal window to make sure you can log in with your custom port
ssh -p 5555 myuser@myserver.com
If this doesn't work, you can still log in on port 22 to troubleshoot
5) Once you've confirmed the custom port works, edit the sshd_config file and firewall settings to block port 22
vi /etc/ssh/sshd_config
...
# Open ports for sshd
# Port 22
Port 5555
...
iptables -A INPUT -j DROP -p tcp --dport 22
service iptables save
Now you'll want to test again to make sure you can log in with your custom port but not with the default port of 22.
You will need to have root privileges or use sudo for the above commands.

Step - 1:
nano /etc/ssh/sshd_config
and change the port from 22 to the desired one, e.g. 5555
service sshd restart
Step - 2:
nano /etc/sysconfig/iptables
Here, you will find an entry for port 22. You will need to change it to 5555
service iptables restart
Now try SSH using:
ssh -p 5555 root@<your IP address>

To Change the SSH Port for Your Linux Server
Connect to your server via SSH
Switch to the root user
Run the following command:
vi /etc/ssh/sshd_config
Locate the following line: #Port 22
Remove the # and change 22 to your desired port number (e.g. 2224).
Restart the sshd service by running the following command:
service sshd restart

Related

How to restrict access to my subversion server (i.e. svnserve) by IP address, so only my IP can checkout, commit, etc.?

I'm using Ubuntu and I have my subversion server running as you can see below:
root 31422 1 0 06:45 ? 00:00:00 /usr/bin/svnserve -d -r /var/svn/repos --log-file=/var/log/svnserve.log
I want to whitelist my subversion server, in other words, I want to allow only my IP address to checkout, commit, log, etc. Does svnserve support that?
NOTE: I'm not using Apache to access my subversion.
svnserve listens on TCP port 3690 by default, so you can use any firewalling solution to restrict access to this port. For example with iptables:
# Let the internal network access it
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 3690 -j ACCEPT   # 192.168.0.0/16 is the private range; /8 would mean 192.0.0.0/8
# Let a specific external IP access it
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 3690 -j ACCEPT
# Drop all the rest
iptables -A INPUT -p tcp --dport 3690 -j DROP
It would however be better security-wise if you switched to apache + dav_svn, as you get SSL encryption and user authentication and it's not too complicated to set up: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html

Is it necessary to open all used ports when using one Node.JS application to route from port 80 to apps on different ones?

I'm working with an Ubuntu 12.04 LTS 64-bit server, where I have used the following commands to send all HTTP requests on port 80 to port 8080
Commands:
cat /proc/sys/net/ipv4/ip_forward #returns 1
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
From there I wanted to proxy the requests based on (sub)domain to some other ports (i.e. 9000, 3000, 9615) using http-master. I'm having some problems getting this done, and had it right once on a VPS on Amazon AWS where those ports were opened.
So what I'm asking is if it's necessary to open every port and how I can do that on the command line?
After some further research and experimentation I concluded that it's only necessary to open the port that we use as entry points. If we then route it with a proxy or even with NAT configuration to another PORT, the latter will be used only to "listen".

APF and iptables on router - disallow SSH on specific subnet host

I have a CentOS router with APF installed.
One terminal with 3 NICs (3 IPs) is using that router as a gateway to access the internet.
What I want is APF to block SSH access, on the 2 of 3 NICs (IPs).
So SSH is only accessible for a specific IP and not all three.
How can I achieve that directly on the router with APF or iptables?
Edit iptables to allow SSH connections from IP 111.222.222.222 and deny from all others.
vi /etc/sysconfig/iptables
Add
-A INPUT -p tcp -m tcp -s 111.222.222.222 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 22 -j DROP

Iptables forward over VPN

I'm connecting to a VPN in Windows to access a remote computer (Linux) with a static IP. From this remote computer I have access to different machines (database, svn, etc.).
I am trying to set up my remote computer to have access from my Windows machine to the database, the svn server, etc, because working on a remote connection is very slow.
So I tried the following lines in /etc/rc.local, but it doesn't work:
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d B1.B2.B3.B4 --dport 89 -j DNAT --to R1.R2.R3.R4:89
/sbin/iptables -A FORWARD -p tcp -d R1.R2.R3.R4 --dport 89 -j ACCEPT
Where B1.B2.B3.B4 is my remote database IP, 89 is the port we use to access the database, and R1.R2.R3.R4 is my remote machine IP.
What is wrong in this configuration?
Thanks.
Make sure ip_forward is enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also, you need to make sure the VPN pushes routes for B1.B2.B3.B4 to your Windows machine when connecting; if not, you'll have to add the routes yourself.
I think the MASQUERADE rule should be enough, but write it like this:
iptables -t nat -A POSTROUTING -s WINDOWS_BOX_VPN_IP -j MASQUERADE
But if you don't want to mess with iptables, you can use SSH to set up tunnels to your remote services, for example (you need some Windows SSH client that can create tunnels; I'm giving an example of how to run this from a Linux box):
ssh user@R1.R2.R3.R4 -L 8989:B1.B2.B3.B4:89
This will create a tunnel on localhost:8989 which will forward the connection to B1.B2.B3.B4:89 (look for "Local port forwarding", http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/ )
In the end I found Rinetd, which allows TCP redirections with an easy configuration.
According to my question, the configuration I had to add in /etc/rinetd.conf is:
R1.R2.R3.R4 89 B1.B2.B3.B4 89
Then I run Rinetd:
/usr/sbin/rinetd
And that's all.
If you want to run it automatically every time you restart your computer, you can add the command above to the file /etc/rc.local

Configuring IPtables for PHP-FPM

So I have a CentOS server with Nginx and now want to run Nginx with PHP-FPM. By default it's configured to port 9000 but I'm going to use 9001. I need to know how to open port 9001 for loopback in my iptables. Which of the following are correct, are they the same, or both wrong? Any help will be appreciated, thanks :)
iptables -A INPUT -p tcp -s 127.0.0.0 --dport 9001 -j ACCEPT
or
iptables -A INPUT -i lo --dport 9001 -j ACCEPT
You shouldn't need to open the firewall to connect to localhost, as it shouldn't be firewalled anyway (as a general rule).
But I would suggest following the above advice to use sockets instead.
Edit /etc/php5/fpm/php5-fpm.conf and search for these two lines:
listen = /var/run/php5-fpm.sock
;listen = 127.0.0.1:9000
Comment out the port one and uncomment the sock one - restart php-fpm :)
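Added here as a worked check, not code from any of the answers on this page: a small Python first-match simulator for iptables INPUT rules. It parses an iptables-save dump and the `Port` lines of an sshd_config, and reports which SSH ports a new TCP connection from a given source would actually reach. Run over the first answer's two commands (on a ruleset constructed to look like the stock CentOS 6 chain, which already accepts port 22), it shows the ordering pitfall: `-A INPUT -j DROP -p tcp --dport 22` appends the DROP below the existing ACCEPT for 22 and the catch-all REJECT, so port 22 stays open until the DROP is inserted above them (or the ACCEPT removed). That is exactly what the "test again" in step 5 of the second answer is meant to catch. The same `verdict()` function evaluates the svnserve allowlist, the APF/iptables source restriction, and the PHP-FPM question's `-s 127.0.0.0` rule, which iptables reads as one host (/32) rather than the loopback range. The sample rulesets, addresses and interface names are constructed assumptions.

```python
"""Added example, not code from any answer on this page: a first-match simulator
for iptables INPUT rules, so a ruleset can be checked before a port is blocked.
Assumptions: iptables-save style text; simulated packets are new TCP connections
arriving on eth0 unless told otherwise; only the matches used on this page
(-p, -s, -i, --dport, --state/--ctstate, -j) are understood."""
import ipaddress
from typing import List, Optional, Tuple


class Rule:
    """One `-A INPUT ...` line reduced to the fields the simulator matches on."""

    def __init__(self, line: str) -> None:
        toks = line.split()[2:]                   # drop the leading "-A INPUT"
        if len(toks) % 2:
            raise ValueError(f"unpaired option in: {line}")
        opts = dict(zip(toks[0::2], toks[1::2]))  # every option used here takes one value
        self.target: str = opts["-j"]
        self.proto: Optional[str] = opts.get("-p")
        self.iface: Optional[str] = opts.get("-i")
        # A bare address such as `-s 127.0.0.0` is one host (/32), not a range.
        self.src = ipaddress.ip_network(opts.get("-s", opts.get("--source", "0.0.0.0/0")),
                                        strict=False)
        self.dport: Optional[int] = int(opts["--dport"]) if "--dport" in opts else None
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            # iptables itself refuses --dport without -p tcp/udp ("unknown option").
            raise ValueError(f"--dport needs -p tcp or -p udp in: {line}")
        states = opts.get("--state", opts.get("--ctstate"))
        # Packets are simulated as NEW, so a rule limited to other states never matches.
        self.matches_new: bool = states is None or "NEW" in states.split(",")

    def matches(self, src: str, dport: int, proto: str, iface: str) -> bool:
        return (self.matches_new
                and self.proto in (None, proto)
                and ipaddress.ip_address(src) in self.src
                and self.dport in (None, dport)
                and self.iface in (None, iface))


def parse_chain(dump: str, chain: str = "INPUT") -> Tuple[List[Rule], str]:
    """Return (rules in order, chain policy) for one chain of an iptables-save dump."""
    rules, policy = [], "ACCEPT"
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(Rule(line))
    return rules, policy


def verdict(dump: str, src: str, dport: int, proto: str = "tcp", iface: str = "eth0") -> str:
    """Target of the first INPUT rule that matches, or the chain policy if none does."""
    rules, policy = parse_chain(dump)
    for rule in rules:
        if rule.matches(src, dport, proto, iface):
            return rule.target
    return policy


def sshd_ports(sshd_config: str) -> List[int]:
    """Ports sshd will listen on: every active `Port N` line, or 22 if there is none."""
    ports = [int(words[1]) for words in map(str.split, sshd_config.splitlines())
             if len(words) >= 2 and words[0].lower() == "port"]
    return ports or [22]


def reachable_ssh_ports(sshd_config: str, dump: str, src: str) -> List[int]:
    """Configured sshd ports that a new TCP connection from `src` would reach."""
    return [p for p in sshd_ports(sshd_config) if verdict(dump, src, p) == "ACCEPT"]


# Constructed: an INPUT chain modelled on the stock CentOS 6 ruleset, after the first
# answer's two commands. `-I INPUT 1 ... --dport 5555 -j ACCEPT` lands at the top;
# `-A INPUT -j DROP -p tcp --dport 22` lands at the bottom, below the stock ACCEPT
# for 22 and the catch-all REJECT, so it can never be reached.
AFTER_FIRST_ANSWER = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""
# Constructed: the same chain with the DROP inserted at position 1 instead of appended.
DROP_INSERTED_FIRST = AFTER_FIRST_ANSWER.replace(
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP\n", "").replace(
    ":INPUT ACCEPT [0:0]\n", ":INPUT ACCEPT [0:0]\n-A INPUT -p tcp -m tcp --dport 22 -j DROP\n")
SSHD_CONFIG = "# Open ports for sshd\nPort 22\nPort 5555\n"   # constructed, as in step 2

if __name__ == "__main__":
    # The appended DROP never fires, so port 22 is still reachable after "blocking" it.
    print(reachable_ssh_ports(SSHD_CONFIG, AFTER_FIRST_ANSWER, "203.0.113.9"))   # [22, 5555]
    print(reachable_ssh_ports(SSHD_CONFIG, DROP_INSERTED_FIRST, "203.0.113.9"))  # [5555]
```

Two things this check cannot see: a real rule list should be taken from `iptables-save` on the host rather than from `/etc/sysconfig/iptables`, since the running rules and the saved file diverge until `service iptables save` is run; and on CentOS with SELinux enforcing, sshd refuses to bind a non-default port until that port is labelled for it, for example with `semanage port -a -t ssh_port_t -p tcp 5555`, which is a common reason the port change in the original question "seems not to work" even with the firewall opened.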
