Resolved Plesk firewall - SSH access issue

[indy0077]

Hi, after I changed the ssh port from 22 to 988, I can't access the server via ssh. After the changes I applied the changes in Plesk firewall and also restarted the whole VPS, but still cannot log in via port 988 nor 22. If I disable the Plesk firewall in CP and reboot the server login works via port 22. The ssh port 988 has been added to the firewall rules, but iptables check doesn't contain this port under accepted.

Any help with this please? Thanks

 

[IgorG]

Check ssh port in /etc/services too. Make sure that port is open for connections with

# lsof -i tcp:998

 

[indy0077]

Here are some checks:

[root@vs1 /]# ps -A | grep sshd
5349 ? 00:00:00 sshd
5542 ? 00:00:00 sshd
[root@vs1 /]# semanage port -l | grep ssh
ssh_port_t tcp 22
[root@vs1 /]# sestatus
SELinux status: disabled
[root@vs1 /]# ss -tnlp | grep ssh
LISTEN 0 5 *:22 *:* users("sshd",pid=5679,fd=3))

The port 988 isn't in '/etc/services' there. Has this to be added manualy there?


The ssh port in the ssh config file has been changed to 988 so why I'm still able to log in via 22?

 

[IgorG]

You need to change ssh port in sshd-config and in '/etc/services' too.

 

[indy0077]

Works, thank you. P.S. I had to reboot the server to get the ssh port changes working.

 

[indy0077]

Hi, it seems it was a false alarm. The ssh port 988 still doesn't work.

1. this has been added to '/etc/services':
ssh 988/tcp # The Secure Shell (SSH) Protocol
ssh 988/udp

2. this is in the 'etc/ssh/ssh_config':

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 988
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

3. Firewall several times disabled/enabled and checked the ssh connection on 988 - fails
4. after the changes, the server has been rebooted as well - nothing changed

The server is still accessible through the port 22

Thanks

 

[gastonwagner]

I have the same problem. Could you fix it?
Default installation of Pelsk on Centos 7

 

[indy0077]

You need to change ssh port in sshd-config and in '/etc/services' too.

This has been changed as well in '/etc/services' to:

ssh 988/tcp # The Secure Shell (SSH) Protocol
ssh 988/udp # The Secure Shell (SSH) Protocol

But after reboot the ssh port is still 22:

# semanage port -l | grep ssh
ssh_port_t tcp 22

What now???

 

[indy0077]

I have the same problem. Could you fix it?
Default installation of Pelsk on Centos 7

No, the changed ssh port still doesn't work.

 

[indy0077]

You need to change ssh port in sshd-config

After changing the port in 'sshd_config' now no ssh access is working:

Network error: Connection refused

No port 22 nor xxx the changed one... Ok, what is the next step to get this fixed for ever?

 

[virtubox]

After changing the port in 'sshd_config' now no ssh access is working:

Network error: Connection refused

No port 22 nor xxx the changed one... Ok, what is the next step to get this fixed for ever?

Hello @indy0077. At first, when you choose a custom ssh port, choose it between 1024 and 64000, because port under 1024 can be used by another service.
Then change the port in /etc/ssh/sshd_config, before reloading the ssh service.
And then, if you use Plesk firewall, add a rules for an incoming connection on the custom ssh port you have choosen.

 

[indy0077]

Hello @indy0077. At first, when you choose a custom ssh port, choose it between 1024 and 64000, because port under 1024 can be used by another service.
Then change the port in /etc/ssh/sshd_config, before reloading the ssh service.
And then, if you use Plesk firewall, add a rules for an incoming connection on the custom ssh port you have choosen.

Ok, would like to try your tip, but as I said, now the VPS/Plesk is not accessible over ssh, after I made the changes in 'sshd_config'.

 

[virtubox]

Ok, would like to try your tip, but as I said, now the VPS/Plesk is not accessible over ssh, after I made the changes in 'sshd_config'.

If you have set a custom ssh port, you have to allow this port in the plesk firewall settings., directly from the plesk interface

 

[indy0077]

If you have set a custom ssh port, you have to allow this port in the plesk firewall settings., directly from the plesk interface

I use the Juggernaut Security and Firewall and both ssh ports have been allowed there. But still no ssh access.

Now we change back the ssh port to 22 in 'ssh_config' and 'sshd_config' and we can log in again with port 22. Notice that before we tried many things: the firewall has been disabled, reboots after changes, every combinations in ssh_config and sshd_config, but no success.

'/etc/services' includes:

ssh 988/tcp # The Secure Shell (SSH) Protocol
ssh 988/udp # The Secure Shell (SSH) Protocol

Here is the current output of:

# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: activating (start) since Tue 2017-10-10 21:17:39 CEST; 1s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 2541 (sshd)
Memory: 4.5M
CGroup: /system.slice/sshd.service
├─2415 sshd: root@pts/0
├─2451 -bash
├─2541 /usr/sbin/sshd -D
└─2543 systemctl status sshd.service

Oct 10 21:17:39 xyz.com sshd[2541]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct 10 21:17:39 xyz.com sshd[2541]: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
Oct 10 21:17:39 xyz.com sshd[2541]: It is recommended that your private key files are NOT accessible by others.
Oct 10 21:17:39 xyz.com sshd[2541]: This private key will be ignored.
Oct 10 21:17:39 xyz.com sshd[2541]: bad permissions: ignore key: /etc/ssh/ssh_host_rsa_key
Oct 10 21:17:39 xyz.com sshd[2541]: Server listening on 0.0.0.0 port 22.
Oct 10 21:17:39 xyz.com sshd[2541]: Could not load host key: /etc/ssh/ssh_host_rsa_key
Oct 10 21:17:39 xyz.com sshd[2541]: Could not load host key: /etc/ssh/ssh_host_dsa_key
Oct 10 21:17:39 xyz.com sshd[2541]: Disabling protocol version 2. Could not load host key
Oct 10 21:17:39 xyz.com sshd[2541]: error: Bind to port 22 on :: failed: Address already in use.

 

[G J Piper]

Can you show the command line you are using to attempt to connect?

 

[indy0077]

Can you show the command line you are using to attempt to connect?

Don't understand... what do you mean? The ssh login?

 

[G J Piper]

Don't understand... what do you mean? The ssh login?

Yes. Obscure the domain name if you like.

When I changed mine, all that was needed was to open the firewall port and add the "Port XXX" to the sshd_config file.
I think I left the "Port 22" in the file though as well, and just closed it at the firewall from outside.

 

[indy0077]

The ssh login command is as usual:

root
password

If you mean the ssh access details:

server IP
port

That's it.

 

[G J Piper]

The ssh login command is as usual:

root
password

If you mean the ssh access details:

server IP
port

That's it.

I'm not communicating well enough... as an example, here is what I use to log in to my servers via command line:

# ssh -24kvx -i ~/.ssh/id_rsa -c aes256-ctr -l admin mydomain.com -p 22

 

[indy0077]

Ok, the problem solved. The solution is:

after changing the port in 'sshd_config' and '/etc/services' you have to restart the ssh service from the command line or on what's ever way. The reboot from Plesk admin panel, ssh console or from the VPS panel doesn't restart the ssh service.

Or won't be the ssh service restared automatically by a reboot of the server/VPS?

P.S. this counts maybe just in my case of a KVM virtualization with CentOS 7.3. No idea if that happens by OpenVZ, XEN etc.