The Community Forums

Interact with an entire community of cPanel & WHM users!

SSH Login

Discussion in 'General Discussion' started by Gutsmell, Apr 22, 2007.

  1. Gutsmell (Member)
    I logged into my remote server as root with SSH. I changed the port number, and I assigned a unique ListenAddress IP in /etc/ssh/sshd_config. I restarted SSH, and when I attempted to log in with the new IP and port number, I could not get back in. Datacenter support could log in, but I couldn't. I tried from 2 different locations. The error was: "Network error. Session timed out."

    So, now I logged in with SSH and enabled Telnet temporarily (/etc/xinetd.d/krb5-telnet), so that I could Telnet in if I got locked out again, and restarted. I can't log in with Telnet using PuTTYtel or the Windows Telnet client. I know this was risky, but it was only temporary.

    Why would Telnet not work? Is there another way it could be disabled?

    Is there another login alternative to root login besides Telnet? Would I be locked out of SFTP if I was locked out of SSH?

    Why couldn't I SSH into the server after I modified the port and ListenAddress? One of the networks I used doesn't have a router, so I assume no firewall. I just use the modem as a router. Could it still have something blocking the port?

    Any information or advice would be greatly appreciated.
     
  2. Spiral (BANNED)
    Watch out for firewalls on your server, and that also includes the built-in "iptables" firewall.

    Another common error is to map SSH to a port already in use by another process.

    If you change the SSH port then you need to make sure that port is open and available!

    Check /etc/services to see a list of standard ports.
     
  3. Gutsmell (Member)
    Thanks for the reply.

    I will check the IP against that list. But I don't understand how the datacenter support had no problem logging in with that IP and port.
     
  4. mctDarren (Well-Known Member)
    The DC isn't logging in remotely, they are logging in right at the machine.
     
  5. brianoz (Well-Known Member)
    If you have APF or CSF installed you will also need to enable the SSH port in your firewall before you can use it. If you don't have either installed, try installing CSF, it will make life easier.

    It's always a good idea to just stay logged in on your existing ssh login session until you know the new port works. You can also use "test mode" on the firewall which turns it on for 5 mins then turns it off again, in case it doesn't work -- or is blocking something you need, as in your case.
     
  6. Spiral (BANNED)
    A follow-up to what brianoz just said ....

    An easy way to make sure your configuration is working is to reset your SSHD process (/etc/rc.d/init.d/sshd restart) and, while you keep your original connection connected, open a second SSH window and try to connect to the server with the new settings.

    If the new settings don't work, you still have your original SSH connection open that you can use to undo your changes.
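Spiral's port-conflict check (post 2) and the keep-a-session-open procedure from brianoz and Spiral (posts 5 and 6), combined into one added shell script. This is not code from the thread or from cPanel: the config path /etc/ssh/sshd_config, the port 2222, the address 203.0.113.10 (RFC 5737 documentation range) and the service name sshd are assumptions, and `ss`, `ip` and `service` stand in for the netstat/ifconfig/init-script commands a 2007 box would have used. The file-editing function deliberately rewrites the first matching line rather than appending, because sshd honours the first occurrence of a keyword.

```shell
#!/bin/sh
# Added example, not from the thread. Moves sshd to a new Port/ListenAddress
# without locking yourself out. Assumed values: config path, port 2222,
# address 203.0.113.10 (RFC 5737 documentation range), service name "sshd"
# (it is "ssh" on Debian-derived systems).
set -eu

# Replace (or add) one directive in an sshd_config-style file.
# sshd uses the FIRST occurrence of a keyword, so appending "Port 2222"
# below an existing "Port 22" changes nothing; rewrite the first match
# instead, whether it is active or a commented-out default ("#Port 22").
sshd_set() {            # sshd_set <file> <Keyword> <value>
    file=$1 key=$2 val=$3
    cp -p "$file" "$file.tmp"          # keep the file's mode (often 0600)
    awk -v k="$key" -v v="$val" '
        !done && tolower($0) ~ ("^[[:space:]]*#?[[:space:]]*" tolower(k) "[[:space:]=]") {
            print k " " v; done = 1; next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Spiral's check: is the port registered to another service? Prints the
# service name and returns 0 if so, 1 if the port is free in the file.
port_in_services() {    # port_in_services <port> [services_file]
    awk -v p="$1" '
        $1 !~ /^#/ && $2 ~ ("^" p "/tcp$") { print $1; found = 1; exit }
        END { exit !found }
    ' "${2:-/etc/services}"
}

main() {
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
    new_port=${NEW_PORT:-2222}
    new_addr=${NEW_ADDR:-203.0.113.10}

    # 1. The new port must be free: not registered to another service and
    #    not already listening (the "mapped to a port already in use" mistake).
    if svc=$(port_in_services "$new_port"); then
        echo "port $new_port belongs to $svc in /etc/services" >&2; exit 1
    fi
    if ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$new_port\$"; then
        echo "something already listens on port $new_port" >&2; exit 1
    fi
    # 2. ListenAddress must be an address this host actually has; otherwise
    #    sshd cannot bind the socket and will not come back after the restart.
    if ! ip -o addr 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | grep -qx "$new_addr"; then
        echo "$new_addr is not configured on any interface" >&2; exit 1
    fi

    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    sshd_set "$cfg" Port "$new_port"
    sshd_set "$cfg" ListenAddress "$new_addr"

    # 3. Syntax-check the file before the running daemon ever sees it.
    sshd -t -f "$cfg"
    # 4. Open the port in the host firewall BEFORE restarting (plain iptables
    #    shown; APF/CSF users add the port to their firewall config instead,
    #    since those tools rewrite the iptables rules on every restart).
    iptables -I INPUT -p tcp --dport "$new_port" -j ACCEPT
    # 5. Restart, then confirm the listener. The CURRENT session survives the
    #    restart (only the listening parent is replaced), so do the login test
    #    from a second terminal and close this one only once it succeeds.
    service sshd restart
    ss -ltn | grep -q "$new_addr:$new_port" || { echo "sshd is not listening on $new_addr:$new_port" >&2; exit 1; }
    echo "From a second terminal: ssh -p $new_port root@$new_addr (keep this session open until that works)"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `SSHD_CONFIG=/etc/ssh/sshd_config NEW_PORT=2222 NEW_ADDR=203.0.113.10 sh move-sshd.sh --apply` from the session you intend to keep open. The two pre-flight checks cover the two silent failure modes behind a "session timed out" symptom: a port that something else already owns, and a ListenAddress the host does not have (sshd then fails to start at all, which looks identical from the outside).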
     
  7. Gutsmell (Member)
    Thanks again for the replies. You have been very helpful.

    I didn't realize I could keep the first session open if I changed the settings. I just assumed the first session would time out.

    I need to study the server firewall issues. I have APF, but I haven't tinkered with it yet. If someone could point me in the right direction, it would be greatly appreciated.
     
  8. brianoz (Well-Known Member)
    Therein lies the problem. If you haven't modified the default APF settings it won't be allowing SSH on non-standard ports. I'd recommend installing CSF instead - it can be updated to the latest in one line and detects many security problems out of the box, and can be configured from WHM.
     
  9. Gutsmell (Member)
    Thanks for the help. I was able to accomplish my goals with help from DC support.
     
  10. mctDarren (Well-Known Member)
    To answer the APF question, look for conf.apf in /etc/apf/ - that's your configuration file. Edit that and look for "TCP_CPORTS". Add your port number to that line, save and restart APF.
     
    #10 mctDarren, Apr 24, 2007
    Last edited: Apr 24, 2007
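mctDarren's conf.apf edit and brianoz's firewall "test mode" (posts 5, 8 and 10), as an added shell example that is not from the thread or from the APF/CSF projects. The inbound TCP list in /etc/apf/conf.apf is the `IG_TCP_CPORTS="..."` line mctDarren refers to; CSF keeps the same list as `TCP_IN = "..."` in /etc/csf/csf.conf, and the function below handles both spellings. The test mode is APF's `DEVEL_MODE` and CSF's `TESTING` switch, which has cron flush the rules every five minutes until you turn it off. Port 2222 is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Adds an SSH port to the inbound TCP
# allow-list of APF (IG_TCP_CPORTS in /etc/apf/conf.apf) or CSF (TCP_IN in
# /etc/csf/csf.conf) without duplicating it, then restarts the firewall in
# its auto-flush test mode. Port 2222 is an assumption.
set -eu

# Append <port> to a   VAR="a,b,c"   or   VAR = "a,b,c"   line, leaving
# everything else (other lists, trailing comments) untouched. A port that is
# already listed is not added twice, so re-running the script is safe.
add_port_to_list() {    # add_port_to_list <conf_file> <VARIABLE> <port>
    conf=$1 var=$2 port=$3
    cp -p "$conf" "$conf.tmp"          # preserve the file mode
    awk -v var="$var" -v port="$port" '
        $0 ~ ("^[[:space:]]*" var "[[:space:]]*=") && match($0, /"[^"]*"/) {
            list = substr($0, RSTART + 1, RLENGTH - 2)      # inside the quotes
            n = split(list, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == port) { print; next }
            sep = (list == "") ? "" : ","
            print substr($0, 1, RSTART) list sep port substr($0, RSTART + RLENGTH - 1)
            next
        }
        { print }
    ' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Flip a   VAR="0"   /   VAR = "0"   switch; used for the test-mode toggle.
set_switch() {          # set_switch <conf_file> <VARIABLE> <value>
    conf=$1 var=$2 val=$3
    cp -p "$conf" "$conf.tmp"
    awk -v var="$var" -v val="$val" '
        $0 ~ ("^[[:space:]]*" var "[[:space:]]*=") { sub(/"[^"]*"/, "\"" val "\"") }
        { print }
    ' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

main() {
    port=${SSH_PORT:-2222}
    if [ -f /etc/csf/csf.conf ]; then
        add_port_to_list /etc/csf/csf.conf TCP_IN "$port"
        set_switch /etc/csf/csf.conf TESTING 1        # flushed every TESTING_INTERVAL minutes
        csf -r
    elif [ -f /etc/apf/conf.apf ]; then
        add_port_to_list /etc/apf/conf.apf IG_TCP_CPORTS "$port"
        set_switch /etc/apf/conf.apf DEVEL_MODE 1     # cron flushes the rules every 5 minutes
        apf -r
    else
        echo "neither CSF nor APF found; open the port with iptables directly" >&2; exit 1
    fi
    echo "Firewall restarted in test mode. Confirm 'ssh -p $port' works from a second"
    echo "terminal, then set TESTING / DEVEL_MODE back to 0 and restart the firewall,"
    echo "otherwise the rules keep being flushed and the box is left unprotected."
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Leaving test mode on is the opposite mistake from the lock-out the thread is about: the firewall quietly disappears every few minutes. Turn it off as soon as the second-terminal login succeeds.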
  11. Gutsmell (Member)

    No coffee typo. Ha! Ha! I was wondering if you were gonna change that.

    Thanks for the reply Serversphere. I found the info right after I posted the question. I was able to implement the port and ip change.

    I was wondering how much difference having a unique port and dedicated unique ip number will make in securing the server. I am hoping it will slow down the malicious slime.
     
  12. nickp666 (Well-Known Member)
    It significantly reduces the amount of brute-force attacks on SSH (unless someone has a personal vendetta ;) ) and therefore increases the overall security of the server. However, the main source of attacks nowadays is vulnerable web scripts, so mod_security with a strong ruleset is highly recommended.
     
  13. mctDarren (Well-Known Member)
    <grin> Often guilty of not enough coffee, half awake slip ups when typing/spelling :)

    It should make a pretty nice difference, unless there is a real person behind the probe. Most of these scans are automatic via a script. And just like any slimeball looking to steal or harm, they want the easiest mark. Most scripts are programmed in this fashion: "No SSH response on port 22? Move on to the next in the list."

    For a real alternative, search on "Private/Public Keys" and cut out password based logins altogether. Here's a nice link to get you started on that:

    http://www.unixwiz.net/techtips/putty-openssh.html#keypair

    -Darren
     
  14. ujr (Well-Known Member)
    Gutsmell, generally I would also recommend adding a static IP which only you have access to, to the ignore list in APF or CSF. This way, when changing sshd_config, you could still access your box, using that allowed ip. All in all, ssh keys with password auth disabled is the way to go!
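mctDarren's key-based login and ujr's allow-listed management address (posts 13 and 14), as an added shell example that is not from the thread or from cPanel: a public key restricted to one source address, that address added to the CSF/APF allow list, and an audit of what sshd will actually enforce, read from `sshd -T` output. The address 198.51.100.7 (RFC 5737 range), the uploaded public key path and the comment strings are assumptions. The key pair is generated on the workstation (PuTTYgen or ssh-keygen, as in the linked article), and only the public half is copied to the server.

```shell
#!/bin/sh
# Added example, not from the thread. Installs a source-restricted SSH public
# key, allow-lists the management address in the firewall, and audits the
# EFFECTIVE sshd settings. Assumed values: 198.51.100.7 (RFC 5737 range),
# uploaded public key at ~/id_ed25519.pub, comment strings.
set -eu

# Build an authorized_keys line that sshd will only accept from <allowed_ip>
# and that cannot be used for tunnelling if the private key leaks. These
# options are enforced by sshd at login, not by the client.
restricted_key_line() {   # restricted_key_line <allowed_ip> "<type> <base64> [comment]"
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Audit `sshd -T` output (lower-case "keyword value" per line) read from
# stdin. Checking the effective config instead of grepping sshd_config catches
# first-occurrence-wins surprises, Match blocks and compiled-in defaults.
# Prints one FAIL line per problem and returns 1 if there is any.
audit_sshd_effective() {
    awk '
        BEGIN {
            want["passwordauthentication"]       = "^no$"
            want["kbdinteractiveauthentication"] = "^no$"   # PAM password prompts arrive via this method
            want["pubkeyauthentication"]         = "^yes$"
            want["permitemptypasswords"]         = "^no$"
            want["permitrootlogin"]              = "^(no|without-password|prohibit-password)$"
        }
        { k = $1; if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication" }  # pre-8.7 name
        (k in want) {
            seen[k] = 1
            if ($2 !~ want[k]) { bad++; print "FAIL " k " = " $2 }
        }
        END {
            for (k in want) if (!(k in seen)) { bad++; print "FAIL " k " not reported" }
            exit bad ? 1 : 0
        }
    '
}

main() {
    ip=${ALLOWED_IP:-198.51.100.7}
    pub=${PUBKEY:-$HOME/id_ed25519.pub}     # public key generated on the workstation and uploaded
    [ -f "$pub" ] || { echo "upload the public key to $pub first (ssh-keygen or PuTTYgen on the workstation)" >&2; exit 1; }

    # 1. Allow-list the management address in the firewall first: this is the
    #    address you keep to get back in if a later sshd_config change goes wrong.
    if command -v csf >/dev/null 2>&1; then csf -a "$ip" "management workstation"
    elif command -v apf >/dev/null 2>&1; then apf -a "$ip"; fi

    # 2. Install the public key with the source restriction. With StrictModes
    #    (the default) sshd ignores authorized_keys if it or ~/.ssh is writable
    #    by anyone but the owner, so fix the modes explicitly.
    mkdir -p "$HOME/.ssh"; chmod 700 "$HOME/.ssh"
    restricted_key_line "$ip" "$(cat "$pub")" >> "$HOME/.ssh/authorized_keys"
    chmod 600 "$HOME/.ssh/authorized_keys"

    # 3. From a SECOND terminal on $ip, confirm that key login works BEFORE
    #    setting PasswordAuthentication no (and KbdInteractiveAuthentication no)
    #    in sshd_config. Then confirm what sshd will actually enforce:
    sshd -T | audit_sshd_effective
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

The audit insists on `KbdInteractiveAuthentication no` (the old name `ChallengeResponseAuthentication` is accepted too) because `PasswordAuthentication no` on its own still lets PAM prompt for a password through keyboard-interactive, which is the usual reason a "passwords disabled" server is still brute-forceable.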
     
  15. Gutsmell (Member)
    Thanks for the info!

    I think I'm just gonna tweak settings for security until there's nothing left to tweak.
     
  17. Gutsmell (Member)
    I used a dedicated IP, but didn't think about a limited-access IP. That should be helpful.
    Thanks!
     