[sllug-members]: SSH question
Dan Witt
dan at witt.tv
Thu Apr 17 16:37:58 MDT 2008
Mark K. Spute wrote:
> I ran
>
> ssh -p 22 root@127.0.0.1
>
> from the server console and it gave:
>
> ssh: connet to host 127.0.0.1 port 22: Connection refused
>
> I tried it again with:
>
> ssh -p 3022 root@127.0.0.1
>
> and I got:
>
> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
> RSA key fingerprint is 23:3f: . . .
> Are you sure you want to continue connecting (yes/no)?
>
> Does this mean it is listening on this port, but it doesn't recognize
> itself?
Hey Mark, it appears that you've successfully changed the SSH port but
iptables might be blocking port 3022. If 3022 is being blocked, you
won't be able to connect.
Check your iptables script in:
/etc/sysconfig/iptables
There might be a line in there that reads something like:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Just change the port from 22 to 3022 and restart iptables.
You might also want to use iptables to block any unknown IP addresses from
hitting port 3022 on your server. Here's an example for the filter table:
#Log any attempts to connect on port 3022
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
#Allow my work IP to connect on port 3022
-A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
#Allow my Mom to connect on port 3022
-A INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
#Block any other IP from trying to connect on 3022
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
Good luck!
-Dan Witt
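As an added example (not from Dan's reply or the list), here is a small POSIX shell/awk checker that reads an /etc/sysconfig/iptables-style rule set and reports the first terminating verdict for a new TCP connection to a port, so the "change 22 to 3022" edit and the allow-list rules above can be sanity-checked before restarting iptables. Both rule sets and the 192.0.2.x/198.51.100.x addresses are constructed placeholders, and the checker compares -s literally (no CIDR masks, no chain jumps).

```shell
#!/bin/sh
# Constructed sample in the style of /etc/sysconfig/iptables (not Mark's real file).
BASE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
# Constructed allow-list in the shape of the reply, with RFC 5737 placeholder addresses.
ALLOWLIST_RULES='-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
-A INPUT -i eth0 -s 192.0.2.10 -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP'

# first_verdict RULES PORT [SRC]: walk the -A lines in order (first match wins, as
# iptables does) and print the first terminating target for TCP to PORT from SRC.
# LOG is non-terminating and skipped; "none" means no rule matched, so the packet
# falls through to the chain policy or the trailing REJECT. -s is matched literally.
first_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" -v src="${3:-}" '
    /^-A / && /-p tcp/ {
      hit = 0; srcok = 1
      for (i = 1; i < NF; i++) {
        if ($i == "--dport" && $(i+1) == port) hit = 1
        if ($i == "-s" && $(i+1) != src) srcok = 0
      }
      if (!hit || !srcok) next
      for (j = 1; j < NF; j++)
        if ($j == "-j" && $(j+1) != "LOG") { print $(j+1); found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# retarget_port RULES OLD NEW: the edit the reply suggests, applied to the file text:
# change --dport OLD to --dport NEW on every TCP rule and print the result.
retarget_port() {
  printf '%s\n' "$1" | awk -v old="$2" -v new="$3" '
    /^-A / && /-p tcp/ { for (i = 1; i < NF; i++) if ($i == "--dport" && $(i+1) == old) $(i+1) = new }
    { print }'
}

# Before the edit a remote client reaching 3022 falls through to REJECT; after it, 22 does.
echo "22 -> $(first_verdict "$BASE_RULES" 22)"
echo "3022 -> $(first_verdict "$BASE_RULES" 3022)"
MOVED=$(retarget_port "$BASE_RULES" 22 3022)
echo "after retarget, 3022 -> $(first_verdict "$MOVED" 3022)"
echo "allow-list, 3022 from 192.0.2.10 -> $(first_verdict "$ALLOWLIST_RULES" 3022 192.0.2.10)"
echo "allow-list, 3022 from 198.51.100.7 -> $(first_verdict "$ALLOWLIST_RULES" 3022 198.51.100.7)"
```

On a real box, replace the constructed strings with `$(cat /etc/sysconfig/iptables)`; the checker only reads text and never touches the live firewall.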