[sllug-members]: SSH question
Mark K. Spute
mks at certa.org
Fri Apr 18 10:13:57 MDT 2008
Dan Witt wrote:
> Mark K. Spute wrote:
>> I ran
>>
>> ssh -p 22 root at 127.0.0.1
>>
>> from the server console and it gave:
>>
>> ssh: connect to host 127.0.0.1 port 22: Connection refused
>>
>> I tried it again with:
>>
>> ssh -p 3022 root at 127.0.0.1
>>
>> and I got:
>>
>> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
>> RSA key fingerprint is 23:3f: . . .
>> Are you sure you want to continue connecting (yes/no)?
>>
>> Does this mean it is listening on this port, but it doesn't recognize
>> itself?
>
> Hey Mark, it appears that you've successfully changed the SSH port but
> iptables might be blocking port 3022. If 3022 is being blocked, you
> won't be able to connect.
>
> Check your iptables script in:
>
> /etc/sysconfig/iptables
>
> There might be a line in there that reads something like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
> ACCEPT
>
> Just change the port from 22 to 3022 and restart iptables.
>
> You might also want to use iptables to block any unknown IP addresses from
> hitting port 3022 on your server. Here's an example for the filter table:
>
> #Log any attempts to connect on port 3022
> -A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
> #Allow my work IP to connect on port 3022
> -A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
> #Allow my Mom to connect on port 3022
> -A INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
> #Block any other IP from trying to connect on 3022
> -A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
>
> Good luck!
>
> -Dan Witt
Okay, I updated my iptables as you suggested above and restarted
iptables. Now I can login from machines behind my firewall (using
127.0.0.1). However, I tried to use putty to login to my public IP
address (216.126.226.210) and I get a fatal error. It says Network
Error: connection refused.
Is this still an iptables issue? (I know nothing about iptables, so I
am hesitant to get in there and mess around.)
Mark
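As an added illustration (not code from the thread), a small shell script that walks a constructed set of iptables rules in the order the kernel evaluates them and reports which target fires for a given port and source; it shows why the LOG, ACCEPT, DROP ordering in Dan's example matters and what happens when the DROP rule is placed first. It assumes all rules live in a single chain and only inspects -s, --dport and -j.

```shell
#!/bin/sh
# Constructed rules in iptables-save style, copied from the pattern in the thread.
GOOD_RULES="$(mktemp)"
cat > "$GOOD_RULES" <<'EOF'
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
-A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
EOF

# Constructed misordered variant: the catch-all DROP comes before the ACCEPTs,
# so it shadows them and even the allowed sources are dropped.
BAD_RULES="$(mktemp)"
cat > "$BAD_RULES" <<'EOF'
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
-A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
EOF

# verdict_for FILE PORT SRC_IP
# Walks the rules top to bottom like the kernel does and prints the first
# terminating target (ACCEPT/DROP/REJECT) whose -s/--dport match. LOG only
# records the packet and evaluation continues. If nothing matches, the chain
# policy decides, which is reported here as POLICY.
verdict_for() {
    awk -v port="$2" -v src="$3" '
    $1 == "-A" {
        rsrc = ""; rport = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s")      rsrc   = $(i + 1)
            if ($i == "--dport") rport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (rport != "" && rport != port) next   # wrong port, rule skipped
        if (rsrc  != "" && rsrc  != src)  next   # wrong source, rule skipped
        if (target == "LOG") next                # non-terminating, keep going
        print target; matched = 1; exit
    }
    END { if (!matched) print "POLICY" }
    ' "$1"
}

verdict_for "$GOOD_RULES" 3022 123.123.23.31   # ACCEPT
verdict_for "$GOOD_RULES" 3022 198.51.100.7    # DROP
verdict_for "$BAD_RULES"  3022 123.123.23.31   # DROP (shadowed by the early DROP)
```

A DROP rule makes the client hang until it times out; an immediate "connection refused" like the one above comes from a REJECT rule or from nothing listening on that address and port, so sshd's Port/ListenAddress settings and any router port forwarding in front of the public IP are also worth checking.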