[sllug-members]: SSH question
Dan Witt
dan at witt.tv
Fri Apr 18 10:51:07 MDT 2008
Mark K. Spute wrote:
> Dan Witt wrote:
>> Mark K. Spute wrote:
>>> I ran
>>>
>>> ssh -p 22 root@127.0.0.1
>>>
>>> from the server console and it gave:
>>>
>>> ssh: connect to host 127.0.0.1 port 22: Connection refused
>>>
>>> I tried it again with:
>>>
>>> ssh -p 3022 root@127.0.0.1
>>>
>>> and I got:
>>>
>>> The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
>>> RSA key fingerprint is 23:3f: . . .
>>> Are you sure you want to continue connecting (yes/no)?
>>>
>>> Does this mean it is listening on this port, but it doesn't recognize
>>> itself?
>>
>> Hey Mark, it appears that you've successfully changed the SSH port but
>> iptables might be blocking port 3022. If 3022 is being blocked, you
>> won't be able to connect.
>>
>> Check your iptables script in:
>>
>> /etc/sysconfig/iptables
>>
>> There might be a line in there that reads something like:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>
>> Just change the port from 22 to 3022 and restart iptables.
>>
>> You might also want to use iptables to block any unknown IP addresses
>> from hitting port 3022 on your server. Here's an example for the
>> filter table:
>>
>> #Log any attempts to connect on port 3022
>> -A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
>> #Allow my work IP to connect on port 3022
>> -A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
>> #Allow my Mom to connect on port 3022
>> -A INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
>> #Block any other IP from trying to connect on 3022
>> -A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
>>
>> Good luck!
>>
>> -Dan Witt
>
> Okay, I updated my iptables as you suggested above and restarted
> iptables. Now I can login from machines behind my firewall (using
> 127.0.0.1). However, I tried to use PuTTY to log in to my public IP
> address (216.126.226.210) and I get a fatal error. It says "Network
> Error: connection refused".
>
> Is this still an iptables issue? (I know nothing about iptables, so I
> am hesitant to get in there and mess around.)
Hey Mark,
Sorry, I'm a little confused when you say, "Now I can login from
machines behind my firewall (using 127.0.0.1)," because it sounds like
you are now able to connect to your server from any machine on your
internal network, but you then give the IP 127.0.0.1, which is the
local machine you are logged in to. If "127.0.0.1" was just a typo and
you are able to SSH in from any internal machine, then it sounds like
the port isn't being forwarded properly from your router, you are trying
to access your public IP internally, or something like that.
I have to agree with Remo: you can shut down the iptables service
temporarily and see if it works externally, just to eliminate the
firewall question.
/etc/init.d/iptables stop
-Dan Witt
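Added example, not part of the thread: a small POSIX shell evaluator for the INPUT rules suggested above, to check first-match ordering before loading them on the real box. iptables walks a chain top to bottom, the first terminating target (ACCEPT, DROP, REJECT) decides, and LOG is non-terminating, so the posted order works but appending the DROP before the per-IP ACCEPTs locks those IPs out as well. The two source addresses are the ones from the post; 203.0.113.9 is a constructed "unknown" client, the chain policy is assumed to be ACCEPT, and only the matches used in the post (-i, -s with a host address, -p, --dport) are understood.

```shell
#!/bin/sh
# Constructed example: first-match evaluator for a few iptables INPUT rules.
# It is a model for checking rule order, not a replacement for iptables.

# Rules in the order suggested in the thread (IPs are the ones from the post).
GOOD_RULES='
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
-A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -i eth0 -s 121.121.43.11 -p tcp -m tcp --dport 3022 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
'

# A plausible mistake: the catch-all DROP appended before the per-IP ACCEPTs.
BAD_RULES='
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j LOG
-A INPUT -i eth0 -p tcp -m tcp --dport 3022 -j DROP
-A INPUT -i eth0 -s 123.123.23.31 -p tcp -m tcp --dport 3022 -j ACCEPT
'

POLICY=ACCEPT   # assumed chain policy; iptables-save shows the real one as ":INPUT ..."

# verdict RULES IFACE SRC PROTO DPORT
# Prints "<ACCEPT|DROP|REJECT> logged=<yes|no>": the target of the first
# terminating rule that matches, plus whether a LOG rule fired before it.
verdict() {
  rules=$1; iface=$2; src=$3; proto=$4; dport=$5
  logged=no
  while read -r line; do
    [ -n "$line" ] || continue
    # Tokenise the rule and pick out the matches and the target.
    r_iface=''; r_src=''; r_proto=''; r_dport=''; target=''
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in
        -i) r_iface=$2; shift 2 ;;
        -s) r_src=${2%/32}; shift 2 ;;   # host addresses only, no CIDR logic
        -p) r_proto=$2; shift 2 ;;
        --dport) r_dport=$2; shift 2 ;;
        -j) target=$2; shift 2 ;;
        *) shift ;;                       # -A INPUT, -m tcp, ... are ignored
      esac
    done
    # A rule matches only if every match it specifies agrees with the packet.
    [ -z "$r_iface" ] || [ "$r_iface" = "$iface" ] || continue
    [ -z "$r_src" ]   || [ "$r_src" = "$src" ]     || continue
    [ -z "$r_proto" ] || [ "$r_proto" = "$proto" ] || continue
    [ -z "$r_dport" ] || [ "$r_dport" = "$dport" ] || continue
    case $target in
      LOG) logged=yes ;;                               # LOG does not end evaluation
      ACCEPT|DROP|REJECT) echo "$target logged=$logged"; return 0 ;;
    esac
  done <<EOF
$rules
EOF
  echo "$POLICY logged=$logged"   # nothing matched: the chain policy decides
}

# Walk the cases a practitioner would want to see before loading the rules.
for ip in 123.123.23.31 121.121.43.11 203.0.113.9; do
  echo "3022 from $ip, posted order:   $(verdict "$GOOD_RULES" eth0 "$ip" tcp 3022)"
  echo "3022 from $ip, DROP first:     $(verdict "$BAD_RULES"  eth0 "$ip" tcp 3022)"
done
echo "port 22 from 203.0.113.9 (no rule matches): $(verdict "$GOOD_RULES" eth0 203.0.113.9 tcp 22)"
```

Two caveats when carrying this over to the live ruleset (`iptables-save` or `iptables -S INPUT` prints it in this syntax). First, the LOG rule as posted has no `--syn` or `-m state --state NEW` qualifier and no `-m limit`, so it fires for every packet to 3022, including every data packet of the accepted sessions; qualify and rate-limit it before relying on the log. Second, a DROP rule makes the client wait and eventually report a timeout, while "Connection refused" means a TCP RST or ICMP port-unreachable came back, which is what a closed port (nothing listening on that port at the host that answered) or a REJECT rule produces; a refused connection at the public address therefore points at the router or the listener rather than at a DROP rule.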