firehol issues
serversshports="tcp/99999"
clientsshports="99999"
That's not the real port, but you get the idea.
Here are the rules for eth0:
web
interface eth0 public src not "${UNROUTABLE_IPS}"
protection strong
client all accept
server ICMP accept
server ping accept
server http accept
server https accept
server ssh accept
server mysql accept dst "private.ip.address"
Whenever I attempt to log in via SSH, here is what I see in the console:
IN-public:IN=eth0 OUT= MAC=MACADDRESS* SRC=MYREMOTEIP* DST=SLICEIP* LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=SSH_PORT* WINDOW=8192 RES=0x00 SYN URGP=0
Anyone have any idea why this is being blocked?
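The log line above is the kind of record worth summarizing when a rule silently fails to match: each entry is a set of key=value tokens, and the DPT and SRC fields tell you which port and which client hit the logging rule. The following shell script is an added example, not part of the original post. It parses netfilter log lines of that form from a constructed sample (hostnames and addresses taken from the documentation ranges, with DPT=2222 standing in for the redacted SSH port), counts logged TCP SYNs per destination port, and lists the sources that hit a given port.

```shell
#!/bin/sh
# Added example (not from the original post): summarize netfilter/FireHOL log
# lines of the form "IN-public:IN=eth0 OUT= ... PROTO=TCP SPT=... DPT=... SYN".
# The log lines below are constructed for this example; addresses come from
# the documentation ranges and DPT=2222 stands in for the redacted SSH port.

LOGLINES='Jan 10 12:00:01 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:03 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16995 DF PROTO=TCP SPT=51439 DPT=2222 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:05 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=2222 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:07 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=2 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:09 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=44 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=44
Jan 10 12:00:11 slice kernel: IN-public:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=44 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarize_syns: read log lines on stdin, print "PROTO DPT count" for every
# logged TCP SYN (new connection attempts only), most frequent port first.
# UDP and ICMP records carry no SYN flag and are skipped.
summarize_syns() {
    awk '{
        proto = ""; dpt = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)     proto = substr($i, 7)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
            else if ($i == "SYN")   syn = 1
        }
        if (proto != "" && dpt != "" && syn) cnt[proto " " dpt]++
    } END { for (k in cnt) print k, cnt[k] }' | sort -k3,3nr -k1,1 -k2,2n
}

# sources_for_port PORT: read log lines on stdin, print each distinct SRC
# address that was logged trying to reach destination port PORT.
sources_for_port() {
    awk -v want="$1" '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)       src = substr($i, 5)
            else if ($i ~ /^DPT=/)  dpt = substr($i, 5)
        }
        if (dpt == want && src != "") print src
    }' | sort -u
}

echo "logged TCP SYNs by destination port:"
printf '%s\n' "$LOGLINES" | summarize_syns
echo "sources that hit port 2222:"
printf '%s\n' "$LOGLINES" | sources_for_port 2222
```

Feed the script your real log (for example `grep IN-public /var/log/kern.log | summarize_syns`). A port that keeps showing up in this summary while you expect it to be accepted means the packet reached the logging rule without matching any accept rule for that interface, which is where to compare the DPT value against the port your firewall service definition actually carries.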
6 Replies
Although the firehol documentation says to set up new servers the above way, this is what actually worked for me:
server custom ssh tcp/99999 default accept
Also I've done a quick guide for getting basic security in place:
@poetics5:
server custom ssh tcp/99999 default accept
When you added the custom line, did you remove the regular "server ssh accept" line?
Also, in the ssh config, you just change the port from 22 to whatever you wanted? Is it advisable to try both ports before committing? I am asking because that is exactly what I wanted to try by putting "port = 25 99999" (not the real port), and I am not getting a connection after restarting on the high port, but 22 still works. Maybe I need a colon between the ports? I should look that up.
Bedevere: the reason you're still connecting on 22 is because you have the regular "server ssh accept" line in your firehol conf. Remove that and you'll only be able to connect through the custom port. (Provided, of course, that your SSH configuration is adjusted accordingly.)
It's also a good idea to limit incoming SSH connections to a certain IP range, unless you're giving out shell accounts to random people. This can be done by adding an "src" clause to the appropriate line in your Firehol conf. For example,
server custom ssh tcp/99999 default accept src 123.123.123.123
I have a static IP at home, so this directive kicks out everyone except my home computer. If your IP changes from time to time, it might be better to use a broader IP range such as 123.123.0.0/16. This way, nobody in China will be able to connect to your box through SSH, let alone hack it through SSH, even if they happened to know which port to connect to.
If you lock yourself out, or you need emergency access from an IP address not listed in your Firehol conf, you can always go into Lish to fix it!
OK, I will remove the regular SSH. I actually tried naming the custom one SSH1, but that's not clean. And yeah, when I messed it up I used the ajax console.
I already did the src as well. Good move there.
I have this as my config in sshd_config so that I can connect in on 443 from some places.
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress <second ip here>:443
ListenAddress 0.0.0.0
Basically that says use port 22, and listen on all interfaces (0.0.0.0) for connections, AND listen on
Let me know if you have any questions.
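As an added example that is not part of any post above: a POSIX shell helper for the "try both ports before committing" question earlier in the thread and the sshd_config shown in the last post. OpenSSH takes one port per Port directive, so a second port is a second `Port` line rather than a space-separated list, and a `ListenAddress` entry without its own port binds every configured Port. The helper validates the port number (tcp/99999 is out of range), inserts the extra `Port` line ahead of the first active ListenAddress so address-only entries pick it up, lists the ports the file will bind, and arms a timed rollback for the lock-out case the thread mentions. The file paths, the port 2222 and the `service ssh reload` command are assumptions for the example; adjust them to your system. The firewall still needs the matching `server custom ... tcp/<port>` line from the thread, otherwise you are only testing that sshd listens.

```shell
#!/bin/sh
# Added example (not from the thread): stage an extra sshd listening port
# without giving up the existing one, and arm a timed rollback so a mistake
# does not lock you out. Assumes an OpenSSH sshd_config; the "service ssh
# reload" command and the port numbers used by callers are assumptions.

# valid_port N: true if N is an integer in 1..65535 (tcp/99999 is not a port).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# add_port FILE PORT: add "Port PORT" as its own directive. OpenSSH accepts
# one port per Port line, so "Port 22 2222" would not work. The line goes in
# front of the first active ListenAddress so address-only entries use it;
# if there is no ListenAddress it is appended. Idempotent.
add_port() {
    file=$1; port=$2
    valid_port "$port" || { echo "add_port: invalid port '$port'" >&2; return 1; }
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}[[:space:]]*\$" "$file"; then
        return 0   # already configured; nothing to do
    fi
    tmp=$(mktemp) || return 1
    awk -v p="$port" '
        /^[[:space:]]*ListenAddress[[:space:]]/ && !done { print "Port " p; done = 1 }
        { print }
        END { if (!done) print "Port " p }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# listening_ports FILE: every port sshd will bind given FILE: explicit Port
# lines plus ports written into ListenAddress host:port or [v6addr]:port
# entries. Address-only ListenAddress lines add no port of their own.
listening_ports() {
    awk '
        /^[[:space:]]*Port[[:space:]]+/ { print $2 }
        /^[[:space:]]*ListenAddress[[:space:]]+/ {
            a = $2
            if (a ~ /^\[.*\]:[0-9]+$/)      { sub(/^.*\]:/, "", a); print a }
            else if (a ~ /^[^:]+:[0-9]+$/)  { sub(/^.*:/,   "", a); print a }
        }
    ' "$1" | sort -un
}

# arm_rollback FILE SECONDS: keep a copy of FILE and, after SECONDS, put it
# back and reload sshd unless disarm_rollback removed the copy first. Log in
# on the new port from a *new* session, then disarm; if you cannot get in,
# the old configuration comes back on its own.
arm_rollback() {
    cp "$1" "$1.rollback" || return 1
    ( sleep "$2"
      if [ -f "$1.rollback" ]; then
          mv "$1.rollback" "$1" && sshd -t && service ssh reload
      fi ) >/dev/null 2>&1 &
}

disarm_rollback() { rm -f "$1.rollback"; }

# Typical sequence (as root, with your system's sshd_config path):
#   arm_rollback /etc/ssh/sshd_config 300
#   add_port /etc/ssh/sshd_config 2222 && sshd -t && service ssh reload
#   # ... open a new session on port 2222 and confirm it works ...
#   disarm_rollback /etc/ssh/sshd_config
```

Keep the old `Port 22` line until the new port has been verified from outside, then remove it and the corresponding firewall rule in the same step; `sshd -t` before every reload catches a syntax error before it takes the daemon down.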