Thread: changing ssh listener port?

  1. #11
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    OK, now I'm home and I got sshd to listen on port 80. So I can ssh in from home on port 22 and then I try to ssh back from work on port 80 and I get "connection closed by remote host." So, that's some progress! It only timed out before. I did forward the port on the D-Link before it worked. However, I'm still not in.

    Regards,
    AJG

  2. #12
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    If you have ALL:ALL in /etc/hosts.deny try adding the following lines to hosts.allow
    ssh sshd : workIP @domain : ALLOW
    ssh sshd : 127.0.0.1 LOCAL : ALLOW

    EDIT: You can do this with one line:
    ssh sshd : 127.0.0.1 .workdomain : ALLOW

    You might as well start by testing the connection from home to home just to rule out some problems.

  3. #13
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    OK, I'll try to edit hosts.allow as you suggest just as soon as I get home since I can't ssh there from work anymore and edit it from here! Boy, I never realized how much I had come to depend on ssh! What a pain this is. I've been using ssh, sftp and fish for tons of everyday stuff. In fact, I set up sshd because it was so easy to use and more secure than ftp and telnet ever were. I've never had to do anything to hosts.allow, but let's see what happens.

    Anyway, here's the current state of affairs:
    PC at work, I reset (after much tweaking) ssh_config and sshd_config to port 22.
    PC at home, I also left ssh_config with port 22 but changed sshd_config at home to use port 80.

    The idea is so I can still ssh from home to work without a problem:
    ssh userid@homeip

    Further, the idea was to ssh from work to home using port 80 thusly:
    ssh userid@workip -p80

    HomeToWork is fine. Before I switched to port 80, WorkToHome would timeout. I've apparently made some progress as now with port 80 I get connection closed by remote host! Now what?

    Thanx,
    AJG

  4. #14
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    OK, I'm home!

    BTW, port 80 works fine internally on my home office PCs and port 22 works fine internally on my work LAN and hosts.deny has ALL:PARANOID in it. Does that matter?

    I placed the following 2 lines in hosts.allow and restarted ssh but no joy!
    ssh sshd : workip@ALL : ALLOW
    ssh sshd : 127.0.0.1 LOCAL : ALLOW
    is that correct?

    What if I just comment out ALL:PARANOID in hosts.deny
    and change ssh sshd : workip@ALL : ALLOW to ssh sshd : ALL@ALL : ALLOW
    in hosts.allow?

  5. #15
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Quote Originally Posted by A. Jorge Garcia
    OK, I'm home!

    BTW, port 80 works fine internally on my home office PCs and port 22 works fine internally on my work LAN and hosts.deny has ALL:PARANOID in it. Does that matter?

    I placed the following 2 lines in hosts.allow and restarted ssh but no joy!
    ssh sshd : workip@ALL : ALLOW
    ssh sshd : 127.0.0.1 LOCAL : ALLOW
    is that correct?
    Nope. try:
    ssh sshd : workip @workdomain : ALLOW

    What if I just comment out ALL:PARANOID in hosts.deny
    and change ssh sshd : workip@ALL : ALLOW to ssh sshd : ALL@ALL : ALLOW
    in hosts.allow?
    You need a space before "@". You're allowing an IP AND a domain. (wishing I remembered the syntax correctly)
    Besides, are you sure you want the whole world to be able to connect? At least add AllowUsers user1 user2 and so on to sshd_config.

  6. #16
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    I don't understand what to put in for workdomain.

    BTW, you need a userid and password and ipaddress to get in, right?

    TIA,
    AJG

  7. #17
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    OK, in a desperate attempt to try to get this working again I commented out everything in hosts.deny (ie: ALL:PARANOID) and added

    ssh sshd : ALL@ALL : ALLOW
    ALL : 127.0.0.1 LOCAL : ALLOW

    to hosts.allow (everything else in that file is commented out too). I restarted sshd, I sshed in to the work PC but I still can't ssh back from there. Something really weird is going on here!

    Regards,
    AJG

  8. #18
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Ok, I'm getting clueless again. I ran a test as an example:

    First check if ssh is really listening:
    root@fujibox:~# netstat -tupan|grep LISTEN
    tcp6 0 0 :::80 :::* LISTEN 3149/sshd

    # /etc/hosts.allow: list of hosts that are allowed to access the system.
    # ssh sshd : ALL@ALL : ALLOW
    ssh sshd : 127.0.0.1 LOCAL : ALLOW
    ssh sshd : ip.from.where.iconnect : ALLOW
    # snipped a few allowed lines
    #ALL : 127.0.0.1 LOCAL : ALLOW
    #ALL : ALL@ALL : DENY
    ALL:ALL:deny

    # /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
    #ALL: PARANOID
    ALL:ALL

    Opened in iptables:
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT

    Forwarded in my router after checking inet addr with ifconfig:
    to_IP:192.168.2.166 port:80 protocol:both enable

    Connected with:
    ssh -p 80 markus@my.ip.number

    It then asks to save the rsa key and proceeds to connect.

  9. #19
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    OK, let me try all that. But, one thing, you now say that I use

    ssh sshd : ip.from.where.iconnect : ALLOW
    say
    ssh sshd : 111.112.113.114 : ALLOW


    in hosts.allow, not

    ssh sshd : ip.from.where.iconnect @domainname: ALLOW
    say
    ssh sshd : 111.112.113.114 @school.edu: ALLOW

    that's what is confusing me. I thought you said I had to specify a domainname for my work which I'm not sure of.

    I'm wondering if something else is going on here. I never had a problem setting up ssh like this....

    Thanx for all your help!

    Regards,
    AJG

  10. #20
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    First of all, I'm hardly an expert on this.
    Second, sorry if I misled you. I meant you can specify an IP and/or a domain from where you connect. I just use an IP myself.
    The domain is probably the @part of your work email.

    I'm not trying to confuse you more but you can also allow an IP-range.
    Say your workip is 111.222.333.444 you can do: whois 111.222.333.444 which should give you close to the top of the output inetnum.
    Say the range is 111.222.333.0 - 111.222.444.555 you can then put in hosts.allow:
    ssh sshd : 111.222.333. : ALLOW
    ssh sshd : 111.222.444. : ALLOW
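
The hosts.allow patterns tried in this thread, run through a simplified model of hosts_access(5) matching; this is an added example, not code from any poster or from tcp_wrappers. It assumes ident lookups return no username and leaves out netgroups, netmasks and PARANOID; 111.112.113.114 is the placeholder address from post #19.

```python
# Added example: simplified model of hosts_access(5) matching (not tcpd's code).
# Supports ALL, LOCAL, exact host, "n.n.n." prefix, ".domain" suffix, user@host,
# and an ALLOW/DENY third field. Assumes ident lookups return no username.

def host_matches(pattern, addr, name):
    """True if one client pattern matches the client's address or hostname."""
    if "@" in pattern[1:]:
        # user@host: the part before "@" is a remote USER pattern, not a host.
        user, pattern = pattern.split("@", 1)
        if user != "ALL":            # assumption: no ident reply to compare with
            return False
    if pattern.startswith("@"):      # "@name" is an NIS netgroup, not a domain
        return False                 # netgroups are not modelled
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":           # hostname that contains no dot
        return bool(name) and "." not in name
    if pattern.endswith("."):        # address prefix such as "111.112.113."
        return addr.startswith(pattern)
    if pattern.startswith("."):      # hostname suffix such as ".school.edu"
        return bool(name) and name.endswith(pattern)
    return pattern in (addr, name)

def decide(daemon, addr, name, allow_rules, deny_rules):
    """Return (verdict, matching_rule) for a client connecting to daemon."""
    for default, rules in (("ALLOW", allow_rules), ("DENY", deny_rules)):
        for rule in rules:
            if rule.lstrip().startswith("#"):
                continue
            fields = [f.strip() for f in rule.split(":")]
            if len(fields) < 2:
                continue
            daemons = fields[0].replace(",", " ").split()
            clients = fields[1].replace(",", " ").split()
            if daemon not in daemons and "ALL" not in daemons:
                continue
            if any(host_matches(p, addr, name) for p in clients):
                verdict = fields[2].upper() if len(fields) > 2 else default
                return verdict, rule
    return "ALLOW", None             # nothing matched in either file

# Constructed sample input: 111.112.113.114 is the example address from post #19.
HOSTS_DENY = ["ALL:ALL"]
USER_AT_FORM = ["ssh sshd : 111.112.113.114@ALL : ALLOW"]
PREFIX_FORM = ["ssh sshd : 127.0.0.1 LOCAL : ALLOW", "ssh sshd : 111.112.113. : ALLOW"]

if __name__ == "__main__":
    for rules in (USER_AT_FORM, PREFIX_FORM):
        print(rules[-1], "->", decide("sshd", "111.112.113.114", None, rules, HOSTS_DENY))
```

Upstream OpenSSH removed libwrap support in release 6.7, so an sshd built without it never consults these files.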
