
Thread: changing ssh listener port?

  1. #21
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    Thanx for all your generous help so far markus!

    OK, here's the current state of affairs:

    I checked netstat in a root shell and it's OK.

    I did all that iptable stuff you said in a root shell.

    Here's my whole /etc/hosts.deny file (except for commented lines):
    ALL:ALL

    Here's my whole /etc/hosts.allow file (except for commented lines):
    ssh sshd : 127.0.0.1 LOCAL : ALLOW
    ssh sshd : XX.XX.XX.XX : ALLOW
    ALL:ALL:deny


    Here's my whole /etc/ssh/ssh_config file (except for commented lines):
    Host localhost
    ForwardAgent yes
    ForwardX11 yes
    Host *
    ForwardX11 yes
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication yes
    FallBackToRsh no
    UseRsh no
    CheckHostIP yes
    Port 22
    Protocol 2,1
    Cipher blowfish


    Here's my whole /etc/ssh/sshd_config file (except for commented lines):
    Port 80
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin yes
    IgnoreRhosts yes
    StrictModes yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog no
    KeepAlive yes
    SyslogFacility AUTH
    LogLevel INFO
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    Subsystem sftp /usr/lib/sftp-server
    UsePAM yes


    I issued the following command in a root shell:
    /etc/init.d/ssh restart

    I logged-in to my workpc from home (using port 22)
    ssh apcs@XX.XX.XX.XX

    Then I logged-in from there to my homepc (using port 80)
    ssh apcs@XX.XXX.XXX.XX -p80

    and the best I get is:
    ssh_exchange_identification: Connection closed by remote host

    ARRGGGHHHHH!

    Frustrated,
    AJG

  2. #22
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Quote Originally Posted by A. Jorge Garcia
    I did all that iptable stuff you said in a root shell.
    Umm, that's a line I use in my firewall.sh, it's not a command.
    Do you have iptables running? Check with iptables -nL

    Here's my whole /etc/hosts.deny file (except for commented lines):
    ALL:ALL

    Here's my whole /etc/hosts.allow file (except for commented lines):
    ssh sshd : 127.0.0.1 LOCAL : ALLOW
    ssh sshd : XX.XX.XX.XX : ALLOW
    ALL:ALL:deny
    Can't see a fault there..

    Here's my whole /etc/ssh/ssh_config file (except for commented lines):
    That's only for outward connections.

    Then I logged-in from there to my homepc (using port 80)
    ssh apcs@XX.XXX.XXX.XX -p80
    Is the missing space between p and 80 a typo?

    ARRGGGHHHHH!

    Frustrated,
    That I believe.

    In your sshd_config:
    HostKey /etc/ssh/ssh_host_key ---this would accept also ssh1 protocol

    Well, here's my sshd_config:
    Port 22
    Protocol 2 ---you're missing this if you want protocol 2 only
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    UsePrivilegeSeparation yes ---not sure if this is important
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    SyslogFacility AUTH
    LogLevel INFO
    LoginGraceTime 600
    PermitRootLogin no ---change this to no
    StrictModes yes
    RSAAuthentication yes ---you're missing this
    PubkeyAuthentication yes ---you're missing this
    IgnoreRhosts yes
    RhostsRSAAuthentication no
    HostbasedAuthentication no
    PermitEmptyPasswords no
    PasswordAuthentication no
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    KeepAlive yes
    Subsystem sftp /usr/lib/sftp-server
    UsePAM yes

    I just ssh'd with this to work and back to home so at least for me it works. Could it be that your work has disabled the not so secure protocol1?
    How about: ssh -2 -p 80 login@IP
    Check first if you can connect from home to home with ssh -p 80 homelogin@homeIP and ssh -2 -p 80 homelogin@homeIP

    We might be barking up the wrong tree. For all I know the answer is probably obvious and simple. I'm just not seeing it.

    EDIT: Another thought. Try deleting the line for your homeIP in the known_hosts file at your work.

  3. #23
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    Well, I never had to set up iptables before! So I didn't know what I was doing when I used that shell command you gave me.

    Anyway, here's what iptables -nL returns:
    root@gaurdian.mil:~# iptables -nL
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    BTW, ssh apcs@localhost -p80 works fine as does ssh apcs@localhost -p 80

    Also, ssh apcs@localhost -p80 works fine as does ssh -2 apcs@localhost -p80

    EDIT: OK, maybe you're on to something again with the known_hosts file....

    Stumped,
    AJG

  4. #24
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Quote Originally Posted by A. Jorge Garcia
    Well, I never had to setup iptables before! So I didn't know what I was doing when I used that shell command you gave me.

    Anyway, here's what iptables -nL returns:
    root@gaurdian.mil:~# iptables -nL
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    Ok, so iptables is running. Are you sure it wasn't running before? Otherwise I'm not sure where you got those chains. How about a reboot and then check if iptables is still running. Or check in /etc/rc2-5.d if you see something calling iptables. I haven't played with the iptables script in knoppix so I don't even know what starts it.

    BTW, ssh apcs@localhost -p80 works fine as does ssh apcs@localhost -p 80
    Ok, so space isn't important.

    Also, ssh apcs@localhost -p80 works fine as does ssh -2 apcs@localhost -p80
    Oh well, home to home seems to work too and protocol isn't important at home but how about from work with -2.

    Let's hope it's the known_hosts file because quite frankly I'm really getting out of ideas here.

  5. #25
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    Sorry, I'm not up on iptables. I just issued the commands you gave me in a root shell:

    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT


    Regards,
    AJG

  6. #26
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    I'm free, free at last, thank God almighty, free at last!!!

    Markus, you are an officer, a gentleman and a genius! I just tweaked everything again on the homePC and the workPC and on the router - now all of it works! I don't know just exactly what I fixed, but I did delete the known_hosts files on both PCs. I think that was the clincher.

    BTW, the only thing I didn't change was
    PermitRootLogin yes
    so I can tweak the workPC from home and the homePC from work if necessary (like I did today).

    Again, thank you, and underscore, so very much!

    Relieved,
    AJG

  7. #27
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Quote Originally Posted by A. Jorge Garcia
    I'm free, free at last, thank God almighty, free at last!!!
    Well done. Would be nice to know what it was but the main thing is it's working.

    BTW, the only thing I didn't change was
    PermitRootLogin yes
    so I can tweak the workPC from home and the homePC from work if necessary (like I did today).
    You can still do su to root even when it's set to no, the Permit thingy is just to keep out script kiddies and such that try to login directly as root with different password lists.
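
The sshd_config differences pointed out in post #22 and the PermitRootLogin point raised in posts #26 and #27 can be checked mechanically. The following is an added example, not code from any poster in this thread; the finding labels are hypothetical, and the default used when no Protocol line is present is an assumption about OpenSSH releases of that era.

```python
# Added example. Sample configs are constructed from the sshd_config
# listings in posts #21 and #22, trimmed to the settings being compared.
CONFIG_21 = """\
Port 80
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
PasswordAuthentication yes
"""
CONFIG_22 = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
"""

def parse(text):
    """Map lowercased keyword -> list of values (keywords are case-insensitive)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def audit(text):
    """Return finding labels (hypothetical names) for the settings discussed."""
    opts = parse(text)
    def first(key, default=""):
        # sshd keeps the first value it reads for single-valued keywords
        return opts.get(key, [default])[0]
    findings = []
    # Assumption: an sshd of this era with no Protocol line also accepts protocol 1.
    if "1" in [p.strip() for p in first("protocol", "2,1").split(",")]:
        findings.append("protocol-1-enabled")
    if any(v.endswith("/ssh_host_key") for v in opts.get("hostkey", [])):
        findings.append("ssh1-hostkey-loaded")
    if first("permitrootlogin").lower() == "yes":
        findings.append("root-login-permitted")
    if first("passwordauthentication").lower() == "yes":
        findings.append("password-auth-enabled")
    return findings

if __name__ == "__main__":
    for name, cfg in (("post #21", CONFIG_21), ("post #22", CONFIG_22)):
        print(name, audit(cfg) or "no findings")
```

To check a live server, pass the contents of /etc/ssh/sshd_config to `audit()`; the function only reads text and changes nothing.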

  8. #28
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    Thanx, Markus, for all your help. You are a god among Linux gurus!

    BTW, I think maybe I will remove root permission after all.

    Regards,
    AJG

  9. #29
    Senior Member
    Join Date
    Nov 2003
    Posts
    1,323
    Ahem, you're very welcome but I'm really just another semi-intermediate user.
    Wish there was some certified ladder to climb, like:
    ultranoob
    newbie
    accomplished newb
    semi-intermediate user
    intermediate user
    user
    accomplished user
    semi-guru
    guru
    kernel hacker

  10. #30
    Senior Member registered user
    Join Date
    Nov 2002
    Location
    Long Island, NY, USA
    Posts
    1,256
    I guess I'll aspire to one day be an AccomplishedNoob!

    Remember when this forum first started out? People would get some kind of rank based on how many posts they made. What happened to that? With over 1000 posts I guess I would be awarded the rank of UltraNoob since most of my posts have been questions....

    Regards,
    AJG
