SSH Firewall – What to Do When Locked Out After Changing Port

firewallssh

I have a VPS where I changed the SSH port from the default 22. Unfortunately I forgot to allow the new port through the firewall. I don't have physical access to the server, and my host does not seem to offer any shell access to the VPS through their website. Result: I'm locked out of the server. Is there any way I can rectify this short of resetting the server?

Best Answer

If you made the changes by hand and reinvoked sshd resetting might help, but if you changed sshd_config then resetting the server will not help you, the server will come back up and listen on the new, firewalled, port.

You will have to access the VPS through a console or any other means your provider provides to rectify this kind of problem.

BTW, you can, and should, specify multiple ports in your sshd_config:

Port 22
Port 2222

that way you can test things on the new port before removing the old one, assuming you have to remove the old port in the first place. The only reason I ever had to setup sshd to listen to a different port is because a friend's internet provider blocks access to ports below 1025, and his router is not able to map ports, only to allow specific port traffic through, to an internal address.

Related Solutions

Ssh – what is the required ports to be opened on the firewall

This is security by obscurity, and you have chosen a port that in my experience is more often scanned. Just leave ssh on port 22 and get that opened. If you do plan to use security by obscurity, it is best not to pick a well known port. Scanning rates on them tends to be higher than other ports.

An alternative approach is to ssh into an already accessible system and connect from there. ssh can be programmed to automatically forward you to another system.

The only ports that need to be open to any network are those that are used. The list of outbound ports is usually different than inbound. You may want to retrieve patches from your vendor (often on port 80), while not allowing incoming HTTP requests.

Email should generally go to a relay server which will route it appropriately.

Ssh – How to work out which port to log in on with SSH

First check on the config file which port is configured:

$ sudo grep Port /etc/ssh/sshd_config
Port 22

Then either restart ssh to make sure it loads the config you just saw or find out on which port ssh is running:

$ sudo netstat -tpln | egrep '(Proto|ssh)'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      12586/sshd

That's a normal ssh running on port 22.

Best Answer

Related Solutions

Ssh – what is the required ports to be opened on the firewall

Ssh – How to work out which port to log in on with SSH

Related Question