So, we have an absolutely clean system centos 7. And I decided the first thing there is to change the ssh port and make, for example, 34567

Through winscp I open the file / etc / ssh / sshd_config and instead of #Port 22 I prescribe there

Port 22 Port 34567

In the console I drive in sequentially:

 systemctl reload sshd systemctl restart sshd

Then I open the / etc / sysconfig / iptables file and add the line -A INPUT -p tcp -m state --state NEW -m tcp --dport 34567 -j ACCEPT, i.e. I bring it to mind:

 # sample configuration for iptables service # you can edit this manually or use system-config-firewall # please do not ask us to add additional ports/services to this default configuration *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 34567 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT

I save it, then in the console I drive in sequentially:

 systemctl reload iptables systemctl restart iptables

After that I open a new copy of winscp and try to connect to the server using the new port 34567 - everything is perfectly connected! 22 is also OK

Command output:

 # systemctl status iptables ● iptables.service - IPv4 firewall with iptables Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled) Active: active (exited) since Fri 2016-03-11 16:45:15 EST; 5min ago Process: 543 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS) Process: 529 ExecReload=/usr/libexec/iptables/iptables.init reload (code=exited, status=0/SUCCESS) Process: 605 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS) Main PID: 605 (code=exited, status=0/SUCCESS) Mar 11 16:45:15 gestiondbi-nl systemd[1]: Starting IPv4 firewall with iptables... Mar 11 16:45:15 gestiondbi-nl iptables.init[605]: iptables: Applying firewall rules: [ OK ] Mar 11 16:45:15 gestiondbi-nl systemd[1]: Started IPv4 firewall with iptable

s.

  # systemctl status sshd ● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2016-03-11 16:40:41 EST; 10min ago Docs: man:sshd(8) man:sshd_config(5) Process: 503 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) Main PID: 509 (sshd) CGroup: /system.slice/sshd.service └─509 /usr/sbin/sshd -D Mar 11 16:40:41 gestiondbi-nl systemd[1]: Started OpenSSH server daemon. Mar 11 16:40:41 gestiondbi-nl systemd[1]: Starting OpenSSH server daemon... Mar 11 16:40:41 gestiondbi-nl sshd[509]: Server listening on 0.0.0.0 port 34567. Mar 11 16:40:41 gestiondbi-nl sshd[509]: Server listening on :: port 34567. Mar 11 16:40:41 gestiondbi-nl sshd[509]: Server listening on 0.0.0.0 port 22. Mar 11 16:40:41 gestiondbi-nl sshd[509]: Server listening on :: port 22. Mar 11 16:48:27 gestiondbi-nl sshd[623]: Accepted password for root from xxx.xxx.205.136 port 63648 ssh2 Mar 11 16:48:39 gestiondbi-nl sshd[631]: Accepted password for root from xxx.xxx.205.136 port 63649 ssh2 Mar 11 16:48:51 gestiondbi-nl sshd[639]: Accepted password for root from xxx.xxx.205.136 port 63650 ssh2 Mar 11 16:49:37 gestiondbi-nl sshd[647]: Accepted password for root from xxx.xxx.205.136 port 30621 ssh2 # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:dhanalakshmi REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination

It seems that everything is OK, you can reboot the server, do reboot and everything, the server is dead and no longer shows signs of life - it does not work for either port 22 or port 34567, it also changes its status to offline in the hoster panel. It helps only reinstall the OS. Today I did this operation a couple of times and invariably after the reboot it ended in failure.

What could be the reason? I remember before on my other servers I changed the ssh port and everything was fine, they still work on a non-standard port. And then I took a few VPS from the new hosting provider and here.

  • Maybe there is no control over the OS kernel and the sysctl command only works for the current session? - Max ZS
  • but then the idea was to remain able to connect on port 22, I specifically left such an opportunity in the configs. I set up openvpn on another exactly the same VPS and after reboot everything works fine there - sashaeee
  • if hosting support cannot answer the question “why does this happen to you?”, try to determine for yourself what exactly leads to failure: either adding a port to the sshd configuration, or adding a rule to the netfilter , or their combination: enter one of the change and reboot the system. if it reboots, reinstall the system, make the second of the changes and reboot. // sacramental question: did you try to reboot the system before making changes? - aleksandr barakin pm
  • In TP addressed? Surely VPS on OpenVZ, hence the problem. - Andrew Hobbit

3 answers 3

Good day! Stepwise technology should be used.
1. just restart the server a couple of times, for verification;
2. change the sshd port and reboot again. Now if everything works
3. make a rule to the firewall and reboot again.
In this way, you will determine at what stage the problem.

    I have Debian 8. I had a similar problem.

    decided as follows:
    in file

     /lib/systemd/system/ssh.socket

    commented out

     #[Socket] #ListenStream=22 #Accept=yes

    rebooted and everything worked
    I did not find out the reason and did not yet understand what and how

      SElinux disconnect and you will be happy!