Running ssh on Amazon EC2 instance on port other than 22 - ssh

I am not able to access Amazon EC2 instance via ssh as i am behind a firewall.
So, i thought of running ssh on port other than 22, like 80 or 443.
I tried starting Amazon EC2 instance via Web Management Console with following 'user data':
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 80/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
The idea being that the above script would execute on instance startup and switch ssh from port 22 to port 80. (Ref: http://alestic.com/2010/12/ec2-ssh-port-80)
But ssh is still not accessible on port 80.
Apparently 'user data' script is not being executed on start up?
I can 'only' start stop instances via Web Management Console, not from command-line (being behind firewall)
Any ideas?

To connect to an AWS instance through ssh from a port different than default 22:
Open the security group of your instance so that it allows connections to that port from the source that you choose (0.0.0.0/0 for any source).
In your instance:
It is a new instance you could use an user-data script like this one:
#!/bin/bash -ex
perl -pi -e 's/^#?Port 22$/Port 443/' /etc/ssh/sshd_config
service sshd restart || service ssh restart
Please note that this only works if you are launching a new instance:
User data scripts and cloud-init directives only run during the first boot cycle when an instance is launched.
If it is not a new Instance, edit the /etc/ssh/sshd_config file adding/changing Port 22 to the port that you want (i.e: Port 443) to connect through ssh and then do service ssh restart and you should be done.
Note: I did this with an Ubuntu instance, with another Linux instances may be slightly different.

The amazon firewall blocks all ports other than 22. You first have to enable port 80/443/whatever.
HOWTO:
Go to "security groups" -> click on the group you chose for your instance, then on the "Inbound" tab.
There you can add your ports.
EDIT: If by chance you also installed apache or some other webserver, port 80 will be used and cannot be used by sshd. I do not know which operating system is installed on your server, but maybe some webserver is already included?
EDIT 2: As per the last comment, it seems nowadays all ports are blocked by default. So you will have to open port 22 if you need it. Wasn't the case eight years ago, but configurations change ;)

Here is what I came up with to run sshd on 443 and 22 having rhel8 on ec2
make sure your security groups allow connection from your network/ip to the desired ports (in my case 22 and 443)
tcp 443 1.2.3.4/32 #allow access to 443 from IP 1.2.3.4
tcp 22 1.2.3.4/32 #allow access to 22 from IP 1.2.3.4
Login to the EC2 and
#install semanage with
sudo yum install -y policycoreutils-python-utils
#delete 443 from http ports
sudo semanage port -d -t http_port_t -p tcp 443
#add 443 to ssh ports
sudo semanage port -m -t ssh_port_t -p tcp 443
Edit /etc/ssh/sshd_config
Port 22
Port 443
Restart sshd
sudo service sshd restart

Related

SSH Remote Tunnel port

I have 3 computers 2 Linux and 1 Windows.
Windows PC and Linux server (A) are on the same network (1).
The linux server (B) is on another network (2).
I want to make an SSH tunnel between the 2 linux servers to allow the Windows PC to access an HTTP page of the Linux server (B), which is therefore on another network.
With this command on the linux server (A) the tunnel works fine but only locally in linux.
ssh -R 8080:localhost:80 linuxa.internet.com
But from Windows PC I cannot access port 8080 on linux (A). http://linuxa.local:8080 does not work.
So I tried these two commands to open access to my PC but it doesn't work either.
ssh -R 0.0.0.0:8080:localhost:80 linuxa.internet.com
ssh -R ipwindows:8080:localhost:80 linuxa.internet.com
Can you help me ?
Thank you
From a comment, I conclude that you might have problem with the firewall. Suppose you can reach the tunnel from the host that is "proxy" (with curl,wget,ncat etc. on localhost). You should check what block traffic. In most cases, it is a firewall. Depending on your Linux distro you might have different backends and frontends for a firewall. If you have firewall-cmd command installed it's very likely that firewalld is one.
But before blaming the firewall, you should check if a port is open/closed. I prefer netcat:
HOST_THAT_SHOULD_HAVE_OPEN_PORT # nc -l 8080
HOST_THAT_SHOULD_BE_ABLE_TO_CONNECT # nc HOST_THAT_SHOULD_HAVE_OPEN_PORT 8080
If there is no connection or connection is refused, it's extremely likely that the firewall is the problem.
You can check if firewalld is running with systemctl:
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-02-08 21:42:29 CET; 13h ago
Then you might add traffic on port 8080:
# firewall-cmd --add-port 8080/tcp
success
It will temporarily open network traffic on 8080. Then you should be able to use port 8080 and your ssh tunnel.
Thank you for your answer but I don't think I have a firewall installed
systemctl status firewalld
return
Unit firewalld.service could not be found.
and
firewall-cmd --add-port 8080/tcp
-bash: firewall-cmd: command not found

How to configure ssh to listen to private network IP address?

I have a system with centOS 7 installed. And on the second system I have windows 10. Both the machines are connected to private network. Now, I want to access the centOS machine remotely over ssh.
I checked the IP address of my windows machine, and then I edited the
/etc/ssh/sshd_config
file on the centOS system, With the following entries
ListenAddress <Ip_address_of_window_machine>
But when I restart the ssh service using the following command
systemctl restart sshd.service
I get the following error
bind to port 22 on <ip-address> failed. cannot assign requested address
But when I configure entries like this
ListenAddress 0.0.0.0
ListenAddress [::]
it works fine. But I want to bound my ssh to just particular iP-address
The ListenAddress configuration options tells sshd process to bind to a specific network interface on the server. If you want restrict access to a CentOS host then you need to use firewall. Though firewalld is the proper way to go (with zones and so on), old good iptables will do the job:
sudo iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j REJECT
Where a.b.c.d is the ip address of windows hosts.
NOTICE: By configuring firewall over the networks you can easily lock yourself out!

Apache configured to listen on port 80 only but instead listening on port 8080 as well

I was not able to use port 8080 because it was apparently already used.
In order to see which program was using it, I typed the following command in my terminal (on MacOS):
sudo lsof -n -i :8080
Here's the result:
httpd is also listening on port 80, which I found out by using the following command:
sudo lsof -n -i :80 | grep LISTEN
Here's the result:
So I went to find out what this "httpd"-process was. Apparently it is basically the web server installed on my machine. The web server installed on my machine is Apache2.
Given this fact I concluded that Apache2 was apparently configured to listen on port 80 AND on port 8080.
BUT: Here's the crazy thing: I went to the folder /etc/apache2 and opened the file "httpd.conf". In the file Apache is configured to listen on port 80 only !!!
Why the hell is it also listening on port 8080 ?!
How can I make it listen on port 80 only ?

SSH Connection refuse after changing port

I am connecting to CentOS7 minimal installation machine in a LAN (192.168.1.33).
I have changed the ssh port vi /etc/ssh/sshd_config line 17 Port 1234
after restarting the sshd service the connection is refused
ssh demo#192.168.1.33 -p 1234
ssh: connect to host 192.168.1.33 port 1234: Connection refused
I have disabled SELinux and router-firewall but still having problem.
Though if I change back to port 22 I can login again.
Is there any other configuration to be changed?
Can you remotely connect to the server another way? If so, once you get in, run sudo netstat -plutn.
You should see at least one entry for sshd. If you don't, sshd isn't running. You can install it via sudo apt-get install openssh-server.
If you do, is the port under 'Local Address' for the sshd line 1234? This will tell you if you successfully changed the port configuration.
Hope that helps!

how should I test if port forwarding is working?

I am doing a local forwarding to the remote port at 80 which the apache2 is listening on like this ssh -L 80:localhost:80 user#host.com , so it connects me to the remote server, however I find I can still do mkdir rm and such commands. Isn't it so that I am only forwarded to application listening on port 80? so what's the difference to this command ssh -p 22 host.com ? Is there a way to test if this port forwarding is working?
Yes, you can Test as follows:
You should use a Client program on one Side and A Server Program on the other remote side.
Try to connect your client to your server according to ports and IP's used in your port forwarding by Netsh Cmd.
If connection succeed , that is it, if connection fails, that means port forwarding command was failed, or your ip and port configuration of your client and server is wrong.
More over if you send a text file to the server, you should receive it.
I hope that this will help.
Thanks.
You can listen on port 80 with netcat like this on the host ...
nc -l -p 80
... and then either send something back with netcat ...
nc host.com 80 <<< hello
... and see if you get a "hello" on the server, or use nmap :
nmap host.com -p 80
You can also use nmap the same way if you already have a server listening on port 80, like apache.
Just note that nmap will say it's closed unless there is something listening on that port.