Changing SSH port

Posted: Mon Nov 10, 2014 2:26 pm
by durjoy
Hi,
I am planning to change the SSH port on all of my VPS for security reasons.
I know the new version of VestaCP comes with fail2ban and iptables.
I don't want my IP address to get banned for failed login attempts.

How can I add the new SSH port to iptables and VestaCP?
What command shall I enter and what file shall I modify?

Thanks

Re: Changing SSH port

Posted: Mon Nov 10, 2014 3:04 pm
by Milka
You should first allow the port (and maybe also your home/office IP) in Vesta, otherwise you'd lock yourself out. You can do that in Vesta's web interface. Then you can edit /etc/ssh/sshd_config to change the port. Don't forget to restart ssh (service sshd restart) to apply your changes.

Re: Changing SSH port

Posted: Mon Nov 10, 2014 10:23 pm
by Trentor
1. Decide which port you want to use to connect to your server via SSH (for this example, 19).

2. In the Vesta panel, under the Firewall menu, modify the SSH entry and put in the new port number. With that, iptables will be properly modified.

3. Modify the SSH config (use nano, vim, or your preferred text editor):

Edit the file:

nano /etc/ssh/sshd_config

Search for:

#Port 22

And change it to:

Port 19

Save the file.

4. We are now going to modify your fail2ban configuration to add your IP to the whitelist.

Edit the file:

nano /etc/fail2ban/jail.local

Search for:

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

Add your IP at the end of the block:

ignoreip = yo.ur.ip

Save the file.

5. Restart the modified services:

Restart SSH (use the correct command for your distro; for this example, CentOS):

service sshd restart

Restart iptables:

service iptables restart

Restart fail2ban:

service fail2ban restart

Done.
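A pre-flight check to run before the restarts in step 5, added here as an example and not part of Trentor's post: it reads sshd_config, an iptables-save dump and jail.local, and only reports the restart as safe when every sshd Port has an ACCEPT rule in INPUT and the admin address is listed in ignoreip. Helper names are hypothetical and the sample files below are constructed (documentation addresses, not real hosts).

```shell
#!/bin/sh
# Added example, not from the thread: consistency checks between sshd_config,
# iptables and fail2ban's ignoreip, run while the old SSH session is still open.
# Helper names are hypothetical; the sample input at the bottom is constructed.

# Print every active "Port N" in an sshd_config (sshd listens on all of them); default 22.
sshd_ports() {
    p=$(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}')
    echo "${p:-22}"
}

# True if the iptables-save dump has an ACCEPT for tcp/PORT in the INPUT chain
# (assumed to be where the Vesta firewall puts the rule for its SSH entry).
port_allowed() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2"'([[:space:]]|$).*-j ACCEPT' "$1"
}

# True if ADDR appears as a token of an "ignoreip = ..." line in the jail file.
# Exact-token match only: it does not test CIDR containment, so pass the same
# string you wrote into the file (e.g. 203.0.113.0/24, not an address inside it).
f2b_ignores() {
    grep -Ei '^[[:space:]]*ignoreip[[:space:]]*=' "$1" | sed 's/^[^=]*=//' |
        tr -s ' \t' '\n' | grep -Fxq "$2"
}

# 0 = safe to restart; 1 = a port has no ACCEPT rule; 2 = admin address not whitelisted.
preflight() {
    cfg=$1; rules=$2; jail=$3; admin=$4
    for p in $(sshd_ports "$cfg"); do
        port_allowed "$rules" "$p" || { echo "sshd port $p has no ACCEPT in INPUT" >&2; return 1; }
    done
    f2b_ignores "$jail" "$admin" || { echo "$admin missing from ignoreip" >&2; return 2; }
    return 0
}

# --- constructed sample input ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '#Port 22\nPort 19\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf '*filter\n-A INPUT -p tcp -m tcp --dport 19 -j ACCEPT\n-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\nCOMMIT\n' > "$tmp/iptables.rules"
printf '[DEFAULT]\nignoreip = 127.0.0.1/8 203.0.113.0/24\n' > "$tmp/jail.local"

preflight "$tmp/sshd_config" "$tmp/iptables.rules" "$tmp/jail.local" 203.0.113.0/24 &&
    echo "checks passed: restart sshd, then open a NEW session on the new port before closing this one"
```

On a real host, feed it `/etc/ssh/sshd_config`, the output of `iptables-save`, and `/etc/fail2ban/jail.local`; a non-zero exit means fix the mismatch before restarting anything.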

Re: Changing SSH port

Posted: Tue Nov 11, 2014 1:00 am
by durjoy
You guys are legends. Thank you for all the help.

Re: Changing SSH port

Posted: Sat Aug 08, 2015 6:59 am
by pandabb
Hello guys, can I ask if I did the right thing?

I did the same as above, except that my IP is dynamic, so what I did was convert my IP range to CIDR using an online generator site.

Will that work too?

TY

Re: Changing SSH port

Posted: Tue Aug 11, 2015 9:15 am
by skurudo
pandabb wrote: I did the same as above, except that my IP is dynamic, so what I did was convert my IP range to CIDR using an online generator site.
Will that work too?
Yep
ignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
http://www.fail2ban.org/wiki/index.php/Whitelist

Re: Changing SSH port

Posted: Tue Aug 11, 2015 11:27 am
by pandabb
Thanks again for the answer.

The guide shown in this thread suggests editing /etc/fail2ban/jail.local; however, in that file I cannot find the entry below:

# This will ignore connection coming from common private networks.
# Note that local connections can come from other than just 127.0.0.1, so
# this needs CIDR range too.
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

I found it in jail.conf instead of jail.local.

Ty

I edited mine in jail.conf since it's not found in jail.local. Is that OK?

Re: Changing SSH port

Posted: Tue Aug 11, 2015 10:16 pm
by skurudo
By default the settings are in /etc/fail2ban/jail.conf, but there is also a local file, where settings live too.

Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn't have to include everything in the corresponding .conf file, only those settings that you wish to override.
Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there.
-- http://www.fail2ban.org/wiki/index.php/ ... l_settings

Re: Changing SSH port

Posted: Wed Aug 12, 2015 7:40 am
by pandabb
Hi, thanks, I didn't know that.

By default I already have jail.local; what I did was add the whitelist IP at the very end. Is this OK?

This is how it looks now:


[ssh-iptables]
enabled  = true
filter   = sshd
action   = vesta[name=SSH]
logpath  = /var/log/secure
maxretry = 5

[vsftpd-iptables]
enabled  = false
filter   = vsftpd
action   = vesta[name=FTP]
logpath  = /var/log/vsftpd.log
maxretry = 5

[exim-iptables]
enabled = true
filter  = exim
action  = vesta[name=MAIL]
logpath = /var/log/exim/main.log

[dovecot-iptables]
enabled = true
filter  = dovecot
action  = vesta[name=MAIL]
logpath = /var/log/dovecot.log

[mysqld-iptables]
enabled  = false
filter   = mysqld-auth
action   = vesta[name=DB]
logpath  = /var/log/mysqld.log
maxretry = 5

[vesta-iptables]
enabled = true
filter  = vesta
action  = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 MY IP ADDRESS HERE

Re: Changing SSH port

Posted: Wed Aug 12, 2015 7:44 am
by skurudo
pandabb wrote: This is how it looks now.
Looks nice.
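Because jail.conf and jail.local are merged per key and per section, where an ignoreip line sits decides which jails honour it. The resolver below is an added example, not from this thread or from fail2ban itself: given the files in the order fail2ban reads them, it returns the value a named jail ends up with (a jail's own section beats [DEFAULT]; the later file wins for the same section). f2b_effective is a hypothetical helper name, and the sample files are constructed, shortened versions of the ones discussed above.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the effective value of KEY for JAIL
# across jail.conf and jail.local. Helper name is hypothetical; inputs are constructed.

# usage: f2b_effective KEY JAIL FILE...   (files in the order fail2ban reads them)
f2b_effective() {
    key=$1; jail=$2; shift 2
    awk -v key="$key" -v jail="$jail" '
        FNR == 1 { sec = "" }                          # a section does not carry over into the next file
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*[#;]/ { next }                         # comment lines
        $0 ~ "^[ \t]*" key "[ \t]*=" {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (sec == "DEFAULT") def = val            # global default, overridable per jail
            else if (sec == jail) spec = val           # jail-specific setting wins
        }
        END { if (spec != "") print spec; else print def }
    ' "$@"
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
# stock-style jail.conf: ignoreip lives in [DEFAULT]
printf '[DEFAULT]\nignoreip = 127.0.0.1/8\nbantime = 600\n\n[ssh-iptables]\nenabled = false\nfilter = sshd\n' > "$d/jail.conf"
# jail.local with the whitelist appended after the LAST jail section, as in the file posted above
printf '[ssh-iptables]\nenabled = true\naction = vesta[name=SSH]\n\n[vesta-iptables]\nenabled = true\nfilter = vesta\n# admin address (constructed)\nignoreip = 127.0.0.1/8 203.0.113.5\n' > "$d/jail.local"
# the same whitelist placed under [DEFAULT] instead
printf '[DEFAULT]\nignoreip = 127.0.0.1/8 203.0.113.5\n\n[ssh-iptables]\nenabled = true\naction = vesta[name=SSH]\n' > "$d/jail.local.fixed"

for j in ssh-iptables vesta-iptables; do
    echo "$j ignoreip (appended after last jail): $(f2b_effective ignoreip $j "$d/jail.conf" "$d/jail.local")"
    echo "$j ignoreip (under [DEFAULT]):          $(f2b_effective ignoreip $j "$d/jail.conf" "$d/jail.local.fixed")"
done
```

Running it shows that an ignoreip appended after the last jail section is picked up only by that jail, while the same line under [DEFAULT] reaches the ssh jail as well.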