Changing SSH port
Changing SSH port
Hi
I am planning to change SSH port on all of my VPS for security reason.
I know new version of vestaCP comes with fail2ban and IPtable.
I don't want my IP address to get banned for failed login attempt.
How can I add new SSH port to IPTable and VestaCP.
what command shall I enter and what file shall I modify?
thanks
I am planning to change SSH port on all of my VPS for security reason.
I know new version of vestaCP comes with fail2ban and IPtable.
I don't want my IP address to get banned for failed login attempt.
How can I add new SSH port to IPTable and VestaCP.
what command shall I enter and what file shall I modify?
thanks
Re: Changing SSH port
You should first allow the port (and maybe also your home/office IP) in Vesta, otherwise you'd lock yourself out. You can do that in Vesta's web interface. Then you can edit /etc/ssh/sshd_config to change the port. Don't forget to restart ssh (service sshd restart) to apply your changes.
Re: Changing SSH port
1. Decide which port you want to use to connect your server via SSH (for this example, 19).
2. In Vesta panel, under Firewall menu, modify the SSH entry and put the new port number. With that, the iptables will be properly modified.
3. Modify SSH config (use nano, vim, or your preferred text editor):
Edit the file:
Search for:
And change it:
Save the file.
4. We are going now to modify your fail2ban to add your IP to the whitelist.
Edit the file:
Search for:
Add your IP at the end of the block:
Save the file.
5. Restart the modified services:
Restart SSH (use the correct command for your distro, for this example, CentOS):
Restart iptables:
Restart fail2ban:
Done.
2. In Vesta panel, under Firewall menu, modify the SSH entry and put the new port number. With that, the iptables will be properly modified.
3. Modify SSH config (use nano, vim, or your preferred text editor):
Edit the file:
Code: Select all
nano /etc/ssh/sshd_configSearch for:
Code: Select all
#Port 22Code: Select all
Port 194. We are going now to modify your fail2ban to add your IP to the whitelist.
Edit the file:
Code: Select all
nano /etc/fail2ban/jail.localCode: Select all
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
Code: Select all
ignoreip = yo.ur.ip5. Restart the modified services:
Restart SSH (use the correct command for your distro, for this example, CentOS):
Code: Select all
service sshd restartCode: Select all
service iptables restartCode: Select all
service fail2ban restartRe: Changing SSH port
You guys are legends. thank you for all the help.
Re: Changing SSH port
Hello guys, can i ask if i did the right thing?
I did the same above except that my ip is dynamic so what i did is converted my iprange to cidr using online site generators.
Will that work too?
TY
I did the same above except that my ip is dynamic so what i did is converted my iprange to cidr using online site generators.
Will that work too?
TY
Re: Changing SSH port
Yeppandabb wrote: I did the same above except that my ip is dynamic so what i did is converted my iprange to cidr using online site generators.
Will that work too?
http://www.fail2ban.org/wiki/index.php/Whitelistignoreip = 127.0.0.1 192.168.1.0/24 8.8.8.8
Re: Changing SSH port
Thank again for the answer.
The guide shown in this thread suggest editing /etc/fail2ban/jail.local howerver in that section i cannot find the entry below:
I found on it jail.conf instead of jail.local
Ty
i edited mine in jail.conf since its not found on jail.local , is that OK?
The guide shown in this thread suggest editing /etc/fail2ban/jail.local howerver in that section i cannot find the entry below:
Code: Select all
# This will ignore connection coming from common private networks.
# Note that local connections can come from other than just 127.0.0.1, so
# this needs CIDR range too.
ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16Ty
i edited mine in jail.conf since its not found on jail.local , is that OK?
Re: Changing SSH port
By default settings in /etc/fail2ban/jail.conf, but there is and local file, where setting are too.
Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn't have to include everything in the corresponding .conf file, only those settings that you wish to override.
Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there. -- http://www.fail2ban.org/wiki/index.php/ ... l_settings
Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones. Thus, a .local file doesn't have to include everything in the corresponding .conf file, only those settings that you wish to override.
Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there. -- http://www.fail2ban.org/wiki/index.php/ ... l_settings
Re: Changing SSH port
Hi thanks i didnt know that.
By default i alraedy have jail.local what i did is add the whitelist ip at the very end, is this ok?
this is how it looks likes now.
By default i alraedy have jail.local what i did is add the whitelist ip at the very end, is this ok?
this is how it looks likes now.
Code: Select all
[ssh-iptables]
enabled = true
filter = sshd
action = vesta[name=SSH]
logpath = /var/log/secure
maxretry = 5
[vsftpd-iptables]
enabled = false
filter = vsftpd
action = vesta[name=FTP]
logpath = /var/log/vsftpd.log
maxretry = 5
[exim-iptables]
enabled = true
filter = exim
action = vesta[name=MAIL]
logpath = /var/log/exim/main.log
[dovecot-iptables]
enabled = true
filter = dovecot
action = vesta[name=MAIL]
logpath = /var/log/dovecot.log
[mysqld-iptables]
enabled = false
filter = mysqld-auth
action = vesta[name=DB]
logpath = /var/log/mysqld.log
maxretry = 5
[vesta-iptables]
enabled = true
filter = vesta
action = vesta[name=VESTA]
logpath = /var/log/vesta/auth.log
maxretry = 5
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 MY IP ADDRESS HERE
Re: Changing SSH port
Look nice.pandabb wrote: this is how it looks likes now.