Linode Forum
Linode Community Forums
Post subject: firehol issues
Posted: Thu Oct 23, 2008 4:23 pm
Senior Newbie
Joined: Thu Oct 23, 2008 4:13 pm
Posts: 13
AOL: eyeni4net
Hi, I'm securing my Linodes using firehol; the only problem is that for some reason the rules being set up block my SSH port. I have an SSH definition in the file:

server_ssh_ports="tcp/99999"
client_ssh_ports="99999"

That's not the real port, but you get the idea.

Here are the rules for eth0:

Code:
#web
interface eth0 public src not "${UNROUTABLE_IPS}"

protection strong
client all accept
server ICMP accept
server ping accept
server http accept
server https accept
server ssh accept
server mysql accept dst "private.ip.address"


Whenever I attempt to log in via SSH, here is what I see in the console:

Code:
'IN-public':IN=eth0 OUT= MAC=MAC_ADDRESS* SRC=MY_REMOTE_IP* DST=SLICE_IP* LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16994 DF PROTO=TCP SPT=51438 DPT=SSH_PORT* WINDOW=8192 RES=0x00 SYN URGP=0

Anyone have any idea why this is being blocked?


Post subject:
Posted: Thu Oct 23, 2008 6:56 pm
Senior Newbie
Joined: Thu Oct 23, 2008 4:13 pm
Posts: 13
AOL: eyeni4net
Found the answer:

Although the firehol documentation says to set up new servers the above way, this is what actually worked for me:

Code:
server custom ssh tcp/99999 default accept 



Also I've done a quick guide for getting basic security in place:

http://gregsidberry.com/2008/10/22/building-something-scalable-security/


Post subject:
Posted: Fri Dec 26, 2008 7:26 pm
Senior Newbie
Joined: Fri Dec 26, 2008 7:22 pm
Posts: 19
Website: http://oi-guild.com
Yahoo Messenger: Godofwarny
AOL: godofwarny
Location: NYC
poetics5 wrote:
Code:
server custom ssh tcp/99999 default accept 



When you added the custom line, did you remove the regular "server ssh accept" line?

Also, in the ssh config, do you just change the port from 22 to whatever you wanted? Is it advisable to try both ports before committing? I am asking because that is exactly what I wanted to try by putting "port = 25 99999" (not the real port), and I am not getting a connection after restarting on the high port, but 22 still works. Maybe I need a colon between the ports? I should look that up.


Post subject:
Posted: Sat Dec 27, 2008 5:25 am
Senior Newbie
Joined: Thu Oct 23, 2008 4:13 pm
Posts: 13
AOL: eyeni4net
You have to edit your ssh config to use the port as well, then restart ssh.


Post subject:
Posted: Sat Dec 27, 2008 12:21 pm
Senior Member
Joined: Fri May 02, 2008 8:44 pm
Posts: 1121
I'm not sure if you can make SSH bind to two ports at the same time. Anyway, the whole point of binding SSH to a custom port is to gain some measure of security by obscurity, so you aren't going to get real benefits if SSH is still listening on port 22.

Bedevere: the reason you're still connecting on 22 is because you have the regular "server ssh accept" line in your firehol conf. Remove that and you'll only be able to connect through the custom port. (Provided, of course, that your SSH configuration is adjusted accordingly.)

It's also a good idea to limit incoming SSH connections to a certain IP range, unless you're giving out shell accounts to random people. This can be done by adding an "src" clause to the appropriate line in your Firehol conf. For example,

Code:
server custom ssh tcp/99999 default accept src 123.123.123.123


I have a static IP at home, so this directive kicks out everyone except my home computer. If your IP changes from time to time, it might be better to use a broader IP range such as 123.123.0.0/16. This way, nobody in China will be able to connect to your box through SSH, let alone hack it through SSH, even if they happened to know which port to connect to.

If you lock yourself out, or you need emergency access from an IP address not listed in your Firehol conf, you can always go into Lish to fix it!


Post subject:
Posted: Sat Dec 27, 2008 11:39 pm
Senior Newbie
Joined: Fri Dec 26, 2008 7:22 pm
Posts: 19
Website: http://oi-guild.com
Yahoo Messenger: Godofwarny
AOL: godofwarny
Location: NYC
Yes, I was editing the ssh config... sorry if I wasn't clear on that.

OK, I will remove the regular SSH. I actually tried naming the custom one SSH1, but that's not clean. And yeah, when I messed it up I used the Ajax console.

I already did the src as well. Good move there.


Post subject:
Posted: Sun Dec 28, 2008 3:11 am
Senior Member
Joined: Tue Aug 17, 2004 11:37 pm
Posts: 262
Website: http://www.our-lan.com
WLM: nf@our-lan.com
Location: Brisbane, Australia
You can make ssh listen on one or more ports/IPs.
I have this as my config in sshd_config so that I can connect in on 443 from some places.
Code:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress <second ip here>:443
ListenAddress 0.0.0.0



Basically that says use port 22, and listen on all interfaces (0.0.0.0) for connections, AND listen on <second ip>:443.

Let me know if you have any questions.

_________________
ServerAdmin - www.our-lan.com
"Diplomacy is the art of saying nice doggy whilst looking for a really big stick"
"In my experience, any attempt to make any system idiot proof will only challenge God to make a better idiot"
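An added consistency check, not code from this thread or from FireHOL, that applies the advice in the posts above: it reads the ports sshd listens on from an sshd_config (Port lines plus host:port ListenAddress entries, as in the config just shown), reads the SSH ports a FireHOL config accepts (the stock "server ssh accept" line as tcp/22 and any "server custom ... tcp/N ... accept" line), and reports every port sshd listens on that FireHOL blocks, plus any port FireHOL opens for SSH that sshd no longer uses, which is how a leftover "server ssh accept" line shows up. The two FireHOL files, the sshd_config and the 192.0.2.10 / 198.51.100.0/24 addresses are constructed samples; the server_ssh_ports variable override is deliberately not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the ports sshd listens on
# against what a FireHOL config accepts, catching both mistakes discussed above:
# a custom port FireHOL blocks, and the stock "server ssh accept" line left in
# so tcp/22 stays open. All config files below are constructed samples.

# Ports sshd listens on: "Port N" lines plus ":N" on ListenAddress (IPv4 or
# [IPv6]); no Port line means sshd's default of 22.
sshd_ports() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1")
    [ -n "$ports" ] || ports=22
    { echo "$ports"
      sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}[0-9.]\{1,\}:\([0-9]\{1,\}\).*/\1/p
              s/^[[:space:]]*ListenAddress[[:space:]]\{1,\}\[.*\]:\([0-9]\{1,\}\).*/\1/p' "$1"
    } | sort -un
}

# Ports FireHOL accepts for SSH: 22 for "server ssh accept", N for
# "server custom NAME tcp/N ... accept" (server_ssh_ports override not modelled).
firehol_ssh_ports() {
    { grep -q '^[[:space:]]*server[[:space:]]\{1,\}ssh[[:space:]]\{1,\}accept' "$1" && echo 22
      sed -n 's/^[[:space:]]*server[[:space:]]\{1,\}custom[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}tcp\/\([0-9]\{1,\}\).*accept.*/\1/p' "$1"
    } | sort -un
}
# True when port $1 appears in the whitespace-separated list $2.
has_port() { for q in $2; do [ "$q" = "$1" ] && return 0; done; return 1; }
# Print every mismatch; return 0 only when the two configs agree.
check_ssh_firewall() {
    listen=$(sshd_ports "$1"); allowed=$(firehol_ssh_ports "$2"); rc=0
    for p in $listen; do
        has_port "$p" "$allowed" || { echo "sshd listens on tcp/$p but FireHOL does not accept it"; rc=1; }
    done
    for p in $allowed; do
        has_port "$p" "$listen" || { echo "FireHOL accepts tcp/$p for SSH but sshd does not listen there"; rc=1; }
    done
    return $rc
}
# Constructed samples: sshd on a custom port plus 443 on a second address.
tmp=$(mktemp -d)
printf 'Port 2222\nListenAddress 192.0.2.10:443\nListenAddress 0.0.0.0\n' >"$tmp/sshd_config"
cat >"$tmp/firehol.bad" <<'EOF'
interface eth0 public
    server ssh accept
    server custom ssh tcp/2222 default accept src 198.51.100.0/24
EOF
cat >"$tmp/firehol.good" <<'EOF'
interface eth0 public
    server custom ssh tcp/2222 default accept src 198.51.100.0/24
    server custom ssh443 tcp/443 default accept src 198.51.100.0/24
EOF
check_ssh_firewall "$tmp/sshd_config" "$tmp/firehol.bad" || echo "-- firehol.bad needs fixing"
check_ssh_firewall "$tmp/sshd_config" "$tmp/firehol.good" && echo "-- firehol.good matches sshd"
```

Run it against the real /etc/ssh/sshd_config and /etc/firehol/firehol.conf before restarting either service, and keep Lish open as the posts suggest in case the check missed something.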

