YAST: SuSEfirewall2 + alternative ssh port = can't connect

I just tried to change the ssh port to another port in order to reduce the log spam generated by these annoying ssh brute-force attacks.

Oddly, I discovered that if I change the ssh port via YaST (from the CLI) to something like 2222 and select “open port in Firewall”, everything seems to run smoothly, BUT the port is still blocked by the firewall!

To check this, I disabled the firewall, and then you can log in using the alternative port. Adding “Secure Shell Server” to the firewall’s “Allowed Services” does not help either (even if you re-“open ports in firewall” under YaST’s ssh settings afterwards once more)…

The way I got it working for now is to add the new ssh port to the firewall’s manually opened TCP ports (under “Advanced…”).

I don’t think that is the way it should work when configuring your system with YaST (from the shell… I have to admit, I am a GUI guy)… so is this a bug, or am I missing something here??

PS: I am running openSUSE 11.3 64-bit.

Well that’s the way to do it. How would the firewall configurator know the alternate port number unless you define a custom rule like you did? Secure Shell Server is simply shorthand for “open port 22”.


Agreed. awiese2007, the
http://forums.opensuse.org/showthread.php?t=447155 thread may also be
useful for you to see how this works on the backend.

Good luck.

On 10/11/2010 06:36 PM, ken yap wrote:
>
> Well that’s the way to do it. How would the firewall configurator know
> the alternate port number unless you define a custom rule like you did?
> Secure Shell Server is simply shorthand for “open port 22”.
>
>

Hm, so what you are saying is that you have to edit it manually (that’s what I did, and it is working)…

But I still think that is a little bit confusing and inconsistent. If I am using YaST for basic configuration and tell sshd to use port XY instead of the default 22 via YaST, and then move on in YaST to my firewall settings and explicitly say “open the ports for the ssh service”… you can just expect this to work, don’t you agree?

@ab novell com

Thanks for the link. I saw the conf files for the SuSE firewall but did not tinker with them manually/by editor… but I will give it a try, because I think it is a cleaner solution to have your firewall set up to allow services and not single manually configured ports.

In an ideal world, YaST would also change the firewall setting so that it would then know which port to open. Unfortunately it’s not an ideal world yet. Feel free to file an enhancement request for this to be improved by the developers.

If you have an external firewall, say a modem/router, you would have to also configure it there, so it’s not all configured in one spot yet anyway.

On 2010-10-16 15:06, ken yap wrote:
>
> awiese2007;2238746 Wrote:
>> But still I think that a little bit confusing and inconsistent. If I am
>> using yast for basic configuration and
>> tell sshd to use port XY instead of the default 22 via Yast and the
>> move on in Yast to my firewall settings
>> and explicitly say “open the ports for the ssh service”…you can just
>> expect this to work, dont you agree?
>
> In an ideal world, YaST would also change the firewall setting so that
> it would then know which port to open. Unfortunately it’s not an ideal
> world yet. Feel free to file an enhancement request for this to be
> improved by the developers.

Don’t forget the file /etc/services, as ports are defined there, which will also affect the ssh client - and might also affect the firewall automatically.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

No, one never changes /etc/services. That map contains the official assignments of ports to services. If you run ssh on a different port, it is strictly speaking not the official ssh service. It is just the ssh protocol over a different port.

On 2010-10-17 04:06, ken yap wrote:
>
> No, one never changes /etc/services. That map contains the official
> assignments of ports to services. If you run ssh on a different port, it
> is strictly speaking not the official ssh service. It is just the ssh
> protocol over a different port.

You can change it, and then the new port becomes the new port for that service on your computer. It will of course break connections to other computers using the standard ports. It depends on what you want to do.

The thing is, you change the port there, and everything matches: server, client, and firewall. Or should.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)


I’m not sure I completely agree with that for a couple reasons. First, the file is made to hold assigned according to IANA or frequently-used numbers. Changing this file doesn’t change the IANA assignment, and referencing the file may be useful for various purposes even when the local system doesn’t use all of those same ports for those same services. Second, while some applications use the contents therein for service identification (number to name), few (none that I know) use the file for configuration determining which port to use as a service or even a client. Since it’s made to show the norm, being wrong on one system may break some kinds of resolution (number to name again) of other systems. Having a local source of the norm is probably the better use, in my opinion, than as a port configuration file for services on the box to the failure of other regular uses.

Good luck.

On 10/17/2010 12:28 PM, Carlos E. R. wrote:
> On 2010-10-17 04:06, ken yap wrote:
>>
>> No, one never changes /etc/services. That map contains the official
>> assignments of ports to services. If you run ssh on a different port, it
>> is strictly speaking not the official ssh service. It is just the ssh
>> protocol over a different port.
>
> You can change it, and then the new port becomes the new port for that service in your computer. It
> will of course break connection to other computers using the standard ports. It depends on what you
> want to do.
>
> The thing is, you change the port there, and everything matches: server, client, and firewall. Or
> should.
>

To understand why changing /etc/services is not very useful, you have to go back to the original intention of that map.

The idea was simple and laudable: one should be able to refer to services by name rather than by port number. So in the Berkeley networking API you have getservbyname, analogous to gethostbyname.

Unfortunately, unlike DNS, which is universal, there is no guarantee that all software will use the map or that all hosts will be using a map. So this led to inconsistency: some services and clients would use the map, and some would not; they just knew what port they were supposed to run on, and you used an option to override this.

Say you change ssh in that file to port 220. OK, so maybe the server might pay attention to that, but probably not, because there is a Port declaration in sshd_config. But say the ssh client does pay attention to it. Then you might have the situation where, when you ssh to some other normal sshd server, it tries to use 220, and of course this doesn’t work. Worse still if the user is not aware of it. If the server and client don’t use this map, then there was no point editing the map in the first place.

And also, the map says nothing about a service which runs on more than one port; in fact you can ask sshd to listen on 22 and 220 at the same time.

So in practice this map is not useful for controlling service ports and it should simply be regarded as a lookup table for the official IANA assignments.
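The mismatch discussed in this thread (sshd moved to 2222 while the firewall’s “ssh” entry still resolves to 22 via /etc/services) can be checked mechanically. The script below is an added example, not code from the forum or from SuSEfirewall2; it assumes the `Port` directive of sshd_config (which may appear more than once) and a SuSEfirewall2 `FW_SERVICES_EXT_TCP` line holding port numbers or /etc/services names, and parses constructed sample files so it runs offline.

```python
import re
import socket

# Constructed sample files (not copied from any real system).
SSHD_CONFIG = "# Port 22\nPort 2222\nListenAddress 0.0.0.0\n"
SERVICES_FILE = "ssh 22/tcp\nssh 22/udp\nhttp-alt 8080/tcp  # comment\n"
FW_CONF_BROKEN = 'FW_SERVICES_EXT_TCP="ssh 8080"\nFW_SERVICES_EXT_UDP=""\n'
FW_CONF_FIXED = 'FW_SERVICES_EXT_TCP="ssh 2222"\n'

def sshd_ports(cfg):
    """Ports sshd listens on: every uncommented 'Port N' line, 22 if none."""
    ports = [int(m.group(1)) for m in re.finditer(r"^\s*Port\s+(\d+)", cfg, re.M)]
    return ports or [22]

def services_map(text):
    """Parse /etc/services-style text into {(name, proto): port}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def firewall_tcp_ports(fw_conf, services):
    """Resolve FW_SERVICES_EXT_TCP entries (numbers or service names) to ports.

    Assumption: names are looked up in /etc/services, which is exactly why
    'ssh' still means 22 after sshd has been moved to another port.
    """
    m = re.search(r'^FW_SERVICES_EXT_TCP="([^"]*)"', fw_conf, re.M)
    opened = set()
    for tok in (m.group(1).split() if m else []):
        if tok.isdigit():
            opened.add(int(tok))
        elif (tok, "tcp") in services:
            opened.add(services[(tok, "tcp")])
    return opened

def unreachable_sshd_ports(sshd_cfg, fw_conf, services_txt):
    """Ports sshd listens on that the firewall would still drop."""
    opened = firewall_tcp_ports(fw_conf, services_map(services_txt))
    return sorted(set(sshd_ports(sshd_cfg)) - opened)

def system_ssh_port():
    """What the live host's getservbyname() (the map ken yap describes) returns."""
    return socket.getservbyname("ssh", "tcp")

if __name__ == "__main__":
    print("blocked:", unreachable_sshd_ports(SSHD_CONFIG, FW_CONF_BROKEN, SERVICES_FILE))
    print("after fix:", unreachable_sshd_ports(SSHD_CONFIG, FW_CONF_FIXED, SERVICES_FILE))
```

Run against the real `/etc/ssh/sshd_config`, `/etc/sysconfig/SuSEfirewall2` and `/etc/services` the same functions report any listening port the firewall never opened.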

On 2010-10-18 00:06, ken yap wrote:
>
> To understand why changing /etc/services is not very useful, you have to
> go back to the original intention of that map.

You are right, it works in some cases and in some not. ssh might not, as there is a config for it. On other daemons I have seen it recommended to do the change in the services file (don’t remember which, long ago). I understand it works for the SuSEfirewall, or so I was told.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)


Works in what way? I do not believe that is the case… see my original response on 2010-10-12 01:22 GMT linking to a post that does deal with SuSEfirewall2 and port mappings.

Good luck.

On 10/17/2010 08:51 PM, Carlos E. R. wrote:
> On 2010-10-18 00:06, ken yap wrote:
>>
>> To understand why changing /etc/services is not very useful, you have to
>> go back to the original intention of that map.
>
> You are right, it works on some cases and on some not. ssh might not, as there is a config for it.
> On other daemons I have seen it recomended to do the change in the services files (don’t remember
> which, long ago). I understand it works for the susefirewall, or so I was told.
>