LinuxQuestions.org
Old 12-22-2005, 10:50 AM   #1
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

I banned myself from my remote ssh-server... I need an idea to fix it :)


I connect to my remote machine with ssh. One day while I worked on it I saw (with 'tail -f' in the logs) that somebody was trying to brute-force into the machine.
OK, I thought, nothing can happen. You have a good password.
Nevertheless I changed the original port from 22 and turned root login off. Before I did that on my remote machine, I tried it locally. On the local machine everything is fine.
But since then I cannot log in to the remote machine.

What can I do now?
Thanks for any help.
 
Old 12-22-2005, 11:15 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Can you even access the ssh server? What errors do you get when you try to login? Please give details.
 
Old 12-22-2005, 11:27 AM   #3
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
Oh sorry, forgot that.
The machine responds to pings. The webserver is running.

When I try to ssh to it, it only times out. Nothing else happens.
Is it lost, or is there a chance to connect some time again...?
 
Old 12-22-2005, 11:29 AM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

If you changed the port on which ssh is running, are you trying to connect to the new port?
 
Old 12-22-2005, 11:42 AM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,721

Could be your firewall too. You need to change it to allow incoming connections on the new port.
 
Old 12-22-2005, 11:46 AM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

If he's firewalled off on the port, that'll be real fun. I guess he'll need to get someone local to the machine to work on it.
 
Old 12-22-2005, 11:47 AM   #7
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
Yes. I try it like that 'ssh x.x.x.x -p 245' then it says
'ssh: connect to host x.x.x.x port 245: Connection timed out'

And on the default port 22 it says, as expected
'ssh: connect to host x.x.x.x port 22: Connection refused'
 
Old 12-22-2005, 11:56 AM   #8
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
I have a firewall on that machine. It is a SUSE machine.
In YaST you can choose which service should not be firewalled. sshd was open before I changed the port. I don't know much about firewalls, but shouldn't the SUSE firewall update automatically?
 
Old 12-24-2005, 11:34 AM   #9
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
Does no one have any ideas what I can do now?

Perhaps not really legal methods? I mean, the server belongs to me, so...
 
Old 12-24-2005, 12:29 PM   #10
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Quote:
Originally Posted by shegman
Does no one have any ideas what I can do now?
Well, since you say you use ssh, I'd assume that means you disabled telnet and the "r" commands (rsh, rcp, etc.). But maybe that's a bad assumption and you could still get in that way... (...and if so, you need to review your system security!)
 
Old 12-24-2005, 01:18 PM   #11
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Quote:
Originally Posted by shegman
Yes. I try it like that 'ssh x.x.x.x -p 245' then it says
'ssh: connect to host x.x.x.x port 245: Connection timed out'
This is a passive response, e.g., the packet was dropped (no reply was sent back to you).
Quote:
Originally Posted by shegman
And on the default port 22 it says, as expected
'ssh: connect to host x.x.x.x port 22: Connection refused'
This is an active response. You got through to your server, but it replied back to you "Sorry, this port is closed or no service is running there".

The passive response could be caused by your firewall rules that say DROP instead of REJECT. Or it could be caused because your server is behind a router and that router is set up to port forward port 22 but not port 245. Or your ISP may be blocking traffic on port 245. That port is normally assigned to something called "link". I have no idea what that service is or if an ISP might be inclined to block it.

If the problem is your router, can you log in to the router from the WAN side and add a port forwarding rule? If the problem is your firewall dropping traffic on port 245 you're probably in for some real headaches. It's doing exactly what it's supposed to.

Did you set up your sshd alternate port in your system config files? (i.e., will it persist past a system reboot?) If you set it up for the current boot session only, you could try researching cracker websites and attempt to crash your remote computer via some exploit (if you have it set up to automatically reboot after a crash). This would be pretty drastic!
 
1 members found this post helpful.
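The timed-out versus refused distinction from the post above, as an added example that is not part of the original thread: a single TCP connect attempt is classified by the error it returns, and the old-port/new-port pair is turned into a diagnosis. The function names, state labels and the 3-second timeout are assumptions made for this sketch.

```python
import errno
import socket

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and classify how the far side answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed: a service is listening
    except (socket.timeout, TimeoutError):
        return "filtered"      # passive: no reply at all, packet was dropped
    except ConnectionRefusedError:
        return "refused"       # active: a reply came back, port is closed
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # ICMP unreachable from a device on the path
        raise
    finally:
        s.close()

def diagnose(old_state, new_state):
    """Interpret the results for the old and the new sshd port together."""
    if new_state == "open":
        return "sshd is reachable on the new port"
    if new_state == "refused":
        return "new port reaches the host but nothing listens there"
    if new_state == "filtered" and old_state == "refused":
        # The situation in this thread: port 22 refused, port 245 timed out.
        return ("host is up and the old port is closed; the new port is "
                "dropped on the path (host firewall, router forwarding, ISP)")
    return "inconclusive: check from a second network"

if __name__ == "__main__":
    # Constructed local demo: one listening socket, then the same port closed.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))   # open
    srv.close()
    print(port, probe("127.0.0.1", port))   # refused
    print(diagnose("refused", "filtered"))
```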
Old 12-24-2005, 02:09 PM   #12
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
Oh man, that's bad.
I think it's the firewall.

And I changed the port in the sshd_config, so I think it is persistent.

But thank you a lot for all the answers.

Merry Christmas
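A pre-flight check for the lockout this thread arrives at, as an added example that is not part of the original posts: before sshd is restarted, compare the ports in sshd_config with the firewall's allow-list. The allow-list is assumed to be a space-separated string of ports, lo:hi ranges and service names (the shape of SuSEfirewall2's FW_SERVICES_EXT_TCP setting); the sample config, the small service table and all function names are constructed for illustration.

```python
import re

# Constructed subset of /etc/services, kept inline so the example runs offline.
SERVICES = {"ssh": 22, "http": 80, "https": 443}

def sshd_ports(sshd_config_text):
    """Ports sshd will bind: every 'Port N' directive, or 22 when none is set."""
    ports = []
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"port[\s=]+(\d+)$", line, re.IGNORECASE)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]

def allowed_ports(allow_list):
    """Expand the allow-list into a set of TCP port numbers."""
    allowed = set()
    for item in allow_list.split():
        if item.isdigit():
            allowed.add(int(item))
        elif re.fullmatch(r"\d+:\d+", item):
            lo, hi = map(int, item.split(":"))
            allowed.update(range(lo, hi + 1))
        elif item in SERVICES:
            allowed.add(SERVICES[item])           # "ssh" means 22, not sshd's port
        else:
            raise ValueError(f"unknown service name: {item}")
    return allowed

def lockout_ports(sshd_config_text, allow_list):
    """Ports sshd will listen on that the firewall does not admit."""
    allowed = allowed_ports(allow_list)
    return [p for p in sshd_ports(sshd_config_text) if p not in allowed]

# Constructed sample: port moved to 245, allow-list left as it was before.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 245
PermitRootLogin no
"""
SAMPLE_ALLOW_LIST = "ssh http"

if __name__ == "__main__":
    blocked = lockout_ports(SAMPLE_SSHD_CONFIG, SAMPLE_ALLOW_LIST)
    if blocked:
        print("do not restart sshd yet; firewall blocks:", blocked)
```

A non-empty result means the firewall has to be opened for the new port first, ideally while sshd is still also listening on the old one.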
 
Old 12-24-2005, 02:41 PM   #13
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,331

Quote:
Originally Posted by shegman
Oh man, that's bad.
I think it's the firewall.
Merry Christmas to you too!

You aren't running your webserver as root, are you? That would be a horrible security breach, but could be your ticket into your locked system. Fix this hole ASAP after getting back in if this is the case with your server....

[edit]
Upon further reflection, I deleted the suggestion that I had put here. A simple, older, and widely known way to compromise an insecure webserver running as userid root. Not an appropriate thing to post however. My apologies for my lack of forethought.
[/edit]

...And hopefully you're not running things like webservers as userid root in the first place! But you sound desperate so I'm suggesting desperate things.

Last edited by haertig; 12-24-2005 at 02:52 PM.
 
Old 12-25-2005, 09:59 AM   #14
fur
Member
 
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310

Quote:
Originally Posted by shegman
Does no one have any ideas what I can do now?

Perhaps not really legal methods? I mean, the server belongs to me, so...

If it's your equipment, call up the colo or wherever it's located, have them log in for you, and change things back to the defaults.
 
Old 12-25-2005, 10:37 AM   #15
shegman
LQ Newbie
 
Registered: Dec 2005
Location: Germany
Distribution: Slackware
Posts: 8

Original Poster
That would cost a lot.
That's why I asked here before.
 
  

