SSHD Alternative Port + selinux
A very brief report.
Hope it's helpful for others. Last night I replaced our company's old linux router with a new one running CentOS 7. Today, I decided to change the standard listening port 22 to 4444.
Code:
#Port 22
Code:
Port 4444
and then systemctl start sshd.service. Users started calling saying "No internet! No internet!" systemctl status sshd.service showed that ssh daemon failed and exited with a status code I didn't understand. So the first hope was a simple cure by simple reboot; but, no go. Still no internet. I tethered my notebook to my android for internet access and found info. about a command "semanage" to tell selinux that the sshd service is now listening on a different port and that's okay. I tried the command and it's not found on my freshly updated centos 7 router. So then I wanted to review the basic selinux settings and found the following in /etc/sysconfig/selinux:
Code:
# This file controls the state of SELinux on the system.
But sshd.service continued to fail and exit upon start and there was no internet access. So, nothing to lose by trying:
Code:
SELINUX=disabled
All good. Alternative sshd port setting allows connections on that destination port. All users on the LAN regained access to the internet. I haven't worked with selinux enough to understand how to deploy it carefully while still allowing multiple services. Simply reporting the only way I found to use an alternate sshd port was to disable selinux. Cheers.
|
None of this proves selinux had anything to do with it. Looking at the logs before rebooting, starting with the secure/auth log, would have been much more informative, instead of assuming the problem and the (probably coincidental) fix.
|
Mr. Zero - you could be very right about that.
I've posted some /var/log/secure content from the time the internet was down after changing the sshd listening port:
Code:
May 19 13:06:30 localhost sshd[925]: Received signal 15; terminating.
Code:
May 19 14:10:56 localhost polkitd[673]: Registered Authentication Agent for unix-process:2329:196896 (system bus name :1.17 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Thank you for reading this.
|
To tell selinux (centos7, fedora) about the alternate port, I use a command like
Quote:
|
Hi Doug, I tried that command and shell reported -
Code:
-bash: semanage: command not found
If I decide to implement selinux, I'll give it another try. Thanks for your help.
|
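Added example, not code from this thread or from any of the posters: a small POSIX shell script that does what the OP was looking for while keeping SELinux enforcing, i.e. it checks whether the SELinux policy already lets sshd bind the alternate port and adds the port to the ssh_port_t type only if it does not. It assumes a CentOS 7 host where `semanage` is provided by the policycoreutils-python package (that package is what is missing when bash reports "semanage: command not found"), and that the standard ssh_port_t port type is in use. The `semanage port -l` listing fed to the parser in the comments is constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): keep SELinux enforcing and tell it that
# sshd may listen on the new port, instead of setting SELINUX=disabled.
# Assumes CentOS 7, `semanage` from policycoreutils-python, and ssh_port_t.

# ssh_port_allowed PORT LISTING
#   LISTING is the text output of `semanage port -l`, whose lines look like
#   (constructed sample):  ssh_port_t   tcp   4444, 22
#   Exits 0 when PORT is listed for ssh_port_t/tcp, singly or inside a range
#   such as 4000-4500; exits 1 otherwise.
ssh_port_allowed() {
    port="$1"
    listing="$2"
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                f = $i
                gsub(",", "", f)                 # "4444," -> "4444"
                if (f == p) found = 1
                n = split(f, r, "-")             # ranges such as "4000-4500"
                if (n == 2 && p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# remediation_for PORT
#   Prints the exact command that would add PORT to ssh_port_t, so a reviewer
#   can see (and a test can check) the change before it is applied.
remediation_for() {
    printf 'semanage port -a -t ssh_port_t -p tcp %s\n' "$1"
}

# ensure_ssh_port PORT
#   Live check on the host: query the policy and add the port only if needed.
#   Needs root and `semanage`; says which package to install if it is missing.
ensure_ssh_port() {
    port="$1"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not installed: yum install policycoreutils-python" >&2
        return 2
    fi
    if ssh_port_allowed "$port" "$(semanage port -l)"; then
        echo "port $port already allowed for ssh_port_t"
        return 0
    fi
    echo "applying: $(remediation_for "$port")"
    semanage port -a -t ssh_port_t -p tcp "$port"
}

# Only touch the live policy when explicitly asked:
#   sh allow-ssh-port.sh --apply 4444
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    ensure_ssh_port "$2"
fi
```

Run it with `--apply 4444` as root after editing /etc/ssh/sshd_config and before `systemctl restart sshd.service`. If sshd still fails to start with SELinux enforcing, the denial is recorded in /var/log/audit/audit.log and can be pulled out with `ausearch -m avc -ts recent`, which is the log that would have confirmed (or ruled out) SELinux as the cause in the OP's case.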