LinuxQuestions.org
Old 05-19-2016, 02:49 PM   #1
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

SSHD Alternative Port + selinux


A very brief report.
Hope it's helpful for others.

Last night I replaced our company's old linux router with a new one running CentOS 7.
Today, I decided to change the standard listening port 22 to 4444.

Code:
#Port 22
changed to
Code:
Port 4444
systemctl stop sshd.service
and then
systemctl start sshd.service

Users started calling saying "No internet! No internet!"

systemctl status sshd.service showed that ssh daemon failed and exited with a status code I didn't understand.
So the first hope was a simple cure by simple reboot; but, no go. Still no internet.

I tethered my notebook to my android for internet access and found info about a command "semanage" to tell selinux that the sshd service is now listening on a different port and that's okay. I tried the command and it's not found on my freshly updated centos 7 router.

So then I wanted to review the basic selinux settings and found the following in /etc/sysconfig/selinux:
Code:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
OK, supposedly permissive mode only casts out warnings but doesn't enforce/inhibit any daemons or services, right?
But sshd.service continued to fail and exit upon start and there was no internet access.
So, nothing to lose by trying:
Code:
SELINUX=disabled
Reboot.
All good.
Alternative sshd port setting allows connections on that destination port.
All users on the LAN regained access to the internet.

I haven't worked with selinux enough to understand how to deploy it carefully while still allowing multiple services. Simply reporting the only way I found to use an alternate sshd port was to disable selinux.

Cheers.
 
Old 05-19-2016, 03:04 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

None of this proves selinux had anything to do with it. Looking at the logs before rebooting, starting with the secure/auth log, would have been much more informative, instead of assuming the problem and the (probably coincidental) fix.
 
Old 05-19-2016, 03:46 PM   #3
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Original Poster
Mr. Zero - you could be very right about that.
I've posted some /var/log/secure content from the time the internet was down after changing the sshd listening port:

Code:
May 19 13:06:30 localhost sshd[925]: Received signal 15; terminating.
May 19 13:06:30 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4477:5241808 (system bus name :1.74, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: fatal: Cannot bind any address.
May 19 13:06:33 localhost polkitd[672]: Registered Authentication Agent for unix-process:4486:5242126 (system bus name :1.75 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:06:33 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4486:5242126 (system bus name :1.75, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:33 localhost sshd[4491]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:33 localhost sshd[4491]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:33 localhost sshd[4491]: fatal: Cannot bind any address.
May 19 13:06:34 localhost polkitd[672]: Registered Authentication Agent for unix-process:4493:5242237 (system bus name :1.76 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:06:34 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4493:5242237 (system bus name :1.76, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:06:34 localhost sshd[4498]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:34 localhost sshd[4498]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:34 localhost sshd[4498]: fatal: Cannot bind any address.
May 19 13:06:55 localhost sshd[4434]: pam_unix(sshd:session): session closed for user root
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:07:16 localhost sshd[4503]: fatal: Cannot bind any address.
May 19 13:07:58 localhost sshd[4505]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:07:58 localhost sshd[4505]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:07:58 localhost sshd[4505]: fatal: Cannot bind any address.
May 19 13:08:40 localhost sshd[4507]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:08:40 localhost sshd[4507]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:08:40 localhost sshd[4507]: fatal: Cannot bind any address.
May 19 13:09:23 localhost sshd[4509]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:09:23 localhost sshd[4509]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:09:23 localhost sshd[4509]: fatal: Cannot bind any address.
May 19 13:10:05 localhost sshd[4511]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:10:05 localhost sshd[4511]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:10:05 localhost sshd[4511]: fatal: Cannot bind any address.
May 19 13:10:47 localhost sshd[4532]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:10:47 localhost sshd[4532]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:10:47 localhost sshd[4532]: fatal: Cannot bind any address.
May 19 13:11:29 localhost sshd[4534]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:11:29 localhost sshd[4534]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:11:29 localhost sshd[4534]: fatal: Cannot bind any address.
May 19 13:12:11 localhost sshd[4536]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:29:18 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4730:5378621 (system bus name :1.86, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:21 localhost polkitd[672]: Registered Authentication Agent for unix-process:4801:5378960 (system bus name :1.87 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:21 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4801:5378960 (system bus name :1.87, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:34 localhost polkitd[672]: Registered Authentication Agent for unix-process:4823:5380214 (system bus name :1.88 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:34 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4823:5380214 (system bus name :1.88, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:47 localhost polkitd[672]: Registered Authentication Agent for unix-process:4839:5381527 (system bus name :1.89 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 13:29:47 localhost polkitd[672]: Unregistered Authentication Agent for unix-process:4839:5381527 (system bus name :1.89, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 13:29:53 localhost login: pam_unix(login:session): session closed for user root
May 19 13:30:29 localhost sshd[4860]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:30:29 localhost sshd[4860]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:30:29 localhost sshd[4860]: fatal: Cannot bind any address.
May 19 13:31:11 localhost sshd[4862]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:31:11 localhost sshd[4862]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:31:11 localhost sshd[4862]: fatal: Cannot bind any address.
May 19 13:31:53 localhost sshd[4864]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:31:53 localhost sshd[4864]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:31:53 localhost sshd[4864]: fatal: Cannot bind any address.
And then after disabling selinux and rebooting:
Code:
May 19 14:10:56 localhost polkitd[673]: Registered Authentication Agent for unix-process:2329:196896 (system bus name :1.17 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
May 19 14:10:56 localhost polkitd[673]: Unregistered Authentication Agent for unix-process:2329:196896 (system bus name :1.17, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
May 19 14:11:59 localhost polkitd[667]: Loading rules from directory /etc/polkit-1/rules.d
May 19 14:11:59 localhost polkitd[667]: Loading rules from directory /usr/share/polkit-1/rules.d
May 19 14:11:59 localhost polkitd[667]: Finished loading, compiling and executing 2 rules
May 19 14:11:59 localhost polkitd[667]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
May 19 14:12:07 localhost sshd[920]: Server listening on 0.0.0.0 port 4444.
May 19 14:12:07 localhost sshd[920]: Server listening on :: port 4444.
May 19 14:12:46 localhost login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 14:12:46 localhost login: ROOT LOGIN ON tty1
If you have a min, can you provide some guidance on what to follow up on regarding rules in /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d?
Thank you for reading this.
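The log AlucardZero asked for is the one that settles the question. As an added example that is not part of the thread, the POSIX shell snippet below runs over a handful of the lines Sum1 posted (copied into a temporary file as constructed test input) and pulls out the sshd bind failures with their port and reason. The point it makes: a root daemon getting "Permission denied" on bind() is a policy denial (SELinux or similar), while a port that is actually taken reports "Address already in use", so the two cases are told apart from the log alone. Two further checks belong next to it: `getenforce` reports the mode SELinux is actually running in, which only follows an edit of /etc/selinux/config (the target of the /etc/sysconfig/selinux symlink) after a reboot or `setenforce`, and `ausearch -m avc -c sshd` lists the AVC records for the denial. Function names are my own.

```shell
#!/bin/sh
# Added example: triage sshd bind failures in an auth log (/var/log/secure on
# CentOS 7). The sample below is constructed from lines posted in the thread.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 13:06:30 localhost sshd[4484]: fatal: Cannot bind any address.
May 19 13:06:55 localhost sshd[4434]: pam_unix(sshd:session): session closed for user root
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on 0.0.0.0 failed: Permission denied.
May 19 13:07:16 localhost sshd[4503]: error: Bind to port 4444 on :: failed: Permission denied.
May 19 14:12:07 localhost sshd[920]: Server listening on 0.0.0.0 port 4444.
EOF

# Print one "port<TAB>reason<TAB>count" line per distinct sshd bind failure
# found in the log file given as $1.
sshd_bind_failures() {
    awk '/ sshd\[[0-9]+\]: error: Bind to port / {
        port = $0; sub(/.*Bind to port /, "", port); sub(/ .*/, "", port)
        reason = $0; sub(/.*failed: /, "", reason); sub(/\.$/, "", reason)
        n[port "\t" reason]++
    }
    END { for (k in n) print k "\t" n[k] }' "$1"
}

# Count "Server listening" records for port $2 in log $1, i.e. successful binds.
sshd_listening_on() {
    grep -c "sshd\[[0-9]*\]: Server listening on .* port $2\." "$1"
}

# Map the bind() error text to the thing to check next. sshd binds as root,
# so EACCES here is a policy decision, not a privilege or ownership problem.
classify_bind_failure() {
    case "$1" in
        "Permission denied")      echo "policy-denied: check getenforce, semanage port -l, ausearch -m avc -c sshd" ;;
        "Address already in use") echo "port-conflict: check ss -ltnp for the other listener" ;;
        *)                        echo "other: $1" ;;
    esac
}

# Stand-alone run: report what the sample log shows.
sshd_bind_failures "$SAMPLE_LOG" | while IFS="$(printf '\t')" read -r port reason count; do
    echo "port $port: $count bind failures ($reason) -> $(classify_bind_failure "$reason")"
done
echo "successful listens on 4444: $(sshd_listening_on "$SAMPLE_LOG" 4444)"
rm -f "$SAMPLE_LOG"
```

On a live router the same functions run over /var/log/secure directly (`sshd_bind_failures /var/log/secure`), and a non-zero count from `sshd_listening_on` after the restart is the confirmation that the port change took effect.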
 
Old 05-19-2016, 11:16 PM   #4
Doug G
Member
 
Registered: Jul 2013
Posts: 749

To tell selinux (centos7, fedora) about the alternate port, I use a command like
Quote:
semanage port -a -t ssh_port_t -p tcp 4444
 
Old 05-20-2016, 06:32 AM   #5
Sum1
Member
 
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332

Original Poster
Hi Doug, I tried that command and shell reported -

Code:
-bash: semanage: command not found
I've since googled and found how to get semanage on centos7.
If I decide to implement selinux, I'll give it another try.

Thanks for your help.

Last edited by Sum1; 05-20-2016 at 06:44 AM.
 