1 (edited by kysil 2015-03-08 13:13:53)

Topic: Firewalld and SSH changed port

Hello,
after changing the SSH port from 22 to 25250 in the file /etc/ssh/sshd_config ("sudo vi /etc/ssh/sshd_config") and rebooting,

I can't access via SSH Terminal to my server.
How to fix it?

Thanks!

==== Information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend: MariaDB 10:
- Linux/BSD distribution name and version: CentOS 7
- Related log if you're reporting an issue:
====================

Login failed.
connect to host 199.51.21.24 port 25250: Connection refused

Please note: I had changed the port before installing iRedMail.

< INFO > Disable SELinux in /etc/selinux/config.
< Question > Would you like to use firewall rules provided by iRedMail?
< Question > File: /etc/firewalld/zones/iredmail.xml, with SSHD port: 25250. [Y|n]y
< INFO > Copy firewall sample rules: /etc/firewalld/zones/iredmail.xml.
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
< Question > Restart firewall now (with SSHD port 25250)? [y|N]y
< INFO > Restarting firewall ...
< Question > Would you like to use MySQL configuration file shipped within iRedMail now?
< Question > File: /etc/my.cnf. [Y|n]y

If I run "sudo systemctl stop firewalld" via the Access page on the hosting terminal, I can log in via my SSH terminal (Coda 2).


2

Re: Firewalld and SSH changed port

Post the file /etc/firewalld/zones/iredmail.xml and any others in that folder

3

Re: Firewalld and SSH changed port

iredmail.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
    <short>Mail services</short>
    <description>Allow access to mail services from external network.</description>
    <service name="http"/>
    <service name="https"/>
    <service name="smtp"/>
    <service name="submission"/>
    <service name="pop3"/>
    <service name="pop3s"/>
    <service name="imap"/>
    <service name="imaps"/>
    <service name="ssh"/>
</zone>

*************************************
public.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

4

Re: Firewalld and SSH changed port

/etc/firewalld/

firewalld.conf:

# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=iredmail

# Minimal mark
# Marks up to this minimum are free for use for example in the direct
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes

*************************************
lockdown-whitelist.xml:

<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python /usr/bin/firewall-config"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>

5

Re: Firewalld and SSH changed port

It is configured to allow the default SSH port, not 25250. Once you change it to open 25250 instead of 22 it should be alright.

6

Re: Firewalld and SSH changed port

Please, where do I change it to the new port?

7

Re: Firewalld and SSH changed port

https://www.centos.org/forums/viewtopic … mp;t=47333
Seems like a good article, I don't run CentOS so am not entirely sure myself

8

Re: Firewalld and SSH changed port

Thank You, 7t3chguy!

I changed my SSH port on:

/usr/lib/firewalld/services/ssh.xml
/etc/firewalld/services/ssh.xml

and, as I said before, changes are made to the file
/etc/ssh/sshd_config

systemctl restart firewalld
or/and
systemctl enable firewalld

Everything works fine!
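Post 5 states the root cause (the zone's `<service name="ssh"/>` resolves to port 22, not 25250) and post 8 the fix (an overriding /etc/firewalld/services/ssh.xml carrying the new port). The script below is an added example, not code from iRedMail or firewalld: it resolves a zone definition to the concrete ports it opens the way firewalld does (service names looked up in the service definitions, `<port/>` elements taken literally), compares that with the Port lines in sshd_config, and generates either of the two fixes (a service override, or an explicit `<port/>` in the zone). All file contents are constructed inline; the stock ssh.xml is an assumed copy of the shape firewalld ships, and only its `<port>` element matters here.

```python
"""Check whether a firewalld zone opens the port sshd actually listens on.

Added example, not part of iRedMail or firewalld. Mirrors firewalld's zone
resolution: each <service name="X"/> is looked up in the service definitions
(/etc/firewalld/services/X.xml overrides /usr/lib/firewalld/services/X.xml),
each <port .../> in the zone is taken as-is.
"""
import re
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed approximation of the stock firewalld ssh service definition.
STOCK_SSH_SERVICE = XML_DECL + """<service>
  <short>SSH</short>
  <description>Secure Shell.</description>
  <port protocol="tcp" port="22"/>
</service>
"""

# Constructed service definitions, keyed by name as firewalld would find them.
SERVICE_DEFS = {
    "ssh": STOCK_SSH_SERVICE,
    "smtp": '<service><short>SMTP</short><port protocol="tcp" port="25"/></service>',
}

# Zone in the shape of the thread's iredmail.xml: services only, no <port/>.
IREDMAIL_ZONE = XML_DECL + """<zone>
  <short>Mail services</short>
  <service name="smtp"/>
  <service name="ssh"/>
</zone>
"""

# Constructed sshd_config fragment; the commented-out default must be ignored.
SSHD_CONFIG = """#Port 22
Port 25250
ListenAddress 0.0.0.0
"""

# sshd accepts "Port 25250" or "Port=25250", keyword case-insensitive.
_PORT_RE = re.compile(r"^\s*port(?:\s+|\s*=\s*)(\d+)\b", re.IGNORECASE)


def sshd_listen_ports(sshd_config_text):
    """TCP ports sshd listens on; {22} when no Port directive is present."""
    ports = set()
    for line in sshd_config_text.splitlines():
        m = _PORT_RE.match(line.split("#", 1)[0])  # drop comments first
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def _port_in_spec(spec, port):
    """True if port lies in a firewalld port spec such as "22" or "1024-65535"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def service_ports(service_xml_text):
    """(port-spec, protocol) pairs opened by one service definition."""
    root = ET.fromstring(service_xml_text)
    return {(p.get("port"), p.get("protocol")) for p in root.findall("port")}


def zone_open_ports(zone_xml_text, service_defs):
    """Resolve a zone to the (port-spec, protocol) pairs it accepts.

    An unknown service name raises, like firewalld's INVALID_SERVICE on reload.
    """
    root = ET.fromstring(zone_xml_text)
    opened = set()
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in service_defs:
            raise KeyError("zone references undefined service %r" % name)
        opened |= service_ports(service_defs[name])
    for p in root.findall("port"):
        opened.add((p.get("port"), p.get("protocol")))
    return opened


def unreachable_ssh_ports(sshd_config_text, zone_xml_text, service_defs):
    """sshd ports the zone does not open for TCP; empty set means reachable."""
    opened = zone_open_ports(zone_xml_text, service_defs)
    return {p for p in sshd_listen_ports(sshd_config_text)
            if not any(proto == "tcp" and _port_in_spec(spec, p)
                       for spec, proto in opened)}


def ssh_service_override(port):
    """Fix 1 (the thread's): ssh.xml for /etc/firewalld/services with the new port."""
    root = ET.fromstring(STOCK_SSH_SERVICE)
    for p in root.findall("port"):
        p.set("port", str(port))
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def zone_with_port(zone_xml_text, port, proto="tcp"):
    """Fix 2: keep the stock ssh service and add an explicit <port/> to the zone."""
    root = ET.fromstring(zone_xml_text)
    ET.SubElement(root, "port", protocol=proto, port=str(port))
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    print("blocked sshd ports, stock zone:",
          unreachable_ssh_ports(SSHD_CONFIG, IREDMAIL_ZONE, SERVICE_DEFS))
    fixed = dict(SERVICE_DEFS, ssh=ssh_service_override(25250))
    print("blocked sshd ports, ssh.xml override:",
          unreachable_ssh_ports(SSHD_CONFIG, IREDMAIL_ZONE, fixed))
    print(zone_with_port(IREDMAIL_ZONE, 25250))
```

On a real host the inputs are /etc/ssh/sshd_config, the zone file named by DefaultZone in firewalld.conf, and the service XML files under /etc/firewalld/services and /usr/lib/firewalld/services. After writing either fix, `firewall-cmd --reload` applies it and `firewall-cmd --zone=iredmail --list-all` shows the resolved services and ports, which is the check worth running before closing the console session you are still logged in from.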

9

Re: Firewalld and SSH changed port

Glad you got it working, will be closing this topic now

10

Re: Firewalld and SSH changed port

Turns out it's a bug in iRedMail: it doesn't correctly replace the default port number with the currently used one.
Fixed a moment ago:
https://bitbucket.org/zhb/iredmail/comm … 60d3ec44b2