vow*_*ght 8 ssh redhat iptables amazon-ec2 amazon-web-services
If I change the SSH port from 22 to 23453, I can no longer log in via ssh.
In more detail, I'm using a Red Hat EC2 instance on Amazon Web Services. This is the second change to my fresh install (the first change was adding a non-root user).
I can ssh in fine using Git Bash and a local .ssh/config file. I edit the line in /etc/ssh/sshd_config that currently reads
#Port 23453
to say
Port 23453
then restart sshd
sudo service sshd restart
Then I add a line "Port 23453" to my .ssh/config file
Host foo
Hostname my-ec2-public-DNS
Port 23453
IdentityFile my ssl key
If I open another Git Bash shell (without closing the existing connection) and try to ssh into my instance (using ssh foo), I see the following error:
ssh: connect to host my-ec2-public-DNS port 23453: Bad file number
The security group attached to this instance has two entries, both TCP
22 (SSH) 0.0.0.0/0
23453 0.0.0.0/0
My best guess is that the port is still being blocked by my firewall.
The output of sudo iptables -L is as follows
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
That looks pretty open to me.
Update
After adding the iptables rule
iptables -A INPUT -p tcp --dport 23453 -j ACCEPT
and trying again, still no luck.
Output of iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:23453
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Looks open enough. I'm not entirely sure how to look for incoming packets or activity on the port. But the output of netstat -ntlp (as root) is
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:56137 0.0.0.0:* LISTEN 948/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 930/rpcbind
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1012/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1224/master
tcp 0 0 0.0.0.0:23453 0.0.0.0:* LISTEN 32638/sshd
tcp 0 0 :::36139 :::* LISTEN 948/rpc.statd
tcp 0 0 :::111 :::* LISTEN 930/rpcbind
tcp 0 0 ::1:631 :::* LISTEN 1012/cupsd
tcp 0 0 :::23453 :::* LISTEN 32638/sshd
That looks to me like sshd showing on 23453.
I checked again that the instance has the port open in the security group (port: 23453, protocol: tcp, source: 0.0.0.0/0)
What else could be causing the inability to SSH in?
Cheers
Post-mortem
I can connect now. It was the missing rule in iptables. The output of iptables -L now looks like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:23453 state NEW
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
mel*_*yed 12
Your instance's firewall doesn't have this port open. Try the following command:
iptables -I INPUT 3 -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 23453 -m state --state New -j ACCEPT
Note that the iptables rules need to be saved to persist across reboots. On RHEL:
/sbin/service iptables save
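Both the failed -A attempt in the question and the working -I INPUT 3 come down to first-match order: a rule appended after the terminating REJECT is never reached, while one inserted above it is. The following Python simulation of that evaluation is an added example, not code from the thread; it assumes the chain in `iptables -S` form, with the `-i lo` on the third rule supplied as an assumption because the `-L` output in the question hides interface matches.

```python
# Constructed: the question's chain after `-A INPUT ... --dport 23453 -j ACCEPT`;
# the `-i lo` on rule 3 is an assumption (`iptables -L` does not show it).
CHAIN_APPENDED = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 23453 -j ACCEPT
"""
FIX_RULE = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 23453 -j ACCEPT"  # the answer's rule
NEW_SSH = {"proto": "tcp", "dport": 23453, "state": "NEW", "iface": "eth0"}  # constructed packet

def parse_rule(line):
    """Collect the match options and target from one `-A INPUT ...` line."""
    rule, toks, i = {}, line.split(), 0
    while i < len(toks):
        if toks[i] in ("-p", "-i", "--dport", "--state", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # -A INPUT, -m state, -m tcp, --reject-with X carry no match criteria
    return rule

def matches(rule, pkt):
    """Every option present in the rule must match the packet (AND semantics)."""
    return (rule.get("-p", pkt["proto"]) == pkt["proto"] and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in rule.get("--state", pkt["state"]).split(","))

def verdict(chain_text, pkt):
    """Walk the chain top-down: (target, 1-based rule number) of the first match, else (policy, None)."""
    lines = chain_text.splitlines()
    policy = next(l.split()[2] for l in lines if l.startswith("-P "))
    rules = [parse_rule(l) for l in lines if l.startswith("-A ")]
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None

def insert_at(chain_text, position, rule_line):
    """Emulate `iptables -I INPUT <position> ...`: the new rule takes that slot, later rules shift down."""
    lines = chain_text.splitlines()
    rules = [l for l in lines if l.startswith("-A ")]
    rules.insert(position - 1, rule_line)
    return "\n".join([l for l in lines if l.startswith("-P ")] + rules) + "\n"

if __name__ == "__main__":
    print(verdict(CHAIN_APPENDED, NEW_SSH))                          # ('REJECT', 5): appended rule is shadowed
    print(verdict(insert_at(CHAIN_APPENDED, 3, FIX_RULE), NEW_SSH))  # ('ACCEPT', 3)
```

A real chain is best inspected with `iptables -S INPUT` or `iptables -L INPUT -v --line-numbers`, which show the interface matches and rule positions that plain `-L` hides.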