I am new to cloud computing and plan to use an always-free compute service from Oracle Cloud to obtain a public IP address to run a website. As a basic security measure, I require my machines not to listen for SSH on the default port 22, as this is too easy to sniff for, but to swap it to a new port that I will keep secret and will refer to as NEWSSHPORT. This is especially important when using a public IP address.
My problem is that after I ssh into the machine, I verify the firewall is down (by default) and so allows all traffic in, and that my preferred port NEWSSHPORT is not in use by any other service. I swap the listening port to the new port, reboot the ssh service, and verify I have an ingress rule allowing this traffic in on the Oracle Cloud website for my subnet.
I try to ssh using the new port and it times out just like any other port. The default port 22 instead gives a connection refused.
This question is similar to but not the same as:
changing ssh port caused refuse to connect
What am I missing?
Create compute instance:
Default Placement
Image: Canonical Ubuntu 18.04
Shape: VM.Standard.A1.Flex 4 Core OCPU, 24 GB memory
Default Networking
Save the private ssh key
Default Boot volume
Create the instance
Wait for it to be provisioned
Copy its public IP address: 1.2.3.4
SSH to default port 22
ssh -i C:\path\to\saved\key\ssh-key-2021-12-14.key -p 22 [email protected]
New ECDSA fingerprint. Save it? Yes
SSH was successful.
On the machine:
Check firewall
$ sudo ufw status
inactive (This means all traffic is allowed through)
Check which ports are in use already:
UDP *:111
UDP *:932
TCP *:111 (LISTEN)
UDP *:111
UDP *:932
TCP *:111 (LISTEN)
UDP :68
UDP :53
UDP :53
UDP :53 (LISTEN)
TCP :22 (LISTEN)
TCP :22 (LISTEN)
:22 -> mypc:myport (my ssh connection)
My preferred port to listen on for SSH is open/not in use by another program.
Change the SSH listening port and set it to my preferred port integer. I'm going to keep this integer private for security reasons, but I will represent this number with the string NEWSSHPORT:
$ sudo vi /etc/ssh/sshd_config
Port NEWSSHPORT
restart the ssh service
$ sudo systemctl restart sshd
check that ssh is now listening on this new NEWSSHPORT:
$ sudo lsof -i -P -n
now these are present:
sshd root IPv4 TCP *:NEWSSHPORT (LISTEN)
sshd root IPv6 TCP *:NEWSSHPORT (LISTEN)
double check the firewall is still not online:
$ sudo ufw status
Status: inactive
So it's confirmed the firewall is not on, so everything is allowed through.
It's confirmed that ssh is now listening on the new port NEWSSHPORT on both IPv4 and IPv6 for TCP traffic.
exit the machine:
$ exit
Check your Oracle cloud subnet allows traffic in on your new port:
Go to the compute instance > Instance information tab > Primary VNIC > click on the subnet link to view its subnet.
Security List > Default Security List. click on it.
Verify NEWSSHPORT has an ingress rule for IP 0.0.0.0/0, which is CIDR notation for all possible IP addresses. My current ingress rule:
Stateless: No, Source: 0.0.0.0/0 TCP Source Port range: All, Destination Port range: NEWSSHPORT, Type and Code: I left empty.
Okay so traffic on your new port should be allowed in.
The moment of truth:
ssh -i C:\path\to\saved\key\ssh-key-2021-12-14.key -p NEWSSHPORT [email protected]
ssh: connect to host 1.2.3.4 port NEWSSHPORT: Connection timed out
but when I try the original port 22:
ssh -i C:\path\to\saved\key\ssh-key-2021-12-14.key -p 22 [email protected]
ssh: connect to host 152.70.195.101 port 22: Connection refused
and if I try some random port that nothing is listening on and I have no Oracle subnet rule to allow:
ssh -i C:\path\to\saved\key\ssh-key-2021-12-14.key -p 3456 [email protected]
ssh: connect to host 1.2.3.4 port 3456: Connection timed out
Conclusion: It looks like the original traffic to port 22 is certainly getting through but is being denied by the machine. That's the correct response, but when trying any other port, it seems like the traffic is being blocked or dropped somewhere along the way to my machine.
What am I doing wrong?
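An added example, not part of the question above: `ufw status` reporting `inactive` only says that ufw itself has loaded no rules; it says nothing about rules loaded into netfilter by some other tool, and a host-level REJECT or DROP on the new port would produce exactly the "port 22 refused, every other port times out" pattern described. The shell script below audits the INPUT chain as printed by `iptables -S INPUT`: it walks the rules in order, skips the ones that cannot apply to a fresh inbound TCP SYN on the public interface (conntrack ESTABLISHED shortcuts, `-i lo`, non-TCP protocols), and reports the first rule that decides the fate of a connection to a given port, falling back to the chain policy. The function names `verdict_for_port` and `live_verdict` are mine, and `EXAMPLE_RULES` is a constructed ruleset for offline demonstration, not output captured from any real instance.

```shell
#!/bin/sh
# Added example (not from the original post). Decide which iptables INPUT rule
# would handle a NEW inbound TCP connection to a given port.
#
# verdict_for_port RULES_TEXT PORT
#   RULES_TEXT is the output of `iptables -S INPUT`.
#   Prints "VERDICT<TAB>matching rule", or "<POLICY><TAB>policy" if no rule
#   matched, or "UNKNOWN<TAB>rule" for a rule shape this script does not model.
verdict_for_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    # index of a flag token in the current rule, or 0 if absent
    function has(flag,    i) { for (i = 1; i <= NF; i++) if ($i == flag) return i; return 0 }
    # jump target of the current rule (-j TARGET)
    function target(    i) { i = has("-j"); return i ? $(i+1) : "?" }

    $1 == "-P" && $2 == "INPUT" { policy = $3; next }   # chain default policy
    $1 != "-A" || $2 != "INPUT" { next }                 # other chains are out of scope
    {
      # conntrack shortcuts never match a fresh SYN
      s = has("--state"); if (!s) s = has("--ctstate")
      if (s && index($(s+1), "ESTABLISHED")) next
      # loopback-only rules never match traffic arriving on the public NIC
      i = has("-i"); if (i && $(i+1) == "lo") next
      # rules for other protocols (icmp, udp) do not apply to TCP
      p = has("-p"); if (p && $(p+1) != "tcp") next

      d = has("--dport")
      if (d) {                                   # port-specific TCP rule
        if ($(d+1) == port) { print target() "\t" $0; decided = 1; exit }
        next
      }
      if (!p && !i && !has("-s") && !has("-d")) { # no qualifiers: catch-all rule
        print target() "\t" $0; decided = 1; exit
      }
      print "UNKNOWN\t" $0; decided = 1; exit     # a shape we do not model; say so
    }
    END { if (!decided) print (policy == "" ? "ACCEPT" : policy) "\tpolicy" }
  '
}

# On a live host: read the real ruleset (needs root). Falls back loudly if
# iptables is absent, so that an empty ruleset is never mistaken for "allow all".
live_verdict() {
  if ! command -v iptables >/dev/null 2>&1; then
    printf 'UNKNOWN\tiptables not found; inspect nft list ruleset instead\n'
    return 1
  fi
  verdict_for_port "$(iptables -S INPUT)" "$1"
}

# Constructed sample ruleset (hypothetical, for demonstration only): chain policy
# ACCEPT, but an explicit allow for port 22 followed by a catch-all REJECT.
EXAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Usage: compare the old port with a candidate new port against the sample.
verdict_for_port "$EXAMPLE_RULES" 22
verdict_for_port "$EXAMPLE_RULES" 2222
```

Run it on the instance as `live_verdict NEWSSHPORT` (as root) after changing `sshd_config`; if the answer is a REJECT or DROP rule rather than the policy, that rule is what the cloud security list cannot override, and the fix is to insert an ACCEPT for the new port before it and persist the change with whatever the image uses to reload rules at boot.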