Re: [CentOS] Moving sshd listen port
On Wed, Jul 09, 2014 at 10:35:12AM -0400, Mike McCarthy, W1NR wrote:
> I am having a problem getting sshd to run after changing its default port. I edit sshd_config and set the desired port, open it with firewall-cmd and then issue a systemctl start sshd. No error gets reported on the console but the following is logged in /var/messages
>
> sshd.service: main process exited, code=exited, status=255/n/a
>
> Not a very helpful error message. Sounds like I should report a bug?

If you have SELinux enabled, it will block sshd from listening on a port other than what is described in the policy. You can add the additional port by running:

    semanage port -a -t ssh_port_t -p tcp $PORTNUM

(replace $PORTNUM with the new port number you chose)

--
Jonathan Billings
billi...@negate.org

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Moving sshd listen port
This was a minimal install for a virtual server and semanage is not available so the command doesn't work... What package is semanage in?

Mike

On 07/09/2014 10:45 AM, Jonathan Billings wrote:
> If you have SELinux enabled, it will block sshd from listening on a port other than what is described in the policy. You can add the additional port by running:
>
>     semanage port -a -t ssh_port_t -p tcp $PORTNUM
>
> (replace $PORTNUM with the new port number you chose)
Re: [CentOS] Moving sshd listen port
SELinux is not running. Any other ideas?

Mike

On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
> This was a minimal install for a virtual server and semanage is not available so the command doesn't work... What package is semanage in?
Re: [CentOS] Moving sshd listen port
On Jul 09, 2014, at 08:54 AM, Mike McCarthy, W1NR sy...@w1nr.net wrote:
> SELinux is not running. Any other ideas?
>
> Mike

I did a google search on how to install semanage and found this:
http://www.cyberciti.biz/faq/redhat-install-semanage-selinux-command-rpm/

-wes
Re: [CentOS] Moving sshd listen port
On 07/09/2014 10:54 AM, Mike McCarthy, W1NR wrote:
> SELinux is not running. Any other ideas?

Did you update your IPTable? I change my SSHD port all the time. One of the first things I do on setting up a server. I know this is just obfuscation, but it stops the robot noise. There are five steps:

edit /etc/ssh/sshd_config
edit IPtables
add ssh policy for new port
restart sshd
restart iptables
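Added example, not code from the thread or from the CentOS project: an offline pre-flight check that ties Jonathan's semanage command to the five-step procedure above. It reads the Port directive(s) from an sshd_config file and a saved `semanage port -l` listing, reports which configured ports sshd would still be denied under enforcing, and prints the semanage and firewall-cmd commands that label and open each one; the file paths and sample data are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the thread: offline pre-flight check for the
# "move sshd to a new port" procedure. Reads the Port directive(s) from an
# sshd_config file and the saved output of `semanage port -l`, then reports
# which ports SELinux would still refuse to let sshd bind (the status=255
# exit seen in the thread) and prints the commands that fix each one.
# Sample files are constructed below so it runs without sshd or SELinux.

# Effective listen ports from sshd_config: every uncommented "Port N" line,
# or 22 when none is set (sshd's default; a commented "#Port 22" does not count).
sshd_ports() {
    local ports
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Is tcp port $1 covered by ssh_port_t in the semanage listing in file $2?
# Listing lines look like "ssh_port_t  tcp  22" or "http_port_t  tcp  80, 81, 443";
# port ranges are written "1024-1100". Exit 0 when covered, 1 otherwise.
port_labelled_ssh() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v ~ /^[0-9]+-[0-9]+$/) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1
                } else if (v + 0 == p + 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Report every configured port; exit 0 only when all are already labelled.
check_sshd_ports() {
    local cfg="$1" listing="$2" port missing=0
    for port in $(sshd_ports "$cfg"); do
        if port_labelled_ssh "$port" "$listing"; then
            echo "port $port/tcp: labelled ssh_port_t, sshd may bind it"
        else
            echo "port $port/tcp: NOT labelled ssh_port_t; sshd exits 255 under enforcing"
            echo "  fix:  semanage port -a -t ssh_port_t -p tcp $port"
            echo "  then: firewall-cmd --permanent --add-port=$port/tcp && firewall-cmd --reload"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample input for a hypothetical host: Port moved to 2222 while
# the SELinux policy still only knows 22 for ssh_port_t.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#Port 22
Port 2222
ListenAddress 0.0.0.0
EOF
cat > "$tmp/semanage_port_l.txt" <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-32767
EOF

check_sshd_ports "$tmp/sshd_config" "$tmp/semanage_port_l.txt" \
    || echo "remediation needed before 'systemctl restart sshd'"
```

On a real host feed it /etc/ssh/sshd_config and the output of `semanage port -l`; if semanage answers that the port is already defined for another type, `semanage port -m` (modify) is the form to use instead of `-a`.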
Re: [CentOS] Moving sshd listen port
Not using IPTables. Using firewalld and yes, I opened the new port there as well.

Mike

On 07/09/2014 11:08 AM, Robert Moskowitz wrote:
> On 07/09/2014 10:54 AM, Mike McCarthy, W1NR wrote:
>> SELinux is not running. Any other ideas?
>
> Did you update your IPTable? I change my SSHD port all the time. One of the first things I do on setting up a server. I know this is just obfuscation, but it stops the robot noise. There are five steps:
>
> edit /etc/ssh/sshd_config
> edit IPtables
> add ssh policy for new port
> restart sshd
> restart iptables
Re: [CentOS] Moving sshd listen port
On Wed, Jul 09, 2014 at 10:54:29AM -0400, Mike McCarthy, W1NR wrote:
> SELinux is not running. Any other ideas?

Checking the firewall is useful, but it sounds like you can't get the service to start in the first place. It might be helpful if you gave us the full error output. Do you get more information by running:

    systemctl status -l sshd.service

... after running the systemctl start?

--
Jonathan Billings
billi...@negate.org
Re: [CentOS] Moving sshd listen port
Nothing more than what was in messages namely 'code=exited, status=255/n/a' which looks an awful lot like a printf of an uninitialized variable...

Mike

On 07/09/2014 11:21 AM, Jonathan Billings wrote:
> Checking the firewall is useful, but it sounds like you can't get the service to start in the first place. It might be helpful if you gave us the full error output. Do you get more information by running:
>
>     systemctl status -l sshd.service
>
> ... after running the systemctl start?
Re: [CentOS] Moving sshd listen port
On 09/07/14 15:35, Mike McCarthy, W1NR wrote:
> sshd.service: main process exited, code=exited, status=255/n/a

Hi Mike

Can you run sshd manually in debugging mode and paste the output please:

    $ /usr/sbin/sshd -d

It's worth looking at the output of strace that may help here:

    $ strace /usr/sbin/sshd -V
Re: [CentOS] Moving sshd listen port
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
> This was a minimal install for a virtual server and semanage is not available so the command doesn't work... What package is semanage in?

Had to dig back in my notes: policycoreutils-python
Re: [CentOS] Moving sshd listen port
/usr/sbin/sshd -d seems to work properly and accept connections at the new port. So does typing /usr/sbin/sshd, which daemonizes and runs manually. It now appears that it will not start as a service if I change the port, even after a reboot.

Mike

On 07/09/2014 11:32 AM, Vipul Agarwal wrote:
> Can you run sshd manually in debugging mode and paste the output please:
>
>     $ /usr/sbin/sshd -d
>
> It's worth looking at the output of strace that may help here:
>
>     $ strace /usr/sbin/sshd -V
Re: [CentOS] Moving sshd listen port
On 07/09/2014 09:54 AM, Mike McCarthy, W1NR wrote:
> SELinux is not running. Any other ideas?

Are you sure? (It's enabled by default.) What does 'getenforce' say?

--
Ian Pilcher
arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
Re: [CentOS] Moving sshd listen port
On 07/09/2014 09:50 AM, Mike McCarthy, W1NR wrote:
> This was a minimal install for a virtual server and semanage is not available so the command doesn't work... What package is semanage in?

    # yum provides '*/semanage'

It's in policycoreutils-python.

--
Ian Pilcher
arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
Re: [CentOS] Moving sshd listen port
Well, getenforce says enforcing but 'systemctl status selinux' says 'Active: inactive (dead)' ?

Mike

On 07/09/2014 11:45 AM, Ian Pilcher wrote:
> Are you sure? (It's enabled by default.) What does 'getenforce' say?
Re: [CentOS] Moving sshd listen port
On 09/07/14 16:45, Robert Moskowitz wrote:
> On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
>> This was a minimal install for a virtual server and semanage is not available so the command doesn't work... What package is semanage in?
>
> Had to dig back in my notes: policycoreutils-python

Yum will tell you:

    yum provides */semanage
Re: [CentOS] Moving sshd listen port
On Wed, Jul 09, 2014 at 11:57:21AM -0400, Mike McCarthy, W1NR wrote:
> Well, getenforce says enforcing but 'systemctl status selinux' says 'Active: inactive (dead)' ?

Sounds like you have SELinux enabled. It's not a service. If you look at the line right above the Active line you pasted, you'd see a line that said:

    Loaded: not-found (Reason: No such file or directory)

It'll say that about anything that doesn't actually exist:

    # systemctl status selinux
    selinux.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)

    # systemctl status asasdklfjhaskdfhj
    asasdklfjhaskdfhj.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)

I suggest installing the policycoreutils-python package and run the semanage command I mentioned earlier.

--
Jonathan Billings
billi...@negate.org
Re: [CentOS] Moving sshd listen port SOLVED
After installing the correct utilities and setting the port with semanage, it now works. Thanks to all for this one. Looks like I got some real work to do moving from 6 to 7 and understanding the massive management changes that were made.

Mike

On 07/09/2014 12:04 PM, Jonathan Billings wrote:
> I suggest installing the policycoreutils-python package and run the semanage command I mentioned earlier.
Re: [CentOS] Moving sshd listen port
On 07/09/2014 10:50 AM, Mike McCarthy, W1NR wrote:
> /usr/sbin/sshd -d seems to work properly and accept connections at the new port. So does typing /usr/sbin/sshd, which daemonizes and runs manually. It now appears that it will not start as a service if I change the port, even after a reboot.

What does 'journalctl -u sshd.service' say?

--
Ian Pilcher
arequip...@gmail.com
Sent from the cloud -- where it's already tomorrow
Re: [CentOS] Moving sshd listen port SOLVED
On 2014-07-09, Mike McCarthy, W1NR sy...@w1nr.net wrote:
> After installing the correct utilities and setting the port with semanage, it now works. Thanks to all for this one. Looks like I got some real work to do moving from 6 to 7 and understanding the massive management changes that were made.

If I understand the problem (and its solution) correctly, this is not a 6-to-7 migration issue. The same SELinux fix would be required in CentOS 6.

--
Liam
Re: [CentOS] Moving sshd listen port SOLVED
On 09.Jul.2014, at 18:44, Liam O'Toole liam.p.oto...@gmail.com wrote:
> On 2014-07-09, Mike McCarthy, W1NR sy...@w1nr.net wrote:
>> After installing the correct utilities and setting the port with semanage, it now works. Thanks to all for this one. Looks like I got some real work to do moving from 6 to 7 and understanding the massive management changes that were made.
>
> If I understand the problem (and its solution) correctly, this is not a 6-to-7 migration issue. The same SELinux fix would be required in CentOS 6.

That was my thought too. Although the error message presented to Mike is not very helpful and maybe worth a bugzilla.

--
Markus
Re: [CentOS] Moving sshd listen port SOLVED
My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.

Mike

On 07/09/2014 01:34 PM, Markus Falb wrote:
> That was my thought too. Although the error message presented to Mike is not very helpful and maybe worth a bugzilla.
Re: [CentOS] Moving sshd listen port SOLVED
Mike McCarthy, W1NR wrote:
> My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.
<snip>

Just remember, getenforce is the true answer.

mark, who really doesn't like selinux*

* One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.
Re: [CentOS] Moving sshd listen port SOLVED
On 07/09/2014 02:11 PM, Mike McCarthy, W1NR wrote:
> My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.

I just checked the notes I made when setting up my DNS Centos 6 server from scratch. The date that I built this server looks like Sept '11. One of the first steps after the install was to move sshd to my preferred port number and my notes include the semanage command. Looking back in the Fedora list archive, I am seeing help on this for F12 and that was Jan '10.
Re: [CentOS] Moving sshd listen port SOLVED
On 07/09/2014 02:36 PM, m.r...@5-cent.us wrote:
> Mike McCarthy, W1NR wrote:
>> My COS6 server never required me to do that even though SELinux is enabled there (I didn't even know it was until today). Before I even posted the first help I tried the semanage command and found that it was not installed so I assumed wrongly that SELinux was not enabled.
> <snip>
>
> Just remember, getenforce is the true answer.
>
> mark, who really doesn't like selinux*
>
> * One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.

Doesn't permissive mode mean don't enforce but tell me what you would not have liked? Perhaps another mode is needed? Quiet mode? And then maybe to temporarily change it to permissive when you make a change?
Re: [CentOS] Moving sshd listen port SOLVED
Robert Moskowitz wrote:
> On 07/09/2014 02:36 PM, m.r...@5-cent.us wrote:
>> mark, who really doesn't like selinux*
>>
>> * One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.
>
> Doesn't permissive mode mean don't enforce but tell me what you would not have liked?

No, what *it* didn't like. And it can get *very* noisy.

> Perhaps another mode is needed? Quiet mode? And then maybe to temporarily change it to permissive when you make a change?

I'd like a tell me once a day, PERIOD. I've had it overload its queue, it was spitting mad about something.

mark
Re: [CentOS] Moving sshd listen port SOLVED
On 07/09/2014 02:58 PM, Reindl Harald wrote:
> On 09.07.2014 20:45, Robert Moskowitz wrote:
>> On 07/09/2014 02:36 PM, m.r...@5-cent.us wrote:
>>> mark, who really doesn't like selinux*
>>>
>>> * One of my annual goals: fix selinux permissions to SHUT IT UP, even when most servers are in permissive mode.
>>
>> Doesn't permissive mode mean don't enforce but tell me what you would not have liked?
>
> nothing else did he say
>
> if you don't want to be told the same all along in permissive mode, just fix it
>
>> Perhaps another mode is needed? Quiet mode? And then maybe to temporarily change it to permissive when you make a change?
>
> that mode is called disabled and exists

Dah. You're right. The only difference between disabled and permissive is all the noise you get. But actually permissive can be a way to get info you need to create policies so you CAN run in enforcing. I have some simple instructions here somewhere that I have used to create a few policies

> there are 3 modes:
>
> * enforced (block and cry)
> * permissive (allow and cry)
> * disable (allow and shut up)
>
> what else do you need?