What do you get if you try connecting to SSH?
Problem after changing the port for SSH
Hi,
I wanted to protect SSH by changing the port, but Forge-Laravel works through port 22 only.
For this, I've reset the port to 22.
But suddenly Forge-Laravel doesn't work after that.
Ex: http://cl.ly/image/403V1U2b3x1L
What is the solution?
Thank you,
I can access my server by SSH from my PC, and it works well.
But everything is stuck in Forge-Laravel,
Then it's past my knowledge, I don't know how Forge works, only SSH :)
Reason: PermitRootLogin no
Solution: PermitRootLogin yes
Allowing root access is undesirable. Is there a solution that keeps "PermitRootLogin no"?
Forge uses root login?
I think it used root to contact the server to execute tasks.
You can try setting PermitRootLogin to no, then see what happens.
Yeah I don't use Forge, can do it all myself for free :P
Can you put a lesson about it, this will help a lot of people.
Hey guys,
I need to change the SSH port too. What would be the correct way of doing it, and what should I pay attention to? I am using DigitalOcean with Forge.
Hi, maybe by creating a new user with admin permissions and disabling PermitRootLogin you can have another user manage your server. You can use any SSH port number, but you need to restart your service after making all the changes.
Remember to add your SSH key to the authorized_keys for your new user.
Hope it helps you.
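Added example (not part of the thread, and not Forge or OpenSSH code): before restarting sshd after an edit like the one described above, it helps to check which `Port` and `PermitRootLogin` values actually take effect. In sshd_config every `Port` line adds a listener, while for `PermitRootLogin` the first value obtained wins, so appending new lines without removing the old ones changes less than expected. The sample config is constructed, and the function names are hypothetical.

```python
# Constructed sample: new settings appended without removing the old ones.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
# appended later
Port 22122
permitrootlogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

def effective_settings(config_text):
    """Return (ports, permit_root_login) for the global section of an sshd_config."""
    ports, permit_root = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()                 # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            break                                  # simplification: stop at the first Match block
        if keyword == "port" and value.isdigit():
            ports.append(int(value))               # every Port line adds a listener
        elif keyword == "permitrootlogin" and permit_root is None:
            permit_root = value.lower()            # first value obtained wins
    # OpenSSH defaults when a keyword is absent (prohibit-password since 7.0)
    return ports or [22], permit_root or "prohibit-password"

def review(config_text):
    """Return human-readable notes about the two settings this thread is about."""
    ports, permit_root = effective_settings(config_text)
    notes = []
    if 22 in ports and len(ports) > 1:
        others = ", ".join(str(p) for p in ports if p != 22)
        notes.append("sshd still listens on 22 as well as " + others)
    if permit_root == "yes":
        notes.append("root login is permitted (PermitRootLogin yes)")
    return notes

if __name__ == "__main__":
    print(effective_settings(SAMPLE_CONFIG))
    for note in review(SAMPLE_CONFIG):
        print("-", note)
```

On a live host, `sshd -T` prints the effective configuration, including `Include` files, which this sketch does not follow.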
Hi @codeatbusiness, thanks! Right now I don't need another user to manage it, I just need to change the port from 22 to another one to put it in the safe zone. I cannot do that from the forge user. I need to log in as root; any idea where the password is? The droplet has been set up by Forge and I can't seem to find the root password...
Hi @commandantp, I had the same issue with the root user in a DigitalOcean Droplet, and because I use my own SSH key, I cannot get the password for the root account. Then try using the following command:
```
ssh -i ~/.ssh/IdentityFile -o "IdentitiesOnly yes" yourUserName@yourserver.com
```
Alternatively, you can find here some options for configuring your SSH access.
http://askubuntu.com/questions/87956/can-you-set-passwords-in-ssh-config-to-allow-automatic-login
Here is a sample alias configuration that you can put in a ~/.ssh/config file:
```
Host hereYourAlias
    HostName yourweb.com
    Port 22
    User yourUser
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
```
Later you can use it as follows:
```
ssh hereYourAlias
```
Using IdentitiesOnly doesn't require any password for SSH login and it will use your IdentityFile as your RSA SSH generated key.
Hope it helps you.
This is really not a solution. I'm looking at Forge as a deployment environment, but the lack of ability to specify an oPort=xxxx is really not an option. I for one don't like having hundreds of bots spamming port 22 all day long on my servers attempting to break in. Therefore I have SSH via a custom port and I block 22.
If this is truly not something we can change, then we won't be using it, sadly.
Edit: Also, the best answer is permitrootlogin = yes? This is also not cool. The best solution is for Forge to allow a port setting. This really should not be that difficult to implement. I know that a lot of folks that use Forge are not overly Linux-savvy, and telling them to permit root login is not best practice.
@joleenshook Changing the port doesn't really fix that either. Install software to block repeated failed SSH logins with fail2ban. Have a post here for it https://bashy.im/blog/install-linux-software-to-make-your-server-easier-to-debug-and-monitor
I already use fail2ban. And yes, it's set to block repeated SSH logins. But by using a nonstandard port, they don't even get through my firewall. In three years, I've never seen fail2ban have to block an SSH break-in attempt on my servers. Fail2ban is a lifesaver though for many other malicious attacks and I would recommend it to anyone.
@joleenshook Depending on the amount of services you have front facing, it could be less on a higher port. Do you use Forge with the modified port?
It still doesn't seem that the Forge SSH login can be changed to use a different port than 22.
I am using Forge with AWS. After installing OSSEC, every hour there is a bot attempting to access my server on port 22 and I get OSSEC messages like this:
```
OSSEC HIDS Notification. 2017 Jun 29 09:14:36
Received From: My-Test-Server->/var/log/auth.log Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system." Portion of the log(s):
Jun 29 09:14:34 My-Test-Server sshd[7279]: error: maximum authentication attempts exceeded for root from 181.113.202.8 port 54819 ssh2 [preauth]
```
All these IPs are in this ban list: https://lists.blocklist.de/lists/ssh.txt
On my other server without forge where I changed ssh port to 22122 I do not get such attempts at all.
I raised a few complaints via Forge's "contact support", but no one even bothered to answer after two weeks. It looks like if we are using Forge, we are on our own.
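Added example (not part of the thread, and not OSSEC or fail2ban code): a small counter for the kind of sshd failure lines quoted in the OSSEC alert above, grouped by source address and by targeted user name. The log lines are constructed and use documentation addresses; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed auth.log sample in the format of the line quoted in the alert.
SAMPLE_LOG = """\
Jun 29 09:14:34 My-Test-Server sshd[7279]: error: maximum authentication attempts exceeded for root from 203.0.113.8 port 54819 ssh2 [preauth]
Jun 29 09:14:40 My-Test-Server sshd[7281]: Failed password for root from 203.0.113.8 port 54822 ssh2
Jun 29 09:14:45 My-Test-Server sshd[7283]: Failed password for invalid user admin from 203.0.113.8 port 54830 ssh2
Jun 29 09:15:02 My-Test-Server sshd[7290]: Accepted publickey for forge from 198.51.100.20 port 40112 ssh2: RSA SHA256:EXAMPLE
Jun 29 09:16:10 My-Test-Server sshd[7301]: Failed password for root from 198.51.100.77 port 33100 ssh2
Jun 29 09:17:10 My-Test-Server CRON[7310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Anchored at the end of the line so the address taken is the one sshd
# recorded, never text that happens to appear inside the user name field.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:error: maximum authentication attempts exceeded|Failed password)"
    r" for (?:invalid user )?(?P<user>.*) from (?P<ip>[0-9a-fA-F.:]+)"
    r" port \d+ ssh2(?: \[preauth\])?$"
)

def failed_logins(log_text):
    """Count failed sshd authentications per source address and per user name."""
    by_ip, by_user = Counter(), Counter()
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if match:
            by_ip[match["ip"]] += 1
            by_user[match["user"]] += 1
    return by_ip, by_user

def offenders(log_text, threshold=3):
    """Source addresses with at least `threshold` failures, sorted."""
    by_ip, _ = failed_logins(log_text)
    return sorted(ip for ip, count in by_ip.items() if count >= threshold)

if __name__ == "__main__":
    by_ip, by_user = failed_logins(SAMPLE_LOG)
    print("failures by address:", dict(by_ip))
    print("targeted users:", dict(by_user))
    print("over threshold:", offenders(SAMPLE_LOG))
```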