This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2020-08-25 08:17 AM
Jump to solution

Changing ssh port on CP firewall

I know this may sound like a really dumb question, but is there any way to change ssh port for CP appliances (NOT smb)? I tried looking in clish, web gui, cant find the option anywhere. I even "combed: through whole clish config, nothing for ssh there.

 

Thanks in advance!

0 Kudos
1 Solution

Accepted Solutions
John_Fleming
Advisor
‎2020-08-27 09:05 AM
In response to the_rock
Jump to solution

This is a R80.40 MDS.

[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5310/sshd
[Expert@MDS1:0]# sed -i 's,^#Port 22$,Port 2222,' /etc/ssh/sshd_config
[Expert@MDS1:0]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 25930/sshd
[Expert@MDS1:0]#

Looks like no reboot required?

View solution in original post

12 Replies
Danny
Champion Champion
Champion
‎2020-08-25 08:29 AM
Jump to solution

vi /etc/ssh/sshd_config && /etc/init.d/sshd restart

the_rock
Legend
Legend
‎2020-08-25 08:39 AM
In response to Danny
Jump to solution

Thanks Danny. tried that, no luck. All I did was vi the file, change port 22 to something random, restarted ssh service, but it still connected on port 22.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-08-25 08:55 AM
In response to the_rock
Jump to solution

Original:

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

 

#Port 22

#Protocol 2,1

Protocol 2

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress :: 

 

Change to:

# default value.

Port <something random>

#Port 22

#Protocol 2,1

Protocol 2

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2020-08-25 09:23 AM
In response to G_W_Albrecht
Jump to solution

K, not really sure what Im missing...

 


#Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

0 Kudos
Mike_A
Advisor
‎2020-08-25 09:53 AM
In response to the_rock
Jump to solution

Remove the "#" in front of the line that pertains to the port. 

From this 

#Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

To this 

Port 777
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

 

And then restart services as Danny had said. 

the_rock
Legend
Legend
‎2020-08-25 09:55 AM
In response to Mike_A
Jump to solution

That was actually first thing I tried, but did not work. Let me just reboot this fw, since its in the lab anyway, and I will update after 🙂

0 Kudos
asc
Explorer
‎2020-08-25 08:41 AM
Jump to solution

As there are no means to configure that on clish or web gui you may just edit /etc/ssh/sshd_config

Uncomment the "Port" directive and change the port number to what you want. Activate the change by service sshd restart.

Take care: Update your rulebase to allow the new port before changing to avoid getting locked out!

0 Kudos
the_rock
Legend
Legend
‎2020-08-25 10:05 AM
In response to asc
Jump to solution

Thanks everyone, reboot worked! take care and thanks for the help!!

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-08-27 12:39 AM
In response to the_rock
Jump to solution

# set admin-access

allowed-ipv4-addresses   - Administrator access permissions policy for source IP addresses

ssh-access-port          - SSH Port

support-weak-tls-version - For security reasons, it is highly recommended never to change this parameter's value. Support of TLSv1.0 will be added back to the administration portal to allow connectivity with old browsers (usually ones released prior to 2014). Changing the default of this parameter exposes the administration portal to attacks that use vulnerabilities like Heartbleed (CVE-2014-0160).

web-access-port          - Web Port (HTTPS)

interfaces               - Configure which interfaces admin access is allowed from

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
John_Fleming
Advisor
‎2020-08-27 07:10 AM
In response to G_W_Albrecht
Jump to solution

That is only for Gaia Embedded (smb).

0 Kudos
the_rock
Legend
Legend
‎2020-08-27 07:37 AM
In response to John_Fleming
Jump to solution

Correct John...by the way, I ended up changing sshd_config and after reboot, it all worked fine. Not really sure why I had to reboot, since ssh service restart would be sufficient, but anyway. Its Check Point :)))

0 Kudos
John_Fleming
Advisor
‎2020-08-27 09:05 AM
In response to the_rock
Jump to solution

This is a R80.40 MDS.

[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 5310/sshd
[Expert@MDS1:0]# sed -i 's,^#Port 22$,Port 2222,' /etc/ssh/sshd_config
[Expert@MDS1:0]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[Expert@MDS1:0]# netstat -anp | grep sshd | grep LIST
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 25930/sshd
[Expert@MDS1:0]#

Looks like no reboot required?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events