SSH on Port 143

Update:  this was hacky and clumsy, see the more recent SSH on Port 995 for something better.

I'll leave this up, though, rather than attempt to whitewash my mistake.

I visited my Dad at St. Vincent's Hospital and their stupid network blocked all ports except for webserver (80, 443) and mail (25, 143, 993, 995) ports.  Meaning that I couldn't connect to my Jabber server and, more importantly, I couldn't ssh into my VPS or anything else (even over port 22).

Port 143 is for non-SSL IMAP connections, which you shouldn't be using anyway.  So, I decided I was going to set up SSH to listen on 143 on my VPS.  I found instructions for changing the non-SSL IMAP port on, of all things, a Direct Admin forum.

Here's the stanza to look for in /etc/dovecot/dovecot.conf:

    inet_listener imap {
      address = *,:: 
    }

Specify the port, that way it won't be the default 143:

    inet_listener imap {
      address = *,::
      port = 144    
    }

Lookee there, Dovecot is listening on 144 and isn't listening on 143 anymore:

root@schoolserver [~]# lsof -i :144
COMMAND     PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
dovecot   12601     root   37u  IPv4 3783805864      0t0  TCP *:uma (LISTEN)
dovecot   12601     root   38u  IPv6 3783805865      0t0  TCP *:uma (LISTEN)
imap-logi 12604 dovenull    7u  IPv4 3783805864      0t0  TCP *:uma (LISTEN)
imap-logi 12604 dovenull    8u  IPv6 3783805865      0t0  TCP *:uma (LISTEN)
imap-logi 12610 dovenull    7u  IPv4 3783805864      0t0  TCP *:uma (LISTEN)
imap-logi 12610 dovenull    8u  IPv6 3783805865      0t0  TCP *:uma (LISTEN)
root@schoolserver [~]# lsof -i :143
root@schoolserver [~]#

That frees up port 143 to listen to SSH.  I changed it in the sshd config file.  Note that some Linux systems let you have SSH on multiple ports, but apparently CentOS 6 doesn't like it and sshd kept crashing.

root@schoolserver [/etc/ssh]# grep 143 /etc/ssh/sshd_config
Port 143

And it works!

anna@anna-lenovo:~$ ssh -p 143 root@schoolfield.org
The authenticity of host '[schoolfield.org]:143 ([162.246.58.251]:143)' can't be established.
RSA key fingerprint is a8:ad:eb:4e:f5:40:a1:dd:5e:24:8e:dd:8f:1f:4d:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[schoolfield.org]:143,[162.246.58.251]:143' (RSA) to the list of known hosts.
Last login: Fri Jan 22 16:04:11 2016 from 65.5.225.206
root@schoolserver [~]#

It still says the name is imap, but sshd is listening on it:

root@schoolserver [~]# lsof -i :143
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd    13902 root    3u  IPv4 3784146335      0t0  TCP *:imap (LISTEN)
sshd    13902 root    4u  IPv6 3784146337      0t0  TCP *:imap (LISTEN)

I'm going to try this out tomorrow when we visit St. Vincent's and see if it works for me to do my "Poor Man's VPN" with sshuttle (which needs to go over ssh).

Addendum:

Because this is cPanel, I started getting a bunch of lfd email alerts that imap was down.  So, I changed 143 to 144 in these two files:

root@schoolserver [/etc/csf]# grep 144 lfd.pl
    if ($app eq "imapd") {$port = "144"; $sport = "993"}
root@schoolserver [/etc/csf]# grep 144 csf.conf 
PORTS_imapd = "144,993"

And then there's still an issue with checksrvd, it keeps wanting to look at imap on port 143, doesn't matter if I change the port in this file, it changes it back.  And then that kills the sshd service when it tries to connect.

root@schoolserver [/etc/chkserv.d]# cat imap 
service[imap]=144,A001 LOGOUT,* OK,/usr/local/cpanel/scripts/restartsrv_imap,dovecot||courier&&authdaemond,root,* OK|A001 LOGIN %service_auth_user% %service_auth_pass%|A001 OK|A002 LOGOUT
root@schoolserver [/etc/chkserv.d]# cat imap 
service[imap]=143,A001 LOGOUT,* OK,/usr/local/cpanel/scripts/restartsrv_imap,dovecot||courier&&authdaemond,root,* OK|A001 LOGIN %service_auth_user% %service_auth_pass%|A001 OK|A002 LOGOUT

I went to WHM -> Home »Service Configuration »Service Manager and unchecked monitor for imap, which seems to be the quick fix for now.

Of course, if you want to still use non-SSL for IMAP connections, you'll need to open that port in /etc/csf/csf.conf.

I'm sure I'll end up updating this crazy thing, stay tuned.

Update:

We went to the hospital to visit Dad today and ssh over port 143 worked over their public wifi.  I fired up sshuttle, then opened Firefox and checked my public IP at one of those "What is my IP" sites.  It reported my VPS's IP.

Dinking around with those configuration files, I'm sure a cPanel update is gonna screw it up.  It would probably be much better to set this up on my droplet.

Leave a Reply