Update: this was hacky and clumsy, see the more recent SSH on Port 995 for something better.
I’ll leave this up, though, rather than attempt to whitewash my mistake.
I visited my Dad at St. Vincent’s Hospital and their stupid network blocked all ports except for webserver (80, 443) and mail (25, 143, 993, 995) ports. Meaning that I couldn’t connect to my Jabber server and, more importantly, I couldn’t ssh into my VPS or anything else (even over port 22).
Port 143 is for non-SSL IMAP connections, which you shouldn’t be using anyway. So, I decided I was going to set up SSH to listen on 143 on my VPS. I found instructions for changing the non-SSL IMAP port on, of all things, a Direct Admin forum.
Here’s the stanza to look for in /etc/dovecot/dovecot.conf:
inet_listener imap {
  address = *,::
}
Specify the port explicitly so it no longer falls back to the default of 143:
inet_listener imap {
  address = *,::
  port = 144
}
Lookee there, Dovecot is listening on 144 and isn’t listening on 143 anymore:
root@schoolserver [~]# lsof -i :144
COMMAND     PID     USER FD  TYPE     DEVICE SIZE/OFF NODE NAME
dovecot   12601     root 37u IPv4 3783805864      0t0  TCP *:uma (LISTEN)
dovecot   12601     root 38u IPv6 3783805865      0t0  TCP *:uma (LISTEN)
imap-logi 12604 dovenull  7u IPv4 3783805864      0t0  TCP *:uma (LISTEN)
imap-logi 12604 dovenull  8u IPv6 3783805865      0t0  TCP *:uma (LISTEN)
imap-logi 12610 dovenull  7u IPv4 3783805864      0t0  TCP *:uma (LISTEN)
imap-logi 12610 dovenull  8u IPv6 3783805865      0t0  TCP *:uma (LISTEN)
root@schoolserver [~]# lsof -i :143
root@schoolserver [~]#
That frees up port 143 for sshd. I changed it in the sshd config file. Note that some Linux systems let you have sshd listen on multiple ports, but apparently CentOS 6 doesn’t like it and sshd kept crashing.
root@schoolserver [/etc/ssh]# grep 143 /etc/ssh/sshd_config
Port 143
And it works!
anna@anna-lenovo:~$ ssh -p 143 root@schoolfield.org
The authenticity of host '[schoolfield.org]:143 ([162.246.58.251]:143)' can't be established.
RSA key fingerprint is a8:ad:eb:4e:f5:40:a1:dd:5e:24:8e:dd:8f:1f:4d:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[schoolfield.org]:143,[162.246.58.251]:143' (RSA) to the list of known hosts.
Last login: Fri Jan 22 16:04:11 2016 from 65.5.225.206
root@schoolserver [~]#
lsof still labels the port "imap" (that name comes from /etc/services, not from what is actually running), but sshd is the process listening on it:
root@schoolserver [~]# lsof -i :143
COMMAND   PID USER FD  TYPE     DEVICE SIZE/OFF NODE NAME
sshd    13902 root  3u IPv4 3784146335      0t0  TCP *:imap (LISTEN)
sshd    13902 root  4u IPv6 3784146337      0t0  TCP *:imap (LISTEN)
I’m going to try this out tomorrow when we visit St. Vincent’s and see if it works for me to do my “Poor Man’s VPN” with sshuttle (which needs to go over ssh).
Addendum:
Because this is cPanel, I started getting a bunch of lfd email alerts that imap was down. So, I changed 143 to 144 in these two files:
root@schoolserver [/etc/csf]# grep 144 lfd.pl
	if ($app eq "imapd") {$port = "144"; $sport = "993"}
root@schoolserver [/etc/csf]# grep 144 csf.conf
PORTS_imapd = "144,993"
And then there’s still an issue with chkservd: it keeps wanting to check imap on port 143. It doesn’t matter if I change the port in this file, it changes it back. When chkservd then connects to 143 expecting an IMAP greeting and gets sshd instead, it restarts “imap”, and that kills the sshd service.
root@schoolserver [/etc/chkserv.d]# cat imap
service[imap]=144,A001 LOGOUT,* OK,/usr/local/cpanel/scripts/restartsrv_imap,dovecot||courier&&authdaemond,root,* OK|A001 LOGIN %service_auth_user% %service_auth_pass%|A001 OK|A002 LOGOUT
root@schoolserver [/etc/chkserv.d]# cat imap
service[imap]=143,A001 LOGOUT,* OK,/usr/local/cpanel/scripts/restartsrv_imap,dovecot||courier&&authdaemond,root,* OK|A001 LOGIN %service_auth_user% %service_auth_pass%|A001 OK|A002 LOGOUT
I went to WHM -> Home » Service Configuration » Service Manager and unchecked “monitor” for imap, which seems to be the quick fix for now.
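Both the lsof output above (port 143 still labelled “imap”) and the chkservd problem come down to the same thing: the port number says nothing about which service is really answering. Here is a small added check, not part of the original post or of cPanel, that reads the first bytes a server sends (sshd announces itself with an “SSH-2.0-…” line, Dovecot with an untagged “* OK …” greeting) and compares what it finds with what you expect on each port. The host name, the expected-service map and the sample greetings are my own constructed values.

```python
"""Verify which protocol really answers on a port by reading its greeting.

SSH and IMAP servers both speak first: sshd sends "SSH-2.0-<version>",
an IMAP server sends "* OK ..." (or "* PREAUTH" / "* BYE"). A monitor that
trusts /etc/services (port 143 == imap) will misread a port that has been
repurposed, which is exactly what chkservd did here.
"""
import socket
import sys

def classify_greeting(data: bytes) -> str:
    """Classify the first line a server sends as 'ssh', 'imap' or 'unknown'."""
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first_line.startswith(b"SSH-"):
        return "ssh"
    if first_line.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "imap"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read the greeting and classify it; 'closed' if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return classify_greeting(sock.recv(256))
    except OSError:  # refused, timed out, unreachable
        return "closed"

def check_expectations(observed: dict, expected: dict) -> list:
    """Return (port, expected, observed) for every port that does not match."""
    return [(port, want, observed.get(port, "closed"))
            for port, want in expected.items()
            if observed.get(port, "closed") != want]

# Constructed sample greetings, standing in for real server output.
SAMPLE_SSH_GREETING = b"SSH-2.0-OpenSSH_5.3\r\n"
SAMPLE_IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1] Dovecot ready.\r\n"

if __name__ == "__main__":
    # After the swap described above: sshd on 143, Dovecot on 144.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed host
    expected = {143: "ssh", 144: "imap"}
    observed = {port: probe(host, port) for port in expected}
    for port, want, got in check_expectations(observed, expected):
        print(f"port {port}: expected {want}, got {got}")
```

Run it from a second machine against your VPS after changing the ports; an empty report means each port answers with the protocol you intended.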
Of course, if you still want to allow non-SSL IMAP connections on the new port, you’ll need to open that port in /etc/csf/csf.conf.
I’m sure I’ll end up updating this crazy thing, stay tuned.
Update:
We went to the hospital to visit Dad today and ssh over port 143 worked over their public wifi. I fired up sshuttle, then opened Firefox and checked my public IP at one of those “What is my IP” sites. It reported my VPS’s IP.
Dinking around with those configuration files, I’m sure a cPanel update is gonna screw it up. It would probably be much better to set this up on my droplet.