Updated on 2024-01-11 GMT+08:00

Why Can't I Use a Non-Default SSH Port to Log In to My Linux ECS?

Symptom

After changing the default SSH port, you cannot use the new port to log in to the ECS.

Possible Causes

  • Access to the new port is not allowed by the security group.
  • The new port is not enabled on the firewall.
  • The new port is not added to the SSH configuration file.
  • The hosts configuration file is incorrectly configured.

Checking Security Group Rules

Check whether the security group is correctly configured.

For example, if the new SSH port number is 2020, ensure that the security group does not restrict traffic in the outbound direction and has a rule allowing access to this port in the inbound direction.

Checking Firewall Rules

Run the iptables command to check whether the new SSH port (for example, port 2020) is enabled on the firewall.
  1. Log in to the Linux ECS.
  2. Take CentOS 7.5 as an example. Run the following command to edit the iptables file:

    vi /etc/sysconfig/iptables

  3. Add a rule for port 2020.

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 2020 -j ACCEPT

  4. Restart iptables.

    systemctl restart iptables

Checking the SSH Configuration File

Log in to the ECS and check the SSH configuration file.
  1. Run the following command to check whether port 2020 has been configured:

    vi /etc/ssh/sshd_config

  2. If the port has not been configured, replace #Port 22 with Port 2020.
  3. Run the following command to restart SSH:

    service sshd restart

Checking the hosts Configuration File

The /etc/hosts.allow and /etc/hosts.deny files of a Linux ECS are used to permit or deny an IP address or an IP address segment, respectively, to remotely access the ECS using SSH.
  1. Add the following statement to /etc/hosts.allow to allow the IP address 192.168.1.3 to access the ECS using SSH:
    sshd: 192.168.1.3
  2. Check /etc/hosts.deny. If it contains sshd:all:deny, comment that line out.

    If a rule is set in both hosts.allow and hosts.deny, the rule in hosts.allow takes precedence. For example, if "sshd: 192.168.1.3" is set in hosts.allow and "sshd:all:deny" is set in hosts.deny, the ECS allows only the SSH login from IP address 192.168.1.3.
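
The firewall, SSH configuration and hosts file checks above can be run together as one read-only script. This is an added example, not part of the original guide: the function names and the constructed sample files are this example's own, and hosts.allow matching is limited to literal IP entries. The sample shows two easy-to-miss failures: a Port line left commented out, and a port 2020 rule appended after a catch-all REJECT, where it never takes effect.

```shell
#!/bin/sh
# Added example: read-only checks for the three host-side causes above.
# Function names and file arguments are this example's own.

# Print each port sshd will listen on; no active "Port" line
# (for example only "#Port 22") means the default port 22.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeed if an INPUT ACCEPT rule for the port appears before any
# catch-all REJECT/DROP rule; rules are evaluated top to bottom.
iptables_allows() {
    awk -v p="$1" '
        /^-A INPUT -j (REJECT|DROP)/ { exit }
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " p "( |$)") { ok = 1; exit }
        END { exit !ok }' "$2"
}

# Succeed if the client may connect: a hosts.allow entry wins, otherwise
# an "sshd:all" line in hosts.deny blocks. Literal IPs only, no netmasks.
tcpwrap_allows() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eiq "^[[:space:]]*sshd[[:space:]]*:(.*[ ,])?${ip_re}([ ,:]|\$)" "$2" && return 0
    ! grep -Eiq '^[[:space:]]*(sshd|all)[[:space:]]*:[[:space:]]*all' "$3"
}

# Print each failing layer for PORT and CLIENT_IP; return the failure count.
check_ssh_port() {
    fails=0
    sshd_ports "$3" | grep -qx "$1" || { echo "sshd_config: Port $1 not active"; fails=$((fails + 1)); }
    iptables_allows "$1" "$4" || { echo "iptables: no effective ACCEPT for $1"; fails=$((fails + 1)); }
    tcpwrap_allows "$2" "$5" "$6" || { echo "hosts.deny: blocks $2"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not from a real host): "#Port 22" is still
# commented and the port 2020 rule was appended after the catch-all REJECT.
d=$(mktemp -d)
echo '#Port 22' > "$d/sshd_config"
cat > "$d/iptables" <<'EOF'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2020 -j ACCEPT
EOF
echo 'sshd: 192.168.1.3' > "$d/hosts.allow"
echo 'sshd:all:deny' > "$d/hosts.deny"
check_ssh_port 2020 192.168.1.3 "$d/sshd_config" "$d/iptables" \
    "$d/hosts.allow" "$d/hosts.deny" || echo "$? layer(s) failing"
```

On the ECS itself, pass /etc/ssh/sshd_config, /etc/sysconfig/iptables, /etc/hosts.allow and /etc/hosts.deny to check_ssh_port in place of the sample files.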