Configured SSH on my ISR4431/K9 but still port 22 not open

piwale7827
Level 1

 

Hi all!

As the title suggests,

I have configured my Router to be running both http and ssh.

When trying to access the SSH port (22) I get connection refused.

Thank you for the help!

 

- Attached: config.txt

1 Accepted Solution


ip ssh port 2001 rotary 1
line 1 16
   no exec
   rotary 1
   transport input ssh
   exec-timeout 0 0
   modem InOut
   stopbits 1

Change the default port SSH uses via the above, and make sure to change any NAT that uses the well-known SSH port.


9 Replies

M02@rt37
VIP

Hello @piwale7827 

The current configuration allows SSH access from the 192.168.100.0/24 and 11.1.9.0/24 subnets. Can you confirm that your client's IP address is in one of these subnets?

Please run #show log and check whether you have an SSH connection error.

 

Best regards

To my knowledge, the client accesses the router from one of these subnets.

Also, even if he didn't, does that mean that he will get a connection refused error as the port isn't open? I always thought that the restriction occurs at the application level.

ip ssh port 2001 rotary 1
line 1 16
   no exec
   rotary 1
   transport input ssh
   exec-timeout 0 0
   modem InOut
   stopbits 1

Change the default port SSH uses via the above, and make sure to change any NAT that uses the well-known SSH port.

Hello again MHM!

As always helpful but confusing xD

Can you please detail for me what these lines do?

Love you man, thank you for all the responsiveness!

Sometimes the router does not use 22 for SSH; it uses another port. These lines force SSH to use a specific port (not 22).

Note: configure only one line with these commands.

Replicated the exact thing, and I'm still getting connection refused.

Can I see the config you use?

Thank you very much, it worked!

Was my own fault of something stupid.

You are the best as always, see you later!

Well, I don't know if it has anything to do with that, but here are the last few lines from the time I tried to connect to port 22 on my Cisco router.

*Nov 23 14:10:46.484: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.483:4489): avc:  denied  { execute } for  pid=14930 comm="sp.raw" name="ssh" dev="dm-0" ino=9210 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.484: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.483:4489): avc:  denied  { read open } for  pid=14930 comm="sp.raw" path="/tmp/sw/mount/isr4400-mono-universalk9.17.04.01a.SPA.pkg/usr/bin/ssh" dev="dm-0" ino=9210 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.484: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.483:4489): avc:  denied  { execute_no_trans } for  pid=14930 comm="sp.raw" path="/tmp/sw/mount/isr4400-mono-universalk9.17.04.01a.SPA.pkg/usr/bin/ssh" dev="dm-0" ino=9210 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.484: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.483:4489): avc:  denied  { map } for  pid=14930 comm="ssh" path="/tmp/sw/mount/isr4400-mono-universalk9.17.04.01a.SPA.pkg/usr/bin/ssh" dev="dm-0" ino=9210 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.490: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.488:4490): avc:  denied  { search } for  pid=14930 comm="ssh" name=".ssh" dev="overlay" ino=1233879 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
*Nov 23 14:10:46.491: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.489:4491): avc:  denied  { name_connect } for  pid=14930 comm="ssh" dest=22 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
*Nov 23 14:10:46.492: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.491:4492): avc:  denied  { getattr } for  pid=14930 comm="ssh" path="/root/.ssh" dev="overlay" ino=1233879 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
*Nov 23 14:10:46.495: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.494:4493): avc:  denied  { read } for  pid=14930 comm="ssh" name="known_hosts" dev="overlay" ino=1233882 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.495: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.494:4493): avc:  denied  { open } for  pid=14930 comm="ssh" path="/root/.ssh/known_hosts" dev="overlay" ino=1233882 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.495: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.494:4494): avc:  denied  { getattr } for  pid=14930 comm="ssh" path="/root/.ssh/known_hosts" dev="overlay" ino=1233882 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1

thank you!
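
An added example, not part of the original thread: a small parser for the %SELINUX-3-MISMATCH AVC lines quoted in the post above. It groups the denied permissions by source domain, target type and object class, and reports whether any record was actually enforced. The function names are hypothetical, and the sample input is three of the quoted lines.

```python
import re
from collections import defaultdict

# Three of the syslog lines quoted in the post above, copied verbatim.
SAMPLE = '''\
*Nov 23 14:10:46.484: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.483:4489): avc:  denied  { execute } for  pid=14930 comm="sp.raw" name="ssh" dev="dm-0" ino=9210 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
*Nov 23 14:10:46.491: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.489:4491): avc:  denied  { name_connect } for  pid=14930 comm="ssh" dest=22 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=1
*Nov 23 14:10:46.495: %SELINUX-3-MISMATCH: R0/0: audispd: type=AVC msg=audit(1700748646.494:4493): avc:  denied  { read } for  pid=14930 comm="ssh" name="known_hosts" dev="overlay" ino=1233882 scontext=system_u:system_r:polaris_nginx_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # An SELinux context is user:role:type:level; the type is field 3.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=1: logged only. A missing field is treated as enforced (assumption).
    rec['enforced'] = rec.get('permissive', '0') == '0'
    return rec

def summarize(text):
    """Map (source type, target type, class) -> sorted permissions, plus an enforced flag."""
    groups, enforced = defaultdict(set), False
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
            enforced = enforced or rec['enforced']
    return {k: sorted(v) for k, v in groups.items()}, enforced

def outbound_connects(text):
    """(command, port) pairs for name_connect, the permission checked on an outgoing connect()."""
    recs = (parse_avc(l) for l in text.splitlines())
    return [(r['comm'], int(r['dest'])) for r in recs if r and 'name_connect' in r['perms']]

if __name__ == '__main__':
    print(summarize(SAMPLE), outbound_connects(SAMPLE))
```

On the quoted lines every record carries permissive=1, so the accesses were logged rather than blocked. The only socket permission is name_connect to port 22 by the ssh client binary running under the polaris_nginx_t domain, which is an outgoing connection and not a listener on port 22.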