Skip to content

History / Changing the SSH Port Safely

Revisions

  • docs(wiki): R2c truth pass — align WK-1..10 to shipped v1.218.7 behavior Wiki-only truth pass against code (fleet-live v1.218.7, nft schema 1.84.0). Human-guide style; links down to the repo /docs/operator contracts rather than duplicating them. No product-repo, register, or scope content changed. - WK-1 loopback-before-invalid (v1.217.0): Firewall-Anchor-Architecture + Architecture-Overview now show loopback accept BEFORE the ct-state-invalid drop. - WK-2: added the missing `nftban search` entry to CLI-Commands-Reference (RFC5737 examples; links to BAN_FORENSICS.md). - WK-3: refreshed stale version stamps to "Last verified: v1.218.7" across ~14 pages (frozen-authority versions kept, "Last verified" appended); Project-Statistics relabelled as a v1.203.0 snapshot. - WK-4 Suricata: rewrote the command surface to the 7 shipped Go subcommands (status/filters/daemon/ enable/disable/set-threshold/set-action); the profile-*/scan*/rules-*/sid-*/custom-*/recommend*/ stats-daemon commands are documented as removed-in-v1.92; filter table corrected to the real filters.conf set (ssh/http/mail/dns/scan/exploit/ddos/malware/botnet enabled; ftp/rdp/mysql/ postgresql disabled) — removed fabricated wp_login/wp_xmlrpc/joomla/drupal/phpmyadmin/smb/ldap/voip filters; Gbps sizing framed as guidance not benchmarks; opt-in EVE-ingestion intro. - WK-5 Security-Architecture: replaced the insecure prefix-match polkit example with the shipped explicit-unit-allowlist rule; corrected 3-group→two-group model and retired the nftban-panel / 30-nftban-panel.rules tier (retired v1.137). - WK-6 DDoS: kept the correct shipped limits (HTTP/HTTPS=200, mail=30, SSH=15 — NOT 150); clarified base counters are schema-owned/always-on (not the DDoS module) and the penalty ladder is the shell maintenance timer (daemon only proxies the write). - WK-7 GeoBan: disclosed the real default (enabled by default, allow-all policy → enabled-but-IDLE, blocks nothing until countries are configured) in Configuration-Reference + Blacklist pages. - WK-8 metrics: kept the code-true `:9580` loopback-by-default wording; fixed a stale /metrics ACL citation (daemon_http.go:99-105); removed the retired GUI-dashboard node (no product surface named, two code-true consumers: Prometheus textfile + JSON cache). - WK-9 SLSA: corrected the stale repo slug nftban-v1.0-dev → itcmsgr/nftban (12 sites); scoped SLSA wording to nftban-core. - WK-10 hygiene: scrubbed a real admin port (55000) and real routable example IPs (45.66.x) to neutral / RFC5737 values. - R2b explainers: added an "Operator contracts (in the repo /docs)" section to Security-Operations-Guide linking the four /docs/operator pages. WK-6/WK-8 corrected premises honored (no 150; loopback code-true). No RBL-blocking / cluster / live-GUI / unframed-benchmark claims; no register/scope/COMPLETED bodies pasted; leak-free (55000/45.66/nftban-v1.0-dev = 0). 22 pages.

    @itcmsgr itcmsgr committed Jul 8, 2026
  • docs: ssh_ports set (v1.145) + whitelist --static tiers (v1.149) - Firewall-Anchor-Architecture + NFT-Schema-Validation: document the v1.145 set-driven SSH brute-force rate-limit (`tcp dport @ssh_ports ct count`), ssh_ports as a required set in both ip/ip6 tables, INV-F-002 update. - Changing-the-SSH-Port-Safely: document the v1.149 three-tier whitelist — `add --static` (durable, survives reload/restart/reboot), default `add` (runtime-only), `add --ttl` (timed) — for durable admin-IP anti-lockout.

    @itcmsgr itcmsgr committed Jun 5, 2026
  • docs: add SELinux semanage + verify lines to SSH-port quick reference EL/RHEL-tagged: semanage port -a ssh_port_t, semanage port -l verify, and ss listener check — the exact step that is required on SELinux Enforcing (proven: sshd refuses to bind unlabeled custom ports). Also adds sshd -t to the cheat sheet. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Jun 4, 2026
  • docs: add "Changing the SSH Port Safely" page Newcomer-facing how-to for changing the SSH port on an NFTBan host without locking out. Covers: the two-systems model (sshd listens vs NFTBan firewall allows), sshd -t validation, the safe keep-a-session-open sequence, NFTBan's multi-port union detection (multiple Port lines / drop-ins / ListenAddress host:port / live ss listeners), the EL/SELinux ssh_port_t labeling step (semanage port), durable admin whitelist, portscan-self-ban caution, and lockout recovery. Closes the gap where this #1 lockout scenario was only covered in scattered fragments (Security-Operations-Guide recovery, Firewall-Anchor-Architecture sets). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

    @itcmsgr itcmsgr committed Jun 4, 2026