[colug-432] SSH
Richard Troth
rmt at casita.net
Wed Mar 9 22:16:04 EST 2011
RJ is right. When you change the server port, you have to tell EVERY
client hitting your box legitimately to use that non-standard port.
I had to change the SSH port on my publicly facing machines because I
was getting hammered by script kiddies trying every weak password in
the book. They might have never gotten in, but I didn't want to take
that chance. Annoying. So now I have to specify my non-standard
port. I hate it. There are other ways to defend. I may use one or
more of them in the future (e.g. port knocking).
If the session from across town times out, then either you're hitting
the wrong address or some traffic handler in between is dropping your
packets. It could be a problem with the port. Depends on your
FW/router. If you were hitting the box directly and tried the wrong
port you should get ECONNREFUSED, not timed out. Well-designed
behaviours are modified in the name of security. [sigh]
-- Rick; <><
On Wed, Mar 9, 2011 at 21:17, Richard Hornsby <richardjhornsby at gmail.com> wrote:
>
> On Mar 9, 2011, at 19:51 , Steve VanSlyck wrote:
>
>> Well, I can ssh from the same box, and ssh from a box on the same
>> network, but cannot ssh from across town. The session times out.
>>
>> Port forwarding is set up on the router (Linksys). Using fake port
>> numbers,
>
> "fake port numbers"? Port numbers matter, and unlike IP addresses, they don't personally identify your machine. 22 is the normal port for SSH; it is listed in /etc/services and is considered "well-known" for SSH. Are the port numbers in your email fake?
>
> If you wish to change the port, that is your prerogative. There are a couple of things I can think of off hand:
>
> 1. After changing sshd_config, make sure you restart sshd. IIRC (it has been a while) on RH variants it is something like
>
> /etc/rc.d/init.d/sshd restart
>
> (oh how I miss the days of sending a process a simple HUP to make it re-read the config.)
>
> 2. You have to specify a non-standard port in your ssh client. It might be that you're able to log in locally because your client assumes 22, and you haven't restarted sshd yet. When you try to get in externally, the port forwarding isn't configured for 22 - it is set up for 31210 - but again, sshd isn't listening on 31210.
>
>
> These might be obvious, and they're related.
>
> If for some reason you want ssh to be on a non-standard port on the external facing side, you can always tell your router to port forward external:31210 to internal:22
>
> I, however, wouldn't go changing it from 22 in the first place. Just makes things harder on myself and doesn't add any meaningful measure of security.
>
> -rj
>
>
>
>>
>> I have sshd_config set to port 31210, ssh_config set to the same thing,
>> and the applications and gaming page on the router forwards port 31210
>> (same number for both start and end of the range) to IP 192.168.1.102,
>> which ifconfig reports as being the box's internal IP address:
>>
>> [steve at localhost ~]$ ifconfig
>> eth0 Link encap:Ethernet HWaddr 00:11:85:65:41:38
>> inet addr:192.168.1.102 Bcast:192.168.1.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::211:85ff:fe65:4138/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:7360 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:9076 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:6045785 (5.7 MiB) TX bytes:1255649 (1.1 MiB)
>> Interrupt:177 Memory:f0300000-f0310000
>>
>> lo Link encap:Local Loopback
>> inet addr:127.0.0.1 Mask:255.0.0.0
>> inet6 addr: ::1/128 Scope:Host
>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>> RX packets:1431 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:1431 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:2303832 (2.1 MiB) TX bytes:2303832 (2.1 MiB)
>>
>> [steve at localhost ~]$
>>
>> Ideas or thoughts?
>>
>>
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
>
>
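The two checks this thread turns on, Rick's ECONNREFUSED-versus-timeout distinction and RJ's point that sshd has to actually be listening on the port named in sshd_config, as an added Python example that is not from anyone in the thread. `fake_sshd` is a constructed stand-in for a real server, its banner text is made up, and the host and port values are placeholders.

```python
"""Added example: probe host:port and read an sshd_config the way the
thread reasons about them (not code from the original posts)."""
import socket
import threading


def probe_port(host: str, port: int, timeout: float = 3.0) -> dict:
    """Return {'status': 'open'|'refused'|'timeout'|'error...', 'banner': str}."""
    result = {"status": "error", "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["status"] = "open"
            try:
                # sshd sends its version line first; a silent listener is not sshd.
                result["banner"] = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                pass
    except socket.timeout:
        result["status"] = "timeout"      # packets dropped: router/FW, not a closed port
    except ConnectionRefusedError:
        result["status"] = "refused"      # host reached, nothing bound on that port
    except OSError as exc:
        result["status"] = f"error: {exc.errno}"
    return result


def configured_ports(sshd_config_text: str) -> list:
    """Ports sshd would bind per this sshd_config text (comments, several Port lines, 'Port=N'); default 22."""
    ports = []
    for line in sshd_config_text.splitlines():
        fields = line.split("#", 1)[0].replace("=", " ", 1).split()
        if len(fields) == 2 and fields[0].lower() == "port":
            ports.append(int(fields[1]))
    return ports or [22]


def fake_sshd(banner: bytes = b"SSH-2.0-OpenSSH_5.3\r\n") -> tuple:
    """Constructed stand-in for sshd on a loopback ephemeral port.
    Returns (port, listening socket); close the socket to make the port 'refused'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv
```

A probe of the external address that reports `timeout` where the LAN probe reports `open` points at the router's forward or a filter in between; `refused` means the host answered but sshd is not bound there, so compare against `configured_ports()` and confirm sshd was restarted.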