Hi all!
I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
I don't mind learning how to write an iptables rule for that, but I'd rather not have to fool around with commandline stuff on the router, especially things that require extra steps to make it persist across boots.
So, I'm trying this (please tell me if it makes sense to do it this way): I've set up a port forwarding rule on the router that forwards incoming port 22 to port 9 on the LAN side of the router. As I understand it, port 9 is a /dev/null equivalent, and it seems to block the port well enough, but are there caveats I should be aware of?
thanks!
BTW, this is an Asus RT-N16 router using their latest released firmware.
Fred
On 9/12/2015 4:16 PM, Fred Smith wrote:
I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.
On Sat, Sep 12, 2015 at 04:26:09PM -0700, John R Pierce wrote:
On 9/12/2015 4:16 PM, Fred Smith wrote:
I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.
Isn't there any sort of portforwarding thing? Such as forward port 2222 (I wouldn't use that one, it's too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port 2222? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on 2222 instead of 22.
Looking at http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt... it seems as if it would allow this and it's described in the section WAN Virtual Server/Port Forwarding.
On Sat, Sep 12, 2015 at 08:23:14PM -0400, Scott Robbins wrote:
On Sat, Sep 12, 2015 at 04:26:09PM -0700, John R Pierce wrote:
On 9/12/2015 4:16 PM, Fred Smith wrote:
I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.
Isn't there any sort of portforwarding thing? Such as forward port 2222 (I
yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.
I know,... "security through obscurity is no security at all". But I figure it doesn't hurt to try.
wouldn't use that one, it's too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port 2222? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on 2222 instead of 22.
It is as I said above, I don't want to have to write firewall rules for it because then I need to go to the trouble to make sure my custom rule(s) get reloaded at every reboot.
Looking at http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt... it seems as if it would allow this and it's described in the section WAN Virtual Server/Port Forwarding.
Ah, i've never seen that resource, thanks! I'll go peruse it and see what I find.
thanks!
On 9/12/2015 9:44 PM, Fred Smith wrote:
yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.
If you have not set up forwarding for port 22 on the router, it is already closed. You do not need to do anything.
If you want to verify this, just try to connect to port 22 from outside your network and see what happens.
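As an added example (not part of the thread), a small Python probe of the check Bowie suggests: it tells an open port (something accepted and, for sshd, sent its banner) from a closed one (a reset came back, which is what forwarding WAN 22 to an unused LAN port such as 9 produces) and from a filtered one (nothing came back). The fake_sshd and closed_local_port helpers are constructed local stand-ins so it can be tried offline.

```python
"""Probe a TCP port the way "connect to port 22 from outside" would,
reporting 'open' (plus any banner), 'closed' (reset) or 'filtered'."""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Return (state, banner): state in {'open', 'closed', 'filtered'},
    banner the first line the service sent ("SSH-2.0-..." for sshd)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                first = s.recv(256).split(b"\n", 1)[0]
            except socket.timeout:
                first = b""                  # accepted, but the service said nothing
            return "open", first.strip().decode("ascii", "replace")
    except ConnectionRefusedError:
        return "closed", ""                  # RST came back: nothing is listening
    except OSError:                          # timeout, no route, name lookup failure
        return "filtered", ""


def fake_sshd(banner=b"SSH-2.0-OpenSSH_constructed\r\n"):
    """Constructed stand-in for a listening sshd on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():                             # serves exactly one connection
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Bind and release an ephemeral port so it is known to have no listener."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run it against your WAN address from a host outside your network; a result of "closed" on port 22 is what Fred's port-9 forward should give.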
On Tue, Sep 22, 2015 at 03:11:53PM -0400, Bowie Bailey wrote:
On 9/12/2015 9:44 PM, Fred Smith wrote:
yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.
If you have not set up forwarding for port 22 on the router, it is already closed. You do not need to do anything.
If you want to verify this, just try to connect to port 22 from outside your network and see what happens.
-- Bowie
Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.
My current "solution" is to forward 22 on the WAN side of the router to 9 on the LAN side of the router. Since 9 on the LAN side has no services attached, the incoming connection fails, which is what I wanted.
On 9/22/2015 1:45 PM, Fred Smith wrote:
Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.
if you're forwarding WAN port 2222, I do not understand what your router is doing with port 22, unless the router itself is also running a sshd
On Tue, Sep 22, 2015 at 03:09:18PM -0700, John R Pierce wrote:
On 9/22/2015 1:45 PM, Fred Smith wrote:
Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.
if you're forwarding WAN port 2222, I do not understand what your router is doing with port 22, unless the router itself is also running a sshd
well, not 2222, but another port I won't identify here, and it is forwarded to 22 on my linux box. The idea was to put ssh on an unusual port, but I couldn't figure out how to close port 22, which was open by default on the router, apparently. I still don't see any way in its UI to do it, and didn't especially want to have to write a custom firewall rule. So I just forwarded WAN/22 to port 9 on the LAN side of the router.
On Tue, 2015-09-22 at 18:52 -0400, Fred Smith wrote:
well, not 2222, but another port I won't identify here, and it is forwarded to 22 on my linux box.
Could an 'idea' also be to close permanently port 22 and configure SSH to use a completely different port?
Inviting hackers by having a functioning, in one way or another, port 22 is asking for trouble.
On Wed, Sep 23, 2015 at 03:32:21AM +0100, Always Learning wrote:
On Tue, 2015-09-22 at 18:52 -0400, Fred Smith wrote:
well, not 2222, but another port I won't identify here, and it is forwarded to 22 on my linux box.
Could an 'idea' also be to close permanently port 22 and configure SSH to use a completely different port?
Inviting hackers by having a functioning, in one way or another, port 22 is asking for trouble.
Paul, thanks for the comment. What you suggest is what my original post was asking about.
Now, the externally visible port is not 22. My original post was asking for advice on tweaking the router to close 22, since I could find no method for that in the router's UI. Not wanting to have to write iptables rules for the router, I found another method that effectively shuts off port 22. 22 IS NOT OPEN to the world any more.
On Tue, 2015-09-22 at 22:52 -0400, Fred Smith wrote:
Paul, thanks for the comment. What you suggest is what my original post was asking about.
Now, the externally visible port is not 22. My original post was asking for advice on tweaking the router to close 22, since I could find no method for that in the router's UI. Not wanting to have to write iptables rules for the router, I found another method that effectively shuts off port 22. 22 IS NOT OPEN to the world any more.
Hi Fred,
That is great. When I started on Linux that was one of the very first things I did. Every machine, including servers, has port 22 replaced by a unique alternative port. Port 22 is also blocked in iptables.
There is an army of dangerous nutters attempting to break into everything. They often mask their attacks using compromised Windoze computers all around the world.
On 09/12/2015 04:16 PM, Fred Smith wrote:
So, I'm trying this (please tell me if it makes sense to do it this way): I've set up a port forwarding rule on the router that forwards incoming port 22 to port 9 on the LAN side of the router.
I'd suggest that you test it, but that does seem reasonable.
Note that there is nothing special about port 9. There is a "discard" service that you can run on that port to consume data and discard it, but it's normally not running. In the normal state, with no service listening on port 9, it's just the same as any other port that isn't listening.
On Sun, Sep 13, 2015 at 4:46 AM, Fred Smith fredex@fcshome.stoneham.ma.us wrote:
Hi all!
I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
man sshd_config; this option is perhaps your solution "ListenAddress." So explicitly mention your LAN port(s).
<quote>
ListenAddress
    Specifies the local addresses sshd(8) should listen on. The following forms may be used:

        ListenAddress host|IPv4_addr|IPv6_addr
        ListenAddress host|IPv4_addr:port
        ListenAddress [host|IPv6_addr]:port

    If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.
</quote>
HTH -- Arun Khan
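As an added example (not from the thread or from OpenSSH), a small Python model of the Port/ListenAddress rules quoted above, so a candidate sshd_config can be checked for what it would bind before sshd is restarted. It assumes port 22 when a port-less ListenAddress has no Port before it, and shows "all local addresses" as 0.0.0.0 and ::.

```python
"""Work out which (address, port) sockets sshd would bind from a config
fragment, following the quoted sshd_config(5) text for Port/ListenAddress."""
import re

DEFAULT_PORT = 22                      # sshd's default when no Port is given
ALL_ADDRS = ("0.0.0.0", "::")          # assumption: how "all local addresses" is shown
_BRACKETED = re.compile(r"^\[(.+)\]:(\d+)$")   # the [host|IPv6_addr]:port form


def _split_addr(value):
    """Return (address, port or None) for one ListenAddress argument."""
    m = _BRACKETED.match(value)
    if m:
        return m.group(1), int(m.group(2))
    if value.count(":") == 1:          # host:port or IPv4_addr:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                 # host, IPv4_addr or bare IPv6_addr


def effective_listeners(config_text):
    """Return (listeners, errors): sorted (address, port) pairs sshd would
    bind, and ordering problems per the quoted man page."""
    ports, listeners, errors = [], set(), []
    unqualified_seen = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, arg = line.partition(" ")
        key, arg = key.lower(), arg.strip()   # keywords are case-insensitive
        if key == "port":
            if unqualified_seen:              # Port after a port-less ListenAddress
                errors.append(f"line {lineno}: Port must precede ListenAddress")
            ports.append(int(arg))
        elif key == "listenaddress":
            addr, port = _split_addr(arg)
            if port is not None:              # explicit port: exactly one socket
                listeners.add((addr, port))
            else:                             # no port: every Port seen so far
                unqualified_seen = True
                for p in ports or [DEFAULT_PORT]:   # assumption: 22 if none yet
                    listeners.add((addr, p))
    if not listeners:                         # no ListenAddress at all
        listeners = {(a, p) for a in ALL_ADDRS for p in ports or [DEFAULT_PORT]}
    return sorted(listeners), errors


if __name__ == "__main__":
    # Constructed fragment for Fred's goal: sshd reachable on the LAN address only.
    print(effective_listeners("Port 22\nListenAddress 192.168.1.5\n"))  # ([('192.168.1.5', 22)], [])
```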