HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
Best, -ML
On Sat, 2009-10-24 at 05:56 -0700, ML wrote:
HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
I suppose it's easier to ask a list than to actually look at man pages.
man sshd_config
man ssh
if there's something you don't understand after reading the man pages and trying things out for yourself, the list will be more useful to you.
Craig
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
I was having my logs filled with *literally* hundreds of connection attempts to port 22 every single day. Since I moved ssh to another port that stopped.
Also, disable password authentication and use public/private key pairs as certification.
On 24/10/2009, at 11:40 PM, Miguel Medalha wrote:
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
I was having my logs filled with *literally* hundreds of connection attempts to port 22 every single day. Since I moved ssh to another port that stopped.
I don't know if it is viable in your case but using /etc/hosts.allow and deny helps if you know what IPs are going to need SSH access.
Also, disable password authentication and use public/private key pairs as certification.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Change the port statement in /etc/ssh/sshd_config and restart sshd
Alternatively, you can make a port redirection on your firewall, say, from TCP port 1234 to internal IP 22. Then, you don't need to change the server config.
My 2 cents.
Stephen WONG @ Hong Kong
On Sat, Oct 24, 2009 at 9:23 PM, Oliver Ransom oliver@ransom.com.au wrote:
On 24/10/2009, at 11:40 PM, Miguel Medalha wrote:
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
I was having my logs filled with *literally* hundreds of connection attempts to port 22 every single day. Since I moved ssh to another port that stopped.
I don't know if it is viable in your case but using /etc/hosts.allow and deny helps if you know what IPs are going to need SSH access.
Also, disable password authentication and use public/private key pairs as certification.
Stephen Wong wrote:
Change the port statement in /etc/ssh/sshd_config and restart sshd
Alternatively, you can make a port redirection on your firewall, say, from TCP port 1234 to internal IP 22. Then, you don't need to change the server config.
One thing to consider: an attacker with a clue will scan your system with something like nmap, and find whatever port you've opened for it.
Btw, you *have* made sure that only protocol 2 is enabled for ssh, right?
mark
One more thing - you might want to look at authfail. After a number of attempts to log in, it will add firewall rules to block that IP address.
mark
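Added example (not from the thread, and not the authfail tool itself) of the kind of blocking mark describes: failed logins in /var/log/secure are counted per source IP, and every source over a threshold gets a DROP rule. The log lines are constructed; rules are only printed unless IPT=iptables is set.

```sh
#!/bin/sh
# Added example: count failed SSH logins per source IP and block repeat offenders.
# Dry run by default (rules are printed); set IPT=iptables to apply them.
set -eu
IPT=${IPT:-echo iptables}

# Print "count ip" for each source with at least $2 failed logins in log $1.
failed_login_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Emit one DROP rule per offending source, inserted at the top of INPUT.
block_failed_sources() {
    failed_login_sources "$1" "$2" | while read -r count ip; do
        $IPT -I INPUT -s "$ip" -j DROP
    done
}

# Constructed sample of /var/log/secure lines (OpenSSH wording on CentOS).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Oct 24 05:56:01 box sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Oct 24 05:56:03 box sshd[4021]: Failed password for root from 203.0.113.5 port 40212 ssh2
Oct 24 05:56:04 box sshd[4023]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Oct 24 05:57:10 box sshd[4030]: Failed password for ml from 198.51.100.9 port 51000 ssh2
Oct 24 05:58:00 box sshd[4031]: Accepted publickey for ml from 192.0.2.10 port 51022 ssh2
EOF

failed_login_sources "$LOG" 3    # 3 203.0.113.5
block_failed_sources "$LOG" 3    # iptables -I INPUT -s 203.0.113.5 -j DROP
rm -f "$LOG"
```

Exempt your own addresses before applying this for real; otherwise a few mistyped passwords from home lock you out of your own box.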
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
So I added Port 2977 Under Host *
So I have: Host * Port 2977
I rebooted and I get a connection refused now when I try to connect.
I am doing: ssh -p 2977 user@ip
I must have missed something.
ML wrote:
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
So I added Port 2977 Under Host *
So I have: Host * Port 2977
I rebooted and I get a connection refused now when I try to connect.
I am doing: ssh -p 2977 user@ip
I must have missed something.
Check your firewall rules.
mark
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
So I added Port 2977 Under Host *
So I have: Host * Port 2977
I rebooted and I get a connection refused now when I try to connect.
I am doing: ssh -p 2977 user@ip
My firewall is set to allow 2977.
Just for shits I changed this to 29770
I ran: system-config-securitylevel-tui and customized and added 29770:tcp to other ports
I then: nano /etc/ssh/ssh_config and said Port 29770
So that I have: Host * Port 29770 Protocol 2
I then did: service sshd restart
and I still get connection refused. Comment out Port 29770 and all is well again.
-ML
On Sat, 2009-10-24 at 07:17 -0700, ML wrote:
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
So I added Port 2977 Under Host *
So I have: Host * Port 2977
I rebooted and I get a connection refused now when I try to connect.
I am doing: ssh -p 2977 user@ip
My firewall is set to allow 2977.
Just for shits I changed this to 29770
I ran: system-config-securitylevel-tui and customized and added 29770:tcp to other ports
I then: nano /etc/ssh/ssh_config and said Port 29770
So that I have: Host * Port 29770 Protocol 2
I then did: service sshd restart
and I still get connection refused. Comment out Port 29770 and all is well again.
Have you restarted the ssh daemon after changing the config file?
Also, have you restarted the iptables service after changing the firewall rules?
I then did: service sshd restart
<snip>
Have you restarted the ssh daemon after changing the config file?
Ooops, I really need to not post to the mailing list when I am tired.
My second question still stands. Also, have you run nmap on your host to verify that the port is open?
Also, have you restarted the iptables service after changing the firewall rules?
I then did: service sshd restart
<snip>
Have you restarted the ssh daemon after changing the config file?
Ooops, I really need to not post to the mailing list when I am tired.
My second question still stands. Also, have you run nmap on your host to verify that the port is open?
No, but I might be a dork.
I was editing /etc/ssh/ssh_config and it looks like I wanted to edit /etc/ssh/sshd_config. I don't know if now I should put ssh_config back to its defaults or not. I need to query that.
Also, have you restarted the iptables service after changing the firewall rules?
I restarted the whole server actually.
-ML
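Added example (not from the thread) that makes the server/client split behind the mix-up above explicit: set_sshd_port edits the Port directive of an sshd_config-style file (the server side), and add_client_host writes a per-host entry for the client config, so the new port applies to that one host instead of to every host under "Host *". File paths, the host alias "box", the address and the port are constructed for the demo.

```sh
#!/bin/sh
# Added example: server port goes in sshd_config, client port in a per-host entry.
# Paths here are temporary; the real files are /etc/ssh/sshd_config and
# ~/.ssh/config (or /etc/ssh/ssh_config for all users).
set -eu

# Rewrite or uncomment the Port directive in an sshd_config-style file.
# $1 = config path, $2 = new port (1-65535; the thread suggests > 1024).
set_sshd_port() {
    cfg=$1; port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if grep -qiE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]+[0-9]+.*/Port $port/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Add a client entry so "ssh <alias>" uses the new port for this host only.
# $1 = client config path, $2 = alias, $3 = real host/IP, $4 = port.
add_client_host() {
    printf 'Host %s\n    HostName %s\n    Port %s\n' "$2" "$3" "$4" >> "$1"
}

# Port the client config resolves for an alias (first matching Host block).
client_port_for() {
    awk -v h="$2" 'tolower($1)=="host"{cur=$2}
                   tolower($1)=="port" && cur==h {print $2; exit}' "$1"
}

# Demo on constructed files. On a real box, after editing: sshd -t (syntax
# check), service sshd restart, open the port in the firewall, then confirm
# with netstat -tlnp | grep sshd before closing the session you are in.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\nProtocol 2\nPermitRootLogin no\n' > "$d/sshd_config"
    set_sshd_port "$d/sshd_config" 2977
    add_client_host "$d/ssh_config" box 192.0.2.10 2977
    grep '^Port' "$d/sshd_config"              # Port 2977
    client_port_for "$d/ssh_config" box        # 2977
    rm -rf "$d"
}
demo
```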
On 25/10/2009, at 12:10 AM, ML wrote:
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
In /etc/ssh/sshd_config replace "port 22" with "port <whatever high port (> 1024) you like>"
Then configure your ssh clients accordingly.
So I added Port 2977 Under Host *
So I have: Host * Port 2977
I rebooted and I get a connection refused now when I try to connect.
I am doing: ssh -p 2977 user@ip
Try ssh -p 2977 -l user IP
Not user@ip
I must have missed something.
On 10/26/2009 07:41 PM, Michael Kress wrote:
ML wrote:
So I added Port 2977 Under Host *
So I have: Host * Port 2977
Never post your real port number here. Otherwise you don't need to hide it from the public. Right? ;-)
I'm not sure if this is a serious security suggestion, or a joke. (If it's a joke, sorry I missed the boat.) This is probably going to look like a troll, but I really do feel sorry for anyone who takes this kind of suggestion seriously.
Whatever alternate SSH port number you select is NOT a secret, and you have a false impression of security if you think of it as a secret. Thinking that "My system is more secure because I run SSH on an alternate port" is just fooling yourself.
If you're already taking appropriate precautions elsewhere, then changing the port number is really just a convenience/preference, to make your logs a little less noisy. Security-wise, it's window dressing, and it'll really only present a problem for the laziest attackers or bots. Your secret SSH port number is only a secret for about as long as it takes for a wide port scan to run. (And unless you've implemented IP-level rate-limiting on a per-remote-source-IP basis, that's a much shorter time than you think.)
Moving the SSH port will help cut down on the rate at which dictionary bots (account/password guessers) will hit you up. But do those dictionary bots really pose a security threat to you? Maybe, if your SSH server isn't patched and up-to-date, or if you haven't audited/locked your local accounts, or if you don't enforce strong passwords or keys-only logins.
If it's really that important that you cut the rate down, the iptables 'recent' module is a fantastic tool. Combined with some whitelisting, you can really cut the noise down, without inconveniencing yourself at all. If you find 'iptables' too intimidating, there are a few log-watching scripts that will dynamically block source IPs on-the-fly as the remote IPs roll into '/var/log/secure'.
(I'm just going to apologize now to anybody I've offended, if it means anything--this is just one guy's opinion on the Internet, after all.)
-Ryan
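Added example (not from the thread) of the iptables 'recent' setup Ryan mentions: new connections to the SSH port are counted per source address, trusted sources are accepted before the limiter, and a source that exceeds the budget is dropped. The port, budget and whitelist networks are constructed for the demo; rules are only printed unless IPT=iptables is set.

```sh
#!/bin/sh
# Added example: per-source rate limiting of new SSH connections with the
# iptables 'recent' module, with a whitelist. Dry run unless IPT=iptables.
set -eu
IPT=${IPT:-echo iptables}

# $1 = ssh port, $2 = new connections allowed, $3 = within this many seconds,
# remaining args = source IPs/CIDRs that are never rate-limited.
ssh_ratelimit_rules() {
    port=$1; hits=$2; secs=$3; shift 3
    # A dedicated chain keeps the policy in one place and easy to flush.
    $IPT -N SSH_LIMIT
    for src in "$@"; do
        $IPT -A SSH_LIMIT -s "$src" -j ACCEPT
    done
    # Record the source, then drop it once it has been seen $hits times in
    # $secs seconds; --update also refreshes the timestamp, so a bot that
    # keeps hammering stays blocked until it goes quiet.
    $IPT -A SSH_LIMIT -m recent --name sshlimit --set
    $IPT -A SSH_LIMIT -m recent --name sshlimit --update \
        --seconds "$secs" --hitcount "$hits" -j DROP
    $IPT -A SSH_LIMIT -j ACCEPT
    # Only new TCP connections to the SSH port enter the chain, so
    # established sessions are never affected.
    $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j SSH_LIMIT
}

# Demo: port 2977, at most 4 new connections per 60 s, two trusted sources.
ssh_ratelimit_rules 2977 4 60 192.0.2.0/24 198.51.100.7
```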
http://www.iana.org/assignments/port-numbers
See the unassigned ports; you should use one of those.
For more security, only allow SSH access from the intranet or by VPN. CMIIW
Regards, David
Michael Kress wrote:
ML wrote:
So I added Port 2977 Under Host *
So I have: Host * Port 2977
Never post your real port number here. Otherwise you don't need to hide it from the public. Right? ;-)
Regards, Michael
On Mon, Oct 26, 2009 at 23:54, David Suhendrik david@pnyet.web.id wrote:
For more security, only allow SSH access from the intranet or by VPN. CMIIW
Not a bad suggestion. It's somewhat more heavyweight and restrictive, but if you're paranoid enough to worry about 0-day OpenSSH server exploits, this could help you sleep better at night.
This is an interesting judgement to consider. Personally, I don't generally consider the extra VPN layer to be a default requirement. Most VPNs clients require admin-level privs, and some kind of pre-connection setup process (install client software, distribute certs/keys, etc.), either of which could prevent legit users from connecting in certain common circumstances, like an Internet cafe or a borrowed machine.
I think it's good to ask yourself whether the risks really justify the loss of functionality: If your current security concern is dictionary bots, I don't think you'd need to bother with a VPN, because the bot attacks aren't usually probing for unpatched exploits, they're just guessing common login creds.
(Actually, I could be wrong about that last one--if anyone has profiled SSH bot traffic recently, I'd be interested in knowing how much of it [if any] is exploits vs. login guessing.)
-Ryan
On 24/10/2009, at 11:26 PM, ML wrote:
HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
Look in /etc/ssh/sshd_config
You can specify the port there, it's the first option which is commented out.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
To specify another port you need to use ssh -p X -l whateveruser IP
I don't think there are any ramifications/disadvantages of running the SSH daemon on a non standard port.
Best, -ML
On 24-Oct-2009 Oliver Ransom wrote:
I don't think there are any ramifications/disadvantages of running the SSH daemon on a non standard port.
Running sshd on a non-standard port is highly useful; I always have 2 separate sshd instances. One on 22 and one on 222. This way, if I muck up an sshd upgrade, or config change, I can always get in through the other instance on 222.
It is important to keep the 2 instances separate, with separate startup scripts and binaries (as in, cp /sbin/sshd /sbin/sshd222)
-Philip
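Added example (not from the thread) for the two-instance setup Philip describes: the rescue config is derived from the primary one with its own Port and, just as important, its own PidFile, since two daemons sharing one pid file overwrite each other's. The config paths and port 222 are constructed for the demo.

```sh
#!/bin/sh
# Added example: derive a config for a second, rescue sshd instance.
# Port and PidFile must differ from the primary instance; the binary is
# copied as well (cp /sbin/sshd /sbin/sshd222, as in the post above) so an
# upgrade of the main sshd cannot take both instances down at once.
set -eu

# $1 = primary sshd_config, $2 = path for the derived config, $3 = rescue port.
make_rescue_sshd_config() {
    src=$1; dst=$2; port=$3
    # Drop any existing Port/PidFile lines (commented or not), then add ours.
    grep -viE '^[[:space:]]*#?[[:space:]]*(Port|PidFile)[[:space:]]' "$src" > "$dst" || true
    printf 'Port %s\nPidFile /var/run/sshd%s.pid\n' "$port" "$port" >> "$dst"
}

# Value of a directive in a config file (first match, case-insensitive).
config_value() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# Demo on a constructed primary config.
d=$(mktemp -d)
printf 'Port 22\n#PidFile /var/run/sshd.pid\nProtocol 2\nPermitRootLogin no\n' > "$d/sshd_config"
make_rescue_sshd_config "$d/sshd_config" "$d/sshd222_config" 222
config_value "$d/sshd222_config" Port      # 222
config_value "$d/sshd222_config" PidFile   # /var/run/sshd222.pid
rm -rf "$d"
# On the real host: check the derived file with  sshd -t -f /etc/ssh/sshd222_config,
# open port 222 in the firewall, and start the copy from its own init script with
# /sbin/sshd222 -f /etc/ssh/sshd222_config
```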
On Sat, 24 Oct 2009, Philip Gwyn wrote:
On 24-Oct-2009 Oliver Ransom wrote:
I don't think there are any ramifications/disadvantages of running the SSH daemon on a non standard port.
Unless I want to sftp. It always looks for port 22; if I do:
sftp SERVER
It will deny me if SERVER is anything but port 22. Doing a man sftp yields no help on how to solve that. Any ideas?
Gilbert Sebenste (My opinions only!)
2009/10/24 Gilbert Sebenste sebenste@weather.admin.niu.edu:
It will deny me if SERVER is anything but port 22. Doing a man sftp yields no help on how to solve that. Any ideas?
From memory, try -o Port=222
Ben
On Sat, 24 Oct 2009, Benjamin Donnachie wrote:
2009/10/24 Gilbert Sebenste sebenste@weather.admin.niu.edu:
It will deny me if SERVER is anything but port 22. Doing a man sftp yields no help on how to solve that. Any ideas?
From memory, try -o Port=222
Ben
Thanks to all who responded. That's what I was looking for!
Gilbert Sebenste wrote:
On Sat, 24 Oct 2009, Philip Gwyn wrote:
On 24-Oct-2009 Oliver Ransom wrote:
I don't think there are any ramifications/disadvantages of running the SSH daemon on a non standard port.
Unless I want to sftp. It always looks for port 22; if I do:
sftp SERVER
It will deny me if SERVER is anything but port 22. Doing a man sftp yields no help on how to solve that. Any ideas?
I usually prefer rsync over ssh for file transfers where possible. There it would be rsync -e 'ssh -p nnn' ....
2009/10/25 Les Mikesell lesmikesell@gmail.com:
Gilbert Sebenste wrote:
On Sat, 24 Oct 2009, Philip Gwyn wrote:
On 24-Oct-2009 Oliver Ransom wrote:
I don't think there are any ramifications/disadvantages of running the SSH daemon on a non standard port.
Unless I want to sftp. It always looks for port 22; if I do:
sftp SERVER
It will deny me if SERVER is anything but port 22. Doing a man sftp yields no help on how to solve that. Any ideas?
I usually prefer rsync over ssh for file transfers where possible. There it would be rsync -e 'ssh -p nnn' ....
Also, you could set up the port in /etc/ssh/ssh_config for the name/IP of the target machine, so you don't need to type "-o Port xxx" or "-p xxx" every time. The downside is that you forget the port over time, not using it.
ML wrote:
HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
Pretty much everything you need to know about SSH is on the Wiki here:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Why don't people use the Wiki? These same topics come up over and over again, and no one ever refers to the resources available on the Wiki?
Pretty much everything you need to know about SSH is on the Wiki here:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Why don't people use the Wiki? These same topics come up over and over again, and no one ever refers to the resources available on the Wiki?
I don't think it is well advertised. I don't ever recall looking there.
Ned,
Pretty much everything you need to know about SSH is on the Wiki here:
http://wiki.centos.org/HowTos/Network/SecuringSSH
Why don't people use the Wiki? These same topics come up over and over again, and no one ever refers to the resources available on the Wiki?
Thanks for the link, this should help me create public/private keys too!
-ML
As mentioned previously, requiring certificates, and not allowing interactive logins, is safest.
But even if you decide to allow interactive logins, there are things you SHOULD do.
Disable admin/root login.
Update sshd so that only named users can login via SSH, all other users that might be on the system cannot login.
Require SSH 2 as mentioned in another email.
It probably helps too if the named user isn't a "common" name, like mark, etc., like I've seen in logs when I've perused them.
Running firewall tools that block IP addresses with several failed attempts.
And, of course, a strong password.
I've never set up certificates for my private, personal use to my box. But I've disabled root login, only 1 account can connect, ssh2 is required, I don't use a "common" name, and I have a strong password.
On Oct 24, 2009, at 7:56 AM, ML wrote:
HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
Best, -ML
ML wrote:
HI All,
With my new firewall in place, it has opened my eyes to how much traffic gets blocked in a single day and also what are the most active rules. I get *a lot* of requests for port 22.
How does one switch ssh ports? What is a good port to use? What ramifications does it have when I need to ssh in? Is it as simple as ssh user@host:port?
Perhaps the first thing I do on a new server is:
vi /etc/ssh/sshd_config
And uncomment the port line, change the port number to my favorite port number, save the file, then restart sshd.
I much prefer this method to setting up port limiting rules in iptables and ip6tables.