Hi,
I've set up a small LAN of two desktops running CentOS 5 in a medical office. Both are connected to the Internet via a small modem/router.
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
I'd like to handle the two PCs from the medical office remotely with FreeNX. I figured that the best way to distinguish them would be to assign a different port for SSH to each of them, and then redirect each of the ports respectively.
1) How do I choose different port numbers for SSH? Any conventions or caveats for this?
2) How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
Cheers,
Niki
Niki Kovacs wrote:
Hi,
I've set up a small LAN of two desktops running CentOS 5 in a medical office. Both are connected to the Internet via a small modem/router.
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
I'd like to handle the two PCs from the medical office remotely with FreeNX. I figured that the best way to distinguish them would be to assign a different port for SSH to each of them, and then redirect each of the ports respectively.
- How do I choose different port numbers for SSH? Any conventions or caveats for this?
Choose a random unused high port number (above 1023)
http://www.iana.org/assignments/port-numbers.
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecb...
Ned Slider a écrit :
Choose a random unused high port number (above 1023)
http://www.iana.org/assignments/port-numbers.
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecb...
Thanks, that helped. I sort of managed to configure different SSH ports for the two machines. Now I'm facing another quite unexpected problem. Let me try to describe what's going on.
Machine number 1 (bernadette) is 192.168.1.2. I reconfigured SSH on this machine to use port 10022.
Machine number 2 (raymonde) is 192.168.1.3. SSH port on raymonde is 10023.
I took care of reconfiguring the firewall and opening the respective ports (10022:tcp on bernadette, 10023:tcp on raymonde).
In my router's web interface (Expert Mode > NAT) I defined a port redirection, so that requests for port 10022 are rerouted to 192.168.1.2, and requests for port 10023 to 192.168.1.3.
Now I can ssh into my two machines from the outside, using my public IP address, e.g.:
# ssh my.ip.add.res -p 10022 --> I'm logged into bernadette
# ssh my.ip.add.res -p 10023 --> Logs me into raymonde
Except... when logging in a second time, into the other machine, I get this, understandably:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Now, of course, I could manually open ~/.ssh/known_hosts, erase the respective line and then log back again. But is there a more orthodox way to log into two different machines via two distinct ports on one single IP address without getting this sort of error ?
Cheers,
Niki
On Sun, Mar 21, 2010 at 05:03:12PM +0100, Niki Kovacs wrote:
Now I can ssh into my two machines from the outside, using my public IP address. E. g. :
# ssh my.ip.add.res -p 10022 --> I'm logged into bernadette
# ssh my.ip.add.res -p 10023 --> Logs me into raymonde
[ Key changed... ]
Now, of course, I could manually open ~/.ssh/known_hosts, erase the respective line and then log back again. But is there a more orthodox way to log into two different machines via two distinct ports on one single IP address without getting this sort of error ?
From "man ssh_config" look into CheckHostIP
For example:
Host bernadette
    HostName my.ip.add.ress
    Port 10022
    HostKeyAlias bernadette
    CheckHostIP no

Host raymonde
    HostName my.ip.add.ress
    Port 10023
    HostKeyAlias raymonde
    CheckHostIP no
Now you should be able to do "ssh bernadette" and "ssh raymonde".
Personally, I use something like dnsalias.org to register my hostname so if the IP address changes I don't need to change config files (set HostName foobar.dnsalias.org - where foobar is the name you registered)
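As an added example (not from the thread and not Stephen's code): a POSIX shell script that writes the two client stanzas above and shows the known_hosts side of the problem, namely which name the client files a host key under and a check that finds two different keys recorded under one name, which is the condition behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" banner. The hostnames, public IP and ports are the ones from the thread; the known_hosts file and the key material in it are constructed. The lookup rule in kh_name (HostKeyAlias if set, the bare name on port 22, otherwise the "[host]:port" form documented in sshd(8)) is an assumption about the client's behaviour, and the demo file assumes, as the warning in the thread implies, that both machines' keys were filed under the one public address.

```sh
#!/bin/sh
# Added example, not code from the thread. Shows the known_hosts side of the
# HostKeyAlias fix: which name the client files a host key under, and a check
# that finds two different keys recorded under one name (the condition behind
# "REMOTE HOST IDENTIFICATION HAS CHANGED") before anyone edits the file by hand.

# kh_name HOST PORT [ALIAS]: the known_hosts name the client looks up.
# Assumption: HostKeyAlias wins, port 22 uses the bare name, any other port
# uses the "[host]:port" form documented in sshd(8).
kh_name() {
    if [ -n "${3:-}" ]; then
        printf '%s\n' "$3"
    elif [ "$2" = 22 ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# ssh_stanza ALIAS HOST PORT: client config for one box behind the shared IP.
# HostKeyAlias is what keeps the two machines' keys apart in known_hosts;
# CheckHostIP no is carried over from the stanza in the thread.
ssh_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    HostKeyAlias %s\n    CheckHostIP no\n\n' \
        "$1" "$2" "$3" "$1"
}

# kh_conflicts FILE: print "name keytype" for every name that carries two
# different keys of the same type; exit 1 if any were found. Hashed (|1|...)
# entries are skipped because their names cannot be read back.
kh_conflicts() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        { names = $1; type = $2; key = $3 }
        names ~ /^@/     { names = $2; type = $3; key = $4 }   # @cert-authority etc.
        names ~ /^\|1\|/ { next }
        {
            n = split(names, part, ",")
            for (i = 1; i <= n; i++) {
                id = part[i] SUBSEP type
                label = part[i] " " type
                if ((id in seen) && seen[id] != key && !(label in bad)) {
                    bad[label] = 1; count++
                }
                seen[id] = key
            }
        }
        END { for (b in bad) print b; exit (count > 0) }
    ' "$1"
}

# write_demo_known_hosts FILE: a constructed known_hosts in the state the
# thread describes: both machines were reached through the bare public IP,
# so both keys ended up filed under that one name. Key material is fake.
write_demo_known_hosts() {
    cat > "$1" <<'EOF'
# constructed for the example; not real keys
213.41.141.252 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbernadetteCONSTRUCTEDKEY
213.41.141.252 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCraymondeCONSTRUCTEDKEY
# after switching to HostKeyAlias each machine gets its own name
bernadette ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCbernadetteCONSTRUCTEDKEY
raymonde ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCraymondeCONSTRUCTEDKEY
EOF
}

# Stand-alone use: sh kh.sh demo
if [ "${1:-}" = demo ]; then
    ssh_stanza bernadette 213.41.141.252 10022
    ssh_stanza raymonde   213.41.141.252 10023
    f=$(mktemp); write_demo_known_hosts "$f"
    kh_conflicts "$f" || echo "conflict above: two keys filed under one name"
    rm -f "$f"
fi
```

The point of kh_conflicts is that the banner is only harmless when you already know the second key belongs to the other machine; running the check (or comparing the presented fingerprint against the one you recorded on the LAN) is the step that turns "delete the line and try again" into a verified decision. With the alias stanzas in place the two entries never share a name, so the pinned keys stay intact and a genuine key change on either machine still produces the warning.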
Stephen Harris a écrit :
From "man ssh_config" look into CheckHostIP
For example:
Host bernadette
    HostName my.ip.add.ress
    Port 10022
    HostKeyAlias bernadette
    CheckHostIP no

Host raymonde
    HostName my.ip.add.ress
    Port 10023
    HostKeyAlias raymonde
    CheckHostIP no
Now you should be able to do "ssh bernadette" and "ssh raymonde".
Thanks very much! That solved my problem.
Cheers,
Niki
On Sun, 2010-03-21 at 17:03 +0100, Niki Kovacs wrote:
Ned Slider a écrit :
Choose a random unused high port number (above 1023)
http://www.iana.org/assignments/port-numbers.
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
http://wiki.centos.org/HowTos/Network/SecuringSSH#head-3579222198adaf43a3ecb...
Thanks, that helped. I sort of managed to configure different SSH ports for the two machines. Now I'm facing another quite unexpected problem. Let me try to describe what's going on.
Machine number 1 (bernadette) is 192.168.1.2. I reconfigured SSH on this machine to use port 10022.
Machine number 2 (raymonde) is 192.168.1.3. SSH port on raymonde is 10023.
I took care of reconfiguring the firewall and opening the respective ports (10022:tcp on bernadette, 10023:tcp on raymonde).
In my router's web interface (Expert Mode > NAT) I defined a port redirection, so that requests for port 10022 are rerouted to 192.168.1.2, and requests for port 10023 to 192.168.1.3.
Now I can ssh into my two machines from the outside, using my public IP address, e.g.:
# ssh my.ip.add.res -p 10022 --> I'm logged into bernadette
# ssh my.ip.add.res -p 10023 --> Logs me into raymonde
Except... when logging in a second time, into the other machine, I get this, understandably:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
Now, of course, I could manually open ~/.ssh/known_hosts, erase the respective line and then log back again. But is there a more orthodox way to log into two different machines via two distinct ports on one single IP address without getting this sort of error ?
I have resorted to using DNS to do this...
ssh -p SOME_PORT_NUMBER hostname1.example.com
ssh -p SOME_OTHER_PORT hostname2.example.com
and hostname1.example.com and hostname2.example.com actually point to the same IP address (maybe one is an A record and the other a CNAME).
Craig
Niki Kovacs wrote:
Hi,
I've set up a small LAN of two desktops running CentOS 5 in a medical office. Both are connected to the Internet via a small modem/router.
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
I'd like to handle the two PCs from the medical office remotely with FreeNX. I figured that the best way to distinguish them would be to assign a different port for SSH to each of them, and then redirect each of the ports respectively.
- How do I choose different port numbers for SSH? Any conventions or caveats for this?
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Les Mikesell wrote:
Niki Kovacs wrote:
Hi,
I've set up a small LAN of two desktops running CentOS 5 in a medical office. Both are connected to the Internet via a small modem/router.
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
I'd like to handle the two PCs from the medical office remotely with FreeNX. I figured that the best way to distinguish them would be to assign a different port for SSH to each of them, and then redirect each of the ports respectively.
- How do I choose different port numbers for SSH? Any conventions or caveats for this?
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Not all home/consumer routers will allow redirection to another port - some only allow packet forwarding to the *same* port at another IP address.
Ned Slider wrote:
- How do I configure these different ports? By that, I mean: how do I tell SSH to use them instead of port 22?
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Not all home/consumer routers will allow redirection to another port - some only allow packet forwarding to the *same* port at another IP address.
I guess that's possible - but they are cheap enough to replace if they don't provide the functionality you want. I think I've seen some where they had a simple setup to forward a port for a service to the same port at one inside IP or you could do a custom setup where you could specify the target port as well.
Les Mikesell a écrit :
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Sorry, but I don't quite follow you. (One of these cases where I feel my IQ is just a bit insufficient :oD)
How can I possibly access two distinct machines behind one single IP address when they run SSH on the same port ?
Or, I'll reformulate my question more simply.
I have a router with *one* public IP address (213.41.141.252). And behind that router, on the local network, I have two different machines: 192.168.1.2 and 192.168.1.3.
Is there a (normal, orthodox) way to SSH into these machines directly from the outside? That is, without logging into the main box and then hopping around internally? Something where in one case, ssh 213.41.141.252 -option gets me into machine A, and then ssh 213.141.141.252 -otheroption gets me into machine B.
I'm confused.
On Sun, 2010-03-21 at 17:29 +0100, Niki Kovacs wrote:
Les Mikesell a écrit :
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Sorry, but I don't quite follow you. (One of these cases where I feel my IQ is just a bit insufficient :oD)
You can access multiple machines behind one single IP by machine name or DNS: host1.net.com:22 host2.net.com 2203 .....
How can I possibly access two distinct machines behind one single IP address when they run SSH on the same port ?
Or, I'll reformulate my question more simply.
I have a router with *one* public IP address (213.41.141.252). And behind that router, on the local network, I have two different machines: 192.168.1.2 and 192.168.1.3.
I'm confused.
Yes you are.
John
Hi Nikki,
Niki Kovacs sent a missive on 2010-03-21:
Les Mikesell a écrit :
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Sorry, but I don't quite follow you. (One of these cases where I feel my IQ is just a bit insufficient :oD)
How can I possibly access two distinct machines behind one single IP address when they run SSH on the same port ?
You have to use a combination of NAT and PAT (NAT is Network address translation and PAT is Port address translation) on the router.
Or, I'll reformulate my question more simply.
I have a router with *one* public IP address (213.41.141.252). And behind that router, on the local network, I have two different machines: 192.168.1.2 and 192.168.1.3.
Is there a (normal, orthodox) way to SSH into these machines directly from the outside? That is, without logging into the main box and then hopping around internally? Something where in one case, ssh 213.41.141.252 -option gets me into machine A, and then ssh 213.141.141.252 -otheroption gets me into machine B.
I'm confused.
Depending on your router you will be able to configure it to do what you want.
On your router you "should" be able to do the following:
Redirect connections to 213.141.141.252 port 2222 to 192.168.1.2 port 22
AND
Redirect connections to 213.141.141.252 port 2223 to 192.168.1.3 port 22
You then can connect using your favourite ssh client (mine is absolute telnet :-) ) by connecting to 213.141.141.252 port 2222 you'll be connected to 192.168.1.2 via ssh.
Simples!
Hope this helps
Simon.
Niki Kovacs wrote:
Les Mikesell a écrit :
You don't really need to change the ports on the hosts. Just configure the router to accept different ports on the internet side and redirect to port 22 at the different IP addresses on the inside. Then you only have to change the client settings for access from outside. I'd move both of them away from port 22 on the outside, though - you'll avoid a lot of password guessing attempts that will happen otherwise.
Sorry, but I don't quite follow you. (One of these cases where I feel my IQ is just a bit insufficient :oD)
How can I possibly access two distinct machines behind one single IP address when they run SSH on the same port ?
The router configuration for port forwarding should let you specify the port to accept on (where each does have to be different because of the single IP) and then the IP and port for redirection. Since the inside targets have different IPs, it doesn't matter that they have the same port. At least most routers work this way - you can redirect to a different port on the inside but they may have a different config section for 'custom' forwarding and a simplified one that just sends a service port to the same port on one inside target.
Or, I'll reformulate my question more simply.
I have a router with *one* public IP address (213.41.141.252). And behind that router, on the local network, I have two different machines: 192.168.1.2 and 192.168.1.3.
Is there a (normal, orthodox) way to SSH into these machines directly from the outside? That is, without logging into the main box and then hopping around internally? Something where in one case, ssh 213.41.141.252 -option gets me into machine A, and then ssh 213.141.141.252 -otheroption gets me into machine B.
Yes, just pick different port numbers for the router to redirect to port 22 at each internal IP. Then everything works normally internally and externally you use 'ssh -p nnn public_address' where your port number will be the one redirected to the internal machine you want (and the NX client also has a place in the config screen to set the port number).
Another option if most of your outside access is from a single location or from a laptop would be to set up openvpn to one of the inside machines, configuring the router to pass a single udp port for it. Then you can treat it like a routed subnet with normal access to all services. But, if you use freenx it doesn't make much difference because the session runs over ssh and the desktop will have 'inside' access anyway.
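As an added example (not from the thread): the router-side NAT/PAT that Simon and Les describe, written as iptables rules for a Linux box standing in for the consumer router, so the exact shape of the "outside port X to inside host Y port 22" rule is visible. The ports and inside addresses are the ones from the thread; the WAN interface name and the optional trusted source network are assumptions. Setting IPT=echo prints the rules instead of loading them, which is also how you check the generated rules before touching a live gateway.

```sh
#!/bin/sh
# Added example, not from the thread: the router-side NAT/PAT that Les and
# Simon describe, written as iptables rules for a Linux box in the router role.
# Interface name, the trusted source network and the ports are assumptions.
IPT="${IPT:-iptables}"      # IPT=echo prints the rules instead of loading them
WAN_IF="${WAN_IF:-eth0}"    # assumed name of the Internet-facing interface

# forward_ssh WAN_PORT LAN_IP [SOURCE]
# Outside: tcp/WAN_PORT at the public address. Inside: LAN_IP:22, so sshd on
# the desktops keeps its default port and nothing changes on the LAN.
# SOURCE narrows who may even reach the forward; the default is everyone.
forward_ssh() {
    wan_port=$1; lan_ip=$2; src=${3:-0.0.0.0/0}
    # DNAT runs before routing: rewrite the destination to the inside host.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$src" --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:22"
    # FORWARD sees the packet after DNAT, so match the inside address and port 22.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$src" -d "$lan_ip" --dport 22 \
        -m state --state NEW -j ACCEPT
}

# forward_base: deny-by-default forwarding with replies allowed back through,
# plus masquerading so the LAN can still reach the Internet.
forward_base() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Stand-alone use: sh forward.sh apply (as root), or IPT=echo sh forward.sh apply
if [ "${1:-}" = apply ]; then
    forward_base
    forward_ssh 10022 192.168.1.2        # bernadette
    forward_ssh 10023 192.168.1.3        # raymonde
fi
```

Two things a practitioner would want to keep in mind with this: the third argument to forward_ssh is where the real access control lives, since moving the outside port away from 22 only thins out the automated password guessing Les mentions and does not stop anyone who port-scans the address; and on newer kernels the `-m state` match is spelled `-m conntrack --ctstate` with the same meaning.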
Les Mikesell a écrit :
Yes, just pick different port numbers for the router to redirect to port 22 at each internal IP. Then everything works normally internally and externally you use 'ssh -p nnn public_address' where your port number will be the one redirected to the internal machine you want (and the NX client also has a place in the config screen to set the port number).
OK, now I got it, and even managed to make it work in practice. Generally speaking, I understand things very fast when they're explained very slowly :o)
Thanks,
Niki
On Sunday 21 March 2010 10:54, Niki Kovacs wrote:
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
There was a lot of information given to you about this, but one piece I didn't see. If you are using SSH then why not switch from password authentication to Key authentication? Thus should someone figure out what port you are using, and today it isn't that hard with the many tools out there, they still will not be able to connect.
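An added check for Robert's advice (not from the thread): a shell audit that reads an sshd_config and reports whether password or root logins are still possible, run here against a constructed weak file and a constructed hardened one. The defaults the audit assumes when a directive is absent are the compiled-in OpenSSH defaults of that era (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PermitRootLogin yes, PubkeyAuthentication yes); the sample files are constructed and are not any distribution's shipped sshd_config.

```sh
#!/bin/sh
# Added example, not code from the thread. sshd_audit reads an sshd_config and
# fails if it still lets passwords or root in; the two writers below produce a
# constructed "before" and "after" file to run it against.

# sshd_audit FILE: print "directive is X (want Y)" for each offending setting,
# exit 1 if any. The first value of a directive wins, as in sshd_config(5).
# Directives after a Match block are conditional and are not evaluated here.
sshd_audit() {
    awk '
        BEGIN {
            want["passwordauthentication"]          = "no"
            want["challengeresponseauthentication"] = "no"   # PAM keyboard-interactive
            want["permitrootlogin"]                 = "no"
            want["pubkeyauthentication"]            = "yes"
            # assumed compiled-in defaults for an absent directive (OpenSSH 5.x era)
            def["passwordauthentication"]          = "yes"
            def["challengeresponseauthentication"] = "yes"
            def["permitrootlogin"]                 = "yes"
            def["pubkeyauthentication"]            = "yes"
        }
        /^[ \t]*#/ || NF < 2 { next }
        { k = tolower($1) }
        k == "match"               { stop = 1 }
        stop                       { next }
        (k in want) && !(k in got) { got[k] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                v = (k in got) ? got[k] : def[k]
                if (v != want[k]) { printf "%s is %s (want %s)\n", k, v, want[k]; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# write_weak_sshd_config FILE: constructed; the shape of a stock file, with
# PermitRootLogin left commented out (so the default applies) and passwords on.
write_weak_sshd_config() {
    cat > "$1" <<'EOF'
# constructed example, not a distribution's shipped file
Port 22
Protocol 2
#PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# write_hardened_sshd_config FILE: constructed; what Robert's advice looks like
# in the file. Run "sshd -t" on it and keep one working session open while
# sshd is restarted, so a typo cannot lock you out of the office machines.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Stand-alone use: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    for cfg in weak hardened; do
        f=$(mktemp); "write_${cfg}_sshd_config" "$f"
        echo "== $cfg"; sshd_audit "$f" && echo "ok: key-only, no root"
        rm -f "$f"
    done
fi
```

ChallengeResponseAuthentication is the directive people forget: with UsePAM yes, leaving it on keeps a keyboard-interactive path open that accepts the same passwords PasswordAuthentication no was meant to close. Before flipping the settings, generate a key pair with ssh-keygen on the client and place the public key in ~/.ssh/authorized_keys on each desktop (ssh-copy-id, or by hand over the existing session), then test a key login from outside while the old session is still open.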
If you want to remote into those 3 desktops from outside, you may have to use a different SSH port for each PC, like 22, 2222, 2223. Then you can forward the ports from the router separately.
On Sun, 21 Mar 2010 19:25:04 -0400, Robert Spangler mlists@zoominternet.net wrote:
On Sunday 21 March 2010 10:54, Niki Kovacs wrote:
Recently I played around with FreeNX on my own desktop, and I'd like to install it on these two computers. On my PC, I just redirected port 22 in the router, so SSH (and thus FreeNX) requests from the outside get redirected to my desktop PC. (And yes, I have a strong password :oD)
There was a lot of information given to you about this, but one piece I didn't see. If you are using SSH then why not switch from password authentication to Key authentication? Thus should someone figure out what port you are using, and today it isn't that hard with the many tools out there, they still will not be able to connect.
--
Regards Robert
Linux User #296285 http://counter.li.org _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sun, 2010-03-21 at 15:54 +0100, Niki Kovacs wrote:
I'd like to handle the two PCs from the medical office remotely with FreeNX. I figured that the best way to distinguish them would be to assign a different port for SSH to each of them, and then redirect each of the ports respectively.
I think the best option would be to use a freenx proxy server. Then, you only need to forward the standard ssh port to the proxy server. Once you're connected to the proxy machine, you could connect to any freenx server on the LAN.
Regards,
Ranbir