LinuxQuestions.org
Old 07-21-2006, 03:23 PM   #1
Braynid
Member
 
Registered: May 2006
Location: Romania
Distribution: CentOS
Posts: 140

Rep: Reputation: 15
SSH login on port 80


Hello,
I know it's a simple one but I just can't figure this out on my own.
How can I grant only one user the possibility to connect both on port 21 and 80 using ssh?
I have Ubuntu 6.06 server.
Thanks
 
Old 07-21-2006, 10:31 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
You don't.

First off, port 80 is for websites, and 21 is for FTP. Port 22 is for ssh. You can go in the ssh.conf file and set it to listen at any port you choose, but using a port that is assigned can lead to weird events. How does your ssh server deal with a request from a web browser? It should just refuse it, but you never know.

With a firewall, particularly a good hardware firewall, you could direct traffic from a given IP address (the one user) headed to port 80 or 21 to port 22 on the machine.

Also, what do you mean by only one user? Is there only one user on the machine, or do you only want one person of the several with accounts on it to have access to it?

Peace,
JimBass
 
Old 07-22-2006, 07:55 AM   #3
Braynid
Member
 
Registered: May 2006
Location: Romania
Distribution: CentOS
Posts: 140

Original Poster
Rep: Reputation: 15
Right you are my friend, just to clear things out, I know 80 is for http, I have a friend that can only access the 80 port from where he connects to the internet and I want him to be able to connect remotely on my machine (on port 22).
About that firewall, I have only my linux to use, how can I configure it right?

My deepest thanks!
 
Old 07-22-2006, 09:14 AM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Ok, here's how I would do it:

1) Edit /etc/ssh/sshd_config. Take the line that says
Code:
# What ports, IPs and protocols we listen for
Port 22
and turn the 22 into 80. Then restart sshd.

2) That means you have ssh listening on 80, so if you run any webpages off of this box, you need to move them to some port other than 80.

3) For you, your friend, or anyone else to connect, you need to pass a port to the ssh client. That command should look like
Code:
ssh -p 80 your.ip.address.or.domainname
For the sake of security, make sure you don't allow root to ssh in (force users to log in as users then use su to elevate). Allowing root in directly is a major security hole, as all the script kiddies try to ssh as root. You may also want to use the authorized_keys file to allow access, and once you get the key from your friend, change the sshd_config again so that password authentication is disabled. That way nobody can get in except your friend. The way to set up such keys is covered on this page, close to the top with the title "How do I setup OpenSSH". Don't do it as root or backuppc as the article says, have your friend do it as the username he has on your machine. http://backuppc.sourceforge.net/faq/ssh.html

Have fun.

Peace,
JimBass
 
Old 07-22-2006, 04:00 PM   #5
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 75
What I would do instead (assuming you know your friend's ip or domain name), is to put in some NAT rules using iptables (but only for that one ip). That way, the ssh server thinks it's communicating over port 22, and the client thinks it's communicating over port 80, and it only works for your friend.
 
Old 07-22-2006, 04:23 PM   #6
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Yes, Osor is correct, I didn't read carefully. If your friend can only come out on port 80, but you want him to connect at the standard port of 22, then you need to use a router or firewall to translate any request of his that comes in at port 80 to be forwarded to port 22. Without a hardware/software firewall or router to translate 80 (from his IP only) to 22, you won't get it to do what you want.

Doing what I suggested earlier would move SSH for everyone from 22 to 80, which is the inverse (converse?) of what you asked for. My bad.

Peace,
JimBass
 
Old 07-24-2006, 04:02 AM   #7
Braynid
Member
 
Registered: May 2006
Location: Romania
Distribution: CentOS
Posts: 140

Original Poster
Rep: Reputation: 15
I've got the point but I don't really know iptables that well. Can you please guide me a little?!
Thanks!
 
Old 07-24-2006, 06:22 PM   #8
osor
HCL Maintainer
 
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 75
Well, to start with, you need to have the required netfilter modules loaded (I don't know the names off the top of my head since mine are always in the kernel. I think just basic iptables.ko and iptables-nat.ko will do for this).

Then try (I haven't had time to thoroughly proofread, so if you have trouble, it's probably my fault):
Code:
# iptables -t nat -A PREROUTING  -s ${IP_FRIEND} -p tcp -m tcp --dport 80 -j DNAT --to-destination ${IP_YOURS}:22
# iptables -t nat -A POSTROUTING -d ${IP_FRIEND} -p tcp -m tcp --sport 22 -j SNAT --to-source      ${IP_YOURS}:80
The first rule will make your computer think that everything coming from your friend's IP with a TCP destination port of 80 should be interpreted as coming to TCP destination port 22 (using your IP). The second rule does the opposite (it makes everything destined to your friend with a source port of 22 actually leave your computer with a source port of 80).

This is a very basic implementation of what I was talking about. Of course, there are probably other, more elegant methods for this, so I await a post from someone more knowledgeable than I am about this stuff.
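
A source-restricted redirect of the kind discussed in this thread, as an added example that is not part of the original posts. It swaps in the `REDIRECT` target for the DNAT/SNAT pair above, validates the address before building any rule, and adds the INPUT rule a filtering host would need; the address `203.0.113.7` and the `FRIEND_IP`/`APPLY` variables are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (or apply) a source-restricted port 80 -> 22 redirect.
# 203.0.113.7 is a constructed documentation address, not from the thread.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for one permitted source address.
build_rules() {
    friend=$1
    valid_ipv4 "$friend" || { echo "invalid IPv4 address: $friend" >&2; return 1; }
    # nat/PREROUTING: rewrite destination port 80 to 22 for this source only.
    # Only the first packet of a connection traverses the nat table; connection
    # tracking reverses the rewrite on replies, so no POSTROUTING rule is needed.
    echo "iptables -t nat -A PREROUTING -s $friend -p tcp --dport 80 -j REDIRECT --to-ports 22"
    # filter/INPUT runs after the rewrite and therefore sees port 22, not 80.
    echo "iptables -I INPUT -s $friend -p tcp --dport 22 -j ACCEPT"
}

# Dry run by default; APPLY=1 executes the rules (requires root).
FRIEND_IP=${FRIEND_IP:-203.0.113.7}
rules=$(build_rules "$FRIEND_IP") || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh
else
    printf '%s\n' "$rules"
fi
```

After applying, the packet counters shown by `iptables -t nat -L PREROUTING -n -v` confirm whether the friend's connections are hitting the rule.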
 