LinuxQuestions.org, Linux - Security forum
Old 05-19-2006, 05:05 PM   #1
loadedmind | Member | Registered: Sep 2003 | Location: Texas | Distribution: Red Hat/CentOS | Posts: 302 | Blog Entries: 4
SSH Port-Forwarding via ListenAddress


Hello all,

Problem: Need to be able to ssh into two hosts - both behind NAT'ed LAN - from the outside in.

Let me first start off by giving you the network topology so there's no confusion about host-to-host communication. I have the ever-common NAT'ed LAN via a standard Linksys wired router. The internet is fed via a run-of-the-mill cable modem issued by Knology, my ISP. The network technician I spoke with at Knology was nice enough to provide me with the ports he knows they block, which are:

445, 6129, 2754, 3410, 135, 137, 139, 25

So, they give me the public IP from their DHCP lease which I convert to a private set of IP's via my router, aka NAT. We all pretty much know how this works.

I have two hosts on my LAN that I'd like to access via port 22. I realize this won't be possible until I tell one of the hosts to use an alternate port. The two hosts in question are: Fedora 5 & a Serial over IP appliance (lets me control such things as console access to Cisco routers, serial devices and so forth). By viewing the /etc/ssh/sshd_config file on the Fedora box, I see that there are two lines that might pertain to changing the default port 22 for ssh connections to something else. Here's what I have at the moment:

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

What I've found from search results off of google.com/linux is that the ListenAddress 0.0.0.0 & ListenAddress :: deal with what IP/port listening should process. What I don't know is what my syntax should be if I wanted to change it to, let's say port 2262, for instance. Also, I suppose the next logical question would be whether the port I decide to change it to might interfere with another service or application I install in the future. In other words, if others have this same setup, what are some good port ranges I should pick from? Perhaps some of you out there can post what your sshd_config files look like that give you successful results when attempting to ssh into an alternate port.

Any and all help would be greatly appreciated.

Best regards,
LoadedMind aka John
 
Old 05-19-2006, 05:30 PM   #2
jschiwal | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
The /etc/services file is a table containing the port numbers and service names.
Also, if you run chkconfig or nmap, you can find out which services your host uses.

Here is a web page with a handy listing of the most common ports used.
http://www.portdetective.com/portinfo.html
What you are planning isn't ssh forwarding, in that you are just using one port number for host A and another for host B and not going through Host A to get to Host B. There is nothing wrong with that, and it is the simplest solution.

Port 23 is for telnet. You probably don't have that service installed (Unless you are insanely careless about security), and since it is one port above 22, might make a logical choice.

Here is a somewhat related webpage on port forwarding. You could do this on the FC5 host, and forward the ssh tunnel to the appliance.
http://www.securityfocus.com/infocus/1816
An advantage to this approach is that you have more control over who can log in than you might from the appliance, such as the AllowUsers or DenyUsers entries in /etc/sshd_config.

Here is a linuxjournal article on hardening ssh. They use port 13 as an alternate ssh port.
http://interactive.linuxjournal.com/article/8500

I started a thread recently on sshd_config. The response was that AllowUsers pretty much trumps all other entries, and can be thought of as "Deny ALL users and groups except for these users". By tightening access to a standard ssh port on FC5, and using it to access the appliance, only you will be able to attempt to log into the appliance.

Also, before I forget, the config files each have their own man pages. ssh_config and sshd_config.

Last edited by jschiwal; 05-20-2006 at 02:42 AM.
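The reply above points at /etc/services and nmap to see what already uses a port. The following is an added example, not something posted in this thread and not the original poster's setup: a few POSIX sh functions that check a candidate sshd port against the services table, against the sockets currently listening on the host, and against the list of ports the poster's ISP said it blocks, then pick the first port in a range that passes all three checks. The embedded services excerpt is constructed for illustration; the blocked-port list is copied from the first post.

```shell
#!/bin/sh
# Added example (not from the LQ thread): is port N safe to use for sshd?
# Checks /etc/services, local listening sockets and the ISP's blocked list.

# Ports the ISP reported blocking (taken from the first post in the thread).
ISP_BLOCKED="445 6129 2754 3410 135 137 139 25"

# Print the service name(s) registered for PORT/tcp in a services file
# (default /etc/services). Comments are stripped first; prints nothing if
# the port is unregistered.
services_for_port() {
    port="$1"; file="${2:-/etc/services}"
    awk -v p="$port" '
        { sub(/#.*/, "") }                       # drop comments, refresh fields
        NF >= 2 && $2 == p "/tcp" { print $1 }   # lines look like "ssh 22/tcp"
    ' "$file"
}

# Succeed (exit 0) if PORT is in the ISP-blocked list.
blocked_upstream() {
    for b in $ISP_BLOCKED; do [ "$b" = "$1" ] && return 0; done
    return 1
}

# Succeed if a local TCP socket already listens on PORT. Uses ss, falls back
# to netstat; if neither tool exists, report "not listening".
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p "$" { f=1 } END { exit !f }'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p "$" { f=1 } END { exit !f }'
    else
        return 1
    fi
}

# Print the first port in LOW..HIGH that is unregistered, not ISP-blocked and
# not currently listening; exit 1 if the range has no such port.
pick_free_port() {
    low="$1"; high="$2"; file="${3:-/etc/services}"
    p="$low"
    while [ "$p" -le "$high" ]; do
        if [ -z "$(services_for_port "$p" "$file")" ] \
           && ! blocked_upstream "$p" && ! port_is_listening "$p"; then
            echo "$p"; return 0
        fi
        p=$((p + 1))
    done
    return 1
}

# Constructed excerpt in /etc/services format, written to a temp file whose
# path is printed, so the functions above can be exercised without reading
# the host's real table. Not a real services file.
sample_services_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed excerpt (example only)
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
telnet          23/tcp
smtp            25/tcp          mail
http            80/tcp          www
EOF
    echo "$f"
}
```

Usage: `. ./portcheck.sh; pick_free_port 2200 2300` prints the first usable port on the real host, and `services_for_port 2262` prints nothing if nobody has registered it. Note that a port being absent from /etc/services only means it has no well-known name; the listening-socket check is what tells you whether something on this box already owns it.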
 
Old 05-20-2006, 01:35 AM   #3
loadedmind | Member (Original Poster) | Registered: Sep 2003 | Location: Texas | Distribution: Red Hat/CentOS | Posts: 302 | Blog Entries: 4
Hi jschiwal and thanks so much for your reply. I believe you left out a link when you posted this:

"Here is a linuxjournal article on hardening ssh. They use port 13 as an alternate ssh port.

I started a thread recently on sshd_config. The response was that AllowUsers pretty much trumps all other entries, and can be thought of as "Deny ALL users and groups except for these users". By tightening access to a standard ssh port on FC5, and using it to access the appliance, only you will be able to attempt to log into the appliance."

I did a search on google with the following inputted on the search field:

ssh harden 13 site:linuxjournal.com

and found this article:

http://www.linuxjournal.com/article/8500

Is this the one you were referring to?

Also, I'm curious to know whether you have a sample you can provide from your ssh_config file so I can verify my syntax is accurate. Specifically, I just want to change the port to listen to 2262 so I can forward ssh connections from the outside to the Fedora box via this port, then use the 22 on the Serial over IP appliance still - all from the same public IP port-forwarded through NAT/router to hosts on LAN.

Would something like the following allow me to access my linux box from the outside via 2262?:

Port 2262
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::



Many thanks,
John aka LoadedMind
 
Old 05-20-2006, 02:55 AM   #4
jschiwal | LQ Guru | Registered: Aug 2001 | Location: Fargo, ND | Distribution: SuSE AMD64 | Posts: 15,733
Yes, that's the exact link I was referring to, and corrected my previous post.
I haven't changed my ssh port from the default. The port line you gave is correct, but this won't do the port forwarding you might want to do. It changes which port the FC5 host listens on.

I'm not certain if you can forward a non-privileged port on the FC5 host to a privileged port on the appliance. I'm not certain if you want to tunnel through the FC5 host for authenticated reasons, or if you simply want to be able to ssh to both hosts. If it is the latter, then simply changing the FC5 ssh listening port should be enough. If it is the former, you can configure a tunnel in the configuration so you don't need to do it manually after connecting to FC5. For this, you would log into one fc5 ssh port if you want to work on your FC5 port, and log into another if you want to connect to the appliance. The linux gazette article covers adding another port.

I would recommend picking up a book on using the secure shell. Also, print out the manpages for ssh, ssh_config and sshd_config.
man -t ssh | lpr
man -t ssh_config | lpr
man -t sshd_config | lpr

If you are the only person who will ssh into the machines, I would highly recommend that you use "AllowUsers loadedmind" ( I'm using your username on this site as an example.)
If you take a look at your logs, I bet you may find a lot of attempts to connect to ssh using system user names, and various others from a dictionary list. Using AllowUsers will only allow that one user to connect.

You can also start a second ssh daemon, which loads in its own sshd_config file. This would allow you, for example, to have a different user allowed for that port. I believe with PAM authentication ( /etc/security/(groups|time) ) that you could set it up so that the Allowed User could only get in on certain days of the week and times. A clever system admin might use a cron job to run the iptables command to shut down the port totally during a certain time period, so that any scan will be dropped. ( Gee, that's a neat idea! ).

However, port forwarding is usually used to protect other services over an ssh tunnel. You are talking about using the FC5 computer as a gateway to the appliance's ssh server. You don't need to change the FC5 port number to do that. Changing the FC5 port number would have the advantage however of avoiding some port scans made by hackers.
You could use agent forwarding, or you could execute (on the remote host) ssh FC5 "ssh appliance" where FC5 and appliance are hostnames in this example.

This can all get very complicated. Since the appliance uses ssh and not something stupid like telnet, you might consider changing the FC5 port; leaving the appliance port on 25 since that is your only choice; on the router, port forward port 25 to the appliance and 2262 to FC5. Otherwise you have to setup a forwarding agent, and a force script and an alias for the appliance in ~/.ssh/config, and hope that scp and sftp also work.

----

ps. Don't forget to open port 2262 in the FC5 firewall.

Last edited by jschiwal; 05-20-2006 at 07:02 AM.
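The reply above covers the three sshd_config settings that matter for the poster's goal: Port (several lines may be given and each applies), Protocol (an uncommented "2,1" still offers SSH-1, while the commented "#Protocol 2,1" is inert), and AllowUsers to restrict who may even attempt a login. The block below is an added example, not code from this thread: a small POSIX sh lint that reads those keywords the way sshd does (first occurrence wins for single-valued keywords, comments ignored) and reports the findings discussed above, followed by a wrapper around the authoritative check, `sshd -t -f FILE`. The "hardened" sample config is constructed to mirror the poster's intended settings and is not their actual file; the user name is the one jschiwal used as an example.

```shell
#!/bin/sh
# Added example (not from the LQ thread): lint the sshd_config settings the
# thread discusses (Port, Protocol, AllowUsers/AllowGroups), then defer to
# "sshd -t" for the real parse when sshd is installed.

# First effective value of KEY in FILE: commented and blank lines are skipped
# and, as in sshd, the first occurrence of a keyword wins. Prints nothing if
# the keyword is unset, i.e. the compiled-in default applies.
sshd_conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }
    ' "$2"
}

# All effective values of KEY, one per line (Port and ListenAddress may be
# repeated and every occurrence applies).
sshd_conf_get_all() {
    awk -v k="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print
        }
    ' "$2"
}

# Print one line per finding; exit 1 if any FAIL line was printed, else 0.
# INFO lines are advisory and do not change the exit status.
sshd_conf_lint() {
    file="$1"; rc=0
    # "#Protocol 2,1" is only a comment; an uncommented "2,1" (or "1,2")
    # would still offer the obsolete SSH-1 protocol.
    proto=$(sshd_conf_get Protocol "$file")
    case ",${proto:-2}," in
        *,1,*) echo "FAIL: Protocol '$proto' offers SSH-1"; rc=1 ;;
    esac
    ports=$(sshd_conf_get_all Port "$file")
    [ -z "$ports" ] && ports=22          # sshd default when Port stays commented out
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "FAIL: Port '$p' is not numeric"; rc=1; continue ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "FAIL: Port $p is outside 1-65535"; rc=1
        elif [ "$p" -eq 22 ]; then
            echo "INFO: still listening on the default port 22"
        fi
    done
    if [ -z "$(sshd_conf_get AllowUsers "$file")" ] \
       && [ -z "$(sshd_conf_get AllowGroups "$file")" ]; then
        echo "FAIL: no AllowUsers/AllowGroups, so every local account may be tried"; rc=1
    fi
    return "$rc"
}

# The authoritative check: let sshd parse the file itself. Returns 2 when
# sshd is not installed. Note that -t also validates the HostKey files the
# config (or the default) points at, so run it on the real host.
sshd_conf_syntax_check() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}

# Constructed "after" config for the FC5 box as discussed in the thread:
# alternate port, SSH-2 only, a single permitted user. Written to a temp
# file whose path is printed. Example content, not the poster's file.
sample_hardened_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Port 2262
Protocol 2
ListenAddress 0.0.0.0
AllowUsers loadedmind
EOF
    echo "$f"
}
```

Usage on the host: `sshd_conf_lint /etc/ssh/sshd_config && sshd_conf_syntax_check /etc/ssh/sshd_config` before restarting the daemon. The second-daemon idea from the reply uses the same file format: start it with `sshd -f /etc/ssh/sshd_config.appliance` after linting that file too, and remember the firewall rule the reply's postscript mentions (for example `iptables -I INPUT -p tcp --dport 2262 -j ACCEPT`) or the new port will be reachable from the LAN only. On OpenSSH 7.3 or later, the manual `ssh FC5 "ssh appliance"` hop can be replaced by a `ProxyJump` line in the appliance's `Host` entry in ~/.ssh/config, which also makes scp and sftp go through the gateway.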
 
Old 05-22-2006, 11:02 PM   #5
loadedmind | Member (Original Poster) | Registered: Sep 2003 | Location: Texas | Distribution: Red Hat/CentOS | Posts: 302 | Blog Entries: 4
Thanks! That's basically all I wanted to do: make sure the Fedora box only listens on a port other than 22. I uncommented the #Port Listen 22 line and changed it to another port.