LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

#1  05-29-2019, 01:06 AM  LT72884 (Member)
how it gets back to me


OK, I come here because I like it here and I trust y'all. Please forgive this question. Believe it or not, I was a CCNA and took the first CCNP test... 12 years ago, haha, so it's been a while.

Here is my question, which I used to know the answer to:

Let's say one of my friends has an SSH server set up and they make me a username and password.

Now, I use WinSCP, input his public IP or domain, enter my credentials, and hit connect. The request is sent OUT my router, travels the core, hits HIS router, where the ACL checks to see if port 22 is accepting calls. It is, it sends back an auth, and then I am able to connect. A three-way handshake has been done.

Where my question is: by default, I KNOW my router is not accepting calls on port 22, so how can I connect when HIS server sends back the auth? Wouldn't my router block that?

I have not port forwarded anything in my router. I purposefully set it to default so I can figure this out. I know it works but I forget how.

thanks
 
#2  05-29-2019, 01:23 AM  pan64 (LQ Addict)
Your router opened a connection to the other router. The answer will be sent back on the same line; the other router will just use the existing connection. Your router will recognize that the packet that arrived is an answer and is therefore allowed, and will accept it and forward it "on the line" back to the initiator, which is your host.
The connection is bidirectional.
 
#3  05-29-2019, 10:03 AM  scasey (LQ Veteran)
What pan64 said is correct, but to clarify:
Connecting to a remote server on his port 22 does not mean that you are using port 22 on your 'puter.

I'm currently ssh'd into my server and netstat there says the foreign address (my local public IP address) is using port 59364 to connect to the remote port 22

#4  05-29-2019, 11:16 AM  sevendogsbsd (Senior Member)
What pan64 and scasey said: all outbound connections are tracked by your router/firewall so when the traffic comes back, it knows where to come back to.
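The mechanism the three replies above describe, as an added example that is not code from the thread or from any poster: a toy connection-tracking firewall. The LAN address, the friend's address, the scanner address and the packets are constructed for the illustration, and NAT address rewriting is left out so the state table stays readable. The outbound SYN creates a state entry; the friend's SYN/ACK matches that entry with source and destination swapped and is forwarded back to the ephemeral port, while an unsolicited SYN to port 22 matches nothing and is dropped unless an explicit port-forward exists.

```python
"""Toy stateful (connection-tracking) firewall, as found in a home router.

Added example for this thread; not code from LinuxQuestions or any poster.
Addresses, ports and packets are constructed for illustration, and NAT
address rewriting is omitted so the state table stays readable.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Default-deny inbound; allow replies to connections the LAN opened."""

    def __init__(self, lan_ips, port_forwards=()):
        self.lan_ips = set(lan_ips)
        # Explicit inbound holes (port-forward rules), e.g. {5022}.
        # Empty by default, like the OP's untouched router.
        self.port_forwards = set(port_forwards)
        # State table keyed by (lan_ip, lan_port, remote_ip, remote_port).
        self.state = set()

    def outbound(self, pkt):
        """A LAN host sends a packet out: remember the flow, then forward it."""
        if pkt.src_ip not in self.lan_ips:
            return "DROP"
        self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "FORWARD"

    def inbound(self, pkt):
        """A packet arrives on the WAN side."""
        # A reply carries our tuple with source and destination swapped.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state:
            return "FORWARD"          # ESTABLISHED: answer to a flow we opened
        if pkt.syn and not pkt.ack and pkt.dst_port in self.port_forwards:
            return "FORWARD"          # NEW, but an explicit forward exists
        return "DROP"                 # NEW and unsolicited


def ssh_out_scenario():
    """The OP's case: WinSCP -> friend's sshd:22, no port-forward at home."""
    me, friend, scanner = "192.168.1.10", "203.0.113.5", "198.51.100.77"
    fw = StatefulFirewall(lan_ips={me})

    # 1. Client picks an ephemeral source port (59364, as in scasey's
    #    netstat) and sends SYN to the friend's port 22.
    r_syn = fw.outbound(Packet(me, 59364, friend, 22, syn=True))
    # 2. Friend's sshd answers SYN/ACK from port 22 back to 59364: matches
    #    the state entry, so it is forwarded although "port 22 is closed".
    r_synack = fw.inbound(Packet(friend, 22, me, 59364, syn=True, ack=True))
    # 3. A scanner sends an unsolicited SYN to our port 22: no state, dropped.
    r_scan = fw.inbound(Packet(scanner, 40000, me, 22, syn=True))
    return r_syn, r_synack, r_scan


def ssh_in_scenario(port=5022):
    """Hosting sshd at home on a non-standard port: only a forward lets NEW in."""
    me, remote = "192.168.1.10", "203.0.113.5"
    closed = StatefulFirewall(lan_ips={me})
    opened = StatefulFirewall(lan_ips={me}, port_forwards={port})
    syn = Packet(remote, 51000, me, port, syn=True)
    return closed.inbound(syn), opened.inbound(syn)


if __name__ == "__main__":
    print(ssh_out_scenario())   # ('FORWARD', 'FORWARD', 'DROP')
    print(ssh_in_scenario())    # ('DROP', 'FORWARD')
```

ssh_in_scenario() is the later half of the thread in miniature: with no forward rule, a SYN to 5022 (or 8022, or 80) from outside is NEW and unsolicited, so it is dropped regardless of which port you picked; only an explicit forward changes that, which is why the source port of a browser session being allowed back says nothing about inbound port 80.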
 
#5  05-29-2019, 11:19 AM  LT72884 (original poster)
Quote (originally posted by scasey):
What pan64 said is correct, but to clarify:
Connecting to a remote server on his port 22 does not mean that you are using port 22 on your 'puter.

I'm currently ssh'd into my server and netstat there says the foreign address (my local public IP address) is using port 59364 to connect to the remote port 22
WORD! That's right, my PC won't be using port 22; it will be a port between 1-64000 but not 22. OK, that makes way more sense now.

Also, when pan64 said the line is bi-directional, that clicked as well. Been a fat minute, guys! haha.

Speaking of SSH, can you piggyback SSH on another port such as 80? Let's say I had a server at my student apartment; campus does not allow access to the router or port 22. Could I somehow have SSH piggyback on port 80 since that one is allowed IN?

thanks
 
#6  05-29-2019, 11:33 AM  scasey (LQ Veteran)
You can configure sshd to run on any port. I don’t run it on port 22. You can’t run two daemons on the same port, however, so if you’re running a web server on port 80, you couldn’t also run sshd there.
 
#7  05-29-2019, 11:38 AM  273 (LQ Addict)
Personally I avoid running SSH on port 22 as I don't like my log files growing exponentially by the second. Of course, to an experienced attacker changing the port means nothing but it really keeps the script kiddies from "trying the handles" every two minutes -- I know because I once ran a sacrificial VM with SSH on port 22 and the logs were huge.
 
1 members found this post helpful.
#8  05-30-2019, 01:15 PM  LT72884 (original poster)
OK, let me reword what I'm trying to say, haha. I never run SSH on port 22, usually port 5022, BUT since I do not have access to the router, and they do allow port 80 in, could I just run SSH on port 80 so that way at least it's not blocked by the Xfinity router? It's a basic Xfinity router that the landlord owns and will not give me access to it or do any kind of configs to it. I do know that default ports are not being blocked.

Just trying to get SSH up and running (again) without having to punch a hole in the FW. I want to use an already-allowed port.

Thanks for the ideas and help.

#9  05-30-2019, 03:59 PM  scasey (LQ Veteran)
Quote (originally posted by LT72884):
OK, let me reword what I'm trying to say, haha. I never run SSH on port 22, usually port 5022, BUT since I do not have access to the router, and they do allow port 80 in, could I just run SSH on port 80 so that way at least it's not blocked by the Xfinity router? It's a basic Xfinity router that the landlord owns and will not give me access to it or do any kind of configs to it. I do know that default ports are not being blocked.

Just trying to get SSH up and running (again) without having to punch a hole in the FW. I want to use an already-allowed port.

Thanks for the ideas and help.
Residential (making presumption here) ISPs don't typically open port 80 (or port 25), to prevent residential customers from using their services to host public servers. I don't know about other ports, but I'd think many would have to be open for outbound things to work.

Do you think port 80 is open because you're hosting a website and it's publicly accessible?
Or because you can access the internet with a browser? Just as with ssh and 22, you're not using port 80 to browse the web. My current connection from this PC to my web server is on my local port 45992, connected to port 443 on the server (the website is secure)

Have you tried to use 5022, or an even higher port, say above 20000, for ssh?
 
#10  05-30-2019, 04:29 PM  sevendogsbsd (Senior Member)
Port 80 is allowed in on your ISP's router they rent to you? That's horrible. You can't just SSH into an arbitrary port. A port and the service using that port are tied together when the service is set up. Port 80 is for HTTP. Just because a port is open, you cannot use any service you would like with that port. Make sense? If you control the device or OS that hosts the service, then you can assign any service to any port, but that's silly and confusing: certain services use certain ports for standardization. There is zero security reason to switch a service to another port to "hide" it.
 
#11  05-30-2019, 04:40 PM  LT72884 (original poster)
Quote (originally posted by sevendogsbsd):
Port 80 is allowed in on your ISP's router they rent to you? That's horrible. You can't just SSH into an arbitrary port. A port and the service using that port are tied together when the service is set up. Port 80 is for HTTP. Just because a port is open, you cannot use any service you would like with that port. Make sense? If you control the device or OS that hosts the service, then you can assign any service to any port, but that's silly and confusing: certain services use certain ports for standardization. There is zero security reason to switch a service to another port to "hide" it.
Port 80 is HTTP, right? So if I access someone's web server, such as yours, it's going to leave my PC on port <RANDOM> destined for 80, and return on <RANDOM>, and now I see your point... damn.. LOL

So if it can return on <RANDOM>, why can't I assign a service to a port that is not being blocked? Is it because MY PC did not make the initial request on <RANDOM> that the FW is blocking that inbound, because MY PC never made that request in the first place?

Hmm, I'm beginning to remember my CCNP classes from 10 years ago... You don't use it, you lose it, haha.
 
#12  05-30-2019, 04:42 PM  LT72884 (original poster)
Quote (originally posted by scasey):
Residential (making presumption here) ISPs don't typically open port 80 (or port 25), to prevent residential customers from using their services to host public servers. I don't know about other ports, but I'd think many would have to be open for outbound things to work.

Do you think port 80 is open because you're hosting a website and it's publicly accessible?
Or because you can access the internet with a browser? Just as with ssh and 22, you're not using port 80 to browse the web. My current connection from this PC to my web server is on my local port 45992, connected to port 443 on the server (the website is secure)

Have you tried to use 5022, or an even higher port, say above 20000, for ssh?
Port 80 is HTTP, right? So if I access someone's web server, such as yours, it's going to leave my PC on port <RANDOM> destined for 80, and return on <RANDOM>, and now I see your point... damn.. LOL

So if it can return on <RANDOM>, why can't I assign a service to a port that is not being blocked? Is it because MY PC did not make the initial request on <RANDOM> that the FW is blocking that inbound, because MY PC never made that request in the first place?

Hmm, I'm beginning to remember my CCNP classes from 10 years ago... You don't use it, you lose it, haha.


Yes, I used 8022 as my go-to, but the router, even with the FW set to low security, blocks it. I mean, I can go to the router's GUI and see SOME things, like its low security, but that's it.
 
#13  05-30-2019, 05:13 PM  scasey (LQ Veteran)
Quote (originally posted by LT72884):
Yes, I used 8022 as my go-to, but the router, even with the FW set to low security, blocks it. I mean, I can go to the router's GUI and see SOME things, like its low security, but that's it.
I thought you didn't have access to the router?
Are you sure it's not the firewall on your server that's blocking rather than the router? 5022 or 8022 wouldn't typically be open on the server's firewall. Do you run SELinux? That's another place it could be blocked. How are you sure it's the router?

+1 to 273's post and I respectfully disagree with sevendogsbsd -- security by obfuscation is a good additional step to firewalls and anti-cracking tools like fail2ban. I run sshd on a non-standard port and have never even had an attempt at cracking...so no logs full of Chinese IP addresses

I do agree with sevendogsbsd that trying to use non-standard ports for things like email or web services would be very limiting, although it is often done: Webmin's server uses non-standard ports (and I don't use its default port there, either), and putting things like phpMyAdmin on a non-standard port is also good additional security.
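A check for the question scasey raises above (is it the router, or the server's own firewall or sshd?), as an added example that is not code from the thread or from any poster. A TCP connect attempt ends one of three ways, and each way points at a different suspect: "open" means the handshake completed; "closed" means a RST came back, so the address is reachable and something on it actively refused (no daemon on that port, or a REJECT rule), which a DROP rule never produces; "filtered" means nothing answered before the timeout, which is what a DROP on the router, at the ISP, or in a DROP-policy host firewall looks like. The demo stands up its own throwaway listener on loopback so it runs offline; the public address and port you would probe from outside your LAN are yours to supply.

```python
"""Classify a TCP connect the way a "who is blocking it?" check reads it.

Added example for this thread, not code from any poster.  Runs offline by
standing up its own listener on loopback; hosts/ports for a real test from
outside the LAN are placeholders the reader supplies.

  open         handshake completed: something listens, nothing dropped it
  closed       RST came back: reachable, but no daemon there or a REJECT rule
  filtered     no answer before the timeout: a DROP somewhere on the path
  unreachable  the OS would not even route it (no route, network down)
"""
import socket


def probe(host, port, timeout=2.0):
    """Attempt a TCP handshake; return open/closed/filtered/unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST: host answered, port not served
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"               # silently dropped somewhere
    except OSError:
        return "unreachable"            # e.g. no route to host
    finally:
        s.close()


def loopback_demo():
    """Show 'open' against a live listener and 'closed' once it goes away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: let the kernel pick a free one
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        # The handshake completes from the listen backlog; no accept() needed.
        while_listening = probe("127.0.0.1", port)
    finally:
        srv.close()
    # Same port, nothing listening any more: the kernel answers with a RST.
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())   # ('open', 'closed')
```

To use it for the thread's actual problem: put sshd on the chosen port (the Port directive in sshd_config, then restart sshd), confirm on the server itself that it listens (probe("127.0.0.1", 5022) should be "open"), and then run probe("<your public IP>", 5022) from a machine outside the LAN. "filtered" from outside, with "open" locally, means the packets never reach sshd, and the router or ISP is the place to look; "closed" from outside means something at that address sent a RST, so check for a REJECT rule or a sshd bound to the wrong address before blaming the router.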
 
#14  05-30-2019, 05:39 PM  rknichols (Senior Member)
Quote (originally posted by sevendogsbsd):
You can't just SSH into an arbitrary port. A port and the service using that port are tied together when the service is set up. Port 80 is for HTTP. Just because a port is open, you cannot use any service you would like with that port.
Of course you can. An HTTP server will, by convention, listen on port 80, and an HTTP client will, by default, try to connect to port 80. You can tell the HTTP server to listen on any idle port (port where you don't have any other server currently listening), and you can tell an HTTP client to attempt a connection to any port (port 8080 is a common alternate). The same is true for SSH. It's just that if you are using a nonstandard port, anyone trying to connect will have to specify the port explicitly.
Quote:
There is zero security reason to switch a service to another port to "hide" it.
True enough, but it does greatly cut down on the log noise from script kiddies that try SSH connections to port 22 on every IPv4 address on the internet.
 
2 members found this post helpful.
#15  05-30-2019, 09:42 PM  sevendogsbsd (Senior Member)
I may not have made myself clear. Yes, changing a service to a non-standard port will keep the script kiddies away, but a professional will scan all ports, finding the service that is "hidden". I find things web masters attempt to hide every day at work because that's what I am paid to do. I do get that the majority of bad traffic out there is script kiddies and cutting down on the traffic "noise" is a good thing. I am used to security being all out, so anything less I tend to question.

rknichols - you cannot SSH to an arbitrary port where SSH is not running - that's what I should have said and what I meant. I was trying to correct the OP's statement "and they do allow port 80 in, could i just run ssh on port 80" because the implication there was because the port is open, you can use any service on that port, which is of course, not true: you can only access that port using the service running on that port.

Sorry if I wasn't clear.
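The "log noise" that 273, rknichols and scasey describe, and the fail2ban-style response to it, as an added example that is not code from the thread, from any poster, or from fail2ban itself. The sshd log lines are constructed in OpenSSH's syslog format (TEST-NET addresses, a made-up hostname and user); maxretry and findtime borrow fail2ban's names for the idea, but the matching and windowing below are this example's own. It counts failed password attempts per source and reports the sources that would be banned for reaching maxretry failures inside a findtime window.

```python
"""Fail2ban-style triage of sshd log lines: who is knocking and how often.

Added example for this thread, not from any poster or from fail2ban.
The log lines are constructed in OpenSSH's syslog format.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample: one scanner hammering root/admin/oracle, one legitimate
# key login, and a second source that stops short of the threshold.
SAMPLE_LOG = """\
May 29 01:06:01 vps sshd[2101]: Failed password for root from 198.51.100.77 port 40412 ssh2
May 29 01:06:03 vps sshd[2104]: Failed password for invalid user admin from 198.51.100.77 port 40418 ssh2
May 29 01:06:04 vps sshd[2107]: Invalid user oracle from 198.51.100.77 port 40420
May 29 01:06:05 vps sshd[2109]: Failed password for invalid user oracle from 198.51.100.77 port 40420 ssh2
May 29 01:06:09 vps sshd[2113]: Accepted publickey for alice from 203.0.113.5 port 59364 ssh2
May 29 01:20:30 vps sshd[2200]: Failed password for root from 198.51.100.23 port 51000 ssh2
May 29 01:20:31 vps sshd[2201]: Failed password for root from 198.51.100.23 port 51002 ssh2
"""

# Only "Failed password" lines are counted here; fail2ban's own sshd filter
# matches more patterns (e.g. the bare "Invalid user" line).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; that is fine for a sliding window
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def failures_by_source(log_text):
    """Failed logins per source IP: the noise a port-22 sshd collects."""
    return Counter(ip for _, ip, _ in parse_failures(log_text))


def find_bans(log_text, maxretry=3, findtime=600):
    """Return {ip: time_of_ban} for sources with >= maxretry failures
    within any findtime-second window, in log order."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue                      # already banned, ignore the rest
        window = recent[ip]
        window.append(ts)
        # Slide the window: drop attempts older than findtime seconds.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOG))
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

On the sample, 198.51.100.77 trips the default threshold on its third failure at 01:06:05 while 198.51.100.23, with two failures, does not. The same functions run unchanged over a real /var/log/auth.log or journalctl -u ssh output, and moving sshd off port 22 is what makes failures_by_source() come back nearly empty.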
 
  

