Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
ssh on two ports
Due to the increase in ssh probes etc., I want to fully stealth my server on the first 1056 ports, which will give me a GRC thumbs-up.
My idea is to stealth port 22 to traffic outside but leave it open to the internal network. Then I want to add another port and open it up in the firewall.
My questions are:
Is this a workable or even worthwhile / good idea ?
If I use a port >2000 that is often assigned to other services (not that I use them), what happens if that service on another PC tickles the port? Does ssh reply?
Is this likely to evade the ssh scanners or do they look for other open ports?
Current nmap versions (since ~3.49) do application detection, not simply "port x = service y". So configuring sshd to listen on an alternative port will only fool older versions.
Also, you'd have to modify the remote ssh clients to connect to whatever port you decide to use rather than port 22.
Just keep your ssh server version up to date, keep your passwords secure and, if possible, restrict access to ssh by firewall (make it only accessible from certain hosts/networks).
Moving the ssh service to a port other than the usual one is not a security precaution.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Actually, intuitively this idea is not very good, since it's quite easy to identify SSH on different ports by using automated tools, or even telnet. In practice it works fantastically well. I run port forwarding on several ports and IPs to several different internal machines running SSH, and I haven't had ONE automated login attempt yet! This despite the fact that I have 3 static IPs and several published domain names pointing to them, as well as public HTTP and SMTP access.
Security through obscurity is a bad idea, but sometimes it's quite effective. Just remember not to rely on it as your only defense. Keep up to date with security patches, maintain strong passwords (or disable password auth entirely for SSH), etc.
As for how to do it, the easiest way is to have your machine listen on the internal network on the default port 22, but have your firewall redirect some high-order port to it. You can also play around with /etc/ssh/sshd_config to change the port numbers if that box is directly connected to the Internet (not behind a firewall).
Distribution: RedHat from 4 -9, Fedora, Ubuntu, Centos 3 - 7, Puppy Linux, and lots of raspberry pi
Original Poster
Thanks for the advice.
Chort - I like the fact that you haven't had one automated attempt.
I have been reasonably careful. I have disabled root login and only assigned one user ssh access.
Principally my idea was to avoid the automated scan which then leads to the various attempts. I had someone trying solidly for 20 mins the other day, which provided a nice list of names that were considered possible users (john, david, stephen ........etc)
Will try it. Most likely I'll use the sshd_config Port option. Tried it briefly, so I know it works (i.e. internal net on 22 and outside not).
I have wondered (and it probably exists but I'm not experienced enough to have tried it/heard of it) if it is possible to have a service like ssh listening but only replying when it gets a specific packet of data. Then it would reply and go through the whole logging in process. It would mean that the port was effectively stealthed until you opened it with a pre-defined key. Make scanning difficult.
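What the post above describes (a service that stays silent until a pre-arranged packet arrives) is port knocking. As an added example that is not part of the original thread, here is a two-port knock sequence done entirely in iptables with its recent match: 22/tcp is dropped for everyone until the same source has sent packets to the knock ports in the right order within a short window. The interface name eth0, the knock ports 7000 then 8000, and the 10-second window are assumptions; substitute your own.

```bash
#!/bin/sh
# Added example, not from the thread: two-port knock sequence protecting sshd,
# built from the iptables "recent" match. Assumed values (change them):
# EXT_IF, the knock ports KNOCK1 then KNOCK2, and WINDOW.
EXT_IF=eth0
KNOCK1=7000
KNOCK2=8000
WINDOW=10   # seconds: max gap between knocks, and from the last knock to the ssh SYN

# Print the rules so they can be reviewed; "$0 --apply" installs them as root.
# Flow: every packet arriving on EXT_IF (after established traffic) enters KNOCKING.
#   AUTH2 set within WINDOW -> GATE3: accept a SYN to 22, anything else starts over
#   AUTH1 set within WINDOW -> GATE2: knock 2 promotes to AUTH2, anything else starts over
#   otherwise               -> GATE1: knock 1 sets AUTH1; the packet is dropped either way
# A "-m recent --remove" rule with no -j only clears the entry; the packet continues.
knock_rules() {
    cat <<EOF
iptables -N KNOCKING
iptables -N GATE1
iptables -N GATE2
iptables -N GATE3
iptables -A INPUT -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -j KNOCKING
iptables -A KNOCKING -m recent --rcheck --seconds $WINDOW --name AUTH2 -j GATE3
iptables -A KNOCKING -m recent --rcheck --seconds $WINDOW --name AUTH1 -j GATE2
iptables -A KNOCKING -j GATE1
iptables -A GATE1 -p tcp --dport $KNOCK1 -m recent --name AUTH1 --set -j DROP
iptables -A GATE1 -j DROP
iptables -A GATE2 -m recent --name AUTH1 --remove
iptables -A GATE2 -p tcp --dport $KNOCK2 -m recent --name AUTH2 --set -j DROP
iptables -A GATE2 -j GATE1
iptables -A GATE3 -m recent --name AUTH2 --remove
iptables -A GATE3 -p tcp --dport 22 -j ACCEPT
iptables -A GATE3 -j GATE1
EOF
}

# Print the client side: one SYN to each knock port in order, then connect.
# The server drops the knocks, so -w1 only bounds how long nc waits for each.
knock_client() {
    host=$1
    printf 'nc -z -w1 %s %s; nc -z -w1 %s %s; ssh -p 22 %s\n' \
        "$host" "$KNOCK1" "$host" "$KNOCK2" "$host"
}

if [ "${1:-}" = "--apply" ]; then
    knock_rules | sh -e
else
    knock_rules
fi
```

Two caveats a practitioner should keep in mind: the order of the two rcheck rules in KNOCKING matters (AUTH2 must be tested first, otherwise a source that has completed both knocks is sent back to GATE2 and never reaches GATE3), and the knocks travel in the clear, so anyone sniffing the path can replay them. Treat this as a way to hide the port from scanners, not as authentication; key-based login on sshd is still what keeps people out.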
There is one more possibility. We can configure port forwarding; we can write the rule in ipchains/iptables. Whatever requests come in for port 22 will be redirected to some other port, like 1030.
Note:
1. We have to modify the port number in the /etc/ports file.
2. Write the rule in ipchains/iptables to forward requests for port 22 to port 1030. So we can avoid the hacking.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
yuva_mca, unless I'm seriously misunderstanding what you wrote, your solution does not protect anything at all. The port scans are for port 22/tcp. If you simply take that port on your firewall and forward it to some other port internally, the port scans will be forwarded as well. Changing the port number in /etc/services will have absolutely no effect at all in this case.
Am I missing something?
Edit: I just realized you might have interpreted when I said "port forwarding" as "SSH port forwarding", i.e. You thought I was talking about using SSH to forward ports rather than using the firewall. When I said "port forwarding" I meant "the firewall packet filter forwards external port 29384 to an internal host on port 22".
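The firewall approach Chort describes twice in this thread (listen on 22 on the internal network, have the packet filter forward a high external port to it) as a concrete ruleset. This is an added example, not code from the thread or from any poster; the interface names eth0 (outside) and eth1 (LAN), the internal host 192.168.1.10 and the external port 29384 are assumptions. It also shows the single-host variant from the earlier reply, done with sshd_config rather than a gateway.

```bash
#!/bin/sh
# Added example, not from the thread: a gateway exposes an internal host's sshd
# on a high external port. 22/tcp arriving from outside is dropped, so a scan of
# the low ports shows nothing, while machines on the LAN still use port 22.
# Assumed values (change them): the interfaces, internal host and external port.
EXT_IF=eth0
INT_IF=eth1
INT_HOST=192.168.1.10
EXT_PORT=29384

# Print the rules; "$0 --apply" installs them as root. Note the order of
# processing: DNAT runs in nat/PREROUTING before the FORWARD chain sees the
# packet, so FORWARD has to accept $INT_HOST:22, not port $EXT_PORT.
# Assumes the FORWARD policy is DROP, so nothing else is forwarded.
redirect_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:22
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_HOST --dport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j DROP
EOF
}

# Single-host variant (box directly on the Internet, no gateway): sshd_config
# lines that bind 22 only to the LAN address and the high port to every address.
# Port-qualified ListenAddress entries do not need separate Port lines.
# The public address then answers "closed" (RST) on 22 rather than being silent,
# so keep an INPUT DROP for 22 on the outside interface as well.
sshd_listen_config() {
    cat <<EOF
ListenAddress $INT_HOST:22
ListenAddress 0.0.0.0:$EXT_PORT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    redirect_rules | sh -e
else
    redirect_rules
fi
```

To confirm the result from outside, run nmap's version detection against the public address, e.g. `nmap -sV -p 22,29384 <public-ip>`: 22 should show as filtered and 29384 as ssh with the server banner. That second line is the point made earlier in the thread: the high port hides sshd from scanners that only walk low ports, not from one that probes what answers.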