LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Old 06-21-2016, 03:50 AM   #1
GarimaJain
LQ Newbie
 
Registered: Jun 2016
Posts: 1

Rep: Reputation: Disabled
Enable SSH on port x and only sftp on port 22.


Hi,

I have ssh and sftp requests coming to the server. SSH is running currently on port x, whereas sftp is receiving a request on port 22 and forwarding it to, say, port y.
While connecting SSH on 22, the connection is established but fails at the time of providing username and password. I want to block port 22 completely for SSH.

Is there a way that I can restrict the response of the port based on protocol, as in SSH or SFTP?
 
Old 06-21-2016, 05:28 AM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,432

Rep: Reputation: 1496
I have implemented something like this. I found no way to do it with a single listener. (Not to say it cannot be done, but I did not find the way.)
I created two sshd_config files, one for port 22 set to allow sftp only, and one for a higher port that allowed full sshd services. I then created two startup scripts (in /etc/init.d at that time), one the standard one that came with the package, and the other modified to start up using the alternate sshd_config file.

It worked.

OpenSSH has come a LONG way since, so there may be a way to do this with a single listener now. Research the settings (check the MAN page for the latest release) and consider running two listeners as a fallback if you do not find what you need to make it work in a single instance.
 
Old 06-21-2016, 05:38 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,071
Blog Entries: 3

Rep: Reputation: 2534
SFTP is over SSH, so you have SSH on any port offering SFTP. You could make it so that the SSH daemon listens on two ports but allows only SFTP on one of them.

Use Listen or Port to set the ports and Match + ForceCommand to block regular shell access on one of the ports. Here you could connect to port 8888 and get a regular login, but connecting to the normal port 22 you would get only an SFTP session:

Code:
Port 22
Port 8888

...

Subsystem sftp internal-sftp

Match LocalPort 22
        ForceCommand internal-sftp
 
2 members found this post helpful.
Old 06-21-2016, 01:56 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Seems to be from https://help.ubuntu.com/community/St...instead_of_FTP ?

Good stuff!
 
Old 06-21-2016, 02:12 PM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,071
Blog Entries: 3

Rep: Reputation: 2534
Quote:
Originally Posted by Habitual
Actually from sshd_config(5) directly. Using the internal-sftp option has been the more practical way to chroot SFTP and has been around for ages and ages. Though chroot is not used in this case, the option is open. Similar use-cases tend to converge on similar configurations.

Last edited by Turbocapitalist; 06-21-2016 at 03:31 PM. Reason: link to release notes on internal-sftp
 
Old 06-21-2016, 02:56 PM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
Actually from sshd_config(5) directly. Using the internal-sftp option has been the more practical way to chroot SFTP and has been around for ages and ages. Though chroot is not used in this case, the option is open. Similar use-cases tend to converge on similar configurations.
It's a Keeper.
 
Old 06-21-2016, 03:12 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,071
Blog Entries: 3

Rep: Reputation: 2534
It's best to try to stay upstream as far as possible in regards to the sources of information, so in this case it means the manual pages for the various OpenSSH utilities and configuration files. To get started for ideas of what to look for in the manual pages, there are a lot of SFTP recipes out there. However, one very large problem is the large body of legacy documents pointing people to nasty old FTP. FTP is very difficult to set up, so there is a lot of discussion and a very large number of guides for the search engines to find. So when people look for a way to upload files, they often get FTP recommended to them as if it is still the 1980s and end up burning a lot of resources setting it up and then more when the site gets compromised. It'd be nice to be able to find all those guides and discussions and prepend them with a big 'deprecated' warning and point to SFTP. But I digress. SFTP is what is used in this case, and that is good.

About this case, the two connection choices are SSH alone or SSH connecting to the SFTP subsystem. The recipe posted above is the latter plus a ForceCommand option to prevent using anything except the SFTP subsystem. That's about as close as one can get to answering the question in #1 above.
 
Old 06-22-2016, 06:07 AM   #8
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,432

Rep: Reputation: 1496
Quote:
Originally Posted by Turbocapitalist
Actually from sshd_config(5) directly. Using the internal-sftp option has been the more practical way to chroot SFTP and has been around for ages and ages. Though chroot is not used in this case, the option is open. Similar use-cases tend to converge on similar configurations.
Only if by "ages and ages" you mean since version 5.2 or so.

I do like that Match port setup; that is far more elegant than the way I had to do this in early version 4.
 
Old 06-22-2016, 06:27 AM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,071
Blog Entries: 3

Rep: Reputation: 2534
Thanks. Match is pretty useful, though there are still some configurations (ciphers, MACs, and key exchange algorithms, for example) that are only one per server, so an additional daemon and configuration file is needed for those cases. Of note, Match blocks are lately also allowed in the client configuration file. However, I still have mine set up per host or with a host pattern.

Digging, I see that it was only OpenSSH version 4.8 when "internal-sftp" was added. That would put it around OpenBSD 4.3 which was from May 2008. Time flies, but, ok, maybe just ages ago and not ages and ages ago.
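The two points made above, the Match LocalPort / ForceCommand recipe in #3 and the remark in #9 that some keywords (ciphers, MACs, key exchange) can only be set once per server and not inside a Match block, can both be checked mechanically. The following is an added example, not code from this thread or from OpenSSH: a small parser for the sshd_config Match structure that applies sshd's first-obtained-value rule for the criteria it understands (LocalPort, User, All) and reports keywords that sshd_config(5) does not permit inside Match. SAMPLE_CONFIG is a constructed config based on the recipe in #3, with a deliberate Ciphers line inside a Match block and a second, chrooted SFTP-only account added; GLOBAL_ONLY is a partial list of global-only keywords, not the full one from the manual page.

```python
"""Which sshd_config settings apply to a connection on a given local port?

Added illustration, not code from the thread or from OpenSSH. It parses the
Match-block structure used in the recipe above, applies sshd's
first-obtained-value rule for the criteria it understands (LocalPort, User,
All), and flags keywords that sshd_config(5) does not allow inside Match.
"""
import fnmatch
import shlex

# Constructed sample: the recipe from post #3 plus a Ciphers line inside Match
# (sshd refuses to start on this) and a chrooted SFTP-only account.
SAMPLE_CONFIG = """\
Port 22
Port 8888
PasswordAuthentication no
Subsystem sftp internal-sftp

Match LocalPort 22
        ForceCommand internal-sftp
        Ciphers aes256-gcm@openssh.com   # not permitted inside Match

Match User backup
        ForceCommand internal-sftp
        ChrootDirectory /srv/sftp/%u
"""

# Partial list of keywords that are global only (see the Match section of
# sshd_config(5) for the authoritative list of what IS allowed).
GLOBAL_ONLY = {"port", "listenaddress", "ciphers", "macs", "kexalgorithms", "hostkey"}
# Keywords whose repeated occurrences accumulate instead of first-value-wins.
REPEATABLE = {"port", "listenaddress", "hostkey", "subsystem", "acceptenv"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks, errors).

    Keywords are lower-cased. For each keyword the first value obtained wins,
    as in sshd; REPEATABLE keywords collect into a list. match_blocks is a
    list of (criteria, settings) pairs in file order, criteria being
    (criterion, pattern) tuples.
    """
    global_settings, blocks, errors = {}, [], []
    current = global_settings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (good enough here)
        if not line:
            continue
        raw_keyword, *args = shlex.split(line)
        keyword = raw_keyword.lower()
        if keyword == "match":
            if [a.lower() for a in args] == ["all"]:
                criteria = [("all", "")]
            elif args and len(args) % 2 == 0:
                criteria = [(args[i].lower(), args[i + 1]) for i in range(0, len(args), 2)]
            else:
                errors.append(f"line {lineno}: Match requires criterion/pattern pairs")
                current = {}  # swallow the block so its lines do not leak into global
                continue
            current = {}
            blocks.append((criteria, current))
            continue
        if current is not global_settings and keyword in GLOBAL_ONLY:
            errors.append(f"line {lineno}: {raw_keyword} is not permitted inside a Match block")
            continue
        value = " ".join(args)
        if keyword in REPEATABLE:
            current.setdefault(keyword, []).append(value)
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks, errors


def _matches(criterion, pattern, lport, user):
    """Evaluate one Match criterion. Unknown criteria raise rather than
    silently (mis)matching, so configs using Address/Group are not misjudged."""
    if criterion == "all":
        return True
    if criterion == "localport":
        return str(lport) in pattern.split(",")
    if criterion == "user":
        # sshd User patterns are comma-separated glob patterns; negation ("!")
        # is not handled in this subset.
        return user is not None and any(fnmatch.fnmatchcase(user, p) for p in pattern.split(","))
    raise NotImplementedError(f"Match criterion {criterion!r} not handled here")


def effective_settings(text, lport, user=None):
    """Settings sshd would apply to a session on local port `lport` for `user`
    (None before authentication): first matching Match block wins per keyword,
    and any Match value overrides the global one. Returns (settings, errors)."""
    global_settings, blocks, errors = parse_sshd_config(text)
    from_match = {}
    for criteria, settings in blocks:
        if all(_matches(c, p, lport, user) for c, p in criteria):
            for k, v in settings.items():
                from_match.setdefault(k, v)
    return {**global_settings, **from_match}, errors


def session_kind(text, lport, user=None):
    """'sftp-only' when ForceCommand pins the session to the in-process SFTP
    server, 'forced:<cmd>' for any other forced command, else 'shell'."""
    settings, _ = effective_settings(text, lport, user)
    forced = settings.get("forcecommand")
    if forced == "internal-sftp":
        return "sftp-only"
    return f"forced:{forced}" if forced else "shell"


if __name__ == "__main__":
    for port in (22, 8888):
        print(f"port {port}, user unknown: {session_kind(SAMPLE_CONFIG, port)}")
    print(f"port 8888, user backup: {session_kind(SAMPLE_CONFIG, 8888, 'backup')}")
    for err in parse_sshd_config(SAMPLE_CONFIG)[2]:
        print("config error:", err)
```

Running it reports port 22 as sftp-only, port 8888 as a normal shell unless the user is the chrooted backup account, and one error for the Ciphers line, which is exactly the global-only restriction #9 describes. On a real host the authoritative check is sshd's own extended test mode, `sshd -T` with `-C` connection parameters (user, host, addr and lport), which prints the configuration the daemon would apply to that connection; the parser here only mirrors the subset of its rules needed to read the recipe.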
 
Old 06-22-2016, 07:12 PM   #10
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,432

Rep: Reputation: 1496
Quote:
Originally Posted by Turbocapitalist
Digging, I see that it was only OpenSSH version 4.8 when "internal-sftp" was added. That would put it around OpenBSD 4.3 which was from May 2008. Time flies, but, ok, maybe just ages ago and not ages and ages ago.
DANG: You make an old guy that started *NIX on AT&T 3B2 running SYS-V version 3 feel REALLY old. (Ages and ages indeed! Let me load up my CP/M box with the 8" OS floppy and play some games to recover.)
 
Old 06-24-2016, 05:28 AM   #11
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,071
Blog Entries: 3

Rep: Reputation: 2534
Code:
10 Klingons
2 starbases at 7,7, 6,6
It takes 250 units to kill a Klingon

Short range sensor scan
  0 1 2 3 4 5 6 7 8 9 
0 . . . . . . . . . * 0   stardate      2500.00
1 . . . . . . . . . . 1   condition     GREEN
2 . . @ . . . . . . . 2   position      7,7/7,4
3 . . . . . . . . . . 3   warp factor   5.0
4 . . . . # . . . . . 4   total energy  5000
5   . . . . . . . . . 5   torpedoes     10
6 . . . . . . . . . . 6   shields       up, 100%
7 . . . . E . . . . . 7   Klingons left 10
8 . . . . . . . . . . 8   time left     14.00
9 . . . . . . * . * . 9   life support  active
  0 1 2 3 4 5 6 7 8 9 
Starsystem Canopus V

Command: _
 
Old 06-24-2016, 06:26 AM   #12
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,743

Rep: Reputation: 560

I learned to hack out Basic scripts really fast so I could spend the rest of my timeslot on the school's only Apple II killing Klingons!
 
Old 07-03-2016, 06:39 AM   #13
gexacor
LQ Newbie
 
Registered: Jul 2016
Posts: 6

Rep: Reputation: Disabled
Quote:
Originally Posted by GarimaJain
Hi,
I have ssh and sftp requests coming to the server. SSH is running currently on port x whereas sftp is receiving a request on port 22 and forwarding it to say port y.
While connecting SSH on 22, the connection is establishing but failing at the time of providing username and password. I want to block port 22 completely for SSH.
Didn't know if that was possible, but can you please explain why you need it?
If it's about handling brute-force attacks, you can use fail2ban.

SSH at port 22 without any possibility to log in shouldn't give you any problems except the auth logs growing (where fail2ban can help again).
 