wg141124
Posts: 21
Joined: Thu Jul 26, 2018 10:05 am

SSH different ports

Thu Jul 26, 2018 12:39 pm

Hey, I wanted to ask if it's possible to set different SSH ports on different interfaces.

klricks
Posts: 6793
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA

Re: SSH different ports

Thu Jul 26, 2018 12:54 pm

wg141124 wrote:
Thu Jul 26, 2018 12:39 pm
Hey, I wanted to ask if it's possible to set different SSH ports on different interfaces.
Explain why you think you need different ports?
I can connect ssh over WIFI and Ethernet at the same time without changing any ports.
Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.

wg141124
Posts: 21
Joined: Thu Jul 26, 2018 10:05 am

Re: SSH different ports

Thu Jul 26, 2018 1:49 pm

Safety reasons. I mean I can use the default port 22 while on the LAN but some other port while on the WAN.

droleary
Posts: 174
Joined: Fri Feb 09, 2018 3:45 am
Location: Minneapolis, MN USA

Re: SSH different ports

Thu Jul 26, 2018 2:02 pm

wg141124 wrote:
Thu Jul 26, 2018 1:49 pm
Safety reasons. I mean I can use the default port 22 while on the LAN but some other port while on the WAN.
There is negligible extra safety in running services on non-standard ports. On any insecure network, you will be port scanned. SSH is pretty secure itself. Simply drop hostile IP ranges into your firewall if you don't like being repeatedly attacked.

tpyo kingg
Posts: 748
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH different ports

Thu Jul 26, 2018 2:05 pm

The scans are mostly automatic and will find whatever odd port you have chosen. It's not much of an extra effort on their part to scan the whole machine and record any responses. Everything gets scanned all the time, at least in the IPv4 address space, so changing the port number won't affect either bots or manual attacks knocking on the door trying to get in:

https://bsdly.blogspot.com/2013/02/ther ... ports.html

If you still really want to change ports based on your network, look at the ListenAddress directive. You can set it multiple times with different ports on each. Once for the LAN, once for the WAN.

Either way, be sure to use SSH keys for authentication and turn off password authentication. That will do the most to turn away attacks. The attacks will taper off quickly once you make the change.

That said, what problem are you actually trying to solve?

B.Goode
Posts: 9337
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: SSH different ports

Thu Jul 26, 2018 2:08 pm

If it is possible at all, it will probably be documented here (or some similar reference material):
https://linux.die.net/man/5/sshd_config

You probably need to look at the Port and ListenAddress options.
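Putting tpyo kingg's ListenAddress suggestion and the Port/ListenAddress options B.Goode points at into one sshd_config, as an added example rather than anything from the thread or from the OpenSSH documentation. The addresses 192.168.1.10 (LAN) and 198.51.100.23 (WAN) and the port 48212 are constructed placeholders. It also assumes the Pi itself owns a WAN address, which a Pi behind a NAT router does not; there the router's forwarding rule chooses the public port, as mfa298 describes, and a single "Port 22" is enough.

```sshconfig
# Added example, not from the thread. Addresses and the WAN port are
# constructed placeholders; replace them with the Pi's real static
# addresses (assumption: the Pi has a directly attached WAN interface).

# Port must come before any ListenAddress that omits its own port,
# otherwise that ListenAddress falls back to the default of 22.
Port 22

# LAN: the standard port, bound to the private address only
ListenAddress 192.168.1.10:22

# WAN: a non-standard port, bound to the public address only
# (the port given inline overrides the Port directive for this socket)
ListenAddress 198.51.100.23:48212

# The settings that actually turn away automated login attempts,
# regardless of which port the scanner finds
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
```

Check the result before restarting sshd: `sudo sshd -t` reports syntax errors, and `sudo sshd -T | grep -i -e listenaddress -e passwordauthentication` prints the effective values, the same way the `sshd -T | grep permitrootlogin` check further down the thread does. Because ListenAddress pins sshd to exactly those two sockets, the LAN address should be static: if it changes, sshd still starts on whatever it can bind, but the LAN listener is silently missing. This single-config route is the alternative to n67's two-daemon setup; keep the second daemon only if the two listeners really need different settings beyond the port.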

wg141124
Posts: 21
Joined: Thu Jul 26, 2018 10:05 am

Re: SSH different ports

Thu Jul 26, 2018 2:08 pm

Thanks for explaining :)
Closed

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: SSH different ports

Thu Jul 26, 2018 2:57 pm

wg141124 wrote:
Thu Jul 26, 2018 1:49 pm
Safety reasons. I mean I can use the default port 22 while on the LAN but some other port while on the WAN.
If those WAN connections are being port forwarded on your home router, then it may be possible to just do that on the router itself: set the rule to listen on a random port and forward to pi:22 (some routers will allow that, some don't).
droleary wrote:
Thu Jul 26, 2018 2:02 pm
There is negligible extra safety in running services on non-standard ports. On any insecure network, you will be port scanned. SSH is pretty secure itself. Simply drop hostile IP ranges into your firewall if you don't like being repeatedly attacked.
Whilst it is security by obscurity, and so doesn't stop a determined attacker, it is a simple way to cut out 99.9% of the automated bots and associated log spam. In my experience ssh on port 22 results in attempted logins every few seconds. Changing to a non-standard port reduces that to them being lost in the noise of my normal logins.

n67
Posts: 938
Joined: Mon Oct 30, 2017 4:55 pm

Re: SSH different ports

Thu Jul 26, 2018 3:35 pm

A sensible poster wrote:
Changing to a non standard port reduces that to them being lost in the noise of my normal logins.
Thank you for posting this.

I suspect most of the people saying "alternate port accomplishes nothing" have no actual real world experience (of running a public-facing machine with an open SSH port). They are speaking from theory.

And, yes, in theory, you can scan, and you can find open ports and then you can try every known protocol on every open port that you find, but, the fact is, in the real world, (almost) nobody does this.

Now, mind you, you could argue that, as long as your password(s) is/are strong (i.e., unguessable), there's nothing wrong with getting 50 zillion failed ssh attempts per whatever-short-length-of-time-you-prefer. It just fills up your logfile with junk. But, then again, having your log files filled up with junk is a bad thing - for a variety of reasons...

So, there's really no reason not to change the port. Except of course that now you have to remember, and remember-to-use, the new port number all the time.
"L'enfer, c'est les autres"

G fytc hsqr rum umpbq rm qyw rm rfc kmbq md rfgq dmpsk:

Epmu Sn!

J lnacjrw njbruh-carppnanm vxm rb mnuncrwp vh yxbcb!

n67
Posts: 938
Joined: Mon Oct 30, 2017 4:55 pm

Re: SSH different ports

Thu Jul 26, 2018 3:38 pm

Oh, and to answer OP's question: I think it is.

I think you can run two separate sshd daemons - on different ports and using different config files.

You can specify the interface to listen on in the config file. As well as everything else you will need to specify non-defaults for, including the port (obviously) and the location(s) of the log file(s).

Implementation of all of this is left as an exercise for the OP.

rpdom
Posts: 16134
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: SSH different ports

Thu Jul 26, 2018 4:01 pm

n67 wrote:
I suspect most of the people saying "alternate port accomplishes nothing" have no actual real world experience (of running a public-facing machine with an open SSH port). They are speaking from theory.
Actually I have rather a lot of experience. Most people who use an alternate port use predictable port numbers 2222, 1022 etc. The scanners know that and routinely scan those common ports.

n67
Posts: 938
Joined: Mon Oct 30, 2017 4:55 pm

Re: SSH different ports

Thu Jul 26, 2018 4:20 pm

You're probably the exception covered by my use of the word "most".

jbudd
Posts: 1082
Joined: Mon Dec 16, 2013 10:23 am

Re: SSH different ports

Thu Jul 26, 2018 5:01 pm

Changing to a non standard port reduces that to them being lost in the noise of my normal logins.
Yes. If port 22 is open I very quickly see a lot of failed login attempts in the logs. Since changing to a different port number I have not seen any at all for months.
Most people who use an alternate port use predictable port numbers 2222, 1022 etc. The scanners know that and routinely scan those common ports.
Not sure how you can tell what most people do!
I think the highest possible port number is 65535. Probably it makes sense to use a port above 10000, in the hope that a hacker tests them in numerical order.

It should go without saying that "raspberry", "Passw0rd1" and "CorrectHorseBatteryStaple" are too well known to be good passwords.

tpyo kingg
Posts: 748
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH different ports

Thu Jul 26, 2018 5:15 pm

n67 wrote:
Thu Jul 26, 2018 3:35 pm
I suspect most of the people saying "alternate port accomplishes nothing" have no actual real world experience (of running a public-facing machine with an open SSH port). They are speaking from theory.
Re-read Peter Hansteen's blog post linked to above.

Here are some fresh logins from one home machine running OpenSSH on a non-standard port with password authentication turned off:

# awk '/Invalid user/{c[$8]++;} END {for (i in c) { print c[i],i;}}' /var/log/authlog | sort -k 1,1nr | head 
21 admin
8 oracle
4 ftp
4 pi
3 anonymous
3 ashish
3 auto
3 guest
3 test
3 tom
Note #4 there.

With password authentication on, it's about a hundred times worse, even on weird port numbers.

You can try it for yourself; password authentication on or off makes the larger difference.
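The awk one-liner above counts the "Invalid user" names from the auth log. As an added example (not code from the thread), here is the same report run over a few constructed auth.log lines, plus a second report that also covers "Failed password" lines and counts by source address, since a wrong password for a real account such as root never produces an "Invalid user" line and would otherwise be missed. The log lines, hostnames and addresses are made up (documentation ranges); the field walking replaces the fixed `$8` so the count survives a different timestamp layout.

```shell
#!/bin/sh
# Added example; not code from the thread. Constructed auth.log lines in
# the syslog layout Raspbian writes, using documentation IP ranges.
# "Invalid user" = the account does not exist; "Failed password" = an
# existing account was tried with a wrong password.
SAMPLE_LOG='Jul 26 17:01:02 pi sshd[1201]: Invalid user admin from 192.0.2.10 port 43210
Jul 26 17:01:05 pi sshd[1203]: Invalid user admin from 192.0.2.10 port 43211
Jul 26 17:01:09 pi sshd[1205]: Invalid user oracle from 198.51.100.7 port 51000
Jul 26 17:02:14 pi sshd[1210]: Invalid user pi from 203.0.113.5 port 60001
Jul 26 17:02:20 pi sshd[1212]: Failed password for root from 203.0.113.5 port 60002 ssh2
Jul 26 17:02:31 pi sshd[1214]: Invalid user admin from 203.0.113.5 port 60003
Jul 26 17:03:00 pi sshd[1220]: Accepted publickey for alice from 192.168.1.20 port 50022 ssh2'

LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
trap 'rm -f "$LOGFILE"' EXIT

# Usernames tried against non-existent accounts, most frequent first.
# The name is found by walking to the "Invalid user" token instead of
# trusting a fixed column ($8 in the thread's one-liner), so journalctl
# output or ISO timestamps do not silently shift the field.
invalid_users() {
    awk '
        /Invalid user/ {
            for (i = 1; i < NF; i++)
                if ($i == "Invalid" && $(i + 1) == "user") { c[$(i + 2)]++; break }
        }
        END { for (u in c) print c[u], u }
    ' "$1" | sort -k1,1nr -k2,2
}

# Source addresses behind both kinds of failed attempt. A bad password for
# a real account is the same source misbehaving and must not drop out of
# the report just because the account exists.
attack_sources() {
    awk '
        /Invalid user|Failed password/ {
            for (i = 1; i < NF; i++)
                if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (ip in c) print c[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

echo "== invalid usernames =="
invalid_users "$LOGFILE"
echo "== attacking sources =="
attack_sources "$LOGFILE"
```

On a real system pass `/var/log/auth.log` (or `/var/log/authlog`) instead of the temp file; the source report is the one to feed into fail2ban or a firewall rule, because it is the address, not the username, that you can act on.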

jbudd
Posts: 1082
Joined: Mon Dec 16, 2013 10:23 am

Re: SSH different ports

Thu Jul 26, 2018 5:19 pm

I guess your pi must have root login enabled, tpyo kingg, because in my experience it's by far the most popular "Invalid user".

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: SSH different ports

Thu Jul 26, 2018 5:34 pm

tpyo kingg wrote:
Thu Jul 26, 2018 5:15 pm
Re-read Peter Hansteen's blog post linked to above.

Here are some fresh logins from one home machine running OpenSSH on a non-standard port with password authentication turned off:

# awk '/Invalid user/{c[$8]++;} END {for (i in c) { print c[i],i;}}' /var/log/authlog | sort -k 1,1nr | head 
21 admin
8 oracle
4 ftp
4 pi
3 anonymous
3 ashish
3 auto
3 guest
3 test
3 tom
Note #4 there.

With password authentication on, it's about a hundred times worse, even on weird port numbers.

You can try it for yourself; password authentication on or off makes the larger difference.

[email protected]:/var/log # awk '/Invalid user/{c[$8]++;} END {for (i in c) { print c[i],i;}}' /var/log/auth.log | sort -k 1,1nr | head
37 admin
14 postgres
12 test
10 RPM
8 ubuntu
5 oracle
5 pi
3 sales1
2 braxton
2 ethos
[email protected]:/var/log #
Pi is #7 in my list.

The thing about moving to a non-standard port is that you stop the stupid/banal script kiddies, but you won't stop the more sophisticated port scanners.

The script kiddies aren't dangerous, they're just a PITA. The port scanners are much darker, if they're going to the effort of port scanning they're at a different level to the majority. They're spending more time scanning your machine so if they do get in they're going to do more damage. (That's true until the script kiddies learn port scanning and get faster machines to support running it.)

In all cases the bad actors have all the time in the world. The folks running that internet facing machine providing a service probably have something better to do with their time.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

jbudd
Posts: 1082
Joined: Mon Dec 16, 2013 10:23 am

Re: SSH different ports

Thu Jul 26, 2018 5:51 pm

No doubt there are still kids in their bedrooms hoping to find a login at the White House, but login attempts seem to come in co-ordinated waves from multiple IP addresses. Try just enough logins not to get banned (I use Fail2ban), go away for a while, come back from a different IP.

That seems like organisations hoping to build botnets for their own nefarious cyber war purposes.

Another blog post from Peter Hansteen https://bsdly.blogspot.com/2013/10/the- ... arned.html discusses this.

I guess I'm ok with GCHQ using my Pi, if they want, but I'm less happy to think it could be the NSA or FSB, Mob, etc!

tpyo kingg
Posts: 748
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: SSH different ports

Thu Jul 26, 2018 6:02 pm

jbudd wrote:
Thu Jul 26, 2018 5:19 pm
I guess your pi must have root login enabled, tpyo kingg, because in my experience it's by far the most popular "Invalid user".
At the moment I have just one RPi and the router itself on that publicly facing network. Raspbian seems to default to "without-password", which is the upstream default, too. However, I always have it set to just plain "no" when setting up any public-facing machines, and that seems to make a difference.

# /usr/sbin/sshd -T | grep permitrootlogin
permitrootlogin no
When I have set PermitRootLogin to something else in the past, then "root" gets hammered upon. It looks like in recent years that the skilled crackers and the script kiddies both run efficient scripts that do not waste time on machines that won't respond to particular attacks, such as password guessing. I suppose I could turn PermitRootLogin on for a day or two again, but I've done that before and seen what happens, albeit a year or two ago. Now that anyone can spin up a pool of machines and pay by the minute, it is possible to scan the whole IPv4 address space in a few hours if you are looking for something specific.

Ernst
Posts: 1272
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: SSH different ports

Thu Jul 26, 2018 6:04 pm

Just for information: I am running fail2ban and geoblocking (for accounting only) on a Pi0W, and only port 22 is forwarded to this system. These are the counters for a number of countries from which somebody has tried to access my system with ssh.

 pkts bytes
  402 48825    country VN
 1362  172K    country US
  225 28285    country UA
  159 21703    country TW
  120 16141    country TH
  313 41313    country SG
  356 45220    country RU
  119 12951    country PL
  902 64017    country NL
   33  4386    country MY
  110 14152    country MX
    5   200    country ME
  778  105K    country KR
   39  5801    country JP
   86 12322    country IR
  491 69366    country IN
   13   712    country IL
   17  2227    country IE
  295 41002    country ID
  100 10440    country HK
25064   37M    country GB
 1386  211K    country FR
  116 15839    country ES
   87 11251    country EG
  111 11368    country EC
   16  1976    country DK
  771 76616    country DE
  140 19136    country CO
 9127  764K    country CN
  241 27293    country CA
  578 76342    country BR
   41  5670    country BE
   13  2019    country AU
   58  8021    country AR
   13  2019    country AE
   
At this moment I have

~ $ sudo iptables -L -v -n | grep 'REJECT' | wc -l
417
IP addresses blocked.
The road to insanity is paved with static ip addresses

DougieLawson
Posts: 37128
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: SSH different ports

Thu Jul 26, 2018 6:15 pm

I've got fail2ban set up to never expire a block.

[email protected]:~ # iptables -L -v -n | grep 'REJECT' | wc -l
3434
[email protected]:~ #

How are you doing the geoblocking? I've got some IP address blocks hard-coded in a script as they are persistent offenders.

droleary
Posts: 174
Joined: Fri Feb 09, 2018 3:45 am
Location: Minneapolis, MN USA

Re: SSH different ports

Fri Jul 27, 2018 1:38 pm

n67 wrote:
Thu Jul 26, 2018 3:35 pm
I suspect most of the people saying "alternate port accomplishes nothing" have no actual real world experience (of running a public-facing machine with an open SSH port).
Funny, but I think the same thing when I hear people trying to roll their own security solutions, especially when it comes to standard/critical services like SSH. It's a rookie move to think that switching ports offers any true advantage in the real world.
Now, mind you , you could argue that, as long as your password(s) is/are strong (i.e., unguessable), there's nothing wrong with getting 50 zillion failed ssh attempts per whatever-short-length-of-time-you-prefer. It just fills up your logfile with junk. But, then again, having your log files filled up with junk is a bad thing - for a variety of reasons...
If you're just ignoring 50 zillion failed logins, you have terrible security practices. The reason I leave services running on their standard ports is because I want those attacks to be logged. I want to know which networks out there are insecure rather than burying my head in the sand. Then I can take real security measures (e.g., firewall entries) to stop not only their stupid attempts to compromise one service, but all future attacks on any other services as well.

jbudd
Posts: 1082
Joined: Mon Dec 16, 2013 10:23 am

Re: SSH different ports

Fri Jul 27, 2018 1:56 pm

The reason I leave services running on their standard ports is because I want those attacks to be logged
Then I can take real security measures (e.g., firewall entries)
How many IP addresses do you have banned? And does the number of attempts get less over time?

Ernst
Posts: 1272
Joined: Sat Feb 04, 2017 9:39 am
Location: Germany

Re: SSH different ports

Fri Jul 27, 2018 1:56 pm

DougieLawson wrote:
Thu Jul 26, 2018 6:15 pm
I've got fail2ban set up to never expire a block.

[email protected]:~ # iptables -L -v -n | grep 'REJECT' | wc -l
3434
[email protected]:~ #

How are you doing the geoblocking? I've got some IP address blocks hard-coded in a script as they are persistent offenders.
Sorry Doug, I missed this post.
This is an experimental setup using xtables-addons with xt_geoip for accounting on a dedicated Pi0W frozen at 4.9.80+ #1098; fail2ban is set to ban on the first failed attempt for 72 hours.

droleary
Posts: 174
Joined: Fri Feb 09, 2018 3:45 am
Location: Minneapolis, MN USA

Re: SSH different ports

Sat Jul 28, 2018 2:00 am

jbudd wrote:
Fri Jul 27, 2018 1:56 pm
How many IP addresses do you have banned? And does the number of attempts get less over time?
I don't ban individual IP addresses, but entire networks that host attackers. At this point I have 4271 entries that are at least /24 ranges (the min I'll do), and of that total 6 of them are /8 ranges (the max I'll do).

The number of attacks has greatly reduced over time, but I would say it mostly comes from slowly cutting off certain countries that appear to support state-sponsored hacking. If you don't do business with some of the obvious hostile countries, you could probably get an instant boost in security if you just dropped all their IPs into the firewall. Or, of course, do the opposite and whitelist the ranges you know you'll be connecting through.
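droleary bans whole networks (/24 at the smallest) rather than single addresses. As an added example, not code from the thread, the script below takes a list of attacking source addresses, such as the "from" column of the awk reports earlier in this thread, aggregates them into /24 networks, and prints a DROP rule only for networks where at least N distinct hosts were seen, the reasoning being that several different hosts in one /24 suggest a hostile network rather than one compromised box. The addresses are constructed documentation ranges, the threshold of 2 is an assumption, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Input: one IPv4 address per line.
# Constructed sample using documentation ranges, not real offenders:
SAMPLE_IPS='203.0.113.5
203.0.113.77
203.0.113.200
198.51.100.7
198.51.100.7
192.0.2.10'

# Count distinct hosts per /24. Output: "<distinct hosts> <network>/24",
# busiest network first. Repeated sightings of one host count once, so a
# single noisy box cannot by itself push its whole network over the bar.
hosts_per_24() {
    awk -F. 'NF == 4 && !($0 in seen) { seen[$0] = 1; n[$1 "." $2 "." $3 ".0"]++ }
             END { for (net in n) print n[net], net "/24" }' |
    sort -k1,1nr -k2,2
}

# Print (do not run) one iptables rule per network at or above the
# threshold; default threshold 2 is an assumption for this example.
block_rules() {
    threshold=${1:-2}
    hosts_per_24 | awk -v t="$threshold" '$1 >= t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

echo "== distinct hosts per /24 =="
printf '%s\n' "$SAMPLE_IPS" | hosts_per_24
echo "== proposed rules (threshold 2) =="
printf '%s\n' "$SAMPLE_IPS" | block_rules 2
```

Review the printed rules before running them, and keep the allow rule for your own ranges above any DROP rule: the whitelist approach droleary mentions is the safer default when you only ever connect from a handful of known networks.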
