How to change SSH port?


mweier
03-07-2005, 12:13 PM
I've read about the security benefits of not using port 22 for SSH and tried to change mine. Sadly, my cheap Netgear router doesn't allow the external port to differ from the internal forwarded port. So I can't just say some non-standard port (e.g. port 31337) should go to my OSX box as port 22.

So, what do I do to change this from the OSX side?
Using sudo pico,
I've edited the port in /etc/sshd_config (removed the #)
Port 31337

I also changed the 22's to 31337 in my /etc/services
ssh 31337/udp # SSH Remote Login Protocol
ssh 31337/tcp # SSH Remote Login Protocol

And, of course, I used my router's config panel to direct port 31337 to the OSX box.

Finally, I clicked "Stop Sharing" and "Start Sharing" to restart SSH.

What am I doing wrong? Everything was working fine back when I was still at port 22; Also, I'm sure that I have the right IP for my home box (since I can use Remote Desktop but not SSH)

Thanks!

yellow
03-07-2005, 12:26 PM
Make sure it's listening on the new port now with:

netstat -an | grep tcp46

netstat -an | grep tcp46
tcp46 0 0 *.548 *.* LISTEN
tcp46 0 0 *.22 *.* LISTEN


(If you turned off IPv6, you can change the grep to tcp4)

As you can see, it lists what ports are being listened to. You should see your new port being listened to if it's set up correctly. Don't forget that you now have to specify which port you want to connect to with your ssh request.

DoubleEdd
03-07-2005, 12:29 PM
Can you connect locally? e.g. 'ssh -p 31337 localhost'?

What happens if you do 'ssh -v [whatever]' - that'll give some useful info too.

hayne
03-07-2005, 12:35 PM
There was an article on the main macosxhints site not too long ago about exactly this - so have a look - maybe it will show you which part you are missing.

mweier
03-07-2005, 01:07 PM
yellow:
tcp46 0 0 *.31337 *.* LISTEN
does show up when I run that command

DoubleEdd:
No, I can't; it just hangs on ssh -p 31337 localhost.
So it's not the router port forwarding...

hayne:
I know. That's what prompted me to try upping the security in the first place. I saw this thread (http://tinyurl.com/3mq6z) which has a reply in it suggesting to change the port. Their tip, however, seemed to simply prompt doing it entirely in the router (which my router doesn't support).

Any other suggestions? Did I do something wrong? I can't think of what else to try, especially since I'm not much of a Unix Admin type.

I did at least confirm that setting everything back to the default in both sshd_config and services (and reverting port forward to 22) makes it all work again.

mweier
03-07-2005, 01:10 PM
Don't forget that you now have to specify which port you want to connect to with your ssh request.

Yup - was doing that too (was trying to connect as SFTP via Transmit which has a port field there in which to enter it). I also tried commandline ssh as mentioned in my other reply to everyone.

yellow
03-07-2005, 01:54 PM
yellow:
tcp46 0 0 *.31337 *.* LISTEN
does show up when I run that command

Hmm, well, it confirms that something is listening on that port, not necessarily sshd, but it's a step in the right direction.

As DoubleEdd suggested, try using the -v flag to get verbose output from both a normal (localhost) ssh (to port 22), and one where you've changed the port and compare. Maybe it'll help you/us with a clue..

hayne
03-07-2005, 02:20 PM
You should also try turning on debugging on the server side (sshd). As I recall (man sshd) it makes it change into a one-shot server - so you need to restart it (on the command-line) after each attempt to connect. But you do get detailed messages about what is going on.

mweier
03-07-2005, 06:46 PM
As DoubleEdd suggested, try using the -v flag to get verbose output from both a normal (localhost) ssh (to port 22), and one where you've changed the port and compare. Maybe it'll help you/us with a clue..

Sure. I just did an ssh -v -p 31337 (myuser)@localhost

OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to localhost [127.0.0.1] port 31337.
debug1: Connection established.
debug1: identity file /Users/(myuser)/.ssh/identity type -1
debug1: identity file /Users/(myuser)/.ssh/id_rsa type -1
debug1: identity file /Users/(myuser)/.ssh/id_dsa type -1
debug1: ssh_exchange_identification: 220---------- Welcome to Pure-FTPd [TLS] ----------
debug1: ssh_exchange_identification: 220-You are user number 1 of 15 allowed.
debug1: ssh_exchange_identification: 220-Local time is now 18:40. Server port: 31337.
debug1: ssh_exchange_identification: 220-This is a private system - No anonymous login
debug1: ssh_exchange_identification: 220-IPv6 connections are also welcome on this server.
debug1: ssh_exchange_identification: 220 You will be disconnected after 15 minutes of inactivity.

I'm confused why it never asked for password. Also why PureFTP stuck its nose in there (it's something I tried setting up a while ago but don't think I ever got working).

My abilities to analyze what's going on are little to none. Note that this is with (I think) all default settings in sshd_config except port 31337. Also, /etc/services is now back to default (has 22 for both ssh lines there).

DoubleEdd
03-09-2005, 07:24 AM
That Pure-FTPd thing is a bit worrying. It could be that the FTP daemon is running on that port, and not ssh. Try 'ftp -p -P 31337 hostname' and see if you can log in with that to an FTP server (or even just get a prompt for the username and password).

Did you set up Pure-FTP on 31337 originally? If not you should probably be worried in case someone else has set one up on your machine without your knowledge!
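The two checks the thread converges on, "is anything listening on the port" (yellow's netstat) and "is the thing listening actually sshd" (DoubleEdd's worry about Pure-FTPd), can be done in one small script. This is an added example, not code from the thread or from OpenSSH: it reads the active Port lines from an sshd_config, then connects to the port and classifies the first line the server sends, which is exactly what the ssh -v output above was showing when it printed a 220 FTP greeting instead of an SSH-2.0 identification string. The sshd_config text, the banners and the one-shot local listener are constructed here so the script runs offline; against a real box you would call check_ssh_port with the real host and port.

```python
"""Added example (not from the thread): confirm that whatever answers on the
SSH port is really sshd, by reading the service banner the way the ssh -v
output shows it, and by checking what sshd_config actually says.

Host, port, config text and the banners below are constructed for the demo.
"""
import re
import socket
import threading


def parse_sshd_ports(config_text: str) -> list:
    """Return every active 'Port' directive in an sshd_config, or [22] if none.

    sshd listens on all Port lines given; commented-out lines ('#Port 22')
    are ignored, which is the edit the original poster made.
    """
    ports = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"^port\s+(\d+)$", line, re.IGNORECASE)
        if m:
            ports.append(int(m.group(1)))
    return ports or [22]


def classify_banner(first_line: bytes) -> str:
    """Classify a service by the first line it sends on connect."""
    if first_line.startswith(b"SSH-"):
        return "ssh"                               # RFC 4253 identification string
    if re.match(rb"^\d{3}[ -]", first_line):
        return "ftp-style"                         # '220 ...' / '220-...' greetings (FTP, SMTP)
    if not first_line:
        return "silent"                            # e.g. HTTP: waits for the client to speak first
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and return the first line the server sends (empty if it says nothing)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            data = b""
    return data.split(b"\n", 1)[0].rstrip(b"\r")


def check_ssh_port(host: str, port: int) -> tuple:
    """Return (kind, banner) for the service on host:port; kind == 'ssh' is the good outcome."""
    banner = grab_banner(host, port)
    return classify_banner(banner), banner


def serve_banner_once(banner: bytes) -> int:
    """Test fixture: one-shot listener on 127.0.0.1 that sends `banner` and hangs up.

    Returns the ephemeral port so the checker can be exercised offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=_serve, daemon=True).start()
    return port


# Constructed banners: the Pure-FTPd greeting from the thread's ssh -v output, and an sshd one.
PURE_FTPD_BANNER = (b"220---------- Welcome to Pure-FTPd [TLS] ----------\r\n"
                    b"220-You are user number 1 of 15 allowed.\r\n")
SSHD_BANNER = b"SSH-2.0-OpenSSH_3.6.1p1\r\n"

if __name__ == "__main__":
    cfg = "#Port 22\nPort 31337\n"               # constructed sshd_config fragment
    print("sshd_config says:", parse_sshd_ports(cfg))
    for name, banner in (("ftp-on-31337", PURE_FTPD_BANNER), ("sshd", SSHD_BANNER)):
        port = serve_banner_once(banner)
        kind, got = check_ssh_port("127.0.0.1", port)
        print(f"{name}: port {port} -> {kind}: {got.decode(errors='replace')}")
```

A "silent" result is not proof the port is free: services such as HTTP wait for the client to speak first, so pair the banner check with netstat or lsof -i to see which process owns the socket. A "ftp-style" or "unknown" result on the port you just gave sshd means another daemon got there first, which is the situation in this thread.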

mweier
03-09-2005, 05:46 PM
Did you set up Pure-FTP on 31337 originally? If not you should probably be worried in case someone else has set one up on your machine without your knowledge!

Duh. That's totally it. I must have started that ages ago & just never finished it even though it's actually working. I'll just have to pick a different port.

Thanks to all for their UNIX incantations!

hayne
03-09-2005, 06:00 PM
You might also consider that the port number you had chosen (twice!) is perhaps not the best one if you want your SSH to be discreet.

mweier
03-09-2005, 06:16 PM
Good point. I never even got to the point of disclosing PureFTP access info to people (since I didn't think I'd gotten it working), but especially given that I've posted port numbers here plenty, it's best to rethink what port I want to use. I'm assuming the rule of thumb is that most script kiddies don't bother portscanning anything above 1000? Or should I keep it above 10000?

Thanks again!

voldenuit
03-09-2005, 06:31 PM
You should keep your port number below 65536.

That's about it.

And don't forget about services you run ;)

mweier
03-09-2005, 06:48 PM
And don't forget about services you run ;)

I'd never do that ;)

gatoatigrado
05-21-2006, 08:10 PM
my configuration files were in /private/etc.

voldenuit
05-21-2006, 10:36 PM
my configuration files were in /private/etc.
You are not alone; however, there are links in / to most of the directories Apple put in /private, such as:

lrwxr-xr-x 1 root admin 11 Oct 29 2005 etc -> private/etc

Most probably this is because it would be very cumbersome to bend traditional, decades-old Unix paths for lots of apps just to keep the / directory tidy.