Discussion:
reverse ssh
Erez D
2014-07-20 08:36:46 UTC
hello

I have a Linux machine with a private IP connected to the internet.
I have a public IP and need to ssh to the Linux box.

Any tools for that?
Lior Kaplan
2014-07-20 08:39:44 UTC
ssh itself ?

http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

Kaplan
_______________________________________________
Linux-il mailing list
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Erez D
2014-07-20 09:03:15 UTC
Post by Lior Kaplan
ssh itself ?
http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
Nice, however this requires me to give access to my server, which I do
not want ...
(Or, can I give people permission to ssh to my server only for reverse
tunnels and no shell?)
Lior Kaplan
2014-07-20 09:06:59 UTC
Didn't check it, but logging in with a user who has /bin/true might do the
trick.

Kaplan
Erez D
2014-07-20 09:16:08 UTC
Post by Lior Kaplan
Didn't check it, but logging in with a user who has /bin/true might do the
trick.
You are correct, it works.
However, it is still a security risk, as this means the client may
listen on an unused port ...
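As an added example (not from the thread or any of its posters), here is the sshd-side answer to the two questions above: a tunnel-only account that gets no shell, no PTY and no local forwards, and may bind exactly one loopback port on the server, so a client cannot pick an arbitrary unused port to listen on. It assumes a placeholder account name tunneluser and port 2222, and OpenSSH 7.8 or newer for PermitListen/permitlisten (the restrict keyword needs 7.2), both later than this 2014 thread.

```shell
#!/bin/sh
# Added example: restrict a reverse-SSH tunnel account on the server side.
# Placeholders: tunneluser (account), 2222 (the only port it may bind).

# Render an sshd_config Match block for the tunnel account.
# Match blocks must go at the end of sshd_config.
# Usage: render_sshd_match USER PORT
render_sshd_match() {
    user=$1
    port=$2
    cat <<EOF
Match User $user
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:$port
    PermitOpen none
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
    ClientAliveInterval 30
    ClientAliveCountMax 3
EOF
}

# Render an authorized_keys line enforcing the same limits per key:
# "restrict" switches everything off, "port-forwarding" re-enables only
# forwarding, and permitlisten narrows the remote forward to one port.
# Usage: render_authorized_key PORT "ssh-ed25519 AAAA... comment"
render_authorized_key() {
    port=$1
    pubkey=$2
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
        "$port" "$pubkey"
}

# Audit the tunnel account's authorized_keys: return 0 when every key line
# carries both "restrict" and a permitlisten= option, otherwise print the
# offending lines and return 1 (a simple substring check, not a full parser).
# Usage: audit_authorized_keys FILE
audit_authorized_keys() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        case $line in
            *restrict*permitlisten=*|*permitlisten=*restrict*) ;;
            *) printf 'unrestricted tunnel key: %s\n' "$line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo on a constructed key (runs only when invoked with --demo).
if [ "${1:-}" = "--demo" ]; then
    render_sshd_match tunneluser 2222
    tmp=$(mktemp)
    render_authorized_key 2222 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA constructed-key" > "$tmp"
    audit_authorized_keys "$tmp" && echo "audit: all tunnel keys restricted"
    rm -f "$tmp"
fi
```

With this in place the private box runs `ssh -N -R 2222:localhost:22 tunneluser@server` (the -N matters: without it the forced /bin/false exits and the session ends) and you reach it from the server with `ssh -p 2222 user@localhost`.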
Rabin Yasharzadehe
2014-07-20 09:38:58 UTC
You can add a port-knocking tool like fwknop to add a dynamic rule to
forward your connection into the private machine.

--
Rabin
Erez D
2014-07-20 10:31:55 UTC
Looks a little complicated - extra ssh server, firewall with port knocking,
all this for an ssh connection ...
Yedidyah Bar David
2014-07-20 11:30:13 UTC
If you just want an ssh connection you can simply redirect connection
attempts to some port on the Internet-accessible machine to port 22 on
the private-IP one - using whatever tool fits you best - iptables,
xinetd, redir, probably many others.
--
Didi
Erez D
2014-07-20 11:33:44 UTC
Post by Yedidyah Bar David
If you just want an ssh connection you can simply redirect connection
attempts to some port on the Internet-accessible machine to port 22 on
the private-IP one - using whatever tool fits you best - iptables,
xinetd, redir, probably many others.
--
Didi
I do not understand what you mean.
E.S. Rosenberg
2014-07-20 13:37:05 UTC
Re: all
You can have something running on the machine you want to SSH to that
updates the machine with a fixed IP on what its IP is, and have a firewall
rule or some other way to redirect specific traffic, for instance
traffic to TCP:22222 from that machine, to the IP that it was updated to
be....
Erez D
2014-07-20 15:46:12 UTC
Post by E.S. Rosenberg
You can have something running on the machine you want to SSH to that
updates the machine with a fixed IP on what its IP is, and have a firewall rule
or some other way to redirect specific traffic, for instance traffic to
TCP:22222 from that machine, to the IP that it was updated to be....
I still do not understand what you mean, and how it will let me connect
to a machine with a private IP.
E.S. Rosenberg
2014-07-20 20:54:31 UTC
I think we need to reset here for a minute...

Is your goal to connect to a machine with an IP on a private range where
there exists a gateway machine or router with a (known) public IP?
In that case the solution is very simple: port-forwarding.
However, I would not do that without also running fail2ban and maybe also
fwknop so that evil SSH traffic would have a harder time getting at my
server.

Or is your goal to connect to a machine reachable via a dynamic IP, and you
have a machine with a fixed IP that you can route via?
In that case solutions are more complex; most of the solutions above
relate to that scenario, I think.

So please clear up for us what your exact goal is.
Regards,
Eliyahu - אליהו
Erez D
2014-07-21 08:18:54 UTC
Post by E.S. Rosenberg
I think we need to reset here for a minute...
Is your goal to connect to a machine with an IP on a private range where
there exists a gateway machine or router with a (known) public IP?
In that case the solution is very simple: port-forwarding.
However, I would not do that without also running fail2ban and maybe also
fwknop so that evil SSH traffic would have a harder time getting at my
server.
Or is your goal to connect to a machine reachable via a dynamic IP, and you
have a machine with a fixed IP that you can route via?
In that case solutions are more complex; most of the solutions above
relate to that scenario, I think.
It is not even a dynamic IP, it is a private IP behind a dynamic one.
Guy Gold
2014-07-21 14:52:10 UTC
Hi Erez,
Post by Erez D
it is not even a dynamic ip, it is a private ip behind a dynamic one
Then, what Eliyahu wrote should serve you a perfect solution.

Also, there's not much advantage in hiding behind the
"security by obscurity" method (i.e. serve SSH on port 9000, or whichever).
The increase in security from that method is in doubt when taking
into consideration the tools used by "bad guys (and girls)" nowadays.
If you must do it, that's fine, but don't let it be a reason for not using
much better methods, as Eliyahu suggested.
--
Guy Gold
Amos Shapira
2014-07-21 22:11:06 UTC
Post by Guy Gold
Also, there's not much advantage in hiding behind the
"security by obscurity" method (i.e. serve SSH on port 9000, or whichever).
The increase in security from that method is in doubt when taking
into consideration the tools used by "bad guys (and girls)" nowadays.
If you must do it, that's fine, but don't let it be a reason for not using
much better methods, as Eliyahu suggested.
From personal experience - there is a huge advantage in picking a random
port for external SSH (and external HTTP). I always had port scanners on my
standard, dynamic ISP ADSL addresses until I moved them to different
non-standard ports. Since then my logs are clean, and I'm talking about
over 5 years of experience (I don't remember exactly when I did the switch).

This is of course not the only measure I take for security. I still treat
them as vulnerable etc. But after years of not having a single probe on the
new ports I have to say that it removed the threat of pretty much 100% of
the probes on my home network.

Perhaps they are more thorough on static ip addresses, known targets etc.,
but in my experience this is a very successful step.
E.S. Rosenberg
2014-07-21 22:21:40 UTC
Any decent port scanner (nmap for instance) will find the SSH service
regardless of the port it's on, while the likelihood of a firewall blocking
access to random non-standard ports is very high.

I use fail2ban to prevent brute forcing and generally also try to have some
form of port knocking (knockd and fwknop are good options) to prevent
initial access to the SSH server from "unidentified" machines.
Amos Shapira
2014-07-22 00:07:38 UTC
Whatever.

I'm speaking from personal experience that I didn't find this necessary.
Erez D
2014-07-22 08:20:44 UTC
Although port scanners can scan every port, it takes 65536 times more
than scanning only port 22,
and there are enough available port 22s,

so using a non-standard port is a smart move
as long as it is not the only one.
Guy Gold
2014-07-22 12:47:50 UTC
Although this can become a flame-war :)

Source:
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

== Begin quote ==

But there are more reasons why this is a bad idea and one of the most
important reason has to do with a bit of the (Linux) way of handling TCP/IP
ports. When you are logged onto a system as a non-root user (anyone not
being uid 0), you cannot create a listening TCP or UDP port below 1024. This
is because port numbers below 1024 are so-called privileged ports and can
only be opened by root or processes that are running as root. So for
instance, when your webserver (apache, nginx etc) will start, it will do so
as the privileged root user in order to open up a listening connection to
port 80 (the port that by default will be used for HTTP traffic). Now, as
soon as the port is opened and everything that needs to be done as root is
done, the webserver will fall back to a non-privileged user (either the
www-data, apache, or nobody user). From that point, when something bad is
happening, it is only limited to the rights that that user has.

Now, back to SSH: when we start SSH on port 22, we know for a fact that
this is done by root or a root-process since no other user could possibly
open that port. But what happens when we move SSH to port 2222? This port
can be opened without a privileged account, which means I can write a
simple script that listens to port 2222 and mimics SSH in order to capture
your passwords. And this can easily be done with simple tools commonly
available on every linux system/server. So running SSH on a non-privileged
port makes it potentially LESS secure, not MORE. You have no way of knowing
if you are talking to the real SSH server or not. This reason, and this
reason alone makes it that you should NEVER EVER use a non-privileged port
for running your SSH server.
==End quote==

Reading the whole page is recommended.

Though some of Joshua Thijssen's points can be argued against (not by
myself, but I'm sure some folks can find some caveats in his article), I
tend to agree with what he points out.

I do acknowledge that SBO (security by...) divides sysadmins quite a bit.
Some live by it, and some, well, ridicule it, and for them, seeing
another sysadmin use such a method is a telltale sign of anachronism. The beauty
is that we can all choose, and what is important is being informed.
--
Guy Gold
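The quoted article rests on one kernel rule: a process without root (or CAP_NET_BIND_SERVICE) cannot bind a listening socket to a port below 1024, so a rogue "SSH" listener can only appear on a higher port. The following is an added example, not part of Guy's post or of Thijssen's article; it probes that rule directly and keeps the notion of a privileged port separate from that of a well-known one (234 is as privileged as 22). The sysctl path is the Linux one; on other platforms the threshold of 1024 is an assumption.

```python
import errno
import os
import socket
import sys

# Added example (not from the thread): demonstrates the kernel rule the quoted
# article builds on. Linux keeps the first unprivileged port in a sysctl
# (1024 by default); where that file is absent, 1024 is assumed.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def privileged_threshold() -> int:
    """Lowest port an unprivileged process may bind on this host."""
    try:
        with open(SYSCTL_PATH) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 1024


def is_privileged_port(port: int) -> bool:
    """True for 1..1023 (by default): binding needs root or CAP_NET_BIND_SERVICE.

    This has nothing to do with the port being well known: 234 is just as
    privileged as 22, and 2222 is not privileged at all.
    """
    return 0 < port < privileged_threshold()


def try_bind(port: int) -> str:
    """Attempt to bind 127.0.0.1:port and classify the result.

    Returns "bound", "permission-denied" (EACCES: privileged port, not root)
    or "in-use" (EADDRINUSE). The socket is closed at once; nothing listens.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind(("127.0.0.1", port))
        except PermissionError:
            return "permission-denied"
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            raise
        return "bound"


def expected_outcome(port: int) -> str:
    """What try_bind should return for a free port given our privileges.

    Assumption: only Linux enforces the privileged-port rule here; on other
    platforms (macOS 10.14+, Windows) the bind is expected to succeed.
    """
    if not sys.platform.startswith("linux"):
        return "bound"
    if os.geteuid() == 0 or not is_privileged_port(port):
        return "bound"
    return "permission-denied"


if __name__ == "__main__":
    for p in (22, 234, 1023, 2222):
        print(f"port {p:>5}: privileged={is_privileged_port(p)!s:<5} "
              f"bind -> {try_bind(p)}")
```

Run it as an ordinary user and the three low ports come back "permission-denied" (or "in-use" where a real daemon already owns them) while 2222 binds; run it as root and all four bind. That is the whole of the article's argument, and it says nothing about which number below 1024 you pick.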
Oleg Goldshmidt
2014-07-22 17:35:15 UTC
Permalink
Post by Guy Gold
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
Should be titled, "Why Putting SSH on a Non-Privileged Port is a Bad
Idea."

Nothing there is relevant to SSH on port 234 (just picking something
easy to remember and not in /etc/services) or similar.

[NB: The poor corporate sysadmin who does not want to deal with every
machine running SSH on a different port - another problem mentioned
there - is a non-issue. In a corporate setting, if a non-standard port
is chosen for anything at all, it will be uniform and documented. And
not every Tom, Dick, and Harry will have root access to modify
sshd_config without adult supervision.]

I am not arguing for or against using a non-standard port. Just pointing
out that "non-standard" and "non-privileged" are two different things.
--
Oleg Goldshmidt
vordoo
2014-07-23 09:09:22 UTC
Permalink

Erez D
2014-07-23 08:44:09 UTC
Permalink
1. only refer to non-privileged ports
2. btw, ssh will warn you if the server cert changes, so if someone
takes the port for its ssh server, you will know

i'll still stick with a non-standard privileged port.
Post by Guy Gold
Post by Guy Gold
Hi Erez,
Post by Erez D
it is not even a dynamic ip, it is a private ip behind a dynamic one
Then, what Eliyahu wrote should serve you a perfect solution.
Although this can become a flame-war :)
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
==Begin quote ==
But there are more reasons why this is a bad idea, and one of the most
important reasons has to do with the (Linux) way of handling TCP/IP
ports. When you are logged onto a system as a non-root user (anyone not
being uid 0), you cannot create a listening TCP or UDP port below 1024. This
is because port numbers below 1024 are so-called privileged ports and can
only be opened by root or processes that are running as root. So for
instance, when your webserver (apache, nginx etc) starts, it will do so
as the privileged root user in order to open up a listening connection on
port 80 (the port that by default will be used for HTTP traffic). Now, as
soon as the port is opened and everything that needs to be done as root is
done, the webserver will fall back to a non-privileged user (either the
www-data, apache, or nobody user). From that point, when something bad is
happening, it is only limited to the rights that that user has.
Now, back to SSH: when we start SSH on port 22, we know for a fact that this
is done by root or a root process, since no other user could possibly open
that port. But what happens when we move SSH to port 2222? This port can be
opened without a privileged account, which means I can write a simple script
that listens on port 2222 and mimics SSH in order to capture your passwords.
And this can easily be done with simple tools commonly available on every
Linux system/server. So running SSH on a non-privileged port makes it
potentially LESS secure, not MORE. You have no way of knowing if you are
talking to the real SSH server or not. This reason, and this reason alone,
means that you should NEVER EVER use a non-privileged port for running
your SSH server.
==End quote==
Reading the whole page is recommended.
Though some of Joshua Thijssen's points can be argued against (not by
myself, but I'm sure some folks can find some caveats in his article), I
tend to agree with what he points out.
I do acknowledge that SBO (security by...) divides sysadmins quite a bit.
Some live by it, and some, well, ridicule it, and for them, seeing
another sysadmin use such a method is a telltale sign of anachronism. The beauty
is that we can all choose, and what is important is being informed.
--
Guy Gold
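Erez's second point is the host key check: ssh remembers each server's public key in known_hosts and refuses a different one on the next connect. The added example below (not Erez's code, and not OpenSSH's own implementation) re-creates that lookup, including the `[host]:port` form used for non-standard ports and the hashed entries written by `ssh-keygen -H`, so the two limits of the protection are visible: it only fires for a host you have already talked to, and a host on a new port is a new host as far as known_hosts is concerned. The host names, keys and salt are constructed, not real.

```python
import base64
import hashlib
import hmac

# Added example (not from the thread or OpenSSH): a minimal re-implementation
# of the known_hosts lookup ssh(1) performs on connect, enough to show when
# the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning fires and when it
# cannot (first contact). Host names, keys and salt below are constructed.


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def host_pattern(host: str, port: int) -> str:
    """OpenSSH stores a host as a bare name on port 22 and as [host]:port otherwise."""
    return host if port == 22 else f"[{host}]:{port}"


def hash_hostname(name: str, salt: bytes) -> str:
    """Hashed entry as written by 'ssh-keygen -H': |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{b64(salt)}|{b64(digest)}"


def entry_names_host(field: str, name: str) -> bool:
    """Does the first known_hosts field (plain list or hashed form) cover this name?"""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
        except ValueError:
            return False
        return hmac.compare_digest(hash_hostname(name, salt), field)
    return name in field.split(",")


def check_host_key(known_hosts: str, host: str, port: int,
                   keytype: str, key_b64: str) -> str:
    """Classify a presented host key the way ssh(1) does:

    "ok"      - an entry for this host and key type holds exactly this key
    "changed" - the host is known with this key type, but the key differs
                (ssh prints the REMOTE HOST IDENTIFICATION HAS CHANGED warning)
    "unknown" - no entry: ssh can only ask you to trust it (trust on first use)

    Simplifications: @cert-authority/@revoked markers and wildcard patterns
    are ignored, and a host known only under another key type counts as unknown.
    """
    name = host_pattern(host, port)
    host_seen = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] != keytype:
            continue
        if not entry_names_host(fields[0], name):
            continue
        host_seen = True
        if hmac.compare_digest(fields[2], key_b64):
            return "ok"
    return "changed" if host_seen else "unknown"


# Constructed sample data (not real keys; real entries carry a public key blob).
KEY_A = b64(b"constructed host key A, not a real ed25519 key")
KEY_B = b64(b"constructed host key B, not a real ed25519 key")
SALT = b"constructed-20B-salt"          # ssh-keygen -H uses a 20-byte random salt

SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts, not a real file
[home.example.org]:234 ssh-ed25519 {KEY_A}
{hash_hostname('vpn.example.org', SALT)} ssh-ed25519 {KEY_B}
"""

if __name__ == "__main__":
    for host, port, key in (("home.example.org", 234, KEY_A),
                            ("home.example.org", 234, KEY_B),
                            ("home.example.org", 22, KEY_A),
                            ("vpn.example.org", 22, KEY_B)):
        print(f"{host_pattern(host, port):28} -> "
              f"{check_host_key(SAMPLE_KNOWN_HOSTS, host, port, 'ssh-ed25519', key)}")
```

The third case is the one to notice: the same machine reached on port 22 instead of 234 is "unknown", so a port move throws the client back to trust-on-first-use, and an impostor that appears there is accepted as readily as the real server would be. The warning Erez relies on protects connections to a host and port you have seen before, which is why the first contact is worth verifying out of band.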
Erez D
2014-07-23 08:55:06 UTC
Permalink
and i forgot:
what if my router redirects any port to my computer's port 22 ?
this can be a non-privileged port

if only I had access to the router settings ...
Post by Erez D
1. only refer to non-privileged ports
2. btw, ssh will warn you if the server cert changes, so if someone
takes the port for its ssh server, you will know
i'll still stick with a non-standard privileged port.
Post by Guy Gold
Post by Guy Gold
Hi Erez,
Post by Erez D
it is not even a dynamic ip, it is a private ip behind a dynamic one
Then, what Eliyahu wrote should serve you a perfect solution.
Although this can become a flame-war :)
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/
==Begin quote ==
But there are more reasons why this is a bad idea, and one of the most
important reasons has to do with the (Linux) way of handling TCP/IP
ports. When you are logged onto a system as a non-root user (anyone not
being uid 0), you cannot create a listening TCP or UDP port below 1024. This
is because port numbers below 1024 are so-called privileged ports and can
only be opened by root or processes that are running as root. So for
instance, when your webserver (apache, nginx etc) starts, it will do so
as the privileged root user in order to open up a listening connection on
port 80 (the port that by default will be used for HTTP traffic). Now, as
soon as the port is opened and everything that needs to be done as root is
done, the webserver will fall back to a non-privileged user (either the
www-data, apache, or nobody user). From that point, when something bad is
happening, it is only limited to the rights that that user has.
Now, back to SSH: when we start SSH on port 22, we know for a fact that this
is done by root or a root process, since no other user could possibly open
that port. But what happens when we move SSH to port 2222? This port can be
opened without a privileged account, which means I can write a simple script
that listens on port 2222 and mimics SSH in order to capture your passwords.
And this can easily be done with simple tools commonly available on every
Linux system/server. So running SSH on a non-privileged port makes it
potentially LESS secure, not MORE. You have no way of knowing if you are
talking to the real SSH server or not. This reason, and this reason alone,
means that you should NEVER EVER use a non-privileged port for running
your SSH server.
==End quote==
Reading the whole page is recommended.
Though some of Joshua Thijssen's points can be argued against (not by
myself, but I'm sure some folks can find some caveats in his article), I
tend to agree with what he points out.
I do acknowledge that SBO (security by...) divides sysadmins quite a bit.
Some live by it, and some, well, ridicule it, and for them, seeing
another sysadmin use such a method is a telltale sign of anachronism. The beauty
is that we can all choose, and what is important is being informed.
--
Guy Gold
vordoo
2014-07-20 09:15:37 UTC
Permalink
geoffrey mendelson
2014-07-20 09:45:55 UTC
Permalink
Post by Erez D
Post by Lior Kaplan
ssh itself ?
http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
nice, however this requires me to give access to my server, which i do
not want ...
(or, can i give people permission to ssh to my server only for reverse
tunnels and no shell ?)
What I did is to run a second SSH server listening on a port on which no one
would expect SSH connections and ONLY allow connections with key
exchanges. So someone could connect to that port randomly or with a
scan, but would be unable to do anything with it.

The regular SSH server, which ran on port 22, allowed much looser
connections, root connections, etc., but port 22 was NOT forwarded out
the firewall. This allowed me to do rsync, etc. locally as root or a user
with no restrictions.
Once the SSH connection is established, it can be used to tunnel anything.

Geoff.
--
Geoffrey S. Mendelson 4X1GM/N3OWJ
Jerusalem Israel.
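Geoff's setup answers Erez's earlier question (tunnels only, no shell) with configuration rather than a new tool: a second sshd instance, key-only, on its own port, with the permissive port-22 instance kept off the firewall. What makes or breaks it is the effective settings of the tunnel account, which depend on how sshd resolves the global section against `Match` blocks. The added example below is mine, not Geoff's and not OpenSSH's code; it parses an sshd_config with that precedence, resolves the settings one user actually gets, and audits an account meant only for `ssh -R`. It handles only `Match User` and `Match all` (an assumption sufficient for this case), and both configs at the bottom are constructed samples.

```python
import re

# Added example (not from the thread or from OpenSSH): parses an sshd_config,
# resolves the settings one account actually gets (global section plus
# "Match User ..." / "Match all" blocks; other Match criteria are out of scope
# here, which is an assumption) and audits an account meant only for reverse
# tunnels. The two configs at the bottom are constructed samples.

# OpenSSH defaults for the directives audited below.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowtcpforwarding": "yes",
    "permittty": "yes",
    "x11forwarding": "no",
    "forcecommand": None,
}


def parse_sshd_config(text: str):
    """Return (global_settings, [(users_or_None, settings), ...]).

    Keywords are case-insensitive and, as in sshd, the first obtained value
    for a keyword wins within the global section and within each Match block.
    """
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.split()
            if len(crit) == 1 and crit[0].lower() == "all":
                users = None                      # applies to every connection
            elif len(crit) == 2 and crit[0].lower() == "user":
                users = set(crit[1].split(","))
            else:
                raise ValueError(f"unsupported Match criteria: {value!r}")
            current = {}
            blocks.append((users, current))
            continue
        (global_cfg if current is None else current).setdefault(keyword, value)
    return global_cfg, blocks


def effective(parsed, user: str) -> dict:
    """Settings sshd applies to `user`: the first matching Match block that
    sets a keyword overrides the global section, which overrides the default."""
    global_cfg, blocks = parsed

    def lookup(keyword):
        for users, settings in blocks:
            if (users is None or user in users) and keyword in settings:
                return settings[keyword]
        return global_cfg.get(keyword, DEFAULTS[keyword])

    return {k: lookup(k) for k in DEFAULTS}


def audit_tunnel_account(config_text: str, user: str) -> list:
    """Findings (empty list = pass) for an account that should only be able
    to open reverse tunnels (ssh -R) and never get a shell."""
    eff = effective(parse_sshd_config(config_text), user)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication: must be 'no' (key-only logins)")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication: must be 'yes'")
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin: 'yes' exposes root to password guessing")
    if eff["allowtcpforwarding"] not in ("yes", "remote"):
        findings.append("AllowTcpForwarding: must permit remote forwarding for -R")
    if eff["permittty"] != "no":
        findings.append("PermitTTY: should be 'no', no interactive terminal")
    if not eff["forcecommand"]:
        # ssh -N requests no command, but a client that does request a session
        # would otherwise get the account's login shell.
        findings.append("ForceCommand: unset, a session request runs the login shell")
    if eff["x11forwarding"] != "no":
        findings.append("X11Forwarding: should be 'no'")
    return findings


# Constructed: a stock-like instance of the kind Geoff kept behind the firewall.
WEAK_CONFIG = """Port 22
PermitRootLogin yes
"""

# Constructed: a second, key-only sshd on an unexpected (and still privileged)
# port, where only the 'tunnel' account may forward and nobody gets a TTY.
HARDENED_CONFIG = """Port 234
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
Match User tunnel
    AllowTcpForwarding remote
    PermitTTY no
    ForceCommand /bin/false
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_tunnel_account(cfg, 'tunnel') or 'OK'}")
```

A second instance is started from its own file with `sshd -f /path/to/sshd_config_tunnel` (it needs its own port and, if it should not share them, its own host keys). For the real thing, `sshd -t -f FILE` checks the syntax and `sshd -T -C user=tunnel,host=HOST,addr=ADDR -f FILE` dumps the effective settings for that user the way `effective()` does here; the same restrictions can also be pinned to the key itself with the `restrict,port-forwarding` options in authorized_keys (OpenSSH 7.2 and later).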
Moish
2014-07-20 09:53:32 UTC
Permalink
Post by geoffrey mendelson
Post by Erez D
Post by Lior Kaplan
ssh itself ?
http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
nice, however this requires me to give access to my server, which i do
not want ...
(or, can i give people permission to ssh to my server only for reverse
tunnels and no shell ?)
What I did is to run a second SSH server listening on a port on which no
one would expect SSH connections and ONLY allow connections with key
exchanges. So someone could connect to that port randomly or with a
scan, but would be unable to do anything with it.
The regular SSH server, which ran on port 22, allowed much looser
connections, root connections, etc., but port 22 was NOT forwarded out
the firewall. This allowed me to do rsync, etc. locally as root or a
user with no restrictions.
Once the SSH connection is established, it can be used to tunnel anything.
Geoff.
Well, that's the essence of port knocking, isn't it :)
--
Moish