Running SSH on a Non-standard Port
Published November 3rd, 2008
Problem Statement
If you review your security log (/var/log/secure) from time to time, you will notice a lot of connection attempts from the outside world on port 22 (SSH). By moving your SSH traffic to a non-standard port, you add a layer of obscurity against the automated scanners that only probe ports below 1024 to discover services. This is a tactical nuisance-reduction measure, not a security control: anyone who scans the full port range will still find sshd, and a listener on a high port is no stronger than one on port 22. Here we show you how to change the SSH port on the server and in our favourite SSH clients, the ssh command-line client on Linux and PuTTY on Windows.
| Warning! |
| Changing the SSH port on a remote server might cause you to lose access if something goes wrong. We highly recommend that you make the change from a local console attached to the server or via a remote KVM, and that you keep your existing SSH session open until you have verified a login on the new port. |
Step 1: Changing SSH Port on the Server
First decide on a port number. Any port above 1024 that nothing else is listening on will do; check with netstat -tln before you pick one. Two caveats: ports above 1024 are unprivileged, so on a multi-user host any local user could bind the port while sshd is down; and sshd accepts more than one Port directive, so you can keep Port 22 alongside the new one until the change is verified and remove it afterwards. For example, here we will use 12345 as the port number to replace the default SSH port, 22. Once you have logged on to the CentOS server as root via a local console or a remote KVM, do the following:
- Edit the server configuration file /etc/ssh/sshd_config and uncomment or add the Port directive so that it reads Port [chosen number]. Example: Port 12345.
- Save the configuration file.
Step 2: Configuring iptables for new SSH port
Next, you need to tell iptables to allow traffic through the new port. So do the following as root:
- Edit the /etc/sysconfig/iptables file and add the following lines before the last three lines (that is, above the chain's catch-all REJECT rule; an ACCEPT placed after the REJECT is never reached):
# SSH on port 12345
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 12345 -j ACCEPT
- Once the change is saved, restart iptables using service iptables restart.
- Now run iptables -L -n and check that the rule for 12345 is shown, as in the sample output below:
Chain RH-Firewall-1-INPUT
target     prot opt source               destination
[lines removed for brevity]
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:12345
If you do not see a line with the new port number, you need to revisit the /etc/sysconfig/iptables file and restart iptables again.
Step 3: Restart SSH
Once iptables is configured, check the edited configuration with sshd -t (it prints nothing when the file is valid) and then restart SSH using service sshd restart. If sshd does not come back, look in /var/log/secure for the reason; on CentOS 6 and later with SELinux enforcing, sshd is also refused the new port until it is labelled with semanage port -a -t ssh_port_t -p tcp 12345.
Step 4: Testing SSH Connection to New Port
Now from another Linux system, SSH to your server using the following command:
ssh -l [username] [server hostname] -p [port number]
For example:
ssh -l kabir centos.example.com -p 12345
You should be able to log in as usual with your normal username and password. Keep your original console or port-22 session open until this succeeds.
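The whole server-side procedure (Steps 1 to 3, plus the rule-order check that Step 2's iptables -L -n is really about) written as shell functions. This is an added example for this article, not code from the original. The functions take file paths so you can rehearse them on copies of sshd_config and /etc/sysconfig/iptables before running the apply_on_centos wrapper as root; the chain name RH-Firewall-1-INPUT and the service commands are taken from the article, and the file contents in demo are constructed stand-ins, not copied from a real host.

```shell
# Added example for this article: the server-side steps as functions that edit
# a given file, so they can be rehearsed on copies before touching the live
# /etc/ssh/sshd_config and /etc/sysconfig/iptables. Assumes the CentOS 5 layout
# the article uses (RH-Firewall-1-INPUT chain, "service" commands).
set -u

# Accept only numeric, unprivileged ports (1025-65535); non-zero otherwise.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Step 1: uncomment or replace the Port directive in an sshd_config-style file,
# appending one if the file has none. Every existing Port line is rewritten.
set_sshd_port() {
    local cfg="$1" port="$2"
    valid_port "$port" || { echo "refusing port '$port'" >&2; return 1; }
    if grep -Eq '^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]+[0-9]+.*/Port $port/" "$cfg" \
            > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Report the port sshd would listen on according to the file (22 when unset).
get_sshd_port() {
    local p
    p=$(awk 'tolower($1) == "port" { print $2 }' "$1" | tail -n 1)
    echo "${p:-22}"
}

# Step 2: add the ACCEPT rule. The article says "before the last three lines";
# what matters is landing above the chain's catch-all REJECT, so the rule goes
# just before the last REJECT (or before COMMIT if there is none). Idempotent.
add_iptables_rule() {
    local f="$1" port="$2"
    valid_port "$port" || return 1
    grep -Eq -- "--dport ${port}([^0-9]|$)" "$f" && return 0
    awk -v port="$port" '
        { line[NR] = $0
          if ($0 ~ /-j REJECT/) rej = NR
          if ($0 == "COMMIT")   com = NR }
        END {
            at = rej ? rej : (com ? com : NR + 1)
            for (i = 1; i <= NR + 1; i++) {
                if (i == at) {
                    print "# SSH on port " port
                    print "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport " port " -j ACCEPT"
                }
                if (i <= NR) print line[i]
            }
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# The check behind "iptables -L -n": succeed only if an ACCEPT for the port is
# listed above the chain's REJECT, i.e. the rule is actually reachable.
rule_precedes_reject() {
    awk -v port="$2" '
        $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !a { a = NR }
        /-j REJECT/ { r = NR }
        END { exit !(a && (!r || a < r)) }' "$1"
}

# Steps 1-3 on the live host. Run as root from a console or KVM; it backs both
# files up and refuses to restart sshd if the edited config fails sshd -t.
apply_on_centos() {
    local port="$1"
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
    set_sshd_port /etc/ssh/sshd_config "$port"
    sshd -t || { echo "sshd_config invalid, restoring backup" >&2
                 cp -p /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    add_iptables_rule /etc/sysconfig/iptables "$port"
    service iptables restart
    iptables -L -n | grep -Eq "dpt:${port}([^0-9]|$)" || { echo "rule not loaded" >&2; return 1; }
    service sshd restart
}

# Rehearsal on constructed stand-ins for the two files (not from a real host).
demo() {
    local d
    d=$(mktemp -d)
    printf '#Port 22\nProtocol 2\nPermitRootLogin no\n' > "$d/sshd_config"
    printf '%s\n' '*filter' ':RH-Firewall-1-INPUT - [0:0]' \
        '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' > "$d/iptables"
    set_sshd_port "$d/sshd_config" 12345
    add_iptables_rule "$d/iptables" 12345
    rule_precedes_reject "$d/iptables" 12345 \
        && echo "sshd port $(get_sshd_port "$d/sshd_config"): ACCEPT rule sits above REJECT"
    rm -rf "$d"
}
demo
```

Running the file as-is only exercises the copies in demo; apply_on_centos is the one call that touches the live host, and it is deliberately left for you to invoke by hand, as root, from a console session you can fall back to.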
You can make the new port the default for this server on your Linux workstations and other servers, so that you do not have to specify -p each time, by adding a Host block to the client configuration: /etc/ssh/ssh_config for every user on the machine, or ~/.ssh/config for just your own account. ssh uses the first value it finds for each option, so place the block above any Host * block:
Host [server host or IP address]
    Port [new port number]
For example:
Host centos.example.com
    Port 12345
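The client-side change as a small script, added here as an example and not part of the original article: it adds or updates the Port for one host in an OpenSSH client config file and reads the value back the way ssh resolves it (blocks scanned in order, first value wins), which is why a new block is inserted above the first existing Host line rather than appended. The read-back only handles exact host names and a bare Host *; full wildcard patterns are an assumption it does not cover, and the sample config in demo is constructed for the example.

```shell
# Added example for this article: maintain a per-host Port entry in an OpenSSH
# client config (~/.ssh/config or /etc/ssh/ssh_config) and read it back the way
# ssh resolves it (first obtained value wins, Host blocks scanned in order).
# Assumes plain "Host name" lines; only exact names and "*" are matched.
set -u

# Port ssh would use for host $2 per config file $1 (22 when nothing matches).
client_port_for() {
    awk -v host="$2" '
        BEGIN { m = 1 }                      # directives before any Host apply to all
        tolower($1) == "host" {
            m = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") m = 1
            next
        }
        m && tolower($1) == "port" && !found { found = $2 }
        END { print (found ? found : 22) }' "$1"
}

# True if some Host line names $2 exactly.
_stanza_exists() {
    awk -v host="$2" '
        tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == host) f = 1 }
        END { exit !f }' "$1"
}

# Set Port $3 for host $2 in config $1: rewrite the existing block's Port line
# (adding one if the block lacks it); otherwise insert a new block before the
# first Host line, so a later "Host *" block cannot shadow it.
client_set_port() {
    local cfg="$1" host="$2" port="$3"
    [ -f "$cfg" ] || : > "$cfg"
    if _stanza_exists "$cfg" "$host"; then
        awk -v host="$host" -v port="$port" '
            function emit_port() { if (inb && !done) { print "    Port " port; done = 1 } }
            tolower($1) == "host" { emit_port(); inb = 0
                for (i = 2; i <= NF; i++) if ($i == host) inb = 1 }
            inb && tolower($1) == "port" && !done { print "    Port " port; done = 1; next }
            { print }
            END { emit_port() }' "$cfg" > "$cfg.tmp"
    else
        awk -v host="$host" -v port="$port" '
            !ins && tolower($1) == "host" { print "Host " host; print "    Port " port; print ""; ins = 1 }
            { print }
            END { if (!ins) { print "Host " host; print "    Port " port } }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Constructed sample: a pre-existing "Host *" block that would otherwise win.
demo() {
    local d
    d=$(mktemp -d)
    printf 'Host *\n    Port 2200\n' > "$d/config"
    client_set_port "$d/config" centos.example.com 12345
    echo "centos.example.com -> $(client_port_for "$d/config" centos.example.com)"   # 12345
    echo "anything else      -> $(client_port_for "$d/config" other.example.com)"    # 2200
    rm -rf "$d"
}
demo
```

On OpenSSH 6.8 or later you can confirm what the real client resolved with ssh -G centos.example.com | grep '^port '; on the OpenSSH 4.x shipped with CentOS 5 that option does not exist, so ssh -v centos.example.com and the "Connecting to ... port" line is the check.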
If you use PuTTY on Windows and want it to default to your new server port, open Default Settings under Saved Sessions, enter the port number in the Port field and save it, as shown below:

Once the new port number is saved as the default, you can log on to your server by entering just the hostname or IP address. Of course, this change will affect every other server name you enter in PuTTY, so if you have previously stored server-specific settings as a saved session, edit that session's port instead of changing PuTTY's default.
Now enjoy accessing your server on a non-standard port that most would-be attackers running a scanner with its default port list will skip; your security log (/var/log/secure) should show a decrease in SSH login attempts going forward. But as we mentioned earlier, this is security by obscurity: a full-range port scan finds sshd in seconds, so the new port must not be your only defence against SSH attacks.
In a future article we will discuss the DenyHosts service, which automatically blocks IP addresses that fail to authenticate to your SSH server after a certain number of attempts. Until then, stay tuned for other interesting articles on CentOS.
Cheers.