topic Re: ssh port - two instances? in Operating System - HP-UX

ssh port - two instances?

Michael Murphy_2 — Wed, 04 Feb 2009 15:27:38 GMT

Hello - we have a setup where we use ssh internally. now need to allow an external client to access us via sftp - firewall folks are saying they will not open port 22 for external due to well-known ssh port and possibility of remote login. I am thinking we could use port 22 for intercompany access and listen on a higher port for external use - that could be opened in a firwall. Has anyone done this? - is it possible/recommended? Can you run two ssh daemons? - would there be config/log file issues?

Re: ssh port - two instances?

Steven E. Protter — Wed, 04 Feb 2009 15:34:10 GMT

Shalom,

I was once tasked to run two ssh daemons on one system.

It did not come out very well.

I do believe that it is possible to get the one daemon to listen on two ports.

That would be by modification of the sshd_config file.

Take a look at these articles:
https://www.linuxquestions.org/questions/linux-software-2/configuring-ssh-to-listen-on-two-different-ports-at-once-386207/

http://linux.die.net/man/5/ssh_config

http://www.webhostingresourcekit.com/227.html

SEP

Re: ssh port - two instances?

Steven Schweda — Wed, 04 Feb 2009 15:48:25 GMT

> [...] port 22 for intercompany access [...]

intra?

> [...] firewall folks are saying they will
> not [...]

Have they offered to do NAT/PAT to translate
a port of their choice to your port 22? If
they're creating the problem, I'd suggest an
opportunity for them to solve it.

Re: ssh port - two instances?

Mel Burslan — Wed, 04 Feb 2009 18:20:19 GMT

On this issue, I'd say I have to side with Steven's solution of NAT/PAT'ing. Since Network group is the one who are balking at the idea of opening the fireall, they should be the ones to carry the burden and specify an external port and PAT it to your server's port 22.

This brings up another idiosyncracity of the network/firewall admins. In this day and age, they still think obscurity can provide security. What if you listen to port 65531 for an external ssl connection ? Port-scanners only take another few seconds to find that vulnerability and if you, the firewall admin, is incapable of doing very rudimentary screening of source IP address and what not, to determine the authenticity of the TCP packet, regardless of which port you listen to, you will get hacked. I am sorry to say but this is a very sloppy way of refusing service to address a (what looks like) legitimate business need. (off my soapbox now)

Cheers...

Re: ssh port - two instances?

Steven E. Protter — Wed, 04 Feb 2009 18:44:52 GMT

Shalom,

No you don't want to open the firewall and most firewall admins would never go with that.

This might help limit system exposure:
http://www.hpux.ws/?p=19

SEP