Operating System - HP-UX

Re: ssh port - two instances?

Michael Murphy_2
Frequent Advisor

ssh port - two instances?

Hello - we have a setup where we use ssh internally. Now we need to allow an external client to access us via sftp - firewall folks are saying they will not open port 22 for external use due to the well-known ssh port and the possibility of remote login. I am thinking we could use port 22 for intercompany access and listen on a higher port for external use - that could be opened in a firewall. Has anyone done this? Is it possible/recommended? Can you run two ssh daemons? Would there be config/log file issues?
Steven E. Protter
Exalted Contributor

Re: ssh port - two instances?

Shalom,

I was once tasked to run two ssh daemons on one system.

It did not come out very well.

I do believe that it is possible to get the one daemon to listen on two ports.

That would be by modification of the sshd_config file.

Take a look at these articles:
https://www.linuxquestions.org/questions/linux-software-2/configuring-ssh-to-listen-on-two-different-ports-at-once-386207/

http://linux.die.net/man/5/ssh_config

http://www.webhostingresourcekit.com/227.html

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
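As an added illustration of the single-daemon approach (this is not configuration from the thread, from HP, or from the linked articles), here is an sshd_config fragment that makes one sshd listen on port 22 and on a second high port, and confines anything arriving on the high port to sftp only. It assumes an OpenSSH-based sshd new enough to accept multiple Port lines, Match LocalPort, ForceCommand, ChrootDirectory and AllowUsers inside a Match block; the port 2222, the user extpartner and the chroot path are constructed sample values.

```conf
# Fragment for sshd_config (on HP-UX Secure Shell typically /opt/ssh/etc/sshd_config;
# adjust the path for your install). Assumed: a single OpenSSH-based sshd that
# understands multiple Port lines and "Match LocalPort". Sample values are constructed.

# One daemon, two listening ports: 22 for internal users, 2222 for the
# firewall to forward to (or PAT to) for the external sftp client.
Port 22
Port 2222

# Global defaults that apply to internal connections.
PasswordAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp

# Everything that arrives on the external port is restricted to file transfer:
# only the named account, no shell, no port forwarding, chrooted to its own tree.
# The ChrootDirectory itself must be owned by root and not writable by anyone
# else; give the user a writable subdirectory (e.g. /var/sftp/extpartner/upload).
Match LocalPort 2222
    AllowUsers extpartner
    ForceCommand internal-sftp
    ChrootDirectory /var/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t -f /path/to/sshd_config` before restarting so a syntax error does not leave you without any ssh access; both ports share the daemon's single log, so a mistake on one port does not produce a second set of log files to reconcile.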
Steven Schweda
Honored Contributor

Re: ssh port - two instances?

> [...] port 22 for intercompany access [...]

intra?

> [...] firewall folks are saying they will
> not [...]

Have they offered to do NAT/PAT to translate
a port of their choice to your port 22? If
they're creating the problem, I'd suggest an
opportunity for them to solve it.
Mel Burslan
Honored Contributor

Re: ssh port - two instances?

On this issue, I'd say I have to side with Steven's solution of NAT/PAT'ing. Since the Network group is the one balking at the idea of opening the firewall, they should be the ones to carry the burden and specify an external port and PAT it to your server's port 22.

This brings up another idiosyncrasy of the network/firewall admins. In this day and age, they still think obscurity can provide security. What if you listen on port 65531 for an external ssl connection? Port-scanners only take another few seconds to find that vulnerability, and if you, the firewall admin, are incapable of doing very rudimentary screening of the source IP address and whatnot to determine the authenticity of the TCP packet, then regardless of which port you listen on, you will get hacked. I am sorry to say, but this is a very sloppy way of refusing service to address (what looks like) a legitimate business need. (off my soapbox now)

Cheers...
________________________________
UNIX because I majored in cryptology...
Steven E. Protter
Exalted Contributor

Re: ssh port - two instances?

Shalom,

No you don't want to open the firewall and most firewall admins would never go with that.

This might help limit system exposure:
http://www.hpux.ws/?p=19

SEP