{Disarmed} Re: [Leaplist] SSH Ports

Gray Frost grayf327 at gmail.com
Wed Aug 13 16:56:14 EDT 2008


Thank you all for your great responses.

Phase TWO now:

I have two linux boxes.  One Fedora 9, the other Ubuntu.  The first I set up
per the discussion so far.  Thanks again.

Now for the Second:

I tried and tried and tried but failed to connect to the Fedora 9 machine,
but didn't have any problems pinging it or using ssh and scp out of it.

Anyways, for you newbies like me: Fedora loads up SELinux on installation,
which I forgot about.  So this next question is for the SELinux side of
things.

When I went into SELinux to change the port from 22 to my new XXXXX number,
it *would not allow* me to change it. Of course you had to be logged into
the system as root, but still it was "grayed" out.  Anyways, I am horrible
with SELinux and usually disable it, but in this case I want the added
security, so this is what I did.  Let me know if this is good, bad, ugly or just
plain wrong.  It works though /shrug.

I have read a little about, and vaguely understand, the concept of port
forwarding.  So I figured I would tell SELinux "If you see something seeking
to come into port XXXXX, please forward it to port 22" (since I could not change
22 to XXXXX in the first place).

It works!  So, question:  Why can I not change port 22 to XXXXX?   Was what I
did correct, even though it works?

On Mon, Aug 11, 2008 at 2:43 AM, John Simpson <jms1 at jms1.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2008-08-10, at 1607, Gray Frost wrote:
>
>>
>> I have set up SSH on my computer and I can ssh in just fine.  I would now
>> like to change from the default port 22 to port XXXXX.  I have changed that
>> in the router's virtual ports easy enough.
>>
>> 1) Where do I make the changes on my ssh host computer?
>>
>> 2) In the /etc/ssh_config file there is a line "#port 22" (commented out).
>> Is this where I make the change?
>>
>
> yes. un-comment the line and change the number to something other than 22.
>
> also, next to that line is usually a "Protocol" line. make sure to
> un-comment that one as well, and make it say "Protocol 2". the version 1
> protocol is known to have security problems.
>
>
>> 3) Do I have to change anything else?
>>
>
> no, just restart sshd after making the change.
>
>
>> 4) Next question:  When ssh'ing or scp'ing in from another computer, is it
>> necessary to specifically call out the new port, such as:
>>
>> "ssh -p XXXXX myuser at mydyndns.address"
>>
>
> yes. it's "-p xxx" for ssh, and "-P xxx" (capital p) for scp.
>
> but see below.
>
>
>> 5) Does the other comp have to have the same port set up, or is the default
>> port 22 ok on the other comp?
>>
>
> the port number used by the server's sshd, and the port used by the client
> (the ssh, scp, or sftp program) need to be the same. it doesn't matter what
> port the client machine's sshd is running, or even IF it's running one. if
> the server's "sshd" is using port 222, then the client's "ssh" (or scp, or
> sftp) needs to connect to port 222.
>
> my own server uses a non-standard port for ssh. on my desktop and laptop
> machines, in my ~/.ssh/config file i have lines like the following:
>
> Host phineas
>        Port xxx
>
> Host jms1.net
>        Port xxx
>
> Host 208.111.3.163
>        Port xxx
>
> Host *
>        ForwardAgent yes
>        ForwardX11 yes
>        Protocol 2
>
> what this says is that if a client (ssh, scp, sftp) is connecting to a host
> named "phineas", or "jms1.net", or my server's IP address, then it will
> use my non-standard port number. and regardless of what i'm connecting to,
> it will forward my SSH agent connection, forward the X11 server connection,
> and only use version 2 of the SSH protocol (it won't even try version 1.)
>
> with the port numbers specified in the config file like this, i don't have
> to include a "-p" or "-P" option on the command line, every time i type one.
>
>
> - --------------------------------------------------------
> | John M. Simpson  --  KG4ZOW  --  Programmer At Large |
> | http://www.jms1.net/                 <jms1 at jms1.net> |
> - --------------------------------------------------------
> |   Hope for America  --  http://www.ronpaul2008.com/  |
> - --------------------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (Darwin)
>
> iD8DBQFIn9+Gj42MmpAUrRoRAnORAJ948eC3gYqwO1Zq2kLnGliPw0Ch/gCgxQB0
> lQRouVtqAFGKW8pPobjcNWA=
> =rnaO
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> _______________________________________________
> Leaplist mailing list
> Leaplist at leap-cf.org
> http://lists.leap-cf.org/mailman/listinfo/leaplist
>



-- 

Gray

"Don't think you are, know you are."

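John's ~/.ssh/config layout depends on how OpenSSH evaluates the file: it reads the Host blocks top to bottom and, for each option, keeps the first value it obtains, which is why his catch-all "Host *" block is the last one. The Python script below is an added example and is not code from the original thread or from the list's members. It models that resolution for a constructed copy of the quoted config (2222 stands in for the redacted "xxx" port; "phineas" and the addresses are the ones from the post), reports the effective port and protocol for a destination so no "-p"/"-P" is needed on the command line, and flags the common mistake of putting "Host *" first, which would silently pin every host to port 22. First-value-wins and "!"-negated patterns follow ssh_config(5); pattern matching via fnmatch is an approximation of ssh's own matcher.

```python
"""Model how OpenSSH resolves ~/.ssh/config options for a destination host.

Added example, not part of the original thread.  ssh_config(5) semantics
modelled here: blocks are read top to bottom, and for every option the
FIRST value obtained wins, so a catch-all "Host *" block must come last.
Pattern matching uses fnmatch as an approximation of ssh's own matcher.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed copy of the quoted config.  2222 stands in for the redacted
# "xxx" port; "phineas" and the addresses are the ones from the post.
SAMPLE_CONFIG = """\
Host phineas
       Port 2222

Host jms1.net
       Port 2222

Host 208.111.3.163
       Port 2222

Host *
       ForwardAgent yes
       ForwardX11 yes
       Protocol 2
"""

# Constructed mis-ordered variant: the catch-all comes first, so its Port 22
# is obtained before the per-host block is ever reached.
MISORDERED_CONFIG = """\
Host *
       Port 22
       Protocol 2

Host phineas
       Port 2222
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_blocks(text: str) -> List[Block]:
    """Split config text into (host_patterns, options) blocks in file order."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]        # options before any Host line are global
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)    # first value in a block wins too
    blocks.append((patterns, options))
    return blocks


def host_matches(host: str, patterns: List[str]) -> bool:
    """A host matches if any positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_options(host: str, text: str) -> Dict[str, str]:
    """Resolve options for host: first obtained value wins; Port defaults to 22."""
    result: Dict[str, str] = {}
    for patterns, options in parse_blocks(text):
        if host_matches(host, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    result.setdefault("port", "22")
    return result


def port_for(host: str, text: str) -> int:
    """The port ssh/scp/sftp would connect to, so no -p/-P is needed."""
    return int(effective_options(host, text)["port"])


def catch_all_is_last(text: str) -> bool:
    """Lint: a 'Host *' block with settings must be the final block in the file."""
    blocks = parse_blocks(text)
    for index, (patterns, options) in enumerate(blocks):
        if patterns == ["*"] and options and index != len(blocks) - 1:
            return False
    return True


if __name__ == "__main__":
    for dest in ("phineas", "jms1.net", "208.111.3.163", "somewhere.example"):
        opts = effective_options(dest, SAMPLE_CONFIG)
        print(f"{dest:20} port={opts['port']:5} protocol={opts.get('protocol')}")
    print("catch-all last (sample):    ", catch_all_is_last(SAMPLE_CONFIG))
    print("catch-all last (misordered):", catch_all_is_last(MISORDERED_CONFIG))
    print("phineas port in misordered: ", port_for("phineas", MISORDERED_CONFIG))
```

Run it as-is to see the three named hosts resolve to 2222 while an unlisted host falls back to 22, and every host pick up Protocol 2 and the forwarding settings from the trailing catch-all; the mis-ordered variant shows "phineas" resolving to 22 because the earlier "Host *" block already supplied a Port. The same first-value-wins rule is why putting security-relevant settings such as "Protocol 2" in the catch-all is safe: a later per-host block cannot override them, only an earlier one can.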


