#1
Hey, people!

I can't figure out what solution to use for the following problem:

From the office, I need to connect to a machine on my own home LAN. I can configure my home router to send calls on port 22 to a certain IP on the LAN. But my provider blocks an extent of ports, including 22.

It seems possible to change the port in sshd_config. But then, the other machines in my LAN could connect to it with port 22.

What is the correct approach here?

--
There is an art, it says, or rather, a knack to flying. The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams

Rikishi 42
#2
On Mon, 13 Aug 2007 21:08:03 +0200, Rikishi 42 wrote:
> Hey, people!
>
> I can't figure out what solution to use for the following problem:
>
> From the office, I need to connect to a machine on my own home LAN. I can
> configure my home router to send calls on port 22 to a certain IP on the LAN.
> But my provider blocks an extent of ports, including 22.
>
> It seems possible to change the port in sshd_config. But then, the other
> machines in my LAN could connect to it with port 22.
>
> What is the correct approach here?

you can have two:

    Port 22
    Port 8022

lines in your sshd_config file... the ssh server will listen on both ports....

I don't really like having my ssh server on a public port so I run it on a non-standard port, require an ssh-key.

On the ssh clients.. in the ssh_config file, I have the port listed for my servers so that ssh server goes to the correct port...

( from ssh_config )

    ..
    ..
    ..
    host server
        port 8022

jack

--
D.A.M. - Mothers Against Dyslexia
see http://www.jacksnodgrass.com for my contact info.
jack - Grapevine/Richardson
#3
On 2007-08-13, Jack Snodgrass <(E-Mail Removed)> wrote:
>> From the office, I need to connect to a machine on my own home LAN. I can
>> configure my home router to send calls on port 22 to a certain IP on the LAN.
>> But my provider blocks an extent of ports, including 22.
>>
>> It seems possible to change the port in sshd_config. But then, the other
>> machines in my LAN could connect to it with port 22.
>
> you can have two:
> Port 22
> Port 8022
> lines in your sshd_config file... the ssh server will listen on both
> ports....

Strange, I tried that and thought it didn't work. I used nmap from another machine to search for open ports. I saw 22, even saw 22 disappear when I stopped sshd. But I never saw the added port.

So I was looking for the mistake I had made, when I finally tried it: the port works!

Why would a port (eg: 8022) not appear in 'nmap server', but when I use ssh user@server -p8022 the connection works perfectly?

--
There is an art, it says, or rather, a knack to flying. The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
#4
On Aug 13, 2:51 pm, Rikishi 42 <fsck_s...@telenet.be> wrote:
> Why would a port (eg: 8022) not appear in 'nmap server', but when I use ssh
> user@server -p8022 the connection works perfectly?

You didn't ask 'nmap' to check port 8022, so it didn't.

DS
#5
Hello,

Rikishi 42 wrote:
>
> Why would a port (eg: 8022) not appear in 'nmap server', but when I use ssh
> user@server -p8022 the connection works perfectly?

From nmap manpage:

    -p <port ranges>
        This option specifies what ports you want to specify. [...] The default
        is to scan all ports between 1 and 1024 as well as any ports listed in
        the services file which comes with nmap.

I guess port 8022 is not in nmap's services file.
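
Added example (not written by any poster in this thread): a Python check that ties the two Port lines suggested in post #2 to the default-range point from post #5. It reads the Port lines from an sshd_config, tests each with a TCP connect, and flags ports outside 1 to 1024, which the default described in the quoted manpage would skip unless they are in nmap's services file; the sample config, the host and all function names are constructed for illustration.

```python
import socket

DEFAULT_SCAN_MAX = 1024  # top of the default range in the manpage text quoted above


def sshd_ports(config_text):
    """Return the ports named by Port lines (ListenAddress host:port is not handled)."""
    ports = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break  # Port is a global keyword; a Match block cannot add one
        if keyword == "port" and len(parts) > 1 and parts[1].isdigit():
            ports.append(int(parts[1]))
    return ports or [22]  # sshd listens on 22 when no Port line is present


def is_listening(host, port, timeout=1.0):
    """TCP connect check: True if something accepts connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, config_text):
    """Per configured port: is it reachable, and would a 1-1024 scan cover it?"""
    return {
        port: {"listening": is_listening(host, port),
               "in_default_range": 1 <= port <= DEFAULT_SCAN_MAX}
        for port in sshd_ports(config_text)
    }


# Constructed sample mirroring the two Port lines suggested in the thread.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real server's file
Port 22
Port 8022
PasswordAuthentication no
"""

if __name__ == "__main__":
    for port, info in audit("127.0.0.1", SAMPLE_SSHD_CONFIG).items():
        print(port, info)
```

A port reported as listening with in_default_range false is the case from the thread: the service works, but a scan has to name the port with -p to show it.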
#6
On 2007-08-13, David Schwartz <(E-Mail Removed)> wrote:
> On Aug 13, 2:51 pm, Rikishi 42 <fsck_s...@telenet.be> wrote:
>
>> Why would a port (eg: 8022) not appear in 'nmap server', but when I use ssh
>> user@server -p8022 the connection works perfectly?
>
> You didn't ask 'nmap' to check port 8022, so it didn't.

Trey, very true. Didn't know I had to. Learned that.

thx

--
There is an art, it says, or rather, a knack to flying. The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
#7
On 2007-08-14, Pascal Hambourg <(E-Mail Removed)> wrote:
>> Why would a port (eg: 8022) not appear in 'nmap server', but when I use ssh
>> user@server -p8022 the connection works perfectly?
>
> From nmap manpage :
>
> -p <port ranges>
> This option specifies what ports you want to specify. [...] The default
> is to scan all ports between 1 and 1024 as well as any ports listed in
> the services file which comes with nmap.
>
> I guess port 8022 is not in nmap's services file.

Nope, and neither is the port I was actually using.

But, all things working, I still couldn't connect from the office. Might be other issues, I need more info from the providers, I think.

--
There is an art, it says, or rather, a knack to flying. The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
#8
On Mon, 13 Aug 2007 21:08:03 +0200 Rikishi 42 <(E-Mail Removed)> wrote:
| Hey, people!
|
| I can't figure out what solution to use for the following problem:
|
| From the office, I need to connect to a machine on my own home LAN. I can
| configure my home router to send calls on port 22 to a certain IP on the LAN.
| But my provider blocks an extent of ports, including 22.
|
| It seems possible to change the port in sshd_config. But then, the other
| machines in my LAN could connect to it with port 22.
|
| What is the correct approach here?

I happen to have SSH listening to several different ports. I do it by running a separate instance of the daemon for each. I also run each via a separate copy of the executable so I can choose to kill all active sessions by port using the killall command.

None of the ports I listen on is port 22. The password probes are so heavy that I've found they have the effect of flooding my logs and wasting time checking for serious security issues. All these probes may well be a reason your provider blocks 22 or other ports. I assume you have figured out a port number you can get through on.

--
|---------------------------------------/----------------------------------|
| Phil Howard KA9WGN (ka9wgn.ham.org)  /  Do not send to the address below |
| first name lower case at ipal.net   /  spamtrap-2007-08-15-(E-Mail Removed) |
|------------------------------------/-------------------------------------|