Re: Why are high ports used by SFTP server implementation?

2016-02-24 Thread John Hartnup
I think you've overcomplicated the answer here. The high numbers David is
seeing are the port numbers on the client, not on the server. This is
normal. Your server is not listening on any port except 22.

On Wed, Feb 24, 2016 at 2:58 AM Jon V. wrote:

> I’ll try to simplify; TCP (the protocol) can have up to 0x ports or 65535
>
> Ports only need to be reserved for server services and outbound
> connections.  They both use the same pool size of 65535.  Each OS type
> allocates a different range for user-space applications.  For Linux it's
> around 32768 ports.  When creating outbound connections the OS will
> randomly select an unused port.  This is the high port number.
>
> A connected TCP socket looks like this: local:45223 (ephemeral) <->
> remote:22 (fixed)
>
> What you are seeing is the port number of the client.  That number is
> allocated on their machine and not the server.
>
> Look up TCP on Wikipedia.
>
> On Tue, Feb 23, 2016 at 8:52 PM, David Hoffer wrote:
>
> > Hum, that's not entirely clear to me.  The first link says...
> >
> > 'A TCP/IPv4 connection consists of two endpoints, and each endpoint
> > consists of an IP address and a port number.  Therefore, when a client user
> > connects to a server computer, an established connection can be thought of
> > as the 4-tuple of (server IP, server port, client IP, client port).
> > Usually three of the four are readily known -- client machine uses its own
> > IP address and when connecting to a remote service, the server machine's IP
> > address and service port number are required.
> >
> > What is not immediately evident is that when a connection is established
> > that the client side of the connection uses a port number.  Unless a client
> > program explicitly requests a specific port number, the port number used is
> > an *ephemeral* port number.  Ephemeral ports are temporary ports assigned
> > by a machine's IP stack, and are assigned from a designated range of ports
> > for this purpose.'
> >
> > In our case the server is configured to listen on port 22 and the client
> > connects to port 22, so isn't that fixing the port on both sides at port
> > 22?  Are you saying that although port 22 is the logical port used on both
> > systems, in reality a different port is used on the client to connect
> > to the server?  We are using SSH only here; I understand that only uses
> > port 22.
> >
> > Regarding the second link, is that for FTP or also for SFTP?  I know FTP
> > uses passive ports and so does FTPS, but we are only using SFTP, e.g. file
> > transfer as part of SSH.
> >
> > Do those links really describe my situation?  Or are those high ports
> > created on the server so it can hand off work so it can listen on 22
> > again?  E.g. is it using separate ports to communicate with clients instead
> > of multiple threads on the same port?
> >
> > It's not clear to me yet, trying to understand.
> >
> > -Dave
> >
> > On Tue, Feb 23, 2016 at 4:32 PM, Chad Beaulac wrote:
> >
> > > Hey Dave,
> > >
> > > Listener servers hand off to ephemeral ports.
> > > http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
> > > You need ephemeral ports so a server can start listening on port 22 again
> > > while something else is happening.
> > >
> > > Look here for some configuration options.
> > > https://mina.apache.org/ftpserver-project/configuration_passive_ports.html
> > >
> > > -Chad
> > >
> > > On Tue, Feb 23, 2016 at 3:09 PM, David Hoffer wrote:
> > >
> > > > We are using SSHD in an application to create an embedded SFTP server
> > > > which works fine.  Our clients connect on port 22 and we don't have any
> > > > issue with that.
> > > >
> > > > The problem/question is that our IA folks are complaining that our app
> > > > also listens on what appear to be random high ports.  E.g. I see this
> > > > in our logs.
> > > >
> > > > Session username@/127.0.0.1:58118 authenticated
> > > > Server session created from /127.0.0.1:58132
> > > > Server session created from /127.0.0.1:58139
> > > > Server session created from /127.0.0.1:58157
> > > >
> > > > I see these later log statements are coming from IoSession in
> > > > ServerSessionImpl but I don't call this in my code, so it must be part
> > > > of the SSHD/MINA framework.
> > > >
> > > > Why are these high ports being used, and do we need them?  If they are
> > > > not needed for the SFTP server, how can I disable them?  If they are
> > > > needed, why, and can I control the exact ports that are used?
> > > >
> > > > -Dave


Re: Why are high ports used by SFTP server implementation?

2016-02-23 Thread Jon V.
I’ll try to simplify; TCP (the protocol) can have up to 0x ports or 65535

Ports only need to be reserved for server services and outbound
connections.  They both use the same pool size of 65535.  Each OS type
allocates a different range for user-space applications.  For Linux it's
around 32768 ports.  When creating outbound connections the OS will
randomly select an unused port.  This is the high port number.

A connected TCP socket looks like this: local:45223 (ephemeral) <->
remote:22 (fixed)

What you are seeing is the port number of the client.  That number is
allocated on their machine and not the server.

Look up TCP on Wikipedia.

On Tue, Feb 23, 2016 at 8:52 PM, David Hoffer wrote:

> Hum, that's not entirely clear to me.  The first link says...
>
> 'A TCP/IPv4 connection consists of two endpoints, and each endpoint
> consists of an IP address and a port number.  Therefore, when a client user
> connects to a server computer, an established connection can be thought of
> as the 4-tuple of (server IP, server port, client IP, client port).
> Usually three of the four are readily known -- client machine uses its own
> IP address and when connecting to a remote service, the server machine's IP
> address and service port number are required.
>
> What is not immediately evident is that when a connection is established
> that the client side of the connection uses a port number.  Unless a client
> program explicitly requests a specific port number, the port number used is
> an *ephemeral* port number.  Ephemeral ports are temporary ports assigned
> by a machine's IP stack, and are assigned from a designated range of ports
> for this purpose.'
>
> In our case the server is configured to listen on port 22 and the client
> connects to port 22, so isn't that fixing the port on both sides at port
> 22?  Are you saying that although port 22 is the logical port used on both
> systems, in reality a different port is used on the client to connect
> to the server?  We are using SSH only here; I understand that only uses
> port 22.
>
> Regarding the second link, is that for FTP or also for SFTP?  I know FTP
> uses passive ports and so does FTPS, but we are only using SFTP, e.g. file
> transfer as part of SSH.
>
> Do those links really describe my situation?  Or are those high ports
> created on the server so it can hand off work so it can listen on 22
> again?  E.g. is it using separate ports to communicate with clients instead
> of multiple threads on the same port?
>
> It's not clear to me yet, trying to understand.
>
> -Dave
>
> On Tue, Feb 23, 2016 at 4:32 PM, Chad Beaulac wrote:
>
> > Hey Dave,
> >
> > Listener servers hand off to ephemeral ports.
> > http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
> > You need ephemeral ports so a server can start listening on port 22 again
> > while something else is happening.
> >
> > Look here for some configuration options.
> > https://mina.apache.org/ftpserver-project/configuration_passive_ports.html
> >
> > -Chad
> >
> > On Tue, Feb 23, 2016 at 3:09 PM, David Hoffer wrote:
> >
> > > We are using SSHD in an application to create an embedded SFTP server
> > > which works fine.  Our clients connect on port 22 and we don't have any
> > > issue with that.
> > >
> > > The problem/question is that our IA folks are complaining that our app
> > > also listens on what appear to be random high ports.  E.g. I see this in
> > > our logs.
> > >
> > > Session username@/127.0.0.1:58118 authenticated
> > > Server session created from /127.0.0.1:58132
> > > Server session created from /127.0.0.1:58139
> > > Server session created from /127.0.0.1:58157
> > >
> > > I see these later log statements are coming from IoSession in
> > > ServerSessionImpl but I don't call this in my code, so it must be part
> > > of the SSHD/MINA framework.
> > >
> > > Why are these high ports being used, and do we need them?  If they are
> > > not needed for the SFTP server, how can I disable them?  If they are
> > > needed, why, and can I control the exact ports that are used?
> > >
> > > -Dave
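
An added demonstration of the point Jon and John make in this thread (my own script, not code from the thread or from Apache MINA SSHD): a server that listens on a single port accepts any number of connections without opening a new listening port, the "high" number in each log line is the client's ephemeral port, and nothing on the server listens on it. Port 0 (OS-chosen) stands in for 22, the log lines are constructed copies of Dave's, and the function names are my own.

```python
import re
import socket

# Constructed sample, modelled on the log lines quoted in the thread: the
# number after the colon is the CLIENT's ephemeral port, not a server port.
SAMPLE_LOG = """Session username@/127.0.0.1:58118 authenticated
Server session created from /127.0.0.1:58132
Server session created from /127.0.0.1:58139
Server session created from /127.0.0.1:58157"""

ENDPOINT_RE = re.compile(r"/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def remote_ports_from_log(text):
    """Port of each 'ip:port' endpoint the log prints (the remote, client side)."""
    return [int(m.group(2)) for m in ENDPOINT_RE.finditer(text)]


def port_is_listening(port, host="127.0.0.1"):
    """True only if a listener accepts on host:port; an RST means nothing listens."""
    try:
        with socket.create_connection((host, port), timeout=1):
            return True
    except (ConnectionRefusedError, socket.timeout):
        return False


def demo_connections(n_clients=3):
    """Listen on ONE port (0 = OS-chosen, standing in for 22) and accept n clients.
    Returns (server_port, accepted_local_ports, peer_ports, client_own_ports,
    peer_port_listening_flags) so each connection's 4-tuple can be inspected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(n_clients)
    server_port = srv.getsockname()[1]
    clients = [socket.create_connection(("127.0.0.1", server_port))
               for _ in range(n_clients)]
    accepted = [srv.accept()[0] for _ in range(n_clients)]
    local_ports = [s.getsockname()[1] for s in accepted]    # all == server_port
    peer_ports = [s.getpeername()[1] for s in accepted]     # clients' ephemerals
    client_own = [c.getsockname()[1] for c in clients]      # the same numbers
    listening = [port_is_listening(p) for p in peer_ports]  # nobody listens there
    for s in clients + accepted + [srv]:
        s.close()
    return server_port, local_ports, peer_ports, client_own, listening


if __name__ == "__main__":
    sp, lp, pp, co, ls = demo_connections()
    print(f"listening on {sp}; accepted sockets' local ports: {lp}")
    print(f"peer (client) ports: {pp}; is anything listening there? {ls}")
```

The same check on a live host: compare the LISTEN entries of `ss -ltnp` (or `netstat -an`) with the ports in the SSHD log; the logged numbers should appear only as the remote side of ESTABLISHED entries, never as a local listening socket.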


Re: Why are high ports used by SFTP server implementation?

2016-02-23 Thread David Hoffer
Hum, that's not entirely clear to me.  The first link says...

'A TCP/IPv4 connection consists of two endpoints, and each endpoint
consists of an IP address and a port number.  Therefore, when a client user
connects to a server computer, an established connection can be thought of
as the 4-tuple of (server IP, server port, client IP, client port).
Usually three of the four are readily known -- client machine uses its own
IP address and when connecting to a remote service, the server machine's IP
address and service port number are required.

What is not immediately evident is that when a connection is established
that the client side of the connection uses a port number.  Unless a client
program explicitly requests a specific port number, the port number used is
an *ephemeral* port number.  Ephemeral ports are temporary ports assigned
by a machine's IP stack, and are assigned from a designated range of ports
for this purpose.'

In our case the server is configured to listen on port 22 and the client
connects to port 22, so isn't that fixing the port on both sides at port
22?  Are you saying that although port 22 is the logical port used on both
systems, in reality a different port is used on the client to connect
to the server?  We are using SSH only here; I understand that only uses
port 22.

Regarding the second link, is that for FTP or also for SFTP?  I know FTP
uses passive ports and so does FTPS, but we are only using SFTP, e.g. file
transfer as part of SSH.

Do those links really describe my situation?  Or are those high ports
created on the server so it can hand off work so it can listen on 22
again?  E.g. is it using separate ports to communicate with clients instead
of multiple threads on the same port?

It's not clear to me yet, trying to understand.

-Dave

On Tue, Feb 23, 2016 at 4:32 PM, Chad Beaulac wrote:

> Hey Dave,
>
> Listener servers hand off to ephemeral ports.
> http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
> You need ephemeral ports so a server can start listening on port 22 again
> while something else is happening.
>
> Look here for some configuration options.
> https://mina.apache.org/ftpserver-project/configuration_passive_ports.html
>
> -Chad
>
> On Tue, Feb 23, 2016 at 3:09 PM, David Hoffer wrote:
>
> > We are using SSHD in an application to create an embedded SFTP server
> > which works fine.  Our clients connect on port 22 and we don't have any
> > issue with that.
> >
> > The problem/question is that our IA folks are complaining that our app
> > also listens on what appear to be random high ports.  E.g. I see this in
> > our logs.
> >
> > Session username@/127.0.0.1:58118 authenticated
> > Server session created from /127.0.0.1:58132
> > Server session created from /127.0.0.1:58139
> > Server session created from /127.0.0.1:58157
> >
> > I see these later log statements are coming from IoSession in
> > ServerSessionImpl but I don't call this in my code, so it must be part of
> > the SSHD/MINA framework.
> >
> > Why are these high ports being used, and do we need them?  If they are
> > not needed for the SFTP server, how can I disable them?  If they are
> > needed, why, and can I control the exact ports that are used?
> >
> > -Dave


Re: Why are high ports used by SFTP server implementation?

2016-02-23 Thread Chad Beaulac
Hey Dave,

Listener servers hand off to ephemeral ports.
http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
You need ephemeral ports so a server can start listening on port 22 again
while something else is happening.

Look here for some configuration options.
https://mina.apache.org/ftpserver-project/configuration_passive_ports.html

-Chad


On Tue, Feb 23, 2016 at 3:09 PM, David Hoffer  wrote:

> We are using SSHD in an application to create an embedded SFTP server which
> works fine.  Our clients connect on port 22 and we don't have any issue
> with that.
>
> The problem/question is that our IA folks are complaining that our app also
> listens on what appear to be random high ports.  E.g. I see this in our
> logs.
>
> Session username@/127.0.0.1:58118 authenticated
> Server session created from /127.0.0.1:58132
> Server session created from /127.0.0.1:58139
> Server session created from /127.0.0.1:58157
>
> I see these later log statements are coming from IoSession in
> ServerSessionImpl but I don't call this in my code, so it must be part of
> the SSHD/MINA framework.
>
> Why are these high ports being used, and do we need them?  If they are not
> needed for the SFTP server, how can I disable them?  If they are needed,
> why, and can I control the exact ports that are used?
>
> -Dave
>


Why are high ports used by SFTP server implementation?

2016-02-23 Thread David Hoffer
We are using SSHD in an application to create an embedded SFTP server which
works fine.  Our clients connect on port 22 and we don't have any issue
with that.

The problem/question is that our IA folks are complaining that our app also
listens on what appear to be random high ports.  E.g. I see this in our
logs.

Session username@/127.0.0.1:58118 authenticated
Server session created from /127.0.0.1:58132
Server session created from /127.0.0.1:58139
Server session created from /127.0.0.1:58157

I see these later log statements are coming from IoSession in
ServerSessionImpl but I don't call this in my code, so it must be part of
the SSHD/MINA framework.

Why are these high ports being used, and do we need them?  If they are not
needed for the SFTP server, how can I disable them?  If they are needed,
why, and can I control the exact ports that are used?

-Dave