Re: [CentOS] OT: closing a port on home router
On Wed, 23 Sep 2015, James B. Byrne wrote:

> Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The 'dangerous' people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users' expectations.

Without disagreeing with the underlying assessment that SSH should be configured securely regardless of the port to which it's bound, my empirical findings are that few find the alternate port, and they certainly don't do it "in a heartbeat."

In fact, rooting out casual ssh port scans gives you a much better sense of who the 'dangerous' people really are. When you see failed logins in /var/log/secure, you're less likely to write them off as the price of being on the Internet and more likely to see them as a real threat.

Legitimate users aren't really an issue. If you give them access, then it's easy to tell them they need a stanza in ~/.ssh/config:

    Host *.mydomain
    Port [... etc ...]

Again, this isn't a workaround for a sloppy ssh configuration, but I do think it has some value.

--
Paul Heinlein
heinl...@madboa.com
45°38' N, 122°6' W

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: closing a port on home router
On Wed, September 23, 2015 00:11, Always Learning wrote:

> That is great. When I started on Linux that was one of the very first things I did. Every machine, including servers, has port 22 replaced by a unique alternative port. Port 22 is also blocked in IPtables.
>
> There is an army of dangerous nutters attempting to break-in to everything. They often mask their attacks using compromised Windoze computers all around the world.

Changing the port that sshd listens on solves nothing from a security perspective. The only people that this action deflects are the script-kiddies, who are admittedly numerous and who can be dangerous but usually are just low-talent opportunists.

Moving the port by itself still opens a functioning connection to the internet on a service that is inherently susceptible to brute force and rainbow attacks. The 'dangerous' people on the Internet will find this port in a heartbeat and they are far more worrisome than the script-kiddies. Since you absolutely must build a defence against these opponents anyway then you might as well leave the service on the default port to avoid screwing up legitimate users' expectations.

I grant that dealing with an excessive logfile volume can be a consideration. However, this issue is often best dealt with through scripting your own analysis and reporting programs or employing someone else's. And is often solved with an aggressive set of firewall rules. In fact, the volume of entries should be a good indication of how well your defence is serving you. As you tighten the access rules and dynamically block persistent abusers then the volumes should drop and stay fairly low.

Moving the port by itself is like rearranging the deck chairs on a sinking ship. It does not address the fundamental issue. Plus assignment to a non-standard port adds to maintenance and support load since it must be separately accounted for each time it is referenced.
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
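The log analysis that Paul Heinlein (failed logins in /var/log/secure) and James Byrne (scripting your own analysis and dynamically blocking persistent abusers) both point at, as an added example that is not from any poster on this thread. The log lines, addresses and the blocking threshold are constructed for the example; the regex matches the "Failed password" lines OpenSSH writes via syslog.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of /var/log/secure on CentOS.
# Hostnames, addresses, PIDs and ports are invented for this example.
SAMPLE_SECURE_LOG = """\
Sep 23 03:14:07 host sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 23 03:14:09 host sshd[2101]: Failed password for root from 203.0.113.9 port 51022 ssh2
Sep 23 03:14:12 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51031 ssh2
Sep 23 03:20:41 host sshd[2140]: Accepted publickey for fred from 192.168.1.20 port 44310 ssh2
Sep 23 03:52:03 host sshd[2188]: Failed password for invalid user oracle from 198.51.100.77 port 40122 ssh2
Sep 23 04:01:55 host sshd[2201]: Failed password for fred from 198.51.100.77 port 40190 ssh2
Sep 23 04:02:30 host sshd[2209]: Failed password for root from 198.51.100.77 port 40201 ssh2
Sep 23 04:10:01 host sshd[2233]: Accepted password for fred from 192.168.1.20 port 44400 ssh2
"""

# "invalid user" is present when the username does not exist on the box;
# the optional group lets one pattern cover both forms of the line.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(log_text):
    """Return {source_ip: Counter(username -> failures)} for failed sshd logins."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return per_ip


def persistent_abusers(log_text, threshold=3):
    """Source IPs with at least `threshold` failed logins, most active first.

    These are the addresses one would feed to a dynamic firewall rule;
    the threshold is an assumption, tune it to the host's real traffic."""
    per_ip = failed_logins(log_text)
    totals = {ip: sum(c.values()) for ip, c in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


if __name__ == "__main__":
    for ip, users in failed_logins(SAMPLE_SECURE_LOG).items():
        print(ip, dict(users))
    print("block candidates:", persistent_abusers(SAMPLE_SECURE_LOG))
```

Successful logins from the LAN address are never counted, so the summary only reflects sources that actually failed authentication.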
Re: [CentOS] OT: closing a port on home router
On Sun, Sep 13, 2015 at 4:46 AM, Fred Smith wrote:

> Hi all!
>
> I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.

man sshd_config; this option is perhaps your solution: "ListenAddress." So explicitly mention your LAN port(s).

    ListenAddress
        Specifies the local addresses sshd(8) should listen on. The following forms may be used:

            ListenAddress host|IPv4_addr|IPv6_addr
            ListenAddress host|IPv4_addr:port
            ListenAddress [host|IPv6_addr]:port

        If port is not specified, sshd will listen on the address and all prior Port options specified. The default is to listen on all local addresses. Multiple ListenAddress options are permitted. Additionally, any Port options must precede this option for non-port qualified addresses.

HTH
--
Arun Khan
Re: [CentOS] OT: closing a port on home router
On Tue, 2015-09-22 at 22:52 -0400, Fred Smith wrote:

> Paul, thanks for the comment. What you suggest is what my original post was asking about.
>
> Now, the externally visible port is not 22. My original post was asking for advice on tweaking the router to close 22, since I could find no method for that in the router's UI. Not wanting to have to write iptables rules for the router, I found another method that effectively shuts off port 22. 22 IS NOT OPEN to the world any more.

Hi Fred,

That is great. When I started on Linux that was one of the very first things I did. Every machine, including servers, has port 22 replaced by a unique alternative port. Port 22 is also blocked in IPtables.

There is an army of dangerous nutters attempting to break-in to everything. They often mask their attacks using compromised Windoze computers all around the world.

--
Regards,
Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] OT: closing a port on home router
On Wed, Sep 23, 2015 at 03:32:21AM +0100, Always Learning wrote:
> On Tue, 2015-09-22 at 18:52 -0400, Fred Smith wrote:
> > well, not , but another port I won't identify here, and it is forwarded to 22 on my linux box.
>
> Could an 'idea' also be to close permanently port 22 and configure SSH to use a completely different port?
>
> Inviting hackers by having a functioning, in one way or another, port 22 is asking for trouble.

Paul, thanks for the comment. What you suggest is what my original post was asking about.

Now, the externally visible port is not 22. My original post was asking for advice on tweaking the router to close 22, since I could find no method for that in the router's UI. Not wanting to have to write iptables rules for the router, I found another method that effectively shuts off port 22. 22 IS NOT OPEN to the world any more.

--
Fred Smith -- fre...@fcshome.stoneham.ma.us
"For him who is able to keep you from falling and to present you before his glorious presence without fault and with great joy--to the only God our Savior be glory, majesty, power and authority, through Jesus Christ our Lord, before all ages, now and forevermore! Amen." - Jude 1:24,25 (niv)
Re: [CentOS] OT: closing a port on home router
On Tue, 2015-09-22 at 18:52 -0400, Fred Smith wrote:

> well, not , but another port I won't identify here, and it is forwarded to 22 on my linux box.

Could an 'idea' also be to close permanently port 22 and configure SSH to use a completely different port?

Inviting hackers by having a functioning, in one way or another, port 22 is asking for trouble.

--
Regards,
Paul.
England, EU. England's place is in the European Union.
Re: [CentOS] OT: closing a port on home router
On Tue, Sep 22, 2015 at 03:09:18PM -0700, John R Pierce wrote:
> On 9/22/2015 1:45 PM, Fred Smith wrote:
> > Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.
>
> if you're forwarding WAN port , I do not understand what your router is doing with port 22, unless the router itself is also running a sshd

Well, not , but another port I won't identify here, and it is forwarded to 22 on my linux box. The idea was to put ssh on an unusual port. But I couldn't figure out how to close port 22, which was open by default on the router, apparently. I still don't see any way in its UI to do it, and didn't especially want to have to write a custom firewall rule. So I just forwarded WAN/22 to port 9 on the LAN side of the router.

--
Fred Smith
Home: fre...@fcshome.stoneham.ma.us
781-438-5471
Jude 1:24,25
Re: [CentOS] OT: closing a port on home router
On 9/22/2015 1:45 PM, Fred Smith wrote:
> Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.

if you're forwarding WAN port , I do not understand what your router is doing with port 22, unless the router itself is also running a sshd

--
john r pierce, recycling bits in santa cruz
Re: [CentOS] OT: closing a port on home router
On Tue, Sep 22, 2015 at 03:11:53PM -0400, Bowie Bailey wrote:
> On 9/12/2015 9:44 PM, Fred Smith wrote:
> > yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.
>
> If you have not set up forwarding for port 22 on the router, it is already closed. You do not need to do anything.
>
> If you want to verify this, just try to connect to port 22 from outside your network and see what happens.
>
> --
> Bowie

Actually, connecting to port 22 works fine, or did until my last hacking session on the router. Which is why I wanted to make it inaccessible.

My current "solution" is to forward 22 on the WAN side of the router to 9 on the LAN side of the router. Since 9 on the LAN side has no services attached, the incoming connection fails, which is what I wanted.

--
Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community.
--Roger Ebert, December, 1996 - The Boulder Pledge -
Re: [CentOS] OT: closing a port on home router
On 9/12/2015 9:44 PM, Fred Smith wrote:
> yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.

If you have not set up forwarding for port 22 on the router, it is already closed. You do not need to do anything.

If you want to verify this, just try to connect to port 22 from outside your network and see what happens.

--
Bowie
Re: [CentOS] OT: closing a port on home router
On Sat, Sep 12, 2015 at 08:23:14PM -0400, Scott Robbins wrote:
> On Sat, Sep 12, 2015 at 04:26:09PM -0700, John R Pierce wrote:
> > On 9/12/2015 4:16 PM, Fred Smith wrote:
> > > I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
> >
> > inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.
>
> Isn't there any sort of portforwarding thing? Such as forward port (I

yes, there is port forwarding, of course. I'm forwarding a different port to 22 on my desktop, and want to close 22 on the router so it won't also allow access to 22 on my desktop.

I know,... "security through obscurity is no security at all". But I figure it doesn't hurt to try.

> wouldn't use that one, it's too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port ? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on instead of 22.

It is as I said above, I don't want to have to write firewall rules for it because then I need to go to the trouble to make sure my custom rule(s) get reloaded at every reboot.

> Looking at
> http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt-n16-router-firmware-part-4-advanced-wan-settings/
> it seems as if it would allow this and it's described in the section WAN Virtual Server/Port Forwarding.

Ah, I've never seen that resource, thanks! I'll go peruse it and see what I find.

thanks!

--
Fred Smith -- fre...@fcshome.stoneham.ma.us
"And he will be called Wonderful Counselor, Mighty God, Everlasting Father, Prince of Peace. Of the increase of his government there will be no end. He will reign on David's throne and over his kingdom, establishing and upholding it with justice and righteousness from that time on and forever." --- Isaiah 9:7 (niv)
Re: [CentOS] OT: closing a port on home router
On 09/12/2015 04:16 PM, Fred Smith wrote:
> So, I'm trying this (please tell me if it makes sense to do it this way): I've set up a port forwarding rule on the router that forwards incoming port 22 to port 9 on the LAN side of the router.

I'd suggest that you test it, but that does seem reasonable.

Note that there is nothing special about port 9. There is a "discard" service that you can run on that port to consume data and discard it, but it's normally not running. In the normal state, with no service listening on port 9, it's just the same as any other port that isn't listening.
Re: [CentOS] OT: closing a port on home router
On Sat, Sep 12, 2015 at 04:26:09PM -0700, John R Pierce wrote:
> On 9/12/2015 4:16 PM, Fred Smith wrote:
> > I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.
>
> inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.

Isn't there any sort of portforwarding thing? Such as forward port (I wouldn't use that one, it's too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port ? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on instead of 22.

Looking at http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt-n16-router-firmware-part-4-advanced-wan-settings/ it seems as if it would allow this and it's described in the section WAN Virtual Server/Port Forwarding.

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
Re: [CentOS] OT: closing a port on home router
On 9/12/2015 4:16 PM, Fred Smith wrote:
> I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.

inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.

--
john r pierce, recycling bits in santa cruz
[CentOS] OT: closing a port on home router
Hi all!

I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that.

I don't mind learning how to write an iptables rule for that, but I'd rather not have to fool around with commandline stuff on the router, especially things that require extra steps to make it persist across boots.

So, I'm trying this (please tell me if it makes sense to do it this way): I've set up a port forwarding rule on the router that forwards incoming port 22 to port 9 on the LAN side of the router. As I understand it, port 9 is a /dev/null equivalent, and it seems to block the port well enough, but are there caveats I should be aware of?

thanks!

BTW, this is an Asus RT-N16 router using their latest released firmware.

Fred

--
Fred Smith -- fre...@fcshome.stoneham.ma.us
The Lord is like a strong tower. Those who do what is right can run to him for safety. --- Proverbs 18:10 (niv)