Hello,
--- David Strout <[EMAIL PROTECTED]> wrote:
> On an added note ... if you "really" need sshd to
> listen on specific interfaces you can manually
> edit /etc/ssh/sshd_config and add a ListenAddress
> directive, then restart sshd.
>
> Here's how:
[CUT]
I've followed your instructions and I had to change
some commands.
> THEN EDIT THE SSHD CONFIG
I had this idea: have standard port no. 22 for trusted
LAN and a non-standard port for untrusted WAN (e.g
Internet). I read the man documentation and I changed
/etc/ssh/sshd_config by adding these three lines:
# additional SSH port
Port xyz
ListenAddress aa.bb.cc.dd
...where aa.bb.cc.dd is a LAN IP
> SAVE THE FILE AND FIND THE PID FOR SSHD:
> !! NOTE !!
> DO NOT use "pkill -HUP sshd" or you WILL knock
> yourself off the box.
pkill didn't work on my pfSense. I had to use:
$kill -s HUP xxxxx
Next step I have to do is to add an entry in Firewall
Rules & NAT. Note that I haven't checked if it works
yet!
The main problem I've seen while I was trying this
customization on the pfSense test machine is that
sshd_config loses changes on next reboot. What I have
to modify to make those changes permanent?
> ADDITIONAL NOTES:
> If ssh is enabled on the WAN (NOT AT ALL
> recommended !!!)
An additional access to the pfSense machine from WAN
poses a security risk, especially if not well
configured, but I've the need to have an additional
way to manage the pfSense machine even if all PCs in
network are shutdown.
> use keys.
Do you mean the following lines in sshd_config?
# from /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
In this case the problem seems to be these settings
are inherited by the ssh LAN port, too. It would be
useful to have two config files, so ssh LAN port
accepts both password & public key, whilst ssh WAN
port accepts public key only. But the main trouble is
to find out how to make changes permanent in
sshd_config on next reboot.
Thank you for your support!
___________________________________
L'email della prossima generazione? Puoi averla con la nuova Yahoo! Mail:
http://it.docs.yahoo.com/nowyoucan.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]