Is it possible to change the incoming, but not outgoing SSH port in OS X Yosemite? - ssh

I SSH into my workstation, which is a mac running OS X Yosemite, daily. Unfortunately, I noticed a while back that enabling remote login into my machine has put it under the fire of many automated dictionary attacks trying to log in using the default port, 22.
To make my machine more secure, I changed the SSH port. To do so, I edited the /etc/services file, and changed the following two lines:
ssh 2123/udp # SSH Remote Login Protocol
ssh 2123/tcp # SSH Remote Login Protocol
That greatly reduced the number of dictionary attacks, but now when I try to SSH from my workstation to other machines, I always need to specify the port (which is usually port 22).
This is easy enough for most simple tasks, just specify the port when SSHing in:
ssh -p22 me@another.computer.com
It becomes a pain for more complicated tasks where specifying the port is not an option, but it can still be done by adding an entry in ~/.ssh/config:
Host github.com
Hostname ssh.github.com
Port 443
Between these two options, I could always connect to any machine I wanted to connect to. However, I'm now writing a script that will connect to machines that will have different IP addresses (and domain names), and there is no optional argument to specify the port number.
I have also been getting frustrated that it does not default to port 22 for outgoing connections, but I do not want to change my incoming port back to 22.
Is it possible to change the incoming SSH port, but still have the default outgoing SSH port? That is, can I only allow people to login to my workstation using port 2123, but when I try connecting to other machines, the default port it tries to use is port 22?
I'm running OS X 10.10.2 Yosemite.

Change the ssh port back in `/etc/services` - that sets the defined port for the ssh protocol.
Then change the port that sshd listens on. On OS-X this is more complicated than it need be. See https://serverfault.com/questions/18761/how-to-change-sshd-port-on-mac-os-x

Related

How to fix ngrok forwarding port?

I am ssh-ing onto a remote desktop. Since I have to connect over the internet, I have exposed the ssh port (22) on the remote side using ngrok, and everything is working great. I connect to the desktop using the command
ssh username@2.tcp.ngrok.io -p portno
where I get the portno from the remote side, when I start the ngrok service from the line that says
Forwarding tcp://2.tcp.ngrok.io:portno -> localhost:22
However, every time I start a new ngrok session on the remote side, a new portno is generated. Now, unless I have a secondary connection open (typically using teamviewer), I would not be able to know what that port number is.
How can I start the ngrok service with a fixed portno? This is because I want to have the ngrok service on startup as I would have to restart my remote desktop a couple of times and still want to connect to the desktop using ssh.
Thanks.
You'll need to reserve a TCP address on ngrok, which will give you a fixed address.
To associate a tunnel with a reserved TCP address, you should include the remote-addr option in your ngrok config when starting the tunnel.
An example from the docs: ngrok tcp --region=us --remote-addr 1.tcp.ngrok.io:20301 22

Forward server HTTP traffic to handle in another device via SSH Tunnel

I'm developing a webhook that requires direct access from a public domain to an internal machine. I'm thinking of using an SSH tunnel to forward the data, or is there an alternative solution?
Hosting server & development machine are in same network
192.168.1.2/24 (Hosting server)
2nd machine is virtual mapping using forticlient firewall without static or dynamic IP in visible in hosting server, so is 1 way initial communication right now.
In this case, is it possible to set up an SSH tunnel to forward all traffic from 192.168.1.2:80 to be handled on port 8080 of the development machine?
What would the ssh syntax look like?
Thanks.
This could be done by setting up an SSH tunnel to the remote machine:
ssh -L localhost:80:localhost:8080 development-system
Every request to port 80 on the hosting-server is now forwarded to port 8080 on the development-system.
Please note that port 80 on the hosting-server can only be used when you start the SSH command as root. Also note that port 80 is only accessible from the hosting-server. To access port 80 on the hosting-server from everywhere, use the following:
ssh -g -L 80:localhost:8080 development-system
Be sure that you want that.
A good introduction to the topic could be found at
https://www.ssh.com/ssh/tunneling/example
https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot
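How the ssh client decides which address a `-L` listener binds to, following the bind_address rules in ssh(1), written as an added example that is not part of the original answer. The function names and the sample specs are assumptions made for illustration; `gateway_ports` stands for the client's GatewayPorts setting (the `-g` flag).

```python
# Added example: where does an OpenSSH client "-L" listener bind?
# Rules follow ssh(1); the sample specs at the bottom are constructed.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
WILDCARD = {"", "*", "0.0.0.0", "::"}   # empty or "*" per ssh(1); ANY addresses

def split_fields(spec):
    """Split on ':' outside [brackets]; the brackets (IPv6) are dropped."""
    fields, cur, in_brackets = [], [], False
    for ch in spec:
        if ch == "[" and not in_brackets:
            in_brackets = True
        elif ch == "]" and in_brackets:
            in_brackets = False
        elif ch == ":" and not in_brackets:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def listener_scope(spec, gateway_ports=False):
    """Classify '[bind_address:]port:host:hostport' (gateway_ports is -g)."""
    fields = split_fields(spec)
    if len(fields) not in (3, 4):
        raise ValueError(f"not a -L forwarding spec: {spec!r}")
    bind = fields[0] if len(fields) == 4 else None   # None: field absent
    port = int(fields[-3])
    if not 0 < port < 65536:
        raise ValueError(f"bad listen port in {spec!r}")
    if bind is None:                      # no bind address: GatewayPorts decides
        scope = "all-interfaces" if gateway_ports else "loopback"
    elif bind in WILDCARD:
        scope = "all-interfaces"
    elif bind.lower() in LOOPBACK:
        scope = "loopback"
    else:
        scope = "address:" + bind         # one specific local address
    return {"listen_port": port, "scope": scope,
            "privileged_port": port < 1024,          # traditional Unix rule
            "target": f"{fields[-2]}:{fields[-1]}"}

if __name__ == "__main__":
    for spec, g in [("localhost:80:localhost:8080", False),
                    ("80:localhost:8080", False), ("80:localhost:8080", True),
                    ("*:8080:localhost:8080", False)]:
        print(spec, "-g" if g else "", listener_scope(spec, g))
```

Running the same classification over the forwards in a shell history or a config file shows which tunnels are reachable from other hosts on the network.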

Static IP, PI. raspbian jessie

Okay, here's the situation I am in. I have a Raspberry Pi 2 model B. I have Raspbian Jessie installed as the OS. I have Apache installed as well. I have a web server running and I am able to edit it and access the site from different devices on different internet connections. I want to be able to connect to my RaspPi through SSH on my MacBook Pro. I am able to do this while on the same network. My Pi is plugged into the router via an Ethernet. What I have tried is, logging into my router and reserving an IP for my Pi, I also entered my MAC address here. I have gone into the port forwarding options in my router and have it set up as: HTTP, TCP, Server address (the one I reserved) my IPv6, and Start port 80, end port 80. On top of that I have gone into my /etc/dhcpcd.conf file. There at the end of the file I added
interface eth0
static ip_address=10.0.0.100
static routers=10.0.0.1
static domain_name_servers=68.44.180.118 2001:558:feed::1 2001:558:feed::2
The guide I followed is attached here and follows other guides I have seen.
http://www.circuitbasics.com/how-to-set-up-a-static-ip-on-the-raspberry-pi/
Yet when I try to SSH remotely I cannot get a connection, and when I connect on the same internet I can connect as normal. Please if anybody sees what could help.
Your router's firewall is probably blocking the ports for SSH, which does not use port 80 (in Raspbian, I think its default is port 22). If you are going to take the risk of leaving your SSH open to the public, you should probably switch it to a different port other than the default before opening up a port on your firewall. The Raspbian Community has a thread on how to properly change SSH's default server port. You'll also need to make sure your SSH client is using the same port. You will need to leave 80 open for web, and also forward the SSH port, whichever you choose that to be (22 is the default).

Xming how to disable listening on network interfaces?

I've searched and searched, but I can see no option to restrict Xming from listening on all my network interfaces.
I'd like to set Xming to listen ONLY for X11 forwarding via SSH tunneling.
Is it possible?
Refer to the description of the Xn.hosts file on this page.
The file X0.hosts, which you will find in the Xming installation directory, defines which hosts it will allow connections from. The default is only to allow connections from the local host (assuming you did not override it further using the xhost program).
This restricts the hosts which it will allow connections from, but AFAIK won't actually stop it from listening on all the interfaces.
Note that X11 forwarding over ssh requires that the X server on the local machine is listening on the loopback adapter at least. After all the ssh client will have to establish a connection to the X server somehow.
This might also be interesting.

SSH to server behind firewall

I am currently trying to work out how to SSH to servers behind firewalls that deny all incoming connections. The servers can SSH out, so I am wondering if there is a way to get the server behind the firewall to create an SSH tunnel to my workstation, then allow my workstation to send commands back to the server through it?
I have looked into tunneling / reverse tunneling, but these appear to be port forwarding solutions, which will not work as the firewall denies all connections on all ports.
Ideally, I would like to do this in Ruby (using the Net::SSH gem), such that instead of opening a new connection like:
Net::SSH.start('host', 'user', :password => "password")
I could somehow bind to an existing tunnel.
Thanks!
This is fairly simple if you have control over the server. I'll give the command-line version, and you can work that into any framework you like:
server$ ssh -R 9091:localhost:22 client.example.egg
client$ ssh -p 9091 localhost
The server establishes a connection to the client first which starts listening on the "R"emote end (i.e. the client) on port 9091 (something I just made up), and forwards those connections to localhost:22, i.e. to the ssh server on itself.
The client then just needs to connect to its own local port 9091, which is transparently forwarded to the server's ssh server.
This will usually wreak havoc on your public key checking (and adherent security!), because the client's ssh client doesn't know that localhost:9091 is the same as server:22. If your client is PuTTY, then you have an option to provide the "real" server name somewhere so that the credentials can be looked up properly.
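The host key confusion described above, modelled as an added example that is not part of the original answer: it shows which name the OpenSSH client looks up in known_hosts for a connection to localhost:9091, and how the real `HostKeyAlias` option from ssh_config(5) restores the check against the server's own entry. The host names server-a.example and server-b.example, the key strings and the function names are constructed for illustration.

```python
# Added example: the name OpenSSH looks up in known_hosts, and why a reverse
# tunnel on localhost:9091 confuses it. All hosts and keys are constructed.
SSH_DEFAULT_PORT = 22

KNOWN_HOSTS = """\
server-a.example ssh-ed25519 KEY-A-constructed
server-b.example ssh-ed25519 KEY-B-constructed
"""

def parse_known_hosts(text):
    """Map each name of a plain (unhashed) known_hosts line to its keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, key = line.split()[:3]
        for name in names.split(","):
            table.setdefault(name, set()).add((keytype, key))
    return table

def known_hosts_name(host, port=SSH_DEFAULT_PORT, host_key_alias=None):
    """Name used for the lookup: the alias if set, else host or [host]:port."""
    if host_key_alias:
        return host_key_alias
    return host if port == SSH_DEFAULT_PORT else f"[{host}]:{port}"

def verify(table, name, offered, learn=False):
    """Return 'ok', 'unknown' or 'changed' for the key the server offered."""
    if name not in table:
        if learn:                  # what answering "yes" at the prompt does
            table[name] = {offered}
        return "unknown"
    return "ok" if offered in table[name] else "changed"

def tunnel_demo():
    """Port 9091 tunnels to server A first, later to server B."""
    key_a = ("ssh-ed25519", "KEY-A-constructed")
    key_b = ("ssh-ed25519", "KEY-B-constructed")
    table = parse_known_hosts(KNOWN_HOSTS)
    plain = known_hosts_name("localhost", 9091)
    alias = known_hosts_name("localhost", 9091, "server-a.example")
    return {
        "name": plain,
        "first_use": verify(table, plain, key_a, learn=True),
        "other_server_same_port": verify(table, plain, key_b),
        "alias_right_key": verify(table, alias, key_a),
        "alias_wrong_key": verify(table, alias, key_b),
    }

if __name__ == "__main__":
    print(tunnel_demo())
```

With the alias set, a key that does not belong to server-a.example is reported as changed no matter which tunnel port it arrived through, which is the property the plain `[localhost]:9091` entry cannot give.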
Unless you can create (and maintain) a tunnel out from the host you're trying to connect to first (which would allow you then to connect through that tunnel), no you can't. That's the point of a firewall: prevent unauthorised access to a network.
However the firewall shouldn't block a tunnel, although it depends exactly how the tunnel's managed. A port-forwarding tunnel set up using ssh's tunneling features would subvert the firewall. However it may also get you in trouble with the administrator of the remote network.
So ultimately, you'd need to speak to the network administrator to get the firewall rules relaxed in order to do it without needing to tunnel, or at least get authorisation to have a tunnel.