Changes

1,749 bytes added ,  16:42, 11 April 2007
m
Line 6: Line 6:     
Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x!
 
Based on: [http://no.longer.valid/phpwiki/index.php/Changing%20the%20default%20ssh%20port Changing the default ssh port] written by cc_skavenger. Use his howto if you are running SME 5.6 - 6.x!
 +
 +
[[#Procedure:_SME_7.1.3|Updated 4/11/07 for SME 7.1.3 (possibly 7.1.x?)]]
       
=== Introduction ===
 
=== Introduction ===
   −
In order to change the default port used by the sshd server you must change two configuration files on the SME server:
+
In order to change the default port used by the sshd server in SME 7.0 you must change two configuration files on the SME server:
    
*1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
 
*1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
 
*2. you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
 
*2. you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
 +
 +
As of SME 7.1.3 (and possibly from 7.1 onwards?) you can change this port completely by modifying configuration database entries (there is no longer an need to create a custom template).
 +
    
SME 7 keeps the firewall information in the 'configuration' database instead of in the 'masq' templates as was done on 5.6 - 6.0x; this howto demonstrates
 
SME 7 keeps the firewall information in the 'configuration' database instead of in the 'masq' templates as was done on 5.6 - 6.0x; this howto demonstrates
   −
*1. how to use a custom template fragment to modify sshd_config
+
*1. how to use a custom template fragment to modify sshd_config (Does not apply to SME 7.1.3)
 
*2. how to change the configuration database to open the desired non-standard port for your sshd server
 
*2. how to change the configuration database to open the desired non-standard port for your sshd server
 
*3. how to use 'expand-template' to re-generate the new sshd_config and masq files
 
*3. how to use 'expand-template' to re-generate the new sshd_config and masq files
 
*4. how to force the sshd and firewall services to recognize the new configurations
 
*4. how to force the sshd and firewall services to recognize the new configurations
   −
=== Procedure ===
+
I have inserted the procedure for SME 7.1.3 at below, and left the old procedure in place for anyone still running 7.0
 +
 
 +
=== Procedure: SME 7.1.3 ===
 +
====  Summary Version: ====
 +
 
 +
config setprop sshd TCPPort <newport>
 +
signal-event remoteaccess-update
 +
/etc/init.d/sshd restart
 +
See [[#Conclusions|Conclusions]]
 +
 
 +
==== Annotated Version (same as "Summary Version", but with eplanations & verification) ====
 +
 
 +
* Check, then modify the TCPPort setting for sshd
 +
config getprop sshd TCPPort
 +
(should return '22')
 +
 
 +
config setprop sshd TCPPort <newport>
 +
config getprop sshd TCPPort
 +
(should now return <newport>)
 +
 
 +
* Regenerate the firewall rules and sshd configuration
 +
signal-event remoteaccess-update
 +
(this modifies the firewall rules to allow inbound traffic on <newport> and recreates /etc/ssh/sshd_config)
 +
 
 +
* Check that sshd_config was updated and restart sshd
 +
grep Port /etc/ssh/sshd_config
 +
(should return 'Port <newport>')
 +
 +
/etc/init.d/sshd restart
 +
(restart sshd, causing it to recognize the new values in /etc/ssh/sshd_config)
 +
 
 +
Note that any existing connection will remain unaffected, so that you *can* safely execute this procedure remotely.  If you do change the sshd port remotely, be sure to open a connection on <newport> before you disconnect your existing session!
 +
 
 +
Please read the [[#Conclusions|Conclusions]] section below for important security information.  SSH should NOT be open for password access from the Internet!
 +
 
 +
=== Procedure: SME 7.0 ===
    
*Modify the firewall and sshd settings to allow inbound traffic on the new port (only the 2nd command is required, the first and third commands are included only to allow you to verify that the database was updated properly).
 
*Modify the firewall and sshd settings to allow inbound traffic on the new port (only the 2nd command is required, the first and third commands are included only to allow you to verify that the database was updated properly).
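Review bot: the verification step `grep Port /etc/ssh/sshd_config` in the new annotated version is a substring match, so it can return more than the single `Port <newport>` line the text says to expect; anchoring the pattern as `grep '^Port' /etc/ssh/sshd_config` would make the check match only the listen-port directive and keep the "(should return 'Port <newport>')" claim accurate. The updated introduction list is also only half-adjusted: item 1 is marked "(Does not apply to SME 7.1.3)", but item 3 ("how to use 'expand-template' to re-generate the new sshd_config and masq files") is likewise replaced in the 7.1.3 procedure by `signal-event remoteaccess-update`, which the annotated version itself says "recreates /etc/ssh/sshd_config"; either mark item 3 the same way or split the list per version. Finally, two typos in the added lines: "there is no longer an need" should read "a need", and "eplanations" in the heading should read "explanations".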
Line 58: Line 98:  
Be sure to test your modifications before you have to rely on them! Make sure you can connect to your server using the new port value from both inside and outside of your network.
 
Be sure to test your modifications before you have to rely on them! Make sure you can connect to your server using the new port value from both inside and outside of your network.
   −
=== Conslusions ===
+
=== Conclusions ===
    
This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
 
This Howto was developed in response to the recommendations in this article at [http://isc.sans.org/diary.php?storyid=846 isc.sans.org]. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
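Review bot: the heading rename from "Conslusions" to "Conclusions" is what makes the two `[[#Conclusions|Conclusions]]` links added in the previous hunk resolve, so the two changes must land together; any existing link to the misspelled `#Conslusions` anchor will stop resolving after this edit. The unchanged "Be sure to test your modifications before you have to rely on them!" paragraph now follows only the SME 7.0 procedure, while the new 7.1.3 section carries its own caution about opening a connection on <newport> before disconnecting; consider referencing this paragraph from the 7.1.3 section as well so both procedures end with the same test-from-inside-and-outside step.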
