
#1 2015-03-13 16:38:27

joaocandre
Member
Registered: 2013-02-23
Posts: 146

SSH multiple ports?

I'm looking for a way to increase ssh security in my home data server, since it is connected to the internet. Right now I only have two users allowed to SSH into the server, one sudoer for administrative purposes and one chrooted for SFTP use, and both are using ssh RSA keys (password login is disabled).

Is there a way to:

1) Each user only be accessible through a specific port?
2) Disable SFTP protocol for the admin user?

I've thought that it might be possible by running multiple sshd instances, but I doubt that is even possible.


#2 2015-03-13 18:34:11

Raynman
Member
Registered: 2011-10-22
Posts: 1,539

Re: SSH multiple ports?

  1. I think you can make sshd listen on multiple ports, deny all users by default and then override AllowUsers in Match sections using the LocalPort criterion.

  2. Doesn't seem as easy, but it also seems even less useful than (1) if the admin is allowed to run arbitrary commands (not to mention the sudo privileges).

Last edited by Raynman (2015-03-13 18:40:22)
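A single-daemon sshd_config along the lines Raynman describes, added here as an illustration (it is not from the thread or from any poster); the account names admin and sftp, port 2222 and the chroot path are constructed placeholders.

```sshd_config
# Constructed example: one sshd listening on two ports, with each account
# admitted only on its own port (user names, port and path are placeholders).
Port 22
Port 2222

PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

# Deny everyone by default. A Match block can replace the AllowUsers list
# but cannot clear it, so the global list names a pattern no real account matches.
AllowUsers nobody-matches-this

# Everything after a Match line applies only while its criteria hold,
# so all global settings must sit above this point.

# Administrative account: port 22 only.
Match LocalPort 22
    AllowUsers admin

# SFTP-only account: port 2222 only, chrooted, no shell, no forwarding.
# The chroot directory must be owned by root and not group/world writable.
Match LocalPort 2222
    AllowUsers sftp
    ChrootDirectory /srv/sftp
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t -f /path/to/file` before reloading; with this config a key for admin presented on port 2222 is rejected at the AllowUsers check, which is what the first question asks for.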


#3 2015-03-13 18:36:07

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: SSH multiple ports?

Why would running different sshd instances on different ports make your system more secure?

If you want an additional layer of security take a look at OTP's, it's easy enough to set up...
https://wiki.archlinux.org/index.php/Go … henticator



#4 2015-03-14 15:28:24

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: SSH multiple ports?

slithery wrote:

Why would running different sshd instances on different ports make your system more secure?

I'm wondering this myself. You can't make your home more secure by installing a new door.

SSH is very secure if you've changed the port on which the daemon listens, are using twin-key authentication, have disabled password and root logins, and have restricted the privileges of the remote user. Changing the sshd port foils any bots that come along, and changing login conditions and permissions leaves using a local account with a key and a remote account with sudo privileges the only method of modifying the system without physical access to the machine. With all those options set, though, physical access to the machine will be the only way to get access if you accidentally delete the SSH key.


#5 2015-03-14 18:54:38

lothar_m
Member
From: Cyberspace
Registered: 2010-04-25
Posts: 32

Re: SSH multiple ports?

Also keep in mind that several "secure" protocols are known to have been broken (including ssh) by state agencies, at the very least. Whether those exploits are already in the wild, being used by third parties, is not known. Source



#6 2015-03-18 16:44:37

mr.MikyMaus
Member
From: disabled
Registered: 2006-03-31
Posts: 285

Re: SSH multiple ports?

joaocandre wrote:

1) Each user only be accessible through a specific port?

This is called "security by obscurity" and doesn't really help anything. It only introduces more vectors for configuration management errors.

2) Disable SFTP protocol for the admin user?

Same as above: as long as you have root access reachable, it doesn't make sense to disable it in other instances; the attack vector is the same, and if the attacker can break one, he can also break the other.

I've thought that it might be possible by running multiple sshd instances, but I doubt that is even possible.

This is easily possible and quite common. The use case, however, usually isn't security but something practical - like having sshd listen on other well-known ports to fool some firewalls or proxies, or having a backup sshd available when experimenting with the primary one. You can run an ssh daemon as a user as well. This would add something to the security if configured properly.

Last edited by mr.MikyMaus (2015-03-18 16:47:21)



#7 2015-03-25 15:11:23

GI Jack
Member
Registered: 2010-12-29
Posts: 92

Re: SSH multiple ports?

Ahh, security through obscurity; this never works.

Read this:

https://stribika.github.io/2015/01/04/s … shell.html

If you are really paranoid, then disable everything but the NaCl ciphers: chacha, ed, poly.

Use RSA keys instead of logins.

If you're really, really paranoid, then set up a VPN tunnel, and only use SHA56 for HMAC and AES256 for encryption, and turn on packet authentication. Follow the instructions on the wiki:

https://wiki.archlinux.org/index.php/Openvpn

edit: I forgot, after you set up a VPN tunnel, have SSH bind to the VPN IP address, so it would be inaccessible to the outside world.

Last edited by GI Jack (2015-03-26 16:23:26)


#8 2016-06-23 09:15:45

pcgyver
Member
Registered: 2016-06-23
Posts: 2

Re: SSH multiple ports?

# Second sshd unit so the two instances can be managed separately.
# The copy goes under /etc/systemd/system so a package update does not overwrite it.
cp /usr/lib/systemd/system/sshd.service /etc/systemd/system/sshd-trusted.service

# Point the new unit at its own config file (appends -f after the existing "sshd -D").
sed -i 's|^ExecStart=/usr/bin/sshd -D|& -f /etc/ssh-trusted/sshd_config|' \
    /etc/systemd/system/sshd-trusted.service

# Separate config directory; copying the host keys keeps the same fingerprint on both ports.
mkdir /etc/ssh-trusted
cp /etc/ssh/* /etc/ssh-trusted/

# Change what you need: at minimum a different Port (and PidFile) so it does not clash with the primary sshd.
nano /etc/ssh-trusted/sshd_config
sshd -t -f /etc/ssh-trusted/sshd_config    # syntax check before starting
systemctl daemon-reload
systemctl enable sshd-trusted.service
systemctl start sshd-trusted.service

Last edited by pcgyver (2016-06-23 09:16:57)


#9 2016-06-23 11:36:48

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: SSH multiple ports?

GI Jack wrote:

If you're really, really paranoid, then set up a VPN tunnel, and only use SHA56 for HMAC and AES256 for encryption, and turn on packet authentication. Follow the instructions on the wiki

This is the setup that I use though it's more for simplicity of admin. As long as I make sure my VPN is secure and everything else is firewalled I don't need to worry about what other services are doing.



#10 2016-06-23 13:11:21

pcgyver
Member
Registered: 2016-06-23
Posts: 2

Re: SSH multiple ports?

I'm using two configurations:
One accessible on a high port number from any IP, but with Authy Token two-factor auth for connecting from a mobile phone.
The second accessible only from my static office IP, without Authy.
OpenVPN in many locations calls into our office OpenVPN server and I have access by OpenVPN. But sometimes the office is offline and I need access to the servers from outside.

