[ubuntu-uk] SSH question

Tom Bamford tom at entrepreneuria.co.uk
Sat Jan 12 14:33:42 GMT 2008


Alan Pope wrote:
> On Sat, Jan 12, 2008 at 12:56:30PM +0000, Stephen Garton wrote:
>   
>> Hi Al,
>>
>> On 12/01/2008, Alan Pope <alan at popey.com> wrote:
>>     
>>> On Sat, Jan 12, 2008 at 09:13:56AM +0000, Stephen Garton wrote:
>>>       
>>>> On a box at home, I have ssh running on a non-specific high numbered
>>>> port. Is it possible to also have it (ssh) listen on port 22, but
>>>> limit it to computers on the local network?
>>>>
>>>>         
>>> Why also have it on 22? Why not just edit ~/.ssh/config and add a line like
>>> this:-
>>>
>>> Host box
>>>  Port 2222
>>>
>>> (or whatever the hostname and port number is)
>>>
>>>       
>> I do/did. When I had (continuing your example) Port 2222 on its own
>> in /etc/ssh/sshd_config (please let me know if this is not the one I
>> should be using, as it is the one I have stored in my notes that are a
>> year or two old on how to use ssh!) Tomboy reported it couldn't
>> contact the host.
>>
>>     
>
> I am talking about the client not the server. Put that line in ~/.ssh/config 
> on the _client_ and that tells it what port the server uses.
>
>   
>>>> The reason for asking is that I'd like to do things like synchronise
>>>> my tomboy notes over ssh, but there is nowhere in tomboy (that I can
>>>> find) to configure the port for the add-in.
>>>>
>>>>         
>>> I do the above for exactly this reason.
>>>
>>>       
>> Sorry, I think I'm lost. Will tomboy sync over ssh when a non-standard
>> port is used?
>>
>>     
>
> Yes. On my server I have /etc/ssh/sshd_config set to 2222, on my client I 
> have ~/.ssh/config set to tell my client what port the server is on. Job 
> done. It works.
>
> Cheers,
> Al.
>
>   

I don't bother changing the server port for sshd, it's security through 
obscurity. The crackers who only look for your server on port 22 are 
more of a nuisance than anything else, there's no way they'll get in 
unless you have a seriously crap password. If someone puts more effort 
into it they'll find your server no matter what port it's on, and it's 
them you'll have to worry about. You could also just disable password 
authentication and set yourself up with key-based access to your boxes.

I also use FreeNX for remote access to Gnome desktops which doesn't yet 
work properly when you use a different port and block password 
authentication. So I just use Denyhosts to block clients that fail 
authentication, 1 try for the root account and 3 tries for any other 
account. They get blocked almost instantly using /etc/hosts.deny and I 
get emailed with their IP and hostname.

Regards,
Tom
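The blocking rule Tom describes (one failed try for root, three for any other account, then an entry in /etc/hosts.deny) as an added, stand-alone Python example; this is not Denyhosts' own code and the auth.log lines and IP addresses it parses are constructed samples in the usual syslog format.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in auth.log format (not taken from the thread).
SAMPLE_AUTH_LOG = """\
Jan 12 14:01:02 box sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 14:01:05 box sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Jan 12 14:01:06 box sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 12 14:01:09 box sshd[1237]: Failed password for tom from 192.0.2.10 port 55000 ssh2
Jan 12 14:01:10 box sshd[1238]: Failed password for tom from 192.0.2.10 port 55001 ssh2
Jan 12 14:01:12 box sshd[1239]: Failed password for tom from 192.0.2.10 port 55002 ssh2
Jan 12 14:02:00 box sshd[1240]: Accepted publickey for tom from 192.0.2.99 port 56000 ssh2
"""

# Matches both "Failed password for tom from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

ROOT_LIMIT = 1   # one failed login as root is enough
OTHER_LIMIT = 3  # three failures for any other account


def failed_attempts(log_text):
    """Return {ip: {user: count}} built from every 'Failed password' line."""
    attempts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]][m["user"]] += 1
    return attempts


def hosts_to_block(log_text, root_limit=ROOT_LIMIT, other_limit=OTHER_LIMIT):
    """Return the sorted list of source IPs that hit either threshold."""
    blocked = []
    for ip, per_user in failed_attempts(log_text).items():
        root_fails = per_user.get("root", 0)
        total_fails = sum(per_user.values())
        if root_fails >= root_limit or total_fails >= other_limit:
            blocked.append(ip)
    return sorted(blocked)


def hosts_deny_lines(ips):
    """Render the entries that would be appended to /etc/hosts.deny for sshd."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    print("\n".join(hosts_deny_lines(hosts_to_block(SAMPLE_AUTH_LOG))))
```

With the sample log, the root guesser is blocked after a single attempt, the host with two failures against "admin" stays under the limit, and the successful public-key login is never counted.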
