running sshd on a different port
- 01-07-2011 #1
Hi,
I have two different networks, A and B and need to be able to connect from A to B over the open internet.
A is behind a firewall, B is behind a different firewall.
In my first attempt I configured the router at B to forward port 22 to a particular machine running sshd on port 22. I was then able to ssh from A to the machine on B.
Recently I have noticed an increased level of traffic hitting port 22 on the B router, so I decided to move the ssh service to a different, random port.
I reconfigured the router and sshd, and was able to ssh from the open internet to B, but I could not ssh from firewalled network A to B. The log from the router at B shows the incoming traffic on the correct port, but my ssh client doesn't give me a login prompt.
How does sshd respond to an incoming request? Does it answer on port 22, or on the port the request comes in on? If it answers on the port that it is running on, then that port is blocked by firewall A just now, and I wouldn't hear back from the server? Is there a way around this?
Thanks,
Jeff
- 01-07-2011 #2
> If it answers on the port that it is running on, then that port is blocked by firewall A just now, and I wouldn't hear back from the server? Is there a way around this?

SSH answers on the port it was set up to listen on. So say you set up SSH to listen on port 2200:
Requests from A would have sport:3489 (random port here) dport:2200
Returns from B would have sport:2200 dport:3489
If your firewall is session based and you allow port 2200 out, then the return traffic should be able to pass as this is an ESTABLISHED connection.
If A is hitting the firewall at B and being allowed to pass (you have to check the logs), then the responses coming back should be allowed to pass the firewall at A as they should be coming back on the same port that the request went out on.
- 01-07-2011 #3
Thanks for explaining that. Sounds like the firewall/proxy server that I'm working behind is not session based. I expect it's allowing incoming packets on port 22, but not on the random port I've chosen.
Is there a way to get sshd to answer on port 22, i.e.:
on A: ssh hydrogen:34567 (firewall allows any outgoing, so this gets out)
on B: sshd running on 34567 and firewall allows incoming on 34567, so packet arrives, but sshd responds on port 22.
on A: firewall on A allows incoming on port 22, but not 34567, so response on port 22 gets through.
perhaps I could just let sshd do its thing, but get the firewall at B to move outgoing WAN packets on 34567 to outgoing WAN packets on 22?
Regards,
Jeff.
- 01-07-2011 #4
Let me understand:
A and B are behind the same GW?
If yes, you can only use different Ports let's say
ssh GWIP -p 22
ssh GWIP -p 122
If you want to forward now internally, you need to have a GW Router supporting portmapping
Br,
- 01-08-2011 #5
This could be, and in that case you either change the firewall to be session based or configure servB SSHD to listen on port 22.
> Is there a way to get sshd to answer on port 22, i.e.:
> on A: ssh hydrogen:34567 (firewall allows any outgoing, so this gets out)
> on B: sshd running on 34567 and firewall allows incoming on 34567, so packet arrives, but sshd responds on port 22.
No, SSHD answers with the port it is listening on.
> on A: firewall on A allows incoming on port 22, but not 34567, so response on port 22 gets through.
See above.
> perhaps I could just let sshd do its thing, but get the firewall at B to move outgoing WAN packets on 34567 to outgoing WAN packets on 22?
Not going to work, as SSH is looking for the answers to come back on the port it sent out the request on.
Another thing you could do is set up ServB SSHD to listen on port 22 as normal. Then install fail2ban to block failed connections.
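A small model of what posts #2 and #5 describe, added here as an illustration and not taken from the thread: a session-based firewall at A admits the sshd reply on any listening port because it matches the tracked outbound connection, a port-only filter admits only replies from port 22, and rewriting the reply's source port to 22 at B gets a packet past A but the client's TCP stack no longer recognises it. Addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def reverse(pkt):
    """The 4-tuple a reply to pkt must carry (addresses and ports swapped)."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

class StatefulFirewall:
    """Session-based firewall at A: remembers outbound connections and admits
    inbound packets only when they belong to a tracked (ESTABLISHED) session."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add(pkt)
        return True                      # A allows any outgoing traffic
    def inbound(self, pkt):
        return reverse(pkt) in self.sessions

class StatelessFirewall:
    """Port-based filter at A: inbound allowed only from remote port 22,
    with no memory of what was sent out."""
    def outbound(self, pkt):
        return True
    def inbound(self, pkt):
        return pkt.sport == 22

CLIENT, SERVER = "10.0.0.5", "203.0.113.7"   # constructed addresses for A and B

def ssh_connect(fw, server_port, client_port=3489, reply_sport=None):
    """Client at A opens a connection to sshd at B on server_port and the
    server replies. reply_sport overrides the reply's source port to model a
    router at B rewriting it (post #3's idea).
    Returns (reply passed firewall A, reply accepted by the client)."""
    request = Packet(CLIENT, client_port, SERVER, server_port)
    fw.outbound(request)
    reply = Packet(SERVER, reply_sport or server_port, CLIENT, client_port)
    passed = fw.inbound(reply)
    # TCP matches a segment to a socket by the full 4-tuple; a reply that
    # does not mirror the request is not part of this connection.
    accepted = passed and reply == reverse(request)
    return passed, accepted
```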