How do I specify the source port in the ssh client?
- 08-24-2011 #1
Hi all,
I have an ssh server on FreeBSD, and on the firewall I have this rule:
Code:
block all in
pass in log proto tcp from any port 3333 to port 1000
When I check the firewall with hping, it looks OK:
Code:
# hping -c 1 -S 192.168.43.128 -p 1000
HPING 192.168.43.128 (vmnet8 192.168.43.128): S set, 40 headers + 0 data bytes
--- 192.168.43.128 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
#
Code:
# hping -c 1 -S 192.168.43.128 -p 1000 -s 3333
HPING 192.168.43.128 (vmnet8 192.168.43.128): S set, 40 headers + 0 data bytes
len=44 ip=192.168.43.128 ttl=64 id=32548 sport=1000 flags=SA seq=0 win=16384 rtt=1.7 ms
--- 192.168.43.128 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.7/1.7/1.7 ms
#
But I tried on my Debian computer to connect using:
Code:
ssh -D 3333 192.168.43.128 -p 1000
and the source port is chosen randomly. Is there another way?
- 08-25-2011 #2
- 08-26-2011 #3
Question: Why do you want to limit the source port? Is there a good reason for this?
- 08-26-2011 #4
Thank you guys for the reply.
@ unspawn: The port will still be chosen randomly. Maybe this picture will explain:

@ Lazydog: There are zombie networks that are used to scan a wide range of IP addresses. If they detect an SSH server, many computers will try to brute force that server and they will not stop for a long time. I just want to make the SSH server invisible to the random scans, since I don't have a static IP.
- 08-29-2011 #5
> @ Lazydog: There are zombie networks that are used to scan a wide range of IP addresses. If they detect an SSH server, many computers will try to brute force that server and they will not stop for a long time. I just want to make the SSH server invisible to the random scans, since I don't have a static IP.
Forcing a source port will not stop this either. The attacker could get lucky and his system use the same source port. What you need to be looking at is SSH keys and Fail2ban.
With SSH keys there is no password, unless you lock your key with a password (which is what I do here), and no one can log in without the correct key.
Fail2ban you can set up to block incoming attacks when X amount of failed login attempts are made.
If you are really worried about someone hacking your system then the above combination would be your best bet.
- 08-29-2011 #6
@ lazydog: Thank you for this great information. I'm really not afraid that someone succeeds in logging in to the system, but I'm afraid of losing lots of bandwidth because of those huge networks. I managed to solve this problem via ncat (which comes with nmap):
Code:
# listen locally on 2222; each accepted connection is relayed to the server's
# port 1000 with source port 3333, which is what the pf rule above admits
ncat -l 2222 --sh-exec "ncat 192.168.43.128 1000 -p 3333"
The connection will be redirected to the host with the source port that I want:
Code:
ssh root@localhost -p 2222
Thank you all for the help.
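The relay above works because ncat's -p pins the local port before it connects, something the ssh client itself has no option for (its -p is the destination port and -D opens a SOCKS forward). The following is an added example, not code from this thread, that performs the same operation at the socket level in Python against a local stand-in listener so it runs offline: the 192.168.43.128:1000 target and source port 3333 are the thread's, while the loopback listener, the helper names and the choice of a free port for the demo are assumptions. It also shows the limit a pinned source port brings: a TCP 4-tuple must be unique, so only one live connection per destination fits through the rule at a time.

```python
import socket


def connect_from_port(host, port, source_port, bind_addr="0.0.0.0", timeout=5.0):
    """Open a TCP connection to host:port from a fixed local source port.

    This is the socket-level equivalent of `hping -s` / `ncat -p`: bind() the
    local end before connect(). Returns the connected socket; raises OSError
    if the source port cannot be used (typically EADDRINUSE at bind() or
    EADDRNOTAVAIL at connect(), depending on the OS).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR lets bind() succeed while an earlier connection from this
    # port is still in TIME_WAIT; whether connect() to the very same
    # destination then succeeds is OS-dependent, so reconnects may need a pause.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout)
    try:
        s.bind((bind_addr, source_port))   # pin the source port ...
        s.connect((host, port))            # ... then complete the handshake
    except OSError:
        s.close()
        raise
    return s


def _free_port(avoid=()):
    """Ask the kernel for an unused TCP port (demo helper; the thread pins 3333)."""
    while True:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 0))
            candidate = s.getsockname()[1]
        if candidate not in avoid:
            return candidate


def demo_fixed_source_port(source_port=None):
    """Run a local stand-in for the firewalled host and report what it sees.

    Returns {"requested": chosen source port, "observed": source port the
    server-side accept() reported, "second_refused": whether a second
    concurrent connection from the same source port was refused}.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))     # stands in for 192.168.43.128:1000
    listener.listen(1)
    host, port = listener.getsockname()
    if source_port is None:
        source_port = _free_port(avoid={port})
    client = connect_from_port(host, port, source_port)
    conn, peer = listener.accept()      # peer == (client address, client source port)
    # A TCP 4-tuple must be unique, so a second connection from the same source
    # port to the same destination cannot coexist with the first. This is the
    # practical limit of a pinned source port: one live session per server.
    try:
        connect_from_port(host, port, source_port).close()
        second_refused = False
    except OSError:
        second_refused = True
    for s in (conn, client, listener):
        s.close()
    return {"requested": source_port, "observed": peer[1], "second_refused": second_refused}


if __name__ == "__main__":
    print(demo_fixed_source_port())
```

OpenSSH can run the relay per connection instead of through a local listener with ProxyCommand, for example -o ProxyCommand='ncat -p 3333 %h %p' together with -p 1000, which is the same ncat call without the second listening ncat. Either way, a NAT device between client and server may rewrite the source port and defeat the rule, and a second session to the same server has to wait for the first one to close.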
- 08-29-2011 #7
Please enlighten me on how this is going to protect your bandwidth?
Are you talking about protecting it from the inside or the outside?
- 08-29-2011 #8
These networks are huge; if they detect an open SSH/FTP server, they will start brute forcing these services. They will not succeed in logging in, but they would cost me lots of bandwidth for nothing. Instead of fighting these machines, I think it would be better not to attract them in the first place.
- 08-30-2011 #9
So we are talking external then. OK, you are going about this sdrawkcabssa. If you are really worried about SSH then change the port it listens on from 22 to something in the high range, 1025+. It really doesn't help you at all to stop someone from blasting your system by making a source port the only one accepted. An attacker could get lucky and just happen to use that port. Now what? Your system is once again open to him. You are giving yourself a false sense of security. Once you are figured out it is game on for the hackers. The above is a much better angle from which to stop the attackers. Even if they figure you out, after X amount of failed logins they are blocked by Fail2ban.
Anyone can still fill up your bandwidth with an attack on port 1. Your firewall still needs to process the packets it receives before dropping them.
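The "blocked after X failed logins" behaviour the reply above relies on is what fail2ban's sshd jail implements with its maxretry and findtime settings. As an added example (not fail2ban's code and not from this thread), the following Python runs that sliding-window count over a few constructed sshd log lines; the hostname, PIDs and the 203.0.113.x / 198.51.100.x documentation addresses are made up, and the year is assumed since syslog timestamps carry none. It shows that three failures from one address inside the window trigger a ban, while a source that spreads its attempts over more than the window does not, and that successful logins do not count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (syslog format) for the demo; the host, PIDs and the
# documentation-range addresses are made up. 203.0.113.7 hammers the server,
# 198.51.100.9 is a legitimate key user who also fumbles a password now and then.
SAMPLE_LOG = """\
Aug 29 10:00:01 bsdhost sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Aug 29 10:00:03 bsdhost sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Aug 29 10:00:04 bsdhost sshd[1003]: Failed password for root from 203.0.113.7 port 50125 ssh2
Aug 29 10:00:06 bsdhost sshd[1004]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2
Aug 29 10:00:07 bsdhost sshd[1005]: Failed password for root from 198.51.100.9 port 40001 ssh2
Aug 29 10:00:08 bsdhost sshd[1006]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Aug 29 10:20:00 bsdhost sshd[1007]: Failed password for root from 198.51.100.9 port 40002 ssh2
Aug 29 10:20:01 bsdhost sshd[1008]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

# Matches the failed-login lines sshd writes; "Accepted ..." lines deliberately do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_ts(stamp, year=2011):
    """Syslog timestamps carry no year; assume one (the thread's) for the demo."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Apply the fail2ban-style rule: ban an IP once it accumulates `maxretry`
    failed logins within any `findtime` window. Returns {ip: time of ban}.

    Once banned, later lines from that IP are ignored (fail2ban would have
    inserted a firewall rule by then, so those packets would not reach sshd).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines do not count
        ip, ts = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # slide the window: old failures expire
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%b %d %H:%M:%S}")
```

Note the limit the reply points at: the ban only fires after the first maxretry attempts have already been served, so it caps the bandwidth spent per source rather than removing it, and a scanner that only probes the port without attempting a login is never counted.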



