Date:      Wed, 07 Dec 2016 09:29:33 +0800
From:      Ernie Luzar <luzar722@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Closed port 22 in the jail redirects to the outer system
Message-ID:  <584765FD.6050901@gmail.com>
In-Reply-To: <20161207002440.GA26711@becker.bs.l>
References:  <20161207002440.GA26711@becker.bs.l>

Bertram Scharpf wrote:
> Hi,
> 
> I'm fed up with my log files being polluted by failing SSH
> login attempts. I disabled password authentication totally
> so there's not really a security problem, but it's annoying.
> Using a higher port number does only help for a while.
> 
> All I want to do is to log in myself from remote. Now I
> tried to do the following: A jail runs an HTTP server with
> several subpages. One of them asks for a password and then
> starts an SSH daemon that accepts just one connection and
> closes afterwards. From inside the jail then I can ssh to
> the outer machine.
> 
> But: As long as the SSH daemon inside the jail doesn't run,
> the port 22 request gets caught by the outer system and
> again I get my logfiles polluted.
> 
> How can I make a port 22 request fail if an SSH server is
> running on the outer machine but not inside the jail?
> 
> Thanks in advance.
> 
> Bertram
> 
> 

I think you gave up on using a non-default port number for ssh too 
quickly. I have been using port 8522 for host ssh and have the host 
firewall deny inbound traffic to port 22. Been configured like this 
since release 2.1 and have never had any bogus attempts to login on that 
port all these long years. All port 22 login attempts get dropped by the 
firewall before ssh even knows it has a request resulting in no log 
entries in ssh log or firewall log. Once you're ssh logged into the host 
you can use the jls command to login to any running jail. This is the 
"keep it simple" method.

Since you are the only remote user to know the ssh port number this 
gives you what you want. NO need for the back door approach you're trying 
to use through the http jail server.

You would need a static public ip address allocated to a jail before you 
could be able to remotely ssh into that jail.
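The layout Ernie describes, written out as an added example that is not part of his message nor FreeBSD's shipped configuration: sshd listens on 8522 only, and the host firewall drops inbound port 22 silently so neither sshd nor the firewall log sees the probes. It assumes pf is the host firewall and that the external interface is named em0; both are placeholders to adjust. The two functions emit the sshd_config and pf.conf fragments so they can be reviewed before being installed.

```shell
#!/bin/sh
# Added example (not from the thread): host sshd on a non-default port,
# pf silently dropping port 22 probes. Assumptions: pf as firewall, em0 as
# the external interface; both are placeholders.

SSH_PORT="${SSH_PORT:-8522}"   # the port the reply uses
WAN_IF="${WAN_IF:-em0}"        # assumed interface name, adjust to taste

# sshd_config directives: listen only on the non-default port and, as the
# original poster already did, refuse password authentication.
sshd_port_config() {
    printf 'Port %s\nPasswordAuthentication no\n' "$SSH_PORT"
}

# pf.conf fragment: default deny inbound; port 22 is dropped with no
# 'log' keyword so pflog stays clean; only the chosen port is passed in.
pf_rules() {
    cat <<EOF
ext_if = "$WAN_IF"
ssh_port = "$SSH_PORT"
set skip on lo0
block in on \$ext_if
# Quietly drop port 22 probes: no log entry, no sshd involvement.
block drop in quick on \$ext_if proto tcp to port 22
# Allow only the non-default ssh port from outside.
pass in quick on \$ext_if proto tcp to port \$ssh_port flags S/SA keep state
pass out on \$ext_if keep state
EOF
}

# Sanity check: the chosen port must be unprivileged-range or at least not 22,
# otherwise the pf rule above would drop our own ssh traffic.
port_is_sane() {
    [ "$SSH_PORT" -ne 22 ] 2>/dev/null && [ "$SSH_PORT" -gt 0 ] && [ "$SSH_PORT" -le 65535 ]
}

if port_is_sane; then
    echo "# --- /etc/ssh/sshd_config additions ---"
    sshd_port_config
    echo "# --- /etc/pf.conf additions ---"
    pf_rules
else
    echo "SSH_PORT=$SSH_PORT is not usable with these rules" >&2
fi
```

Check the generated ruleset with `pfctl -nf /etc/pf.conf` before loading it, and test the new sshd port from a second session before closing the old one. Once on the host, `jls` lists running jails and `jexec <jid> /bin/sh` drops into one, which is the "login to any running jail" step from the reply.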



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?584765FD.6050901>