SSH Ports

Not applicable

Hi All -

I don't think this can be done yet, so I suppose this is a feature request. I want to be able to change the default port used by SSH with Casper. Port 22 just seems so...obvious.

If I just missed this setting, could someone please let me know. I know it would be worth repeating for the group.

Thanks !

Wayne Casey

14 REPLIES 14

John_Wetter
Release Candidate Programs Tester

Just curious, but what makes you want to move away from the RFC port number
for ssh? If the password is sufficiently strong, there shouldn't be any
security concerns.

John

Not applicable

If a computer has port 22 open and is exposed on the internet directly you will find attempts to log in at port 22 sooner or later. When it happens it is often via some scripted brute force attempt. Its slows down the computer and fills up the logs to the point that anything valuable is completely lost. So I find it easier to use SSH over some alternative port. Security through obscurity. Its not real security, but it is cheap and easy so why not.

Wayne

lance_ogletree
Contributor
Contributor

Do you utilize SSH for anything other than within the Casper Suite?
You can secure the use of SSH to just the management account to help reduce the chance for a successful dictionary attack.

Also realize that if the machine is accessible to a port scan, the new port for where ssh is being served up on could be revealed as well.

Not applicable

Yes, its not very common to utilize SSH for anything other than Casper, but its a tool I am not giving up. ;-)

At other locations, I've used SSH quite a bit and it can be a very effective tool to have in troubleshooting and assisting users. i appreciate the SACLs too. This makes it very easy to secure the use of SSH.

Some part of the request is a desire to check the box of "Modified SSH ports" in OS hardening checklists. But to be honest I also want to stay out of the way of the script kiddies. No offense to students of any age intended. ;-)

For an example of what I am talking about see:

http://arstechnica.com/security/news/2008/05/strong-passwords-no-panacea-as-ssh-brute-force-attacks-...

To quote the article:
"...recommend running the SSH server on a non-standard high port, though they recognize that this is a "security through obscurity" tactic, and they advocate the use of software capable of parsing log files and noting multiple failed login attempts. These steps, taken in aggregate, should be sufficient to protect an SSH server, even if the number of attacks continues to rise."

Wayne

jarednichols
Honored Contributor

Wouldn't a better solution be to tune IPFW to drop packets to the ssh port unless it's from an allowed subnet? You can certainly use Casper to manage firewall rulesets. IPFW works very quickly and you'll see zero impact to the CPU. Hardening instead of obscurity.

j

safreder
New Contributor

I will soon be in a situation where ssh will be turned off "at the border" of our campus(incoming traffice will not be listed to). How will I be able to contact casper clients that are off campus? If the off campus mac uses a vpn clients, would that allow a secure connection for ssh, or is the vpn client using a totally diffeent port number as well?
SSH on port 22 will be allowed within our campus subnets, so all mac clients on campus will be able to be contacted inside our subnets, but what do you do for those clients that contact the jss through their local cable providers, or use dsl through their phone providers?

Any suggestions? We have several faculty that have a second desktop at home and we monitor those from campus. If we close incoming ssh traffice, how do we communicate with those macs if our network doens't accept their shh traffic?

jarednichols
Honored Contributor

If you're VPNd you'll be fine. You may want to consider a JSS out in the DMZ for over-the-internet direct management.

safreder
New Contributor

When you say, "a JSS out in the DMZ..." Would that mean placing a second JSS on a network, of say, a local cable provider, or on a DSL of a phone provider? Or do you have you a subnet that is out in the open that you manage. I don't think our campus has would want me to do that, but I thought I'd better clarify the answer, so I talk about it intelligently.

Do you or have you operated a JSS in similar situation? If you do, did you put your additional JSS on a subnet that you manage, or with another provider?

Thanks,

Scott

jarednichols
Honored Contributor

DMZs: http://en.wikipedia.org/wiki/DMZ_(computing))
JSS in the DMZ: https://jamfnation.jamfsoftware.com/article.html?id=174

For OPSEC, I'd like to not talk about our infrastructure setup here.

safreder
New Contributor

Understood. I appreaciate the help. Thanks for the links.

--Scott

daguy666
New Contributor II

Sorry to bring this thread back from the dead. But was this feature ever added? I was wondering if it was possible change the port that the JSS can ssh to hosts on. If only to scan my network for that specific port and then see what machines are hosting anything on that specific port. It could help get a grip on what machines have JAMF installed and which don't.

davidacland
Honored Contributor II

Just double-checked, it doesn't look like it.

daguy666
New Contributor II

I am going to put in a feature request.

davidacland
Honored Contributor II

Actually, scrap that, I found the details: https://jamfnation.jamfsoftware.com/featureRequest.html?id=2739

It looks like you just edit your ~/.ssh/config file with Port 23 (or whatever port you want to use. I'm assuming you would also need to edit the port in the /etc/ssh-config file on the target machines.