The Community Forums

Interact with an entire community of cPanel & WHM users!

Two ssh ports ?

Discussion in 'General Discussion' started by Julien PHAM, Jul 17, 2009.

  1. Julien PHAM

    Julien PHAM Active Member

    Joined:
    Jul 9, 2009
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    Is there a way to allow two different ports to run ssh?
    My goal would be to have one port open with password authentication set to yes, and I will restrict the access to my ISP so it can connect to my server, and another port I'll use myself with password auth set to no, so I'll use a private key to connect.

    So it leads to a second question: is it possible in cpanel to have two ssh ports, and to have one with password auth set to yes, and another set to no? In the cpanel interface I have seen just the possibility to enable or disable password auth.

    Thanks
     
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Is it possible? Yes!

    Would you want to? No!

    What is the point of closing off password logins in one part of your server
    if you are going to open it up in another part? That's pointless!

    You would totally and completely entirely defeat the point of having
    password authentication turned off in lieu of certificate authentication
    if you have another port on your server still using password authentication.

    If you were going to do that, there is no point in turning off password
    authentication in the first place and you may as well just simply leave
    everything on how you use it now which incidentally can login using either
    authentication method. Statistically, you are in better security shape
    leaving password authentication on than setting up two SSH ports even
    if you are under some misguided notion of restricting one of the ports and
    the operative word there being "ONE" of the ports.

    There is simply no reason to setup two separate SSH ports and by doing
    so especially in the manner you ask, you completely undermine the entire
    basis of disabling password authentication in the first place and greatly
    weaken your security by now having to worry about two open ports
    instead of just one available for SSH access!

    I'm not sure what you have been thinking but time to wake up! :rolleyes:
     
    #2 Spiral, Jul 17, 2009
    Last edited: Jul 17, 2009
  3. Julien PHAM

    Julien PHAM Active Member

    Joined:
    Jul 9, 2009
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    Mmmm then I'll try to explain more... I need to let my ISP enter my server to fix things if I'm unable to access my server anymore.

    So I have to let just one IP, cache.ovh.net, to access my server.

    So the point would be to :

    - allow the port 22 with password authentication, but to allow with my firewall just cache.ovh.net to access this port.

    - create another port for ssh without password authentication for the other ssh access.

    Do you understand what I mean? Is this that awful to do?

    Thanks...

    (btw is this normal that my ssh client always asks me for my key passphrase every time I login into ssh?)
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Your server provider doesn't need SSH access! They have console access!

    If you totally lock down SSH to certificate only, you can still login
    to the server directly using passwords at the console.

    In fact, you actually don't need the password either if at the console
    if you want to get technical.

    Again, I feel the sudden urge to slap you upside the head! :p

    You don't want to leave SSH on port 22 for any reason!

    (FYI, aside from your server provider not needing SSH access in the first place,
    even if they did for some reason actually connect using remote SSH access,
    it still need not be on port 22 and it also doesn't matter whether you are using
    certificate or password authentication because any real server administrator can
    easily login to whatever configuration you have configured)

    Most server providers ask you for your "root" password to simplify
    logging in at the console. This is **NOT** the same as your SSH login
    which may be using certificate access only!

    The server provider would still login using a password irregardless because
    console logins and SSH logins are **NOT** the same thing!

    If for some bizarre reason they actually do connect by SSH as might be
    the case of a low end server reseller that doesn't have KVM access
    (time to get another server provider) or maybe a 3rd party hired
    server manager, then you simply need to give them a copy of your
    login certificate or generate a second one for their use and that
    should be no problem whatsoever.

    If you are letting anyone other than yourself and your server provider (server manager) have SSH access
    then you have got much bigger problems to worry about especially given that I know from reading not only
    this post but from watching your other posts that you really know the first thing about server security concepts
    and no offense meant but I would be extremely concerned about giving out SSH access even if you did!

    That given, allowing anyone SSH access on your server is very ill advised!

    I am a security expert and I would be extremely concerned about giving out SSH access on my own servers!

    Oh and to answer your question, assuming you actually setup your client with shell access, your client is most
    likely leaving the connection type on "telnet" instead of "ssh" or saved the login profile wrong (bug in ExtraPutty)
    which will result in a failed connection and can't login in either case.
     
    #4 Spiral, Jul 17, 2009
    Last edited: Jul 17, 2009
  5. Julien PHAM

    Julien PHAM Active Member

    Joined:
    Jul 9, 2009
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    In fact I have asked on my ISP forum, and the ISP uses SSH on port 22 to login to the server; on the firewall config page they ask us to allow connection to port 22 for cache.ovh.net.

    In English it means: for SSH, if you would like to block access only for your IP, you should allow cache.ovh.net too. Indeed, in case of problem on your server, we can work in it and fix it. If you close port 22 for OVH techs, then we will not be able to help you if your computer is locked.

    BUT, according to what another one said, the OVH techs use a key authentication method to enter the server, not a password auth method, so I can lock port 22 and allow it only for OVH, create another port for my own use, AND still disable password authentication and so just allow passkey authentication method.

    Question : the file to edit to add another ssh port is /etc/ssh/sshd_config?

    Thanks

    Edit: ok, I have checked, and my ISP has an ssh access with a key in the root folder, which will allow it to access my server with root access without knowing my root password. And so this is fine like this... but my ISP uses port 22 for SSH access so I cannot change this unfortunately... all I can do is just allow my ISP for port 22 and nobody else... that is fine for me...
     
    #5 Julien PHAM, Jul 17, 2009
    Last edited: Jul 17, 2009
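Added example, not from this thread or from cPanel: the setup asked about in post #5 is expressed in /etc/ssh/sshd_config with two `Port` lines plus a `Match` block, because sshd reads one config file for all its listening ports and `Match LocalPort` / `Match Address` (criteria that exist in current OpenSSH; the 2009-era build on the poster's server may not have had them) is what lets one port behave differently from the other. The script below is a small parser for that file format that applies sshd's own rules (global section: first value wins; matching `Match` blocks override it, earliest matching block first) and reports the effective `PasswordAuthentication` and `PermitRootLogin` per port and client address. The sample config and the provider address 203.0.113.10 are constructed for the demo.

```python
"""Resolve the effective per-port sshd_config settings (added example).

Models how sshd combines the global section with Match blocks so that a
two-port layout (password logins only on port 22 and only from the provider,
key-only everywhere else) can be checked before it is deployed.
"""
import ipaddress

# Constructed sample config; 203.0.113.10 stands in for the provider's host.
SAMPLE_CONFIG = """
Port 22
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password

# Password logins are only ever offered on port 22, and only to the provider.
Match LocalPort 22 Address 203.0.113.10
    PasswordAuthentication yes
    PermitRootLogin yes
"""

# sshd defaults for the keywords we report on, used when the file is silent.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return (global_settings, ports, match_blocks).

    global_settings: keyword -> value, first occurrence wins (sshd rule).
    ports: every Port value, in file order (sshd listens on all of them).
    match_blocks: list of (criteria, settings) in file order; criteria is a
    dict such as {"localport": "22", "address": "203.0.113.10"}.
    """
    globals_, ports, blocks = {}, [], []
    current = None  # settings dict of the Match block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            # "Match all" carries no criteria; otherwise tokens come in pairs.
            criteria = {} if tokens == ["all"] else {
                tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)
            }
            current = {}
            blocks.append((criteria, current))
        elif current is not None:
            current.setdefault(key, value)
        elif key == "port":
            ports.append(int(value))
        else:
            globals_.setdefault(key, value)
    return globals_, ports, blocks


def _criteria_match(criteria, port, client_ip):
    """True if every criterion of a Match line holds for this connection."""
    for crit, pattern in criteria.items():
        if crit == "localport":
            if int(pattern) != port:
                return False
        elif crit == "address":
            # A bare IP or a CIDR block; strict=False accepts host bits set.
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(pattern, strict=False):
                return False
        else:
            raise ValueError(f"unsupported Match criterion in this demo: {crit}")
    return True


def effective_settings(text, port, client_ip,
                       keys=("passwordauthentication", "pubkeyauthentication", "permitrootlogin")):
    """Effective keyword values for a client at client_ip hitting port."""
    globals_, ports, blocks = parse_sshd_config(text)
    if port not in ports:
        raise ValueError(f"sshd is not listening on port {port}")
    overrides = {}
    for criteria, settings in blocks:
        if _criteria_match(criteria, port, client_ip):
            for k, v in settings.items():
                overrides.setdefault(k, v)  # earliest matching block wins per keyword
    return {k: overrides.get(k, globals_.get(k, DEFAULTS.get(k))) for k in keys}


def audit(text, client_ips):
    """(port, client_ip) -> effective settings, for every listening port."""
    _, ports, _ = parse_sshd_config(text)
    return {(p, ip): effective_settings(text, p, ip) for p in ports for ip in client_ips}


if __name__ == "__main__":
    for (port, ip), cfg in audit(SAMPLE_CONFIG, ["203.0.113.10", "198.51.100.7"]).items():
        print(f"port {port:<5} from {ip:<14} password={cfg['passwordauthentication']:<3} "
              f"root={cfg['permitrootlogin']}")
```

On a real host the same question is answered by sshd itself with `sshd -T -C lport=22,addr=203.0.113.10 | grep -i passwordauthentication`, which prints the effective value for that connection; the firewall rule limiting port 22 to cache.ovh.net that the poster planned stays useful as a second layer, since `Match Address` only restricts which clients get password authentication, not who can reach the port.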
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    See previous post!

    I would get a new server provider or get a server manager!

    If the host is really that limited that they must use SSH instead of console
    and can't be flexible to anything outside raw defaults, they either don't have
    the resources to be offering servers in the first place or are very poorly trained
    and extremely unqualified for the task of managing servers and either way
    I wouldn't want them managing my servers or even getting near my server!

    If I were you, I would be looking at either getting a new host or hiring a
    3rd party professional to handle your server management and whatever
    problems you have ... or both!
     