
How to configure and use the SSH port? Step-by-step instruction

Secure Shell, abbreviated SSH, is one of the most advanced technologies for protecting data in transit. Using this mode on a router not only ensures the confidentiality of the transmitted information but also speeds up the exchange of packets. Not everyone, however, knows how to open the SSH port or why this is necessary, so a practical explanation is in order.

SSH Port: What is it and why?

In security terms, the SSH port should be understood as a dedicated communication channel, in the form of a tunnel, that provides data encryption.

In the most basic scheme, the open SSH port is used by default to encrypt information at the source and decrypt it at the endpoint. Put differently: unlike IPSec, the transmitted traffic is encrypted unconditionally, at the output of one network terminal and at the input of the receiving party. To decrypt the information carried over this channel, the receiving terminal uses a special key. In other words, without the key nobody can interfere with the transfer or break the integrity of the transmitted data.

Simply opening an SSH port on a router, or using the corresponding settings of an additional client that talks to the SSH server directly, lets you take full advantage of the security features of modern networks, whether with the default port or with custom settings. These parameters may look rather complicated in practice, but understanding how such a connection is organized is indispensable.

Standard SSH port

If you start from the settings of any router, you first need to determine which software will be used to activate this communication channel. The default SSH port can in fact have different settings; it all depends on the method in use (direct connection to the server, installation of an additional client, port forwarding, and so on).

For example, if Jabber is used as the client, port 443 should be used for a correct connection, encryption and data transfer, although port 22 is set in the standard configuration.

To reconfigure the router with the conditions required for a particular program or process, you will need to perform SSH port forwarding. What is that? It is the assignment of a specific access path to a single program that uses the Internet connection, regardless of which protocol version (IPv4 or IPv6) is currently in use.

Technical rationale

As you can see, the standard SSH port 22 is not always used. Some characteristics and parameters used in the configuration still need to be highlighted here.

Why does the confidential transmission of encrypted data involve using the SSH protocol exclusively as an external (guest) user port? Because the tunneling used lets you run the so-called remote shell (ssh), gain access to terminal management via remote login (slogin), and use remote copy (scp) procedures.

In addition, the SSH port can be used when a user needs to run remote X Window scripts, which in the simplest case means transferring information from one machine to another, as already mentioned, with mandatory data encryption. In such situations the essential element is the use of AES-based algorithms. AES is a symmetric encryption algorithm originally provided for in SSH technology, and using it is not only possible but necessary.

Implementation history

The technology itself appeared long ago. Let us set aside the question of how to set up SSH port forwarding and look at how it works.

Usually it all comes down to using a SOCKS-based proxy or VPN tunneling. If a software application can work with a VPN, that option is preferable. Almost all current programs that use Internet traffic can work with a VPN, and configuring the routing takes little effort. Like a proxy server, this keeps the external address of the terminal currently accessing the network unrecognized; the difference is that with a proxy the address changes constantly, while with a VPN it remains fixed to a particular region other than the one where the access restriction applies.

The technology itself, under which the SSH port is opened, was developed back in 1995 at the Technological University of Finland (SSH-1). In 1996 an improved version, the SSH-2 protocol, was added; it became widespread in the post-Soviet space, although there, as in some Western European countries, permission from government agencies is sometimes required to use such a tunnel.

The main advantage of opening an SSH port, compared with telnet or rlogin, is the use of RSA or DSA digital signatures (a key pair consisting of a public and a private key). In addition, a session key based on the Diffie-Hellman algorithm can be used, which implies symmetric encryption at the output, although it does not exclude asymmetric encryption algorithms during transmission and reception by the other machine.

Servers and Shells

In Windows or Linux, the SSH port is not that difficult to open. The only question is which toolset will be used.

Here you need to pay attention to information transfer and authentication. First, the protocol itself is sufficiently protected against so-called sniffing, the most common form of traffic "wiretapping". SSH-1 was defenseless against attacks: interference with the data transfer in the form of a "man in the middle" scheme had its effect, and information could simply be intercepted and deciphered quite easily. The second version (SSH-2), however, was protected against this kind of intervention, called session hijacking, which made it the most widespread.

Security bans

As for the security of transmitted and received data, a connection created with such technologies avoids the following problems:

  • Determining the host key at the transmission stage, where the host "fingerprint" is used;
  • Support for Windows and UNIX-like systems;
  • Substitution of IP and DNS addresses (spoofing);
  • Interception of plaintext passwords by someone with physical access to the transmission channel.

The whole system is built on the client-server principle: first the user machine, by means of a special program or add-on, contacts the server, which performs the corresponding redirection.

Tunneling

It goes without saying that a special driver must be installed in the system to implement this type of connection.

As a rule, in Windows-based systems this is the Microsoft Teredo driver built into the software shell, a kind of virtual emulation tool for the IPv6 protocol in networks with IPv4-only support. The tunnel adapter is active by default. If failures associated with it occur, you can simply restart the system or run the shutdown and restart commands in the command console. To deactivate it, the following lines are entered:

  • netsh
  • interface teredo set state disabled
  • interface isatap set state disabled

After entering the commands, you must reboot. To re-enable the adapter, set its state to enabled instead of disabled and check the status, after which the whole system should again be restarted.

SSH server

Now let us see which SSH port is used as the primary one, starting from the client-server scheme. Typically port 22 is used by default, but, as mentioned above, port 443 can be used as well. It is only a question of the server's own preference.

The most common SSH-servers are considered to be the following:

  • For Windows: Tectia SSH Server, OpenSSH with Cygwin, MobaSSH, KpyM Telnet/SSH Server, WinSSHD, copssh, freeSSHd;
  • For FreeBSD: OpenSSH;
  • For Linux: Tectia SSH Server, ssh, openssh-server, lsh-server, dropbear.

All the listed servers are free. However, paid services also exist, characterized by a higher level of security, which is essential for organizing network access and protecting information in enterprises. Their cost is not discussed here, but in general it is relatively low, even compared with installing specialized software or a hardware ("iron") firewall.

SSH client

The SSH port can be changed either in the client program or through the corresponding port-forwarding settings on the router.

As for client shells, the following software products can be used on different systems:

  • Windows: SecureCRT, PuTTY/KiTTY, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD, etc.;
  • Mac OS X: iTerm2, vSSH, NiftyTelnet SSH;
  • Linux and BSD: lsh-client, kdessh, openssh-client, Vinagre, putty.

Public-key authentication and changing the port

Now a few words about how the server is checked and configured. In the simplest case you use the configuration file (sshd_config). You can do without it, for example with programs like PuTTY. Changing the SSH port from the standard value (22) to any other is quite elementary.

The main thing is that the number of the port to be opened does not exceed 65535 (no higher port exists). You should also pay attention to ports that are open by default and used by other services, such as MySQL databases or FTPD. If you assign their ports to SSH, those services will of course simply stop working.
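The two checks described above (the 65535 ceiling and collisions with ports already used by other daemons) and the edit of the Port directive in sshd_config, as an added example that is not part of the original article. It assumes POSIX sh and awk; the reserved-port table is constructed for the demonstration, and no live sshd is touched.

```shell
# Added example: validate a candidate SSH port and rewrite the Port directive
# in a copy of sshd_config. Run `sshd -t` before reloading a real server.

# Ports the article warns are taken by other daemons (constructed table; on a
# live host consult /etc/services and `ss -ltn` instead).
RESERVED_PORTS="21:ftpd 22:sshd 443:https 3306:mysqld"

# validate_port PORT -> 0 if the port is usable, 1 (with a reason) otherwise
validate_port() {
    port=$1
    # Decimal digits only, no leading zero (so "022" cannot slip past the table).
    case $port in
        ''|*[!0-9]*|0*) echo "reject: '$port' is not a valid decimal port"; return 1 ;;
    esac
    # TCP port numbers are 16-bit: nothing above 65535 exists.
    if [ "$port" -gt 65535 ]; then
        echo "reject: $port is outside 1-65535"; return 1
    fi
    for entry in $RESERVED_PORTS; do
        if [ "${entry%%:*}" = "$port" ]; then
            echo "reject: $port already belongs to ${entry#*:}"; return 1
        fi
    done
    echo "ok: $port"
}

# set_sshd_port CONFIG PORT -> replace the first Port line (active or
# commented out) with the new value, or append one if none exists
set_sshd_port() {
    cfg=$1
    validate_port "$2" >/dev/null || return 1
    awk -v p="$2" '
        !done && /^[ \t]*#?[ \t]*Port[ \t]/ { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# current_port CONFIG -> the active Port value, or sshd's default of 22
current_port() {
    awk '/^[ \t]*Port[ \t]/ { p = $2 } END { print (p ? p : 22) }' "$1"
}

# Demonstration on a constructed sshd_config excerpt.
demo=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo"
set_sshd_port "$demo" 2222 && echo "Port now: $(current_port "$demo")"   # 2222
validate_port 70000 || true   # reject: 70000 is outside 1-65535
validate_port 3306 || true    # reject: 3306 already belongs to mysqld
rm -f "$demo"
```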

Note that the Jabber client in question should be run in the same environment as the SSH server, for example in a virtual machine, and the server's localhost will need to be assigned the value 4430 (not 443, as mentioned above). This configuration can be used when access to the main host jabber.example.com is blocked by a firewall.

Alternatively, you can forward ports on the router itself, using its interface settings to create exception rules. On most models the interface is reached by entering an address starting with 192.168 followed by 0.1 or 1.1, but on routers that combine ADSL modem capabilities, such as Mikrotik, the address ends in 88.1.

A new rule is created and the necessary parameters are set, for example an external dst-nat connection, and the ports are assigned manually, not in the general settings section but in the Action section. There is nothing particularly complicated here: the main thing is to specify the required settings and set the correct port. By default port 22 can be used, but if you use a dedicated client (some are listed above for different systems) the value can be changed arbitrarily, as long as it does not exceed the declared maximum, above which port numbers simply do not exist.

When configuring the connection, you should also pay attention to the parameters of the client program. It may be necessary to specify the minimum key length (512) in its settings, although by default it is usually 768. It is also desirable to set the login timeout to 600 seconds and to permit remote access with root rights. After applying these settings, you must also permit all authentication methods except those based on .rhosts (but this is only necessary for system administrators).

In addition, if the user name registered on the system does not match the one you are currently typing, you will need to specify it explicitly in the ssh command together with the additional parameters (for those who understand what they are doing).

The ~/.ssh/id_dsa (or id_rsa) file holds the key and determines the encryption method. The public key is created as ~/.ssh/identity.pub (but this is not necessary). In practice it is easiest to use commands such as ssh-keygen. The whole matter then comes down to adding the key to the file of authorized keys (~/.ssh/authorized_keys).
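Adding a key to ~/.ssh/authorized_keys the way the paragraph above describes, as an added example that is not part of the original article. It assumes POSIX sh; the key type ed25519 and the helper names install_pubkey and count_keys are choices made for this example, and ssh-keygen is only needed for the optional generation step at the end.

```shell
# Added example: install a public key into ~/.ssh/authorized_keys the way sshd
# expects it (0700 directory, 0600 file, one key per line, no duplicates).

# install_pubkey HOME_DIR PUBKEY_LINE -> 0 on success, 1 for a malformed line
install_pubkey() {
    sshdir=$1/.ssh
    auth=$sshdir/authorized_keys
    keyline=$2
    # A key line is "<type> <base64-blob> [comment]"; accept known types only.
    case $keyline in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing malformed key line" >&2; return 1 ;;
    esac
    # With StrictModes (the default) sshd ignores the file if modes are looser.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # Compare type and key material only, so a changed comment is not a new key.
    keyid=$(printf '%s\n' "$keyline" | cut -d' ' -f1,2)
    if ! cut -d' ' -f1,2 "$auth" | grep -qxF "$keyid"; then
        printf '%s\n' "$keyline" >> "$auth"
    fi
}

# count_keys HOME_DIR -> number of key lines in authorized_keys (0 if absent)
count_keys() {
    f=$1/.ssh/authorized_keys
    if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}

# Demonstration with a constructed key line (not real key material).
demo_home=$(mktemp -d)
fake_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLExxxxxxxxxxxxxxxxxxxxxxxxxxxxx demo@example"
install_pubkey "$demo_home" "$fake_key"
install_pubkey "$demo_home" "$fake_key"            # duplicate: no change
echo "keys installed: $(count_keys "$demo_home")"  # 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"

# Real key generation when ssh-keygen is available (the empty passphrase only
# keeps this demonstration non-interactive).
if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -f "$demo_home/id_ed25519" -C demo
    install_pubkey "$demo_home" "$(cat "$demo_home/id_ed25519.pub")"
    echo "keys installed: $(count_keys "$demo_home")"  # 2
fi
rm -rf "$demo_home"
```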

But we have strayed too far. Returning to the SSH port configuration: as you already know, changing the SSH port is not so difficult. Admittedly, in some situations you will have to work at it, because all the values of the main parameters must be taken into account. Otherwise the matter comes down either to entering the value in the server or client program (if that option is provided) or to using port forwarding on the router. But even if the default port 22 is changed to 443, you need to understand clearly that this scheme does not always work, only when the same Jabber add-in is installed (other analogous programs may use their own ports, which differ from the standard ones). Special attention should also be paid to the settings of the SSH client that will interact directly with the SSH server, if that is really what the current connection is meant for.

Otherwise, if port forwarding was not set up initially (although doing so is desirable), the settings and parameters for SSH access cannot be changed. No particular problems are expected when creating the connection or using it afterwards (unless, of course, manual configuration of both the server and the client is used). Most often, creating an exception rule on the router fixes all problems or prevents them from appearing.


Copyright © 2018 en.delachieve.com. Theme powered by WordPress.