Closed port 22 in the jail redirects to the outer system

Ernie Luzar luzar722 at
Wed Dec 7 01:29:30 UTC 2016

Bertram Scharpf wrote:
> Hi,
> I'm fed up with my log files being polluted by failing SSH
> login attempts. I disabled password authentication totally
> so there's not really a security problem, but it's annoying.
> Using a higher port number does only help for a while.
> All I want to do is to log in myself from remote. Now I
> tried to do the following: A jail runs an HTTP server with
> several subpages. One of them asks for a password and then
> starts an SSH daemon that accepts just one connection and
> closes afterwards. From inside the jail then I can ssh to
> the outer machine.
> But: As long as the SSH daemon inside the jail doesn't run,
> the port 22 request gets caught by the outer system and
> again I get my logfiles polluted.
> How can I make a port 22 request fail if an SSH server is
> running on the outer machine but not inside the jail?
> Thanks in advance.
> Bertram

I think you gave up on using a non-default port number for ssh to 
quickly. I have been using port 8522 for host ssh and have the host 
firewall deny inbound traffic to port 22. Been configured like this 
since release 2.1 and have never had any bogus attempts to login on that 
port all these long years. All port 22 login attempts get dropped by the 
firewall before ssh even knows it has a request resulting in no log 
entries in shh log or firewall log. Once your ssh logged into the host 
you can use the jls command to login to any running jail. This is the 
"keep it simple" method.

Since you are the only remote user to know the ssh port number this 
gives you what you want. NO need for the back door approach your trying 
to use through the http jail server.

You would need a static public ip address allocated to a jail before you 
could be able to remotely ssh into that jail.

More information about the freebsd-questions mailing list