Closed port 22 in the jail redirects to the outer system
luzar722 at gmail.com
Wed Dec 7 01:29:30 UTC 2016
Bertram Scharpf wrote:
> I'm fed up with my log files being polluted by failing SSH
> login attempts. I disabled password authentication totally
> so there's not really a security problem, but it's annoying.
> Using a higher port number does only help for a while.
> All I want to do is to log in myself from remote. Now I
> tried to do the following: A jail runs an HTTP server with
> several subpages. One of them asks for a password and then
> starts an SSH daemon that accepts just one connection and
> closes afterwards. From inside the jail then I can ssh to
> the outer machine.
> But: As long as the SSH daemon inside the jail doesn't run,
> the port 22 request gets caught by the outer system and
> again I get my logfiles polluted.
> How can I make a port 22 request fail if an SSH server is
> running on the outer machine but not inside the jail?
> Thanks in advance.
I think you gave up on using a non-default port number for ssh to
quickly. I have been using port 8522 for host ssh and have the host
firewall deny inbound traffic to port 22. Been configured like this
since release 2.1 and have never had any bogus attempts to login on that
port all these long years. All port 22 login attempts get dropped by the
firewall before ssh even knows it has a request resulting in no log
entries in shh log or firewall log. Once your ssh logged into the host
you can use the jls command to login to any running jail. This is the
"keep it simple" method.
Since you are the only remote user to know the ssh port number this
gives you what you want. NO need for the back door approach your trying
to use through the http jail server.
You would need a static public ip address allocated to a jail before you
could be able to remotely ssh into that jail.
More information about the freebsd-questions