shanepresley asked:
Running SSH on two ports?

This relates to this question here:
https://www.experts-exchange.com/questions/21223762/Security-of-SFTP.html

I may be pressured to run SFTP (FTP over SSH).

One thing I don't like is that it would require me to open up the SSH port (port 22) to the Internet (all IP because my SFTP users will be dynamic).

Can anyone give me any security guidelines (specifics) on locking down SSH?

Specifically one option I would like help with is the possibility of running SSH on two ports?  One that supports interactive logins, and one that has it disabled (SFTP only).  That way I can still limit access to the admin SSH port.  Is that possible?

Thx,
Shane
ASKER CERTIFIED SOLUTION
chris_calabrese

shanepresley (ASKER)
Thanks Chris,

What about on the second SSH server, only accepting authorized_keys?

For our internal users we accept passwords. For these FTP jobs we may require public keys. So if we ran this all on a single instance of SSH, then external users would be able to attempt brute force password cracks.

So if we ran our internal SSH on port 22 (accepting passwords) and our external SSH (for sftp) on another port and restricted it to PubkeyAuthentication and authorized_keys?

Would that model work?  Allowing our internal users to use passwords, and forcing SFTP users to a pre-authorized key?

Shane
chris_calabrese

Yeah, that would work (run the second sshd with '-f /path/to/config-file').

But it might not be acceptable to (or too difficult for) the SFTP users.

And you still want to setup the SFTP-only users as above.

Oh, and almost forgot, unlike FTP, you can't restrict SFTP to only the users' home directories, so you want this on a machine that's not doing anything else and that is appropriately locked down.
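The two-instance layout Shane proposes and Chris confirms (admin sshd on port 22 with its usual config, a second sshd started with `-f` on another port that accepts only public keys and only SFTP), written out as a config generator plus a sanity check. This is an added example, not code from the thread or from either participant. It assumes OpenSSH 4.9 or later: `Match` blocks, `ForceCommand internal-sftp` and `ChrootDirectory` did not exist when this thread was written, and `ChrootDirectory` is what later versions added to confine SFTP users to a directory, the limitation Chris describes above. The group name `sftponly`, port 2222, the PidFile path and the config file path are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread): generate and sanity-check the config for
# a second sshd instance that speaks only SFTP, accepts only public keys, and
# listens on a port separate from the admin sshd on 22.
# Assumptions (not stated on the page): OpenSSH 4.9+, a group "sftponly" for
# the external users, port 2222, and a separate PidFile so the instances do
# not collide.

SFTP_PORT="${SFTP_PORT:-2222}"
SFTP_GROUP="${SFTP_GROUP:-sftponly}"

# Write the config for the SFTP-only instance to the path given as $1.
write_sftp_sshd_config() {
cat > "$1" <<EOF
# Second sshd instance: SFTP only, public keys only. Started with: sshd -f $1
Port ${SFTP_PORT}
PidFile /var/run/sshd-sftp.pid

# Only the external SFTP accounts may even attempt to authenticate here.
AllowGroups ${SFTP_GROUP}
PermitRootLogin no

# Keys only: nothing that takes a password can be brute-forced on this port.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# No shells, tunnels or forwarding through this instance.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
Subsystem sftp internal-sftp

Match Group ${SFTP_GROUP}
    ForceCommand internal-sftp
    # Confine each user to their home directory (OpenSSH 4.9+). The chroot
    # target must be owned by root and not writable by anyone else, so give
    # the user a writable subdirectory inside it (e.g. %h/upload).
    ChrootDirectory %h
EOF
}

# Return 0 if the config at $1 carries every directive a key-only, SFTP-only
# instance needs and nowhere re-enables a password-style method; otherwise
# report the first problem on stderr and return 1.
check_sftp_sshd_config() {
    cfg="$1"
    if grep -Eiq '^[[:space:]]*(Password|ChallengeResponse|KbdInteractive)Authentication[[:space:]]+yes' "$cfg"; then
        echo "$cfg: a password-style authentication method is enabled" >&2
        return 1
    fi
    for want in \
        'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        'PubkeyAuthentication yes' \
        'PermitRootLogin no' \
        'AllowTcpForwarding no' \
        'ForceCommand internal-sftp'
    do
        directive="${want%% *}"
        value="${want#* }"
        if ! grep -Eiq "^[[:space:]]*${directive}[[:space:]]+${value}[[:space:]]*$" "$cfg"; then
            echo "$cfg: missing '${want}'" >&2
            return 1
        fi
    done
    return 0
}

# Usage, as root on the SFTP host (the admin sshd on port 22 keeps its own file):
#   write_sftp_sshd_config /etc/ssh/sshd_config.sftp
#   check_sftp_sshd_config /etc/ssh/sshd_config.sftp \
#     && sshd -t -f /etc/ssh/sshd_config.sftp \
#     && sshd -f /etc/ssh/sshd_config.sftp
```

The check is deliberately strict about a re-enabled password method anywhere in the file, because a later `Match` block can quietly undo the global `PasswordAuthentication no`. The firewall rule from the question still applies unchanged: port 22 stays limited to the admin addresses, and only the second instance's port is opened to the dynamic SFTP clients.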
shanepresley (ASKER)

Thanks again Chris.

One more followup about "unlike FTP, you can't restrict SFTP to only the users' home directories"

Just to make sure I understand that correctly, their directory at login will be the user home directory, but they'll be able to access anything that their user account is allowed to access? So they can cd up a directory, and still get files, assuming Unix permissions allow them to?

Thanks!