• Status: Solved
  • Priority: Medium
  • Security: Public

Running SSH on two ports?

This relates to this question here:
http://www.experts-exchange.com/Security/Q_21223762.html

I may be pressured to run SFTP (FTP over SSH).

One thing I don't like is that it would require me to open up the SSH port (port 22) to the Internet (all IP because my SFTP users will be dynamic).

Can anyone give me any security guidelines (specifics) on locking down SSH?

Specifically one option I would like help with is the possibility of running SSH on two ports?  One that supports interactive logins, and one that has it disabled (SFTP only).  That way I can still limit access to the admin SSH port.  Is that possible?

Thx,
Shane
1 Solution
 
chris_calabreseCommented:
Unless you hack the OpenSSH source, there is no way to restrict SSH to only doing SFTP other than on a user-by-user basis.

To setup a user as SFTP-only, set their login-shell to /the/path/of/sftp-server (for example, this would be /opt/openssh/libexec/sftp-server in our environment).

You'll also have to add sftp-server to /etc/shells.
 
shanepresleyAuthor Commented:
Thanks Chris,

What about on the second SSH server, only accepting authorized_keys?

For our internal users we accept passwords.   For these FTP jobs we may require public keys.  So if we ran this all on a single instance of SSH, then external users would be able to attempt brute force password cracks.  

So if we ran our internal SSH on port 22 (accepting passwords) and our external SSH (for sftp) on another port and restricted it to PubkeyAuthentication and authorized_keys?

Would that model work?  Allowing our internal users to use passwords, and forcing SFTP users to a pre-authorized key?

Shane
 
chris_calabreseCommented:
Yeah, that would work (run the second sshd with '-f /path/to/config-file').

But it might not be acceptable to (or too difficult for) the SFTP users.

And you still want to setup the SFTP-only users as above.

Oh, and almost forgot, unlike FTP, you can't restrict SFTP to only the users' home directories, so you want this on a machine that's not doing anything else and that is appropriately locked down.
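The two answers above describe a setup in two halves: a second sshd instance started with `-f /path/to/config-file` that accepts only public keys, and per-user SFTP-only accounts whose login shell is sftp-server (which must also be listed in /etc/shells). The script below is an added example, not code from the thread or from OpenSSH; it renders such a config, checks that a config file really does turn off every password path, and handles the /etc/shells entry and a passwd audit on files you point it at. The port 2222, the group name sftponly and the sample passwd lines are constructed assumptions; the sftp-server path is the one quoted in the answer.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values: port 2222 and
# group "sftponly". The sftp-server path is the one quoted in the answer.

SFTP_SERVER=/opt/openssh/libexec/sftp-server
SFTP_PORT=2222
SFTP_GROUP=sftponly

# Print an sshd_config for the external, key-only SFTP instance.
# Anything not set here falls back to sshd's compiled-in defaults, so every
# method that could accept a password is switched off explicitly.
render_sftp_sshd_config() {
    cat <<EOF
# Second sshd instance, started with:  sshd -f /etc/ssh/sshd_config.sftp
Port $SFTP_PORT
PidFile /var/run/sshd_sftp.pid
# Keys only: no passwords, no keyboard-interactive (PAM) prompts, no root.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no
PermitEmptyPasswords no
# Keep the ordinary shell users off this port entirely.
AllowGroups $SFTP_GROUP
# Nothing but the file transfer itself.
X11Forwarding no
AllowTcpForwarding no
Subsystem sftp $SFTP_SERVER
EOF
}

# Value of the FIRST uncommented occurrence of a keyword, lower-cased.
# sshd matches keywords case-insensitively and honours the first one it sees,
# so a later "PasswordAuthentication no" would not override an earlier "yes".
setting() {  # setting <config-file> <keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Return 0 if the config enforces key-only authentication, 1 otherwise.
# An unset PasswordAuthentication counts as a failure: the default is yes.
check_keyonly() {  # check_keyonly <config-file>
    [ "$(setting "$1" PasswordAuthentication)" = no ] &&
    [ "$(setting "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(setting "$1" PubkeyAuthentication)" = yes ]
}

# Append a shell to a shells file unless it is already listed (idempotent);
# chsh/usermod refuse a login shell that is missing from /etc/shells.
ensure_shell_listed() {  # ensure_shell_listed <shells-file> <shell-path>
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# The per-user step from the answer: make sftp-server the login shell.
# Needs root; not exercised by the demo below.
make_sftp_only() {  # make_sftp_only <username>
    ensure_shell_listed /etc/shells "$SFTP_SERVER"
    usermod -s "$SFTP_SERVER" "$1"
}

# Audit helper: accounts in a passwd-format file whose shell is sftp-server,
# i.e. the ones that cannot get an interactive login on either port.
sftp_only_users() {  # sftp_only_users <passwd-file>
    awk -F: -v s="$SFTP_SERVER" '$7 == s { print $1 }' "$1"
}

# Demo on a scratch directory; nothing here touches the live system.
demo=$(mktemp -d)
render_sftp_sshd_config > "$demo/sshd_config.sftp"
ensure_shell_listed "$demo/shells" "$SFTP_SERVER"
if check_keyonly "$demo/sshd_config.sftp"; then
    echo "$demo/sshd_config.sftp: key-only authentication enforced"
fi
```

Run `check_keyonly` against the main instance's sshd_config as well: it is the file that still allows passwords, and the check will report that, which is exactly what the thread's design intends for port 22. Two points worth knowing beyond what the thread covers: sshd uses the first occurrence of a keyword, so a copied config with a stray `PasswordAuthentication yes` near the top silently wins, which is why the check above reads the first uncommented match; and OpenSSH releases from 4.9 onward added `ChrootDirectory` together with `ForceCommand internal-sftp`, which do confine an SFTP account to a directory tree, so the answer's point that SFTP cannot be restricted to the home directory reflects the OpenSSH of its time rather than current releases.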
shanepresleyAuthor Commented:
Thanks again Chris.

One more followup about "unlike FTP, you can't restrict SFTP to only the users' home directories"

Just to make sure I understand that correctly, their directory at login will be the user home directory, but they'll be able to access anything that their user account is allowed to access? So they can cd up a directory, and still get files, assuming Unix permissions allow them to?

 
chris_calabreseCommented:
Yes.
 
shanepresleyAuthor Commented:
Thanks!