Low End Talk

Hosting Websites on Bare Minimum VPS/Dedicated Servers

Dropbear - Change SSH port

(10 posts)
  • Started 1 year ago by greedyh4mster
  • Latest reply from EZ-CONCEPT - Isaac Kwan

  1. greedyh4mster
    Member

    Hiya!

    I am using the LowEndBox bootstrap script on a Debian 32-bit Xen machine.

    I want to change the default SSH port for dropbear. How do I go about doing it?

    I have tried the following but with no luck:

    1)Change port number in dropbear config file and restart xinetd using this command: "invoke-rc.d xinetd restart".

    2) Edit the dropbear script in xinetd to fit in the -p argument. Restarted xinetd. Exited putty. Tried to log in at port 22 and was successful. Did a "ps aux". Got "dropbear -i -p 21413"

    Update:
    I even tried rebooting the machine, but to no avail.

    Posted 1 year ago #
  2. greedyh4mster
    Member

    Can't edit my post.

    Update:
    Did a "netstat -anp". It appears that even with "dropbear -i -p", xinetd still listens to port 22.

    However, when I edited /etc/services to change the ssh port and restarted xinetd, it finally changed its ssh listening port to the number I want.

    But is it the only solution? Do I have to edit /etc/services to make xinetd listen to the port I want for SSH?

    Update:
    I think I found the solution. Since xinetd is the one listening for the connections, there must be some way to change its listening port in xinetd itself instead of changing /etc/services, which will affect the whole system.

    After much googling (I think an hour or two of it?), I found out that to use a non-default SSH port, you will have to put type=unlisted and port=NUMBER into the xinetd dropbear script, in my case.

    I hope I am going towards the right direction. If I am wrong, please help to guide me towards the right one. =D

    Posted 1 year ago #
  3. Jackk
    Member

    Was also wondering how to do this as it's very insecure leaving SSH on port 22 imo.

    Posted 1 year ago #
  4. LowEndAdmin
    Key Master

    You can change your /etc/xinetd.d/dropbear to

    service dropbear
    {
        socket_type     = stream
        only_from       = 0.0.0.0
        wait            = no
        user            = root
        protocol        = tcp
        server          = /usr/sbin/dropbear
        server_args     = -i
        disable         = no
        port            = 21413
    }

    Note that

    1) Change the service from "ssh" to "dropbear", so xinetd won't use the port number in /etc/services
    2) Set the port number in the file

    Posted 1 year ago #
  5. NickM
    Member

    > Was also wondering how to do this as it's very insecure leaving SSH on port 22 imo.

    Leaving SSH on port 22 is in no way insecure. Putting it on another port isn't going to stop anyone from trying to bruteforce their way in via ssh. A simple port scan will reveal what port SSH is running on. A better solution is to ensure that you configure SSH in a secure manner - disable root login via ssh, disable password-based authentication completely (use a public-key/private-key pair instead), and use something such as fail2ban, which blocks inbound connections from IPs that have numerous failed login attempts. Security through obscurity is no security at all, in my book.

    Posted 1 year ago #
  6. greedyh4mster
    Member

    > Leaving SSH on port 22 is in no way insecure. Putting it on another port isn't going to stop anyone from trying to bruteforce their way in via ssh. A simple port scan will reveal what port SSH is running on. A better solution is to ensure that you configure SSH in a secure manner - disable root login via ssh, disable password-based authentication completely (use a public-key/private-key pair instead), and use something such as fail2ban, which blocks inbound connections from IPs that have numerous failed login attempts. Security through obscurity is no security at all, in my book.

    I would use a public-key/private-key pair. However, I haven't figured out how to do it yet. Hehe.

    The thing that made me decide to change my ssh port is that there are people who have bots running to brute force those with the standard port and password-based authentication. It is much faster to brute force standard ports than to scan an IP for open ports and then brute force. Changing the ssh port number is something for me to block off those script kiddies.

    And since I will be using xinetd to run dropbear upon ssh connection, that means if someone tries a login attempt, xinetd will create an instance of dropbear and CPU is utilized.

    Of course changing the ssh port number is just an additional thing, like you said. It could never be considered a proper security measure. Just like when you buy an apple, you can eat it with or without washing the apple.

    > service dropbear
    > {
    >     socket_type     = stream
    >     only_from       = 0.0.0.0
    >     wait            = no
    >     user            = root
    >     protocol        = tcp
    >     server          = /usr/sbin/dropbear
    >     server_args     = -i
    >     disable         = no
    >     port            = 21413
    > }

    This does not work. xinetd will not listen at all. However, if you add a type = unlisted, then it will work. I would use the admin's solution; much cleaner.

    This is the working xinetd script for dropbear that I have tested.

    service dropbear
    {
        socket_type     = stream
        only_from       = 0.0.0.0
        wait            = no
        user            = root
        protocol        = tcp
        server          = /usr/sbin/dropbear
        server_args     = -i
        disable         = no
        port            = 21413
        type            = unlisted
    }

    Thank you everyone for the great inputs! Helped me to learn a few things.

    Posted 1 year ago #
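    The following shell helper is an added example, not code from any of the posters: it writes the xinetd service file the thread converged on (service named "dropbear", so "type = unlisted" is required or xinetd silently ignores the "port =" line) and checks an existing file for that exact mistake. The optional second argument is assumed to carry extra Dropbear flags such as "-w" (no root logins) and "-s" (no password logins), which are real Dropbear options matching NickM's hardening advice; the services-file path is a parameter so it can be tried against a scratch directory without root.

```shell
#!/bin/sh
# Added example: build and sanity-check /etc/xinetd.d/dropbear for a
# non-standard port. Assumes Debian with xinetd and /usr/sbin/dropbear.

# Emit the service definition. Because the service is called "dropbear"
# and not "ssh", xinetd cannot look it up in /etc/services, so the
# "type = unlisted" line is what makes the "port =" line take effect.
gen_dropbear_xinetd() {
    port=$1
    extra=${2:-}          # e.g. "-w -s": disallow root / password logins
    cat <<EOF
service dropbear
{
    socket_type     = stream
    wait            = no
    user            = root
    protocol        = tcp
    server          = /usr/sbin/dropbear
    server_args     = -i${extra:+ $extra}
    disable         = no
    port            = $port
    type            = unlisted
}
EOF
}

# Flag the failure mode from the thread: a "port =" line for a service
# name that is not in the services file, without "type = unlisted".
# Returns 0 when the file is consistent, 1 (with a warning) otherwise.
check_xinetd_conf() {
    conf=$1
    services=${2:-/etc/services}
    name=$(sed -n 's/^[[:space:]]*service[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n1)
    port=$(sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$conf" | head -n1)
    unlisted=$(grep -c '^[[:space:]]*type[[:space:]]*=[[:space:]]*unlisted' "$conf" || true)
    if [ -n "$port" ] && [ "$unlisted" -eq 0 ] && \
       ! grep -q "^$name[[:space:]][[:space:]]*$port/tcp" "$services"; then
        echo "warn: '$name' is not in $services and '$conf' sets port $port without 'type = unlisted'" >&2
        return 1
    fi
    return 0
}
```

After installing the generated file and restarting xinetd, confirm the listener with "netstat -anp" (as in post 2) or "ss -ltnp" before closing the existing session.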
  7. NickM
    Member

    Here's a good page that explains how to set up key based authentication with OpenSSH (almost all of it applies to Dropbear as well, except for how to change the ssh daemon settings, obviously): http://sial.org/howto/openssh/publickey-auth/

    Posted 1 year ago #
  8. greedyh4mster
    Member

    > Here's a good page that explains how to set up key based authentication with OpenSSH (almost all of it applies to Dropbear as well, except for how to change the ssh daemon settings, obviously): http://sial.org/howto/openssh/publickey-auth/

    Thank you NickM!

    I will give it a read in a while, after I finish trying to configure iptables. =D

    Posted 1 year ago #
  9. drmike
    Member

    We actually move ssh off of port 22 not for security but because some ISPs and cafe vendors block the port as their own security measure. I believe we use 2200 as an alternative usually.

    Posted 1 year ago #
  10. EZ-CONCEPT - Isaac Kwan

    You really think too much. The easiest way, without complicated stuff, is to go straight to "vi /etc/default/dropbear" and you can change the port. Restart. It's that simple.

    Posted 1 year ago #