Set Ssh Port

Posted By admin  On 01.05.21



By default, SSH runs on port 22. A port is simply a communication endpoint where a process is routed once it arrives on a server. To connect through SSH, a user requires the port number (e.g. 22 in this case) and a public IP address of the server alongside a. Connect and share knowledge within a single location that is structured and easy to search.

Dynamic port forwarding allows for a great deal of flexibility and secure remote connections. See how to configure and use this SSH feature.

Many enterprises use Secure Shell (SSH) accessible jump servers to access business-critical systems. Administrators first connect to a jump server using SSH, possibly through a VPN, before connecting to the target system. This method usually works great as long as an administrator sticks with command-line administration. It gets a bit more tricky when an administrator wants to break out of the command-line realm and use a web-based interface instead.

Let's look at the following scenario: Bob is a system administrator at Securecorp, and he just got an alert indicating that a database cluster consisting of sirius.securecorp.io and orion.securecorp.io is performing poorly. For an initial analysis, he usually uses the RHEL8 web console. The firewall doesn't allow him to connect directly to this system from his workstation, but he can go through a jump server called bastion.securecorp.io.

[ You might also enjoy: 6 essential SSH guides for sysadmins ]

SSH command-line access to the database cluster is straightforward:

But what if Bob wants to access the RHEL8 web console of sirius.securecorp.io and orion.securecorp.io? There are multiple ways to achieve this goal using SSH, all involving port forwarding of some sort.

Set Ssh Port Capistrano

Set Ssh Port

Disclaimer: In some organizations, security policies do not allow port forwarding. To make sure that you don't breach any rules, please consult with your IT security representative.

SSH port forwarding

Using SSH, Bob opens a TCP tunnel for both systems, pointing to the web console port (9090) for sirius.securecorp.io and port 9091 for orion.securecorp.io.

Linux Security

Bob can now point his local workstation's browser to https://localhost:9090 to access the web console for sirius.securecorp.io, and https://localhost:9091 to access the web console for orion.securecorp.io.

This approach might work well in certain cases but has its limitations:

SshSsh
  • TLS certificate validation: The local browser is unhappy because, in most cases, the certificate Common Name doesn't match with the hostname in the address bar (localhost), so the certificate validation fails.
  • Redirects: When the website you are accessing redirects you to another URL, the connection fails because port forwarding is only valid for exactly this web server. This situation might be a problem when using single sign-on (SSO), for instance.

Start a browser on the jump server

Bob would also be to start a browser such as Firefox on the jump server and display it locally on his workstation. SSH provides a feature called X forwarding, which can be used in this situation.

Set ssh port used

Using this method, the browser process runs on the jump server, and the connections to the web consoles of sirius.securecorp.io and orion.securecorp.io are allowed. Only the rendering of the browser window happens on Bob's workstation.

While this approach solves some problems of plain SSH port forwarding, it also has limitations:

  • Performance: This method usually performs rather poorly because the graphical output has to be transferred from the jump server to the workstation through the network, which is very inefficient.
  • Prerequisites: A browser such as Firefox needs to be installed on the jump server, and an X server needs to be running on the workstation.

Enter dynamic port forwarding

Having explored the previous two approaches and learned about their disadvantages, it would be great to have a third option, which brings us the best of both worlds:

  • The workstation's browser can be used.
  • Connectivity and DNS name resolution should be the same as on the jump server.

To achieve this, SSH provides a feature called dynamic port forwarding, which leverages the SOCKS protocol. In this configuration, SSH acts as a SOCKS proxy, relaying all relevant traffic through the SSH connection. For this to happen, the client (in our example, it is the browser) needs to be SOCKS-aware.

Bob can initiate an SSH session with dynamic port forwarding as follows:

After that, the browser on Bob's workstation needs to be made SOCKS-aware. The Firefox configuration can be accomplished like this:

  • Point the browser to about:preferences.
  • In the General tab, scroll down at the bottom, and click on Settings... in the Network Settings section.
  • In the Connection Settings window, choose Manual proxy configuration, specify localhost for SOCKS Host, 1080 as Port, and select SOCKS v5.
  • In the same window, select Proxy DNS when using SOCKS v5.

Kubernetes and OpenShift

Bob can now point the browser to https://sirius.securecorp.io:9090 and https://orion.securecorp.io:9090 to analyze the performance problems of his two database servers using the RHEL8 web console. He can also access any other internal resources as if the browser was running on bastion.securecorp.io.

Note: Port 1080 is the IANA registered port for SOCKS, but the connection can use any other port. The numbers in the SSH and browser configuration have to match.

Personally, I found it useful to create a separate browser profile so it is not necessary to constantly switch between proxy configurations. A new profile can be created by passing the -P switch to the firefox command, launching the Profile Manager. I called my profile Jump. After creating a new profile, an empty configuration is created. In this profile, I applied the configuration as described above while leaving my default profile untouched.

After creating the profile, Firefox can be launched with the following command:

Another helpful tip is to create a host-specific configuration for dynamic port forwarding in your ~/.ssh/config file. For example:

[ A free course for you: Virtualization and Infrastructure Migration Technical Overview. ]

Ubuntu Set Ssh Port

Wrap up

There are many ways to connect to internal systems using a jump server and the possibilities outlined above are by no means exhaustive. In my experience, though, SSH provides you with a very powerful tool kit, which in most cases is available and ready to go without many hurdles. Dynamic port forwarding is one of these tools and it has helped me to be more productive in specific situations, so please give it a try yourself.

Check out these related articles on Enable Sysadmin

Short and complete guide to configure SSH on Cisco router and switch for secure remote connection. The Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best-known example application is for remote login to computer systems by users.

SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.

The typical use of SSH Protocol

The protocol is used in corporate networks for:

  • providing secure access for users and automated processes
  • interactive and automated file transfers
  • issuing remote commands
  • managing network infrastructure and other mission-critical system components.

Configure SSH on Cisco Router or Switch

To configure SSH on Cisco router, you need to do:

  1. Enable SSH on Cisco router.
  2. Set Password for SSH.
  3. Force remote access to use SSH.
  4. Enable Password Encryption.
  5. Add domain name Server (DNS).
  6. Add Username and Password.

Let’s enable and configure SSH on Cisco router or switch using the below packet tracer lab. The configure on a packet tracer lab and real Cisco devices are the same. Just try to learn and do it what the SSH remote authentication needs.

Download the packet tracer lab or create your own lab. SSH Configuration Packet Tracer Lab.

In this example, I just enable and configure SSH on SW1 and trying to access it from PC1. It’s enough to learn how to configure SSH on Cisco router.

That’s all. Let’s check the process one by one.

  1. I have set DNS domain name with “IP domain-name” command.
  2. Then configure the router to use RSA key pair with modulus size of 1024 bites for remote service authentication with “crypto key generate rsa” command.
  3. Add username “Admin” with Password of “Technig” for ssh authentication.
  4. Enabled ssh with “line vty 0 4” command.
  5. Configure ssh to use local username and password with “login local” command. Remember that you can set a username and password for ssh with “username Admin password Technig” command as well. But here we configure ssh to use local username and password.
  6. Configure the router to accept only ssh connection with “transport input ssh” command.
  7. Configure ssh to version 2 using “IP ssh version 2” and set the authentication times to 3 with “IP ssh authentication-retries 3” command.
  8. Finally set the ssh timeout to 120 seconds with “IP ssh time-out 120” command.

Linux Set Ssh Port

Related Article:Install SSH on CentOS 8.x and Red Hat Linux

The final step is to test the connectivity of ssh from PC1 with “ssh -l Admin 192.168.1.1” command for command prompt.

Set Ssh Port

OK, the ssh works perfectly.