Secure Shell, or SSH for short, is one of the most advanced technologies for protecting data in transit. Enabling this mode on a router not only ensures the confidentiality of the transmitted information but also speeds up the exchange of packets. However, not everyone knows how to open an SSH port or why any of this is needed, so a clear explanation is in order.
SSH port: what is it and why is it needed?
Since the topic is security, the SSH port here should be understood as a dedicated communication channel, in the form of a tunnel, that provides data encryption.
In the most basic scheme, the open SSH port is used by default to encrypt information at the source and decrypt it at the endpoint. In other words, whether you want it or not, the transmitted traffic, unlike with IPSec, is encrypted unconditionally both at the output of one network terminal and at the input of the receiving side. To decrypt the information sent over this channel, the receiving terminal uses a special key. Without that key, no one can intervene in the transfer or violate the integrity of the transmitted data.
Simply opening the SSH port on any router, or using the appropriate settings of an additional client that interacts directly with the SSH server, lets you take full advantage of the security features of modern networks. The question is whether to use the default port or custom settings. These parameters may look rather complicated in the application, but one cannot do without understanding how such a connection is organized.
Standard SSH Port
If you start from the parameters of a particular router, you first need to decide which software will be used to activate this communication channel. The default SSH port can in fact be configured differently; it all depends on the method in use (direct connection to the server, installation of an additional client, port forwarding, and so on).
For example, if Jabber is used as the client, port 443 should be used for a correct connection, encryption and data transfer, although port 22 is set in the standard configuration.
To reconfigure the router for the conditions required by a specific program or process, you will have to forward the SSH ports. What does this mean? It is the assignment of a particular access path to a single program that uses the Internet connection, regardless of the settings of the current data exchange protocol (IPv4 or IPv6).
Technical rationale
As is already clear, the standard SSH port 22 is not always used. However, some characteristics and parameters used in the configuration need to be highlighted here.
Why does confidential, encrypted data transmission involve using the SSH protocol exclusively as an external (guest) user port? Simply because the tunneling it uses allows you to use the so-called remote shell (ssh), gain access to terminal management through remote login (slogin), and also use remote copy (scp) procedures.
In addition, the SSH port can also be used when the user needs to run remote X Window scripts, which in the simplest case means transferring information from one machine to another, as already mentioned, with forced data encryption. In such situations, AES-based algorithms become most necessary. AES is a symmetric encryption algorithm that was provided in SSH technology from the start, and using it is not only possible but necessary.
Implementation history
The technology itself appeared long ago. Let us set aside the question of how to forward SSH ports and dwell on how it all works.
Usually it comes down to using SOCKS-based proxies or VPN tunneling. If a software application can work with a VPN, that option is preferable. Almost all currently known programs that use Internet traffic can work with a VPN, and setting up routing is not difficult. As with proxy servers, this lets you keep the external address of the terminal from which you are currently accessing the network unrecognized. That is, with a proxy the address changes constantly, whereas with a VPN it stays unchanged, fixed to a certain region different from the one where the access ban applies.
The technology itself, which opens the SSH port, was developed back in 1995 at the Technological University of Finland (SSH-1). In 1996, an improvement followed in the form of the SSH-2 protocol, which became quite widespread in the post-Soviet space, although there, as in some Western European countries, it is sometimes necessary to obtain permission to use such a tunnel, moreover from government bodies.
The main advantage of opening an SSH port, unlike telnet or rlogin, is the use of an RSA or DSA digital signature (using a key pair consisting of a public and a private key). In addition, a so-called session key based on the Diffie-Hellman algorithm can be used, which implies symmetric encryption at the output, although it does not exclude the use of asymmetric encryption algorithms while data is transmitted and received by the other machine.
Servers and Shells
On Windows or Linux, opening an SSH port is not that difficult. The only question is which tools will be used for it.
In this respect, attention should be paid to data transfer and authentication. First, the protocol itself is well protected against so-called sniffing, the most common form of traffic "wiretapping". SSH-1 was defenseless against attacks: interference with the data transfer in the form of a "man in the middle" scheme produced results, and information could be intercepted and decrypted quite simply. The second version (SSH-2), however, was protected against this kind of interference, called session hijacking, which made it the most widespread.
Security Bans
As for the security of transmitted and received data, a connection organized with such technologies helps to avoid the following problems:
- determination of the host key at the transfer stage when a fingerprint is used;
- support for Windows and UNIX-like systems;
- IP and DNS address substitution (spoofing);
- interception of plaintext passwords by someone with physical access to the data transmission channel.
In fact, the entire system is built on the client-server principle: first the user's machine, through a special program or add-on, contacts the server, which performs the corresponding redirection.
Tunneling
It goes without saying that to make this kind of connection, a special driver must be installed in the system.
Typically, on Windows-based systems this is the Microsoft Teredo driver built into the software shell, which is a kind of virtual IPv6 emulation tool for networks that support only IPv4. The tunnel adapter is active by default. If failures related to it occur, you can simply restart the system or execute the shutdown and restart commands in the command console. The following commands, entered one after another, are used to deactivate it:
- netsh;
- interface teredo set state disabled;
- interface isatap set state disabled.
After entering the commands, reboot. To enable the adapter again and check its status, enter the same commands with enabled in place of disabled, and then restart the whole system once more.
SSH server
Now let us see which SSH port is used as the main one, starting from the client-server scheme. Port 22 is normally used by default but, as mentioned above, port 443 can also be used. The only question is the preference of the server itself.
The most common SSH servers are the following:
- for Windows: Tectia SSH Server, OpenSSH with Cygwin, MobaSSH, KpyM Telnet/SSH Server, WinSSHD, copssh, freeSSHd;
- for FreeBSD: OpenSSH;
- for Linux: Tectia SSH Server, ssh, openssh-server, lsh-server, dropbear.
All the listed servers are free. However, there are also paid services that offer an increased level of security, which is essential for organizing network access and protecting information in enterprises. The cost of such services is not discussed here, but in general it is relatively low, even compared with installing specialized software or a hardware firewall.
SSH client
Changing the SSH port is possible either in the client program or in the corresponding port forwarding settings on the router.
As for client shells, the following software products can be used on different systems:
- Windows: SecureCRT, PuTTY/KiTTY, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD, etc.;
- Mac OS X: iTerm2, vSSH, NiftyTelnet SSH;
- Linux and BSD: lsh-client, kdessh, openssh-client, Vinagre, putty.
Public Key Authentication and Port Change
Now a few words about how the server is verified and configured. In the simplest case, you use the configuration file (sshd_config). You can also do without it, for example when using programs such as PuTTY. Changing the SSH port from the standard value (22) to any other is completely elementary.
The main thing is that the number of the port to be opened must not exceed 65535 (higher port numbers simply do not exist). In addition, pay attention to the ports that are open by default and used by clients such as MySQL databases or FTPD. If you assign their port to SSH, they will of course simply stop working.
Note that the same Jabber client must run in the same environment as the SSH server, for example in a virtual machine, and the localhost server itself must be assigned the value 4430 (not 443, as mentioned above). This configuration can be used when access to the main jabber.example.com address is blocked by a firewall.
Alternatively, you can forward ports on the router itself through its interface by creating exception rules. On most models the interface is reached at an address beginning with 192.168, followed by 0.1 or 1.1 (that is, 192.168.0.1 or 192.168.1.1), but on routers that combine ADSL modem capabilities, such as MikroTik, the address ends in 88.1 (192.168.88.1).
In this case, a new rule is created and the required parameters are set, for example a dst-nat action for an external connection, and the ports are entered manually not in the general settings section but in the action settings. There is nothing particularly complicated here; the main thing is to specify the necessary settings and set the correct port. By default you can use port 22, but if you are using a specialized client (one of those listed above for the various systems) the value can be changed arbitrarily, as long as the parameter does not exceed the declared limit above which port numbers simply do not exist.
When setting up the connection, it is also worth paying attention to the client program's parameters. Its settings may require you to specify the minimum key length (512), although the default is usually 768. It is also advisable to set the login timeout to 600 seconds and allow remote access with root privileges. After applying these settings, you must also permit all authentication methods except those based on .rhosts (but this is only necessary for system administrators).
Among other things, if the name of the user registered on the remote system does not match the one currently logged in, you will need to specify it explicitly as a parameter of the ssh command (for those who understand what this is about).
The files ~/.ssh/id_dsa (or id_rsa) hold the key and determine the encryption method. The public key is derived from it and stored as ~/.ssh/identity.pub (but this is not required). As practice shows, the easiest way is to use commands such as ssh-keygen. The essence of the matter comes down to adding the key to the available authorization tools (~/.ssh/authorized_keys).
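The two steps this section describes, moving the Port directive in sshd_config and registering a public key in ~/.ssh/authorized_keys, as an added example that is not part of the original article. It works on copies of the files passed as arguments (an assumption, so nothing under /etc/ssh is touched), rejects ports outside 1-65535 and the FTP/MySQL ports the text warns about, and the public key line is a constructed sample, not a real key.

```shell
# Added example (not from the article): change the sshd Port directive in a
# given config file and add a public key to a given authorized_keys file.

# Return 0 if PORT is a valid TCP port that is not one of the well-known
# service ports the article warns about (ftpd on 21, MySQL on 3306).
valid_ssh_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) return 1 ;;            # empty or not purely numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $port in
        21|3306) return 1 ;;                # would break ftpd / MySQL
    esac
    return 0
}

# Rewrite the Port line (commented "#Port 22" included) or append one.
# Uses a temp file instead of sed -i so it works with both GNU and BSD sed.
set_sshd_port() {
    cfg=$1; port=$2
    valid_ssh_port "$port" || return 1
    tmp=$(mktemp) || return 1
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]].*/Port $port/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'Port %s\n' "$port"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
    # On a real host, run "sshd -t -f $cfg" before restarting the daemon.
}

# Print the effective port: the first uncommented Port line, else 22.
get_sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    printf '%s\n' "${p:-22}"
}

# Append a public key line to HOME/.ssh/authorized_keys (once) with the
# permissions sshd requires: 0700 on the directory, 0600 on the file.
add_authorized_key() {
    home=$1; pubkey=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    keys="$home/.ssh/authorized_keys"
    touch "$keys" && chmod 600 "$keys" || return 1
    grep -qxF "$pubkey" "$keys" || printf '%s\n' "$pubkey" >> "$keys"
}
```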
But we have gone too far. Returning to the question of configuring the SSH port, it is already clear that changing it is not so difficult. True, in some situations, as they say, you will have to sweat, because you will need to take into account the values of all the main parameters. Otherwise, the configuration comes down to either entering it in the server or client program (if that option was provided) or using port forwarding on the router. Even if you change the default port 22 to 443, you need to clearly understand that such a scheme does not always work, but only when the same Jabber add-on is installed (other analogues may use their own ports, different from the standard ones). In addition, special attention should be paid to the settings of the SSH client that will interact directly with the SSH server, if one is really to be used in the current connection.
Otherwise, if port forwarding was not provided initially (although it is desirable to perform such actions), the settings and parameters for access via the SSH protocol need not be changed. In general, no special problems are expected when creating the connection and using it afterwards (unless, of course, the settings are configured manually on the server and client). The most common approach, creating an exception rule on the router, allows you to fix all problems or avoid them altogether.