From owner-freebsd-questions@freebsd.org Wed Dec 7 01:29:29 2016
Message-ID: <584765FD.6050901@gmail.com>
Date: Wed, 07 Dec 2016 09:29:33 +0800
From: Ernie Luzar
To: freebsd-questions@freebsd.org
Subject: Re: Closed port 22 in the jail redirects to the outer system
References: <20161207002440.GA26711@becker.bs.l>
In-Reply-To: <20161207002440.GA26711@becker.bs.l>

Bertram Scharpf wrote:
> Hi,
>
> I'm fed up with my log files being polluted by failing SSH
> login attempts. I disabled password authentication totally
> so there's not really a security problem, but it's annoying.
> Using a higher port number does only help for a while.
>
> All I want to do is to log in myself from remote. Now I
> tried to do the following: A jail runs an HTTP server with
> several subpages. One of them asks for a password and then
> starts an SSH daemon that accepts just one connection and
> closes afterwards. From inside the jail then I can ssh to
> the outer machine.
>
> But: As long as the SSH daemon inside the jail doesn't run,
> the port 22 request gets caught by the outer system and
> again I get my logfiles polluted.
>
> How can I make a port 22 request fail if an SSH server is
> running on the outer machine but not inside the jail?
>
> Thanks in advance.
>
> Bertram
>

I think you gave up on using a non-default port number for ssh too quickly. I have been using port 8522 for host ssh and have the host firewall deny inbound traffic to port 22. It has been configured like this since release 2.1, and I have never had any bogus attempts to log in on that port all these long years. All port 22 login attempts get dropped by the firewall before ssh even knows it has a request, resulting in no log entries in the ssh log or the firewall log. Once you're ssh logged into the host you can use the jls command to log in to any running jail. This is the "keep it simple" method. Since you are the only remote user to know the ssh port number, this gives you what you want. NO need for the back door approach you're trying to use through the http jail server. You would need a static public ip address allocated to a jail before you could be able to remotely ssh into that jail.
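The host setup Ernie describes, written out as configuration (an added illustration, not from the post; the reply does not name the firewall, so pf, the `/etc/pf.conf` and `/etc/ssh/sshd_config` paths and the `em0` interface name are assumptions):

```conf
# /etc/ssh/sshd_config on the host (assumed path): sshd listens on the
# non-default port only, so nothing on 22 ever reaches it.
Port 8522

# /etc/pf.conf on the host (pf assumed; interface name is a placeholder).
ext_if = "em0"

# Drop inbound 22 silently. No "log" keyword, so the attempt appears in
# neither the ssh log nor the firewall log, as the reply describes.
block drop in quick on $ext_if proto tcp from any to any port 22

# Only the moved ssh port is reachable from outside.
pass in quick on $ext_if proto tcp from any to any port 8522 keep state
```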