I have a firewall (actually, it's a CISCO router with hardcore rules
defined) that I have set up to allow only a few ports access.
One of these ports is 80 (for http) and another is 22 (for SSH). My
problem is this: SSH connections happen on port 22, but they also require
higher port numbers once the connection is established.
For example, my last few sessions were on ports 1710, 1735, 1753 and then
on 1933, 1242, 3142 and 2049.
I am trying to determine which ports are required for an SSH connection,
but it seems almost random.
Is there any way to set the SSH Server to only use certain ports (like a
range of 1700-1999) or do I just need to allow a whole slew of ports access
through my router?
Pretty scary stuff from a security standpoint. Any advice would be
appreciated, either here (in comp.security.ssh) or via follow-up e-mail.
Thanks in advance.
What you are seeing is not SSH's "fault", it is how TCP in general works.
The HTTP connections you allow through your firewall do the same thing.
A TCP server "listens" on a "well known port", such as 80 for HTTP, 21
for TELNET, and 22 for SSH.
A client program on the "outside" requests a connection by sending a
packet to that port number. Your router will let that packet through.
The server receives the request packet, allocates a high numbered port
(above 1024) and sends a packet back to the client telling it what
high numbered port to use.
Communication flows back and forth with that high numbered port.
So what you need to do is:
Block all "low numbered ports" except HTTP and SSH
Allow all other ports
Trust your servers not to listen on non-blocked ports.
Again, this isn't a SSH thing, it's a TCP thing. HTTP does exactly the
same thing.
--
Mark Atwood | Thank you gentlemen, you are everything we have come to
z...@ampersand.com | expect from years of government training. -- MIB Zed
> I am not sure if this question has already been asked, so I apologize if I
> missed it in the FAQ or on this group.
>
> I have a firewall (actually, it's a CISCO router with hardcore rules
> defined) that I have set up to allow only a few ports access.
>
> One of these ports is 80 (for http) and another is 22 (for SSH). My
> problem is this: SSH connections happen on port 22, but they also require
> higher port numbers once the connection is established.
>
> For example, my last few sessions were on ports 1710, 1735, 1753 and then
> on 1933, 1242, 3142 and 2049.
>
> I am trying to determine which ports are required for an SSH connection,
> but it seems almost random.
>
> Is there any way to set the SSH Server to only use certain ports (like a
> range of 1700-1999) or do I just need to allow a whole slew of ports access
> through my router?
>
> Pretty scary stuff from a security standpoint. Any advice would be
> appreciated, either here (in comp.security.ssh) or via follow-up e-mail.
Don't know about the SSH point of view. But there should be NO servers
using ports above 1023.
Hugo.
+------------------------+------------------------------+
| Hugo van der Kooij | mailto:hvdk...@caiw.nl |
| Oranje Nassaustraat 16 | http://www.caiw.nl/~hvdkooij |
| 3155 VJ Maasland | (De man met de rode hoed) |
+------------------------+------------------------------+
Try this:
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
| Don't know about the SSH point of view. But there should be NO servers
| using ports above 1023
|
Not that you're wrong; there should be no servers up there. But:
X11 6000
lotusnotes 1352
ircd 6667
And isn't there an NFS thing at 2049?
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
>Hugo van der Kooij wrote:
>| Don't know about the SSH point of view. But there should be NO servers
>| using ports above 1023
>Not that you're wrong; there should be no servers up there. But:
>X11 6000
>lotusnotes 1352
>ircd 6667
>And isn't there an NFS thing at 2049?
Yup, and why is this a problem? If you trust
applications merely because they answer on the
right port, you deserve what you get.
--kyler
> you're very confused! what would happen if more than one connection
> came into ssh! like most daemons it forks and creates a new port above
> 1024 for communication and the original process is still listening at
> port 22.
No, I am not confused. You should take a book and read how TCP/IP protocols
really work; it helps in the security field, where you have to deal with
networking protocols all the time. Here's what basically happens:
Each TCP connection has specific data that makes it unique. This data
consists of two 32-bit numbers (host address of server and host address of
client) and two 16-bit numbers (server port number and client port
number).
Let's say I have a PC (pc.stallion.ee) where I have F-Secure SSH Windows
client and a Unix server (server.stallion.ee) where I have SSH server. I
open a ssh connection from PC to server, then I open another window and do
the same there. After that I have two ssh connections between 2 machines.
The connection parameters for the two connections are
pc.stallion.ee:20770:server.stallion.ee:22 and
pc.stallion.ee:20774:server.stallion.ee:22, these are like identifier
strings for the TCP connections. Now when a packet is moving from PC to
server it still goes to port 22 on the server. Yes, sshd is forked to open
a new daemon process, but all the forked processes are using port 22. The
system remembers pairs of hostnames (actually IP addresses) and port
numbers, and according to the client's source port address (which really is
unique every time) it knows which sshd daemon process it belongs to.
I hope this cleared it up a little bit. For example FTP negotiates a port
above 1024 for the data connection, but most TCP protocols don't.
Jyri Kaljundi
j...@stallion.ee
AS Stallion Ltd
http://www.stallion.ee/
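As an added demonstration of the point Jyri makes above (every connection to sshd keeps server port 22; only the client's source port differs) and of the router rule Mark Atwood's reply argues for, here is a small Python 3 script. It is not code from this thread or from any SSH product. It opens three loopback TCP connections to one listener and reports the 4-tuple the kernel records for each, then runs four constructed (not captured) inbound packets through a simplified model of a stateful router rule: new connections are permitted only to the listed service ports, and any other inbound packet is permitted only when its ACK bit is set, which is what the Cisco IOS `established` ACL keyword matches on. The listener port, the service-port set and the packet list are assumptions of the example.

```python
import socket

# The two "well known" service ports the router is meant to let in
# (from the question: 80 for HTTP, 22 for SSH).
SERVICE_PORTS = {22, 80}


def connection_tuples(n_clients=2):
    """Open n_clients TCP connections from loopback to one listener and
    return (listen_port, tuples), where each tuple is the server-side view
    (client_ip, client_port, server_ip, server_port) of one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    srv.listen(n_clients)
    listen_port = srv.getsockname()[1]

    clients, accepted = [], []
    for _ in range(n_clients):
        # On loopback the handshake completes inside the kernel, so a
        # connect() followed by accept() needs no extra thread.
        clients.append(socket.create_connection(("127.0.0.1", listen_port)))
        conn, _ = srv.accept()
        accepted.append(conn)

    tuples = []
    for conn in accepted:
        server_ip, server_port = conn.getsockname()   # our side: always the listen port
        client_ip, client_port = conn.getpeername()   # their side: an ephemeral port
        tuples.append((client_ip, client_port, server_ip, server_port))

    for s in clients + accepted + [srv]:
        s.close()
    return listen_port, tuples


def ports_seen(tuples):
    """Return (server_ports, client_ports): the distinct port numbers on each side.
    The server-side set has one element; the client-side set has one per connection."""
    return {t[3] for t in tuples}, {t[1] for t in tuples}


def router_allows_inbound(dst_port, ack_set):
    """Simplified model of the rule the thread converges on: an outside host may
    open a connection only to a listed service port; any other inbound packet is
    accepted only if it belongs to an already established connection (ACK set).
    Returns True if the packet is permitted."""
    if dst_port in SERVICE_PORTS:
        return True
    return ack_set


def classify_sample_packets():
    """Run four constructed inbound packets (not real captures) through the
    rule and return a list of (description, allowed) pairs."""
    # (description, destination port on our side, ACK flag set?)
    packets = [
        ("SYN to sshd on 22", 22, False),
        ("SYN to httpd on 80", 80, False),
        ("ACK for an existing session, our side port 1710", 1710, True),
        ("unsolicited SYN to port 2049", 2049, False),
    ]
    return [(desc, router_allows_inbound(port, ack)) for desc, port, ack in packets]


if __name__ == "__main__":
    port, tuples = connection_tuples(3)
    print("listener on 127.0.0.1:%d" % port)
    for client_ip, client_port, server_ip, server_port in tuples:
        print("  %s:%d -> %s:%d" % (client_ip, client_port, server_ip, server_port))
    server_ports, client_ports = ports_seen(tuples)
    print("server-side ports used:", sorted(server_ports))
    print("client-side ports used:", sorted(client_ports))
    for desc, allowed in classify_sample_packets():
        print("  %-50s %s" % (desc, "permit" if allowed else "deny"))
```

Running it shows the same server port on every line and a different client port on each, so a filter keyed on the server's service port admits all of them and no range such as 1700-1999 has to be opened. The "high numbered" ports in the original question are the peer's ephemeral source ports; the only inbound packets that legitimately arrive at a high port on the protected side are replies to connections that side opened, which is exactly the case the established-only rule covers.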
> Jyri Kaljundi wrote:
> > >
> > > Communication flows back and forth with that high numbered port.
> >
> > Are you sure?! I have always known that SSH uses _only_ port 22 on the
> > server and not anything else, I don't think it uses anything else. Well,
> > the client source port is not 22, that is something in the 1000-2000
> > range, but the server never suggests any other ports to be used.
> >
> > We are not talking about FTP protocol here if you think about how that
> > works.