How to set ssh to try not only port 22 but secondary port every time?
As part of my effort to reduce noise in logs and slightly reduce discoverability (and on top of fail2ban, allowing only public key authentication, etc.), I routinely change the sshd port on servers I set up to a different port, let's say 5492. Currently I either append -p 5492 to my ssh command, or add the port for each specific server into my ssh_config.
Is there a way to configure ssh to try connecting to both port 22 and port 5492 if port 22 doesn't work?
Tags: ssh, command-line
asked Feb 17 at 9:48 by Riley; edited Feb 18 at 18:47 by GAD3R
I do prefer, instead of having security through obscurity, setting up a VPN and not having open ssh ports to the Internet at large at all.
– Rui F Ribeiro, Feb 17 at 9:55
@RuiFRibeiro I agree that it is not more secure. It does, however, keep noise down in log files. One could also use port knocking to reduce login attempts, which does increase security.
– Ned64, Feb 17 at 10:13
@RuiFRibeiro Is a VPN server more secure than an SSH server though?
– Riley, Feb 17 at 10:55
It all depends on the implementation. In my former job, I defined 2 VPN entries for redundancy, and no ssh presence whatsoever for the outside.
– Rui F Ribeiro, Feb 17 at 16:49
Security by obscurity is a good ADDITIONAL layer on top of a good setup, especially when it is about opportunistic attackers.
– rackandboneman, Feb 17 at 20:51
3 Answers
Accepted answer (score 11)
You could wrap a shell script around ssh, but ssh itself will not do it.
One way using a bash function is this (put into ~/.bashrc):

```bash
function ssh() {
    # try the default port first; fall back to the custom port if that attempt fails
    command ssh -p 22 "$@" || command ssh -p 5492 "$@"
}
```

By the way, it is recommended to use root-reserved ports for system services like ssh, in order to prevent users from having a process that listens on, say, port 5492. They may otherwise play man in the middle and possibly capture login data. So, use a port < 1024.
answered Feb 17 at 9:54 by Ned64, edited Feb 17 at 14:50
That's a great solution. Also a great note on the ports!
– Riley, Feb 17 at 10:57
Note that the second connection will be made even if the first one succeeds if the command executed by `ssh` returns non-zero. A trivial example would be `ssh user@server false`.
– Kusalananda, Feb 17 at 14:44
@Kusalananda Thanks, I have written `command` now. Just wanted to avoid recursion, as you have guessed right.
– Ned64, Feb 17 at 14:52
The problem @Kusalananda mentions can be (mostly) avoided by testing the specific exit status of `ssh` -- if there's an ssh error (as opposed to the remote command failing), it'll exit with a status of 255. Thus, `command ssh -p 22 "$@"; if [ "$?" -eq 255 ]; then command ssh -p 5492 "$@"; fi` should work.
– Gordon Davisson, Feb 17 at 22:15
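A wrapper that applies the exit-status test from Gordon Davisson's comment and generalises it to an ordered list of ports, as an added example rather than Ned64's function. SSH_PORTS, SSH_BIN, SSH_PORT_USED and ssh_try_ports are assumed names; SSH_BIN exists so the fallback logic can be exercised against a stand-in instead of a live server.

```shell
# Ordered list of ports to try; the assumed defaults are the page's 22, then 5492.
SSH_PORTS="${SSH_PORTS:-22 5492}"
# The real ssh. Point this at the binary (e.g. /usr/bin/ssh) if you shadow ssh
# with a shell function, or at a stand-in when testing the logic.
SSH_BIN="${SSH_BIN:-ssh}"
# Port on which sshd actually answered; set by ssh_try_ports once a session ran.
SSH_PORT_USED=""

# ssh_try_ports [ssh options] host [command]
# Per ssh(1), ssh exits 255 only when the connection or session itself failed
# (refused, timed out, host-key or authentication rejection). Any other status
# belongs to the remote command, so we stop and report it instead of opening a
# second session the way `cmd1 || cmd2` does for `ssh host false`.
ssh_try_ports() {
    status=255
    for port in $SSH_PORTS; do
        # Running the attempt as an `if` condition keeps `set -e` from aborting.
        if "$SSH_BIN" -p "$port" "$@"; then
            status=0
        else
            status=$?
        fi
        if [ "$status" -ne 255 ]; then
            SSH_PORT_USED=$port   # sshd was reached here, whatever the command did
            return "$status"
        fi
    done
    return 255   # every port failed at the ssh level
}
```

To use it as a drop-in, set SSH_BIN to the real binary path and add `ssh() { ssh_try_ports "$@"; }` to ~/.bashrc; the explicit path avoids the recursion the comments above mention.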
Answer (score 9)
ssh itself can do this via Match, documented in ssh_config(5), though the documentation is somewhat sparse on examples. This form may be suitable if one wants to push the complexity into the SSH configuration, though it is restricted by the limitations of the ssh_config(5) syntax and may require some fiddling with for the desired outcome. Notably the custom port can either not be set or can be set wrongly from the previous Match attempt. This is why, below, it is set twice when tested for, or once for the default, and is not set when establishing the canonical defaults.

```
# here we set the defaults for the host (no port!)
Match !canonical host testhost
    CanonicalizeHostname yes
    Hostname 192.0.2.42
    IdentityFile ~/.ssh/id_blahblah
    ...
# port available?
Match canonical host 192.0.2.42 exec "is-ssh-up %h 2222"
    Port 2222
# or the default port
Match canonical host 192.0.2.42
    Port 22
```

is-ssh-up merely checks whether something responds on the given port and might look like

```tcl
#!/usr/bin/env expect
package require Tcl 8.5
if {[llength $argv] < 2} {
    puts stderr "Usage: is-ssh-up host port"
    exit 1
}
puts stderr "is-ssh-up: DEBUG trying $argv"
set socket [socket -async [lindex $argv 0] [lindex $argv 1]]
chan event $socket readable [list exit 0]
after 3000 [list exit 1]
vwait godot
```

answered Feb 17 at 16:22 by thrig
if-then-else in .ssh/config? I wouldn't have believed it!!
– Archemar, Feb 18 at 9:56
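The is-ssh-up helper above only checks that something answers on the port; a stricter probe also confirms that what answered is an SSH server, so the Match exec test does not pick a port held by some other service. This bash version is an added example, not thrig's script: read_banner, ssh_banner_ok and is_ssh_up are assumed names, and it relies on bash's /dev/tcp redirection.

```shell
# read_banner HOST PORT [TIMEOUT]: print the server's SSH identification line.
# Uses bash's /dev/tcp (an assumption; substitute `nc -w "$timeout" HOST PORT`
# on shells without it). The subshell matters: a failed connect is a
# redirection error on `exec`, which must not take the calling shell down.
read_banner() {
    host=$1; port=$2; timeout=${3:-3}
    cr=$(printf '\r')
    (
        exec 3<>"/dev/tcp/$host/$port" || exit 1
        # RFC 4253 section 4.2 allows a server to send other lines before the
        # identification string, so skip lines that do not start with SSH-.
        n=0
        while [ "$n" -lt 10 ] && IFS= read -r -t "$timeout" line <&3; do
            line=${line%"$cr"}   # the line is CRLF-terminated; drop the CR
            case $line in SSH-*) printf '%s\n' "$line"; exit 0 ;; esac
            n=$((n + 1))
        done
        exit 1
    ) 2>/dev/null
}

# ssh_banner_ok BANNER: accept only "SSH-2.0-..." (or "SSH-1.99-...", which
# also speaks version 2). A web server or anything else answering on the
# port is not an endpoint the Match rule should select.
ssh_banner_ok() {
    case $1 in
        SSH-2.0-*|SSH-1.99-*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_ssh_up HOST PORT [TIMEOUT]: exit 0 only when an SSH-2 server answered,
# so it can replace the expect script under the same `is-ssh-up %h 2222` call.
is_ssh_up() {
    banner=$(read_banner "$1" "$2" "${3:-3}") || return 1
    ssh_banner_ok "$banner"
}

# To install as the is-ssh-up script called from Match exec, save this with a
# #!/bin/bash first line and uncomment:
# is_ssh_up "$@"
```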
Answer (score 1)
You can use the wildcard function of ~/.ssh/config, putting this entry in your list:

```
Host *
    Port 5492
```

But this won't fall back to 22 by itself.
If you put it at the end, you can still override it for those hosts where you need 22 by putting a different value above it. (And you can always override it on the command line.)
answered Feb 17 at 14:38 by Paŭlo Ebermann