Difference between revisions of "Changing the Astronaut SSH port"
Perspectoff (talk | contribs) |
(Added glossary link to Configuration~) |
||
(24 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
− | ( | + | This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking [[configuration~|Configuration]]s it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic. |
− | + | == Changing Windows environment variables and shortcuts == | |
− | *Create a new [[Astronaut_CPRS_client_package#Changing_environment_variables|environment variable]] ASTRO_SSH_PORT: | + | *Create a new [[Astronaut_CPRS_client_package#Changing_environment_variables|environment variable]] ''ASTRO_SSH_PORT'': |
:Start Menu -> Control Panel -> Settings -> Advanced system settings -> Advanced -> Environment variables | :Start Menu -> Control Panel -> Settings -> Advanced system settings -> Advanced -> Environment variables | ||
Line 12: | Line 12: | ||
A list of the environment variables is displayed. | A list of the environment variables is displayed. | ||
− | :-> System variables: New... : ''ASTRO_SSH_PORT'' -> Value: '' | + | :-> System variables: New... -> |
+ | :-> Variable Name: ''ASTRO_SSH_PORT'' | ||
+ | :-> Variable Value: ''22144'' | ||
− | :Although I used the default value 22 for SSH, obviously this is the value that is going to be changed. | + | :Although in this example I used the value ''22144'' (instead of the default value 22) for the SSH port, obviously this is the (somewhat arbitrary) value that is going to be chosen as your private SSH port number. Clearly whichever port value you choose will need to be forwarded by your LAN router and firewalls appropriately opened to allow traffic on this port. |
+ | |||
+ | === Change Astronaut SSH shortcut === | ||
+ | The "Astronaut SSH" shortcut that is used to invoke the PuTTY SSH client uses a command line: | ||
+ | "C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% | ||
+ | |||
+ | This must be changed to add the additional variable: | ||
+ | |||
+ | "C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT% | ||
+ | |||
+ | If using a manual [[configuration~|Configuration]] (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Astronaut SSH shortcut would be similar to: | ||
+ | "C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144 | ||
+ | |||
+ | === Change Text client shortcut === | ||
+ | The "Text client" shortcut that is used to invoke the Text client uses a command line: | ||
+ | "C:\Program Files\VistA\Putty\putty.exe" -P 22 %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS% | ||
+ | |||
+ | The revised Text client shortcut would therefore be: | ||
+ | |||
+ | "C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS% | ||
+ | |||
+ | If using a manual [[configuration~|Configuration]] (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Text client shortcut would be similar to: | ||
+ | "C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong | ||
+ | |||
+ | == Changing the OpenSSH listening port on the VistA server == | ||
+ | |||
+ | *See [https://help.ubuntu.com/9.10/serverguide/C/openssh-server.html these instructions for OpenSSH on Ubuntu Server]. The instructions for other Linux operating systems are similar. | ||
+ | |||
+ | *In brief, from the Ubuntu Server command-line terminal edit the OpenSSH [[configuration~|Configuration]] file: | ||
+ | sudo nano /etc/ssh/sshd_config | ||
+ | |||
+ | *Change the line: | ||
+ | port 22 | ||
+ | |||
+ | :to the port of your desired SSH tunnel: | ||
+ | port ''22144'' | ||
+ | |||
+ | *Restart OpenSSH: | ||
+ | sudo /etc/init.d/ssh restart | ||
+ | |||
+ | *Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. ''22144'') through. | ||
+ | |||
+ | == Why change the SSH port? == | ||
+ | The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many [http://en.wikipedia.org/wiki/Internet_bot bots on the Internet] that exist just to attempt [http://en.wikipedia.org/wiki/Brute_force_attack brute force cracking] attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a variety of [http://en.wikipedia.org/wiki/Denial-of-service_attack denial of service attack]. | ||
+ | |||
+ | While there are bots that [http://en.wikipedia.org/wiki/Port_scanning scan for open ports] (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer. |
Latest revision as of 20:56, 10 October 2012
This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking Configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.
Contents
Changing Windows environment variables and shortcuts
- Create a new environment variable ASTRO_SSH_PORT:
- Start Menu -> Control Panel -> Settings -> Advanced system settings -> Advanced -> Environment variables
There is also an Astronaut utility that brings up the environment variables:
- Start Menu -> Programs -> Astronaut -> Sessions -> Client Variables -> Environment Variables
A list of the environment variables is displayed.
- -> System variables: New... ->
- -> Variable Name: ASTRO_SSH_PORT
- -> Variable Value: 22144
- Although in this example I used the value 22144 (instead of the default value 22) for the SSH port, obviously this is the (somewhat arbitrary) value that is going to be chosen as your private SSH port number. Clearly whichever port value you choose will need to be forwarded by your LAN router and firewalls appropriately opened to allow traffic on this port.
Change Astronaut SSH shortcut
The "Astronaut SSH" shortcut that is used to invoke the PuTTY SSH client uses a command line:
"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST%
This must be changed to add the additional variable:
"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT%
If using a manual Configuration (for protected environments or on a USB drive, for example) the revised Astronaut SSH shortcut would be similar to:
"C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144
Change Text client shortcut
The "Text client" shortcut that is used to invoke the Text client uses a command line:
"C:\Program Files\VistA\Putty\putty.exe" -P 22 %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%
The revised Text client shortcut would therefore be:
"C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%
If using a manual Configuration (for protected environments or on a USB drive, for example) the revised Text client shortcut would be similar to:
"C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong
Changing the OpenSSH listening port on the VistA server
- See these instructions for OpenSSH on Ubuntu Server. The instructions for other Linux operating systems are similar.
- In brief, from the Ubuntu Server command-line terminal edit the OpenSSH Configuration file:
sudo nano /etc/ssh/sshd_config
- Change the line:
port 22
- to the port of your desired SSH tunnel:
port 22144
- Restart OpenSSH:
sudo /etc/init.d/ssh restart
- Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. 22144) through.
Why change the SSH port?
The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many bots on the Internet that exist just to attempt brute force cracking attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a variety of denial of service attack.
While there are bots that scan for open ports (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.