Difference between revisions of "Changing the Astronaut SSH port"

From VistApedia
Jump to: navigation, search
(Changing the OpenSSH listening port on the VistA server)
Line 1: Line 1:
 
 
This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.
 
This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.
  
Line 58: Line 57:
  
 
*Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. ''22144'') through.
 
*Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. ''22144'') through.
 +
 +
== Why change the SSH port? ==
 +
The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many bots on the Internet that exist just to attempt brute force cracking attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a type of denial of service attack.
 +
 +
While there are bots that scan for open ports (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.

Revision as of 01:25, 3 March 2010

This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.

Changing Windows environment variables and shortcuts

Start Menu -> Control Panel -> Settings -> Advanced system settings -> Advanced -> Environment variables

There is also an Astronaut utility that brings up the environment variables:

Start Menu -> Programs -> Astronaut -> Sessions -> Client Variables -> Environment Variables

A list of the environment variables is displayed.

-> System variables: New... ->
-> Variable Name: ASTRO_SSH_PORT
-> Variable Value: 22144
Although in this example I used the value 22144 (instead of the default value 22) for the SSH port, obviously this is the (somewhat arbitrary) value that is going to be chosen as your private SSH port number. Clearly whichever port value you choose will need to be forwarded by your LAN router and firewalls appropriately opened to allow traffic on this port.

Change Astronaut SSH shortcut

The "Astronaut SSH" shortcut that is used to invoke the PuTTY SSH client uses a command line:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST%

This must be changed to add the additional variable:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT%

If using a manual configuration (for protected environments or on a USB drive, for example) the revised Astronaut SSH shortcut would be similar to:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144

Change Text client shortcut

The "Text client" shortcut that is used to invoke the Text client uses a command line:

"C:\Program Files\VistA\Putty\putty.exe" -P 22 %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%

The revised Text client shortcut would therefore be:

"C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%

If using a manual configuration (for protected environments or on a USB drive, for example) the revised Text client shortcut would be similar to:

"C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong

Changing the OpenSSH listening port on the VistA server

  • In brief, from the Ubuntu Server command-line terminal edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config
  • Change the line:
port 22
to the port of your desired SSH tunnel:
port 22144
  • Restart OpenSSH:
sudo /etc/init.d/ssh restart
  • Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. 22144) through.

Why change the SSH port?

The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many bots on the Internet that exist just to attempt brute force cracking attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a type of denial of service attack.

While there are bots that scan for open ports (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.