Comments
What do you mean by "different permissions"? What do you want to achieve?
A little add-on security through obscurity, but with a different twist: selected user(s) can access only one of the two SSH ports, but not the other, standard (22) port. This will be coupled with fail2ban rules making port scans impractical.
You can use iptables rules to access xyz port only from selected IP address and deny all other IPs.
For permissions you can create user accounts with fewer privileges.
Sorry, but that's rarely a good idea.
Anyhow, it's still not clear why not everyone should use the same SSH service.
I want to keep the standard port 22 open, but with no system user permitted to authenticate, hence a kind of passive "honeypot".
On this opinions vary. My take on this is that an additional layer of security never hurts.
EDIT: I know how to specify enumerated users access in sshd_config. My question is: how to limit their access only to one of the open ports?
Just run the actual SSH service on your desired port and a honeypot service on 22. Even though I wonder if it is a good idea to run a honeypot service on a machine which is not a dedicated honeypot (or is it?).
Security through obscurity can be in certain cases a legitimate tool, one has to be rather careful and experienced though.
Indeed. Hence, I'm not keen on employing a classic honeypot, something I have no experience with, nor need for. I'm not interested in "playing" with attackers, only a little misdirection, allowing them to waste resources on attacking the standard SSH port, configured, however, to make it practically impossible to break in.
In this case I'd really suggest using a service which was specifically developed for honeypot purposes instead of trying to configure a regular service to work in such a restricted mode (one mistake and your system would be open).
But then again, I'd run this only on a dedicated honeypot machine.
My god, is it so hard to stick to the OP question instead of always repeating this obscurity, no security, omg-bs?
@aglodek
This is probably what you are looking for: https://support.ssh.com/manuals/server-admin/44/Restricting_User_Logins.html
If you are using OpenSSH (probably), you can read the man page: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5
You can have multiple ssh services running, and different configs for them.
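What the pointer above amounts to in practice, as an added example that is not part of the thread and not any poster's actual setup: in OpenSSH a single sshd can listen on both ports and use a `Match LocalPort` block to decide per port who may authenticate, so the "real" users are tied to one port and port 22 stays open but accepts nobody. The admin port 2222, the user name alice, the file paths and the fail2ban thresholds are placeholders chosen for the example. The helper functions validate the generated file before it is installed, because, as noted further up the thread, one typo in such a configuration can leave the box wide open.

```shell
#!/bin/sh
# Added example, not taken from the thread. Assumes OpenSSH's sshd.
# Placeholders (assumptions): 2222 is the real admin port, "alice" is the
# only account allowed there, 22 is the decoy port that accepts nobody.
set -eu

ADMIN_PORT="${ADMIN_PORT:-2222}"
ADMIN_USERS="${ADMIN_USERS:-alice}"

# One sshd, two listening ports, per-port user policy via "Match LocalPort".
# Port directives must precede the first Match block; the keywords allowed
# inside Match (AllowUsers, DenyUsers, PasswordAuthentication, MaxAuthTries,
# ...) are listed in sshd_config(5).
gen_sshd_config() {
    cat <<EOF
Port 22
Port ${ADMIN_PORT}
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
LogLevel VERBOSE

# Decoy: 22 answers like a normal server, but every user name is denied.
# sshd still walks the client through a (doomed) password exchange and logs
# the failure, which is what the fail2ban sshd filter keys on.
Match LocalPort 22
    DenyUsers *
    PasswordAuthentication yes
    MaxAuthTries 2
    AllowTcpForwarding no
    X11Forwarding no

# Real service: only the listed users, public keys only.
Match LocalPort ${ADMIN_PORT}
    AllowUsers ${ADMIN_USERS}
    PasswordAuthentication no
EOF
}

# fail2ban jail that bans on failures seen on the decoy port only
# (placeholder thresholds; goes into /etc/fail2ban/jail.local).
gen_fail2ban_jail() {
    cat <<EOF
[sshd]
enabled  = true
port     = 22
logpath  = %(sshd_log)s
maxretry = 2
findtime = 600
bantime  = 86400
EOF
}

# Prints "yes" if the file has a "Match LocalPort 22" block containing
# "DenyUsers *", i.e. the decoy port really is locked down; otherwise "no".
config_locks_port22() {
    awk '
        /^[Mm]atch /                        { in22 = ($0 ~ /LocalPort 22([^0-9]|$)/) }
        in22 && /^[ \t]*DenyUsers[ \t]+\*/  { found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Refuse a config that lacks the lock-down, or that sshd itself rejects.
# sshd -t needs readable host keys, so run this as root on the target box.
validate_sshd_config() {
    file="$1"
    [ "$(config_locks_port22 "$file")" = "yes" ] || return 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file"
    fi
}

# Generate, validate, and only then hand the file over for installation.
install_example() {
    tmp="$(mktemp)"
    gen_sshd_config > "$tmp"
    validate_sshd_config "$tmp"
    echo "config OK: $tmp  (copy to /etc/ssh/sshd_config, then reload sshd)"
}
```

Check `man sshd_config` on the target system for the `LocalPort` criterion under `Match`; older builds lack it, in which case the fallback is the second approach mentioned in this thread, a separate instance started with `sshd -f /etc/ssh/sshd_config.decoy` and its own `Port` line. Either way the decoy port is still served by the real sshd binary, so it does not reduce the exposure of sshd itself; it only stops any account from authenticating there.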
The problem I see is that legitimate users may try to login on port 22 and get blocked, blacklisted, redirected or whatever. Frustrating for the user and more work for you.
You might want to leave LET straight away, without ever looking back, if you already have such a problem with a simple and valid remark concerning security ....
Well, the nice thing about securing a service like SSH is that legitimate users are aware where to go. And if not, then they are not legitimate. It's that simple.
No, I won't leave LET just because you are telling me so. I do not have any problems with security, I am just bothered that a question is not answered properly, because people feel the need to play teachers all the times on this forum. If he wants to do it, just let him. If he makes a mistake, he will learn from it and pay the consequences like anybody else does in this world.
Actually, I don't mind different opinions, even if I strongly disagree with them.
This said, my thanks for your straight and to the point reply and for pointing me in the right direction.
I didn't tell you anything. You just won't make it long on this forum if you're already annoyed by such legitimate concerns ....
That's the difference between simply answering a question and letting the other, for lack of interest, head straight for disaster, and trying to understand the problem to find the most appropriate solution.
No offence please, but your response did not provide all that much insight either. The first link was to a commercial product (which the OP most probably does not use) and the second to a .... manpage.
Yeah, well, nevertheless, @DarioX pointed me in the right direction. Something I should have thought of myself, but there you have it. It will be interesting to see if there is any feedback from anyone who had actually implemented something like this in practice. Coupled with a few other things I have in mind, sure seems like a simple and elegant way of making things a little harder for would-be attackers (read: motivating them to direct their attentions elsewhere).
The manpage? I rest my case, if you allow me so.
You are aware that there are multiple ssh servers available and one is not forced to use openssh, right? The first link gives him an idea on how to use the features he needs and the second one is specifically for openssh (which actually is almost identical), and I even told him what he could do. Quote: "You can have multiple ssh services running, and different configs for them."
Do I have to be more specific? I believe the problem is that you like to treat people like infants, when they are not. I gave him all he needs to succeed in what he's trying to do. A "manpage" (how you like to call it) actually is the most useful thing when trying to understand a software and I'm quite upset to see that someone that "made it that far on LET" demolishes it as "just a manpage"...
@DarioX, @alessio: Simmer down, guys. I'm grateful for all pointers from the both of you. Don't waste time on pointless barbs. Life's too short for that, really.
I believe that you are making a mountain out of a molehill. The only one coming across as rather rude and patronising is you I am afraid.
I suggested one viable approach at http://www.lowendtalk.com/discussion/comment/771695/#Comment_771695 and still stand by it. One mistake in the honeypot configuration and the machine might be wide open. There is a reason why there are dedicated services for this, such as kippo.
I am certainly not saying you have to second my response and preach it from this day onwards, but a complaint in aforementioned manner is particularly in the context of LET somewhat funny.
That's not how I like to call it, I am afraid, but how it is called ....
Already implemented both on all apps boxes. However, this is not practical on gateway boxes, serving as dedicated IP access points.
We obviously have different opinions and approaches on how to help people. I'm sorry if I somehow offended you or seemed rude to you, it wasn't my intention.
I hope OP is going to succeed in what he is trying to do and wish him all the best for that.
PS: It's "man page", not a single word.
Agreed.
So the stumbling block was a missing blank? Please do tell Ubuntu too.