Hi all!

I'm wanting to close port 22 (ssh) on my home router, and I don't see any facilities in its GUI for doing that. I don't mind learning how to write an iptables rule for that, but I'd rather not have to fool around with commandline stuff on the router, especially things that require extra steps to make it persist across boots.

So, I'm trying this (please tell me if it makes sense to do it this way): I've set up a port forwarding rule on the router that forwards incoming port 22 to port 9 on the LAN side of the router. As I understand it, port 9 is a /dev/null equivalent, and it seems to block the port well enough, but are there caveats I should be aware of?

thanks!

BTW, this is an Asus RT-N16 router using their latest released firmware.

Fred
--
---- Fred Smith -- fredex at fcshome.stoneham.ma.us -----------------------------
The Lord is like a strong tower. Those who do what is right can run to him for safety.
--------------------------- Proverbs 18:10 (niv) -----------------------------
On 9/12/2015 4:16 PM, Fred Smith wrote:
> I'm wanting to close port 22 (ssh) on my home router, and I don't see any
> facilities in its GUI for doing that.

inbound ports that aren't forwarded are closed by default on most any/all NAT routers, unless the router itself is listening to said port.

--
john r pierce, recycling bits in santa cruz
On Sat, Sep 12, 2015 at 04:26:09PM -0700, John R Pierce wrote:
> On 9/12/2015 4:16 PM, Fred Smith wrote:
> > I'm wanting to close port 22 (ssh) on my home router, and I don't see any
> > facilities in its GUI for doing that.
>
> inbound ports that aren't forwarded are closed by default on most
> any/all NAT routers, unless the router itself is listening to said
> port.

Isn't there any sort of port forwarding thing? Such as forward port 2222 (I wouldn't use that one, it's too common, but as an example) to 192.168.1.5, and then have 192.168.1.5 listen on port 2222? Then have a firewall rule to allow access on that port and edit /etc/ssh/sshd_config to listen on 2222 instead of 22.

Looking at http://nextgendigitalhome.com/1829/home-network/scalable-gateway/the-asus-rt-n16-router-firmware-part-4-advanced-wan-settings/ it seems as if it would allow this and it's described in the section WAN Virtual Server/Port Forwarding.

--
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
On 09/12/2015 04:16 PM, Fred Smith wrote:
> So, I'm trying this (please tell me if it makes sense to do it this way):
> I've set up a port forwarding rule on the router that forwards incoming
> port 22 to port 9 on the LAN side of the router.

I'd suggest that you test it, but that does seem reasonable. Note that there is nothing special about port 9. There is a "discard" service that you can run on that port to consume data and discard it, but it's normally not running. In the normal state, with no service listening on port 9, it's just the same as any other port that isn't listening.
On Sun, Sep 13, 2015 at 4:46 AM, Fred Smith <fredex at fcshome.stoneham.ma.us> wrote:
> Hi all!
>
> I'm wanting to close port 22 (ssh) on my home router, and I don't see any
> facilities in its GUI for doing that.
>

man sshd_config; this option is perhaps your solution "ListenAddress." So explicitly mention your LAN port(s).

<quote>
     ListenAddress
             Specifies the local addresses sshd(8) should listen on.  The
             following forms may be used:

                   ListenAddress host|IPv4_addr|IPv6_addr
                   ListenAddress host|IPv4_addr:port
                   ListenAddress [host|IPv6_addr]:port

             If port is not specified, sshd will listen on the address and
             all prior Port options specified.  The default is to listen on
             all local addresses.  Multiple ListenAddress options are
             permitted.  Additionally, any Port options must precede this
             option for non-port qualified addresses.
</quote>

HTH

--
Arun Khan
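Applying the ListenAddress rules quoted above, as an added example (not code from the thread or from OpenSSH): a small checker that works out which sockets a given sshd_config text would bind and flags the two things this thread cares about, a Port option placed after a port-less ListenAddress (the ordering rule in the man page) and a binding on all local addresses, which on a router includes the WAN side. The config fragments it is run on are constructed; 192.168.1.5 and 2222 are the values Scott used as examples.

```python
"""Compute the sockets an sshd_config would bind, following the ListenAddress
rules quoted from sshd_config(5): an address without a port listens on every
Port option that precedes it, and with no ListenAddress at all sshd listens
on all local addresses. Added example; not code from the thread or OpenSSH."""
from typing import List, Optional, Tuple

DEFAULT_PORT = 22
ALL_ADDRESSES = ("0.0.0.0", "::")


def parse_listen_address(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host', 'host:port' or '[IPv6_addr]:port' into (address, port)."""
    if value.startswith("["):                 # [host|IPv6_addr]:port form
        addr, _, rest = value[1:].partition("]")
        return addr, int(rest[1:]) if rest.startswith(":") else None
    if value.count(":") == 1:                 # host|IPv4_addr:port form
        addr, port_s = value.split(":")
        return addr, int(port_s)
    return value, None                        # bare host, IPv4 or IPv6 address


def effective_bindings(config: str) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return ([(address, port), ...], [problems]) for one sshd_config text."""
    ports: List[int] = []
    bindings: List[Tuple[str, int]] = []
    problems: List[str] = []
    seen_portless_listen = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port":
            if seen_portless_listen:          # the man page's ordering rule
                problems.append(f"Port {value} comes after a ListenAddress without a port; move it up")
            ports.append(int(value))
        elif key == "listenaddress":
            addr, port = parse_listen_address(value)
            if port is None:                  # inherits every Port seen so far
                seen_portless_listen = True
                bindings.extend((addr, p) for p in (ports or [DEFAULT_PORT]))
            else:
                bindings.append((addr, port))
    if not bindings:                          # no ListenAddress: all local addresses
        bindings = [(a, p) for a in ALL_ADDRESSES for p in (ports or [DEFAULT_PORT])]
    for addr, port in bindings:
        if addr in ALL_ADDRESSES:
            problems.append(f"port {port} is bound on every interface, WAN side included")
    return bindings, problems
```

Run it on the router's own sshd_config (or the LAN host's) before relying on a forwarding rule: an empty problem list and only LAN addresses in the bindings is what you want to see.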