SSH change port - possible ?


Postby mvalent » Mon Nov 12, 2007 9:44 pm

Is it possible to change the SSH port number?
It is for security reasons. Port 22 is the classic SSH port, so all attacks go there by default...
mvalent
Novice
Posts: 40
Joined: Tue Nov 14, 2006 2:48 am

Postby mischaq » Wed Nov 21, 2007 12:41 pm

Well - I'd be interested in this too.

What are your experiences: is the DS woken more often when port 22 is open? I get the impression that my DS gets scanned (and thus wakes up from hibernation) more often when I have port 22 open.

Particularly because this is the only standard port which I have open to my LAN (for HTTP and FTP I have configured alternative ports for security reasons).

Any comments?
cheers, mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby Svuppe » Wed Nov 21, 2007 1:13 pm

I don't get many attacks on port 22. Once or twice per month, that is all.
I have thought of restricting access to port 22 to a few known IP address ranges, namely the ones I usually connect from. This is possible to set up in my router. But I opted not to do this, as I may one day find myself in need of access from somewhere else.
Instead I have changed the SSH setup in my 107+ (and before that, my 101j) to only allow key authentication, and not passwords. So hackers may try as many passwords as they like. Even if they should happen to guess my root password, they are still not getting in 8)

The only drawback of this solution is that I will need to have my key file with me, but that is no problem as I usually have a small USB flash drive on me already.
Svuppe
Student
Posts: 65
Joined: Tue Jan 16, 2007 11:17 pm

Postby mischaq » Wed Nov 21, 2007 3:02 pm

Sounds like a good idea with the key authentication.

Would you explain to me how this can be done on my 101j? 8)
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby mvalent » Wed Nov 21, 2007 3:10 pm

I asked the question because on another computer I was having automatic dictionary attacks (many, many tries per minute), and the only solution I found was to change the port.
mvalent
Novice
Posts: 40
Joined: Tue Nov 14, 2006 2:48 am

Postby mischaq » Wed Nov 21, 2007 4:56 pm

@mvalent:

How did you find out that you were subject to automatic dictionary attacks? Is there an SSH connection log somewhere that records all logins? If so, how can I read it?

The only reason I suspect SSH attacks is that my DS wakes up from hibernation when no other machines are active on the LAN (and there are very few people out there who are accessing my DS remotely at 1am). That wasn't so before I opened port 22.

thanks!
mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby Svuppe » Wed Nov 21, 2007 6:03 pm

mischaq wrote: would you explain to me how this can be done on my 101j? 8)

Sure. Take a look at this old thread:
http://www.synology.com/enu/forum/viewtopic.php?t=1410

It contains quite a bit about enabling SSH in the first place (which was present but not enabled in the old firmwares). After the new 518 firmware and the SSH patch, disregard all of that. You only need to edit the /etc/ssh/sshd_config file, and then generate and install the key set.

The config only needs minor changes. This is what I've done to mine:

Uncomment these two lines:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Uncommenting the above two lines may not even be needed, as these should be the default settings anyway, but it doesn't hurt.

Then uncomment the PasswordAuthentication line, and change the yes to no.
Now you can't use passwords anymore, so you are forced to authenticate with keys. NOTE: This may very well interfere with the rsync encrypted backup feature that some DiskStation models have. If you need this feature, then don't attempt this modification at all!!!

Lastly, almost at the bottom of the file, uncomment DenyUsers and change admin to none.
Save and close.

Now go on and generate a key set and install it as described here:
http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess#client
Svuppe
Student
Posts: 65
Joined: Tue Jan 16, 2007 11:17 pm

Postby mvalent » Wed Nov 21, 2007 6:54 pm

mischaq wrote: @mvalent:
How did you find out that you were subject to automatic dictionary attacks?

It was on a computer with Mandriva Linux, and I noticed this attack by reading some security log with "Webmin". Very scary...
mvalent
Novice
Posts: 40
Joined: Tue Nov 14, 2006 2:48 am

Postby mischaq » Wed Nov 21, 2007 11:00 pm

Thanks Svuppe!
Some questions....

- Why do I need to uncomment user admin?
- On the second link - can I type exactly the commands as stated there... stuff like "slug" etc.? ...make directories? ...as stated in the chapter "Configure SSH Server for Public Key Access"

...hm - then maybe that's a bit too much for me as a newbie.
Would there be an easy way to come back if something goes wrong?

thanks!
mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby Svuppe » Thu Nov 22, 2007 9:06 am

Actually I don't know if "deny none" is needed or not. I just found it on a webpage back when I did the modification.

I don't really see any commands with "slug" in them. Whenever the text says "slug" or "NSLU2", just imagine it says DiskStation instead.
The first commands shouldn't be needed, as the DiskStation already has a /root directory. You do need to run the following commands (mkdir .ssh and so on) exactly as stated.
When you reach the "nano" command, you don't need to do the rest, if you have already changed /etc/ssh/sshd_config as I described yesterday.
Now you can reboot. There is a script somewhere that can restart the sshd server without rebooting, but I can't remember exactly where that is on the Synology. It isn't as the webpage states. Just reboot, that is much easier.

In case of anything going wrong: make sure you can access the DiskStation with ordinary telnet before you begin. If you only have SSH access, and you screw up something with SSH, you're in deep cow dung. But with telnet, you can access the DiskStation without SSH, and fix whatever has happened.
And to be able to fix things, make sure you keep a copy of the original /etc/ssh/sshd_config file. Just make a copy before you start editing it, like this:
"cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original"

And perhaps we should start thinking of moving to the appropriate "modding" section :lol:
Svuppe
Student
Posts: 65
Joined: Tue Jan 16, 2007 11:17 pm

Postby mischaq » Thu Nov 22, 2007 12:51 pm

Thanks again for your time - I'll give it a try on the weekend.

But before that I need to know more about:
---
Finally, check that the authorized_keys file is not accessible by anyone but the current user (i.e. have a mask like -rw------- when you do an ls -l):

chmod og= authorized_keys
---

How does this masking with "-rw-------" work? And what is chmod og?

If I need anything more I'll post for help... hope not to screw up my neatly running DS!

cheers!
mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby Svuppe » Thu Nov 22, 2007 1:20 pm

This page (and many others out there) explains it a lot better than I would be able to:
http://www.freeos.com/articles/3127/
Svuppe
Student
Posts: 65
Joined: Tue Jan 16, 2007 11:17 pm
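The permission question above, worked on a scratch file as an added example (not part of the thread and not Synology's code). It assumes a POSIX shell with ls, cut, chmod and mktemp; the key line it writes is a constructed placeholder, not a real public key.

```shell
#!/bin/sh
# Added example, not from the thread: what "chmod og= authorized_keys" does
# and how to read the -rw------- mask that "ls -l" prints.

# describe_mode: turn an ls -l mask such as -rw------- into words.
# Character 1 is the file type (- = regular file, d = directory); the next
# three groups of three characters are the rights of the owner, the group
# and everyone else, in that order (r = read, w = write, x = execute).
describe_mode() {
    m=$1
    for who in owner group others; do
        case $who in
            owner)  bits=$(printf '%s' "$m" | cut -c2-4) ;;
            group)  bits=$(printf '%s' "$m" | cut -c5-7) ;;
            others) bits=$(printf '%s' "$m" | cut -c8-10) ;;
        esac
        perms=""
        case $bits in *r*) perms="$perms read" ;; esac
        case $bits in *w*) perms="$perms write" ;; esac
        case $bits in *x*) perms="$perms execute" ;; esac
        [ -n "$perms" ] || perms=" none"
        printf '%s:%s\n' "$who" "$perms"
    done
}

# mode_of: print the current ls -l mask of a file.
mode_of() {
    ls -l "$1" | cut -c1-10
}

# lock_down_keys: "og=" assigns the empty set of rights to others (o) and
# group (g) and leaves the owner's rights untouched, so a -rw-rw-r-- file
# becomes -rw-------, which is the same as "chmod 600". Prints the new mask.
lock_down_keys() {
    chmod og= "$1" && mode_of "$1"
}

# Stand-alone demo on a scratch file (constructed content, not a real key).
WORK=$(mktemp -d)
KEYS="$WORK/authorized_keys"
printf 'ssh-rsa AAAA...placeholder... user@example\n' > "$KEYS"
chmod 664 "$KEYS"                       # deliberately too open, to show the change
echo "before: $(mode_of "$KEYS")"
echo "after:  $(lock_down_keys "$KEYS")"
describe_mode "$(mode_of "$KEYS")"
rm -rf "$WORK"
```

Why it matters beyond tidiness: OpenSSH's StrictModes option (on by default) makes sshd ignore an authorized_keys file, or a home or .ssh directory, that is writable by group or others, so a key that "does not work" is often just a permission mask that is too loose. Locking the file to the owner is the check to run first.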

Postby mischaq » Thu Nov 22, 2007 5:55 pm

The initial question of this thread was whether it is possible to change the SSH port to something other than 22 (which I'd also like to do).

In the above mentioned link (viewtopic.php?t=1410) there is a print of the file /etc/ssh/sshd_config.
In this file, at the beginning, port 22 is defined as the SSH port.

Does someone know if it is possible to simply put another port in there, and then SSH will run on that other port? That would be just great (and might also work for other services, such as mail notification and File Station: see viewtopic.php?t=5241&highlight=).

Can someone confirm this???

Update:
Alright - I see that this port number in /etc/ssh/sshd_config is commented out (#); does that mean this line does not have any significance to the running SSH server right now?


cheers, mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm

Postby Laurence Benjamin » Fri Nov 23, 2007 10:19 am

Yes, this will work. I did this myself some months ago. To SSH to your box afterwards, you'll have to manually set the port in PuTTY's "Session" area or use "ssh -p [port number] [user]@[server]". If you check /var/log/messages after this, you should see a dramatic decrease in SSH-based attacks.

Laurence
Laurence Benjamin
Rookie
Posts: 32
Joined: Tue Nov 14, 2006 3:16 pm
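The two sshd_config edits discussed in this thread (Svuppe's key-only authentication and Laurence's non-default port) applied to a copy of the file, as an added example that is not from the thread or from Synology. The sample config it writes is constructed to mirror the commented-out defaults described above; the functions are assumptions of this example, and it expects a POSIX shell with sed, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread or Synology: apply the sshd_config changes
# discussed above to a copy of the file, keep an untouched backup, and read
# back the value sshd would actually use for each keyword.

# write_sample_config FILE: a CONSTRUCTED stand-in for /etc/ssh/sshd_config
# with the stock commented-out lines the thread describes.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample, not a real Synology sshd_config
#Port 22
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
DenyUsers admin
EOF
}

# effective_setting FILE KEYWORD: print the value sshd would use. sshd keeps
# the FIRST uncommented value it reads for a keyword and ignores later
# duplicates, so a stray "PasswordAuthentication yes" near the top silently
# wins over a "no" further down. Prints nothing when the keyword only appears
# commented out, meaning the compiled-in default applies (port 22, etc.).
effective_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: back the file up, then set the four keywords
# whether the line was commented out (#Port 22) or already active (Port 22).
harden_sshd_config() {
    cfg=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    # Keep the original, as the thread advises, so a bad edit can be reverted
    # from a second way in (telnet, serial) without a working ssh session.
    cp "$cfg" "$cfg.original"
    sed -e "s/^#*[[:space:]]*Port[[:space:]].*/Port $port/" \
        -e 's/^#*[[:space:]]*PubkeyAuthentication[[:space:]].*/PubkeyAuthentication yes/' \
        -e 's/^#*[[:space:]]*AuthorizedKeysFile[[:space:]].*/AuthorizedKeysFile .ssh\/authorized_keys/' \
        -e 's/^#*[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Stand-alone demo on a scratch copy; the live file is deliberately not touched.
CFG=$(mktemp)
write_sample_config "$CFG"
harden_sshd_config "$CFG" 2222
for k in Port PubkeyAuthentication AuthorizedKeysFile PasswordAuthentication; do
    echo "$k -> $(effective_setting "$CFG" "$k")"
done
rm -f "$CFG" "$CFG.original"
```

Before restarting or rebooting with the real file, `sshd -t -f /etc/ssh/sshd_config` checks the edited file for syntax errors, and the first login should be attempted from a second session while the old one stays open. The script leaves the DenyUsers line alone, since the thread itself is unsure whether that change is needed. A moved port mainly cuts the log noise from scanners that only try 22; it is key-only authentication that stops a guessed password from working, and the new port still has to be forwarded on the router.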

Postby mischaq » Fri Nov 23, 2007 11:18 am

@Laurence Benjamin:
Well - that's some really cool news!!!

Just to be sure:
- Are you referring to SSH as installed with the 518/SSH patch (not the pre-518 OpenSSH install, which is very similar as far as I know)?

- So it's necessary to uncomment the Port line in /etc/ssh/sshd_config and change the number to whatever available port is wished (and change this in PuTTY accordingly)?

- Are all logins, successful or not, logged in /var/log/messages? What's the best way to open messages, maybe vi?

Thanks a lot - another good one - as well as the temperature gauge, which I like very much myself.

cheers, mischaq
mischaq
Versed
Posts: 276
Joined: Mon Jul 16, 2007 7:37 pm
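On the question of what /var/log/messages records: an added example, not part of the thread, that summarises sshd authentication events from syslog-style lines. The five log lines are constructed for the demo in the standard OpenSSH "Failed password for ... from ..." and "Accepted publickey for ... from ..." form, with addresses from the documentation ranges; the function names are this example's own, and it assumes a POSIX shell with awk, sort and head.

```shell
#!/bin/sh
# Added example, not from the thread: triage sshd log lines of the kind found
# in /var/log/messages. Everything below is CONSTRUCTED sample data.
SAMPLE_LOG=$(cat <<'EOF'
Nov 23 01:02:03 diskstation sshd[1201]: Failed password for root from 203.0.113.5 port 4433 ssh2
Nov 23 01:02:05 diskstation sshd[1201]: Failed password for invalid user oracle from 203.0.113.5 port 4434 ssh2
Nov 23 01:02:07 diskstation sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 4435 ssh2
Nov 23 01:30:00 diskstation sshd[1250]: Accepted publickey for root from 198.51.100.7 port 51022 ssh2
Nov 23 02:00:00 diskstation sshd[1260]: Failed password for admin from 203.0.113.9 port 2222 ssh2
EOF
)

# failed_by_source: read log lines on stdin, count failed password attempts
# per client address, busiest address first ("<count> <address>" per line).
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             n[ip]++
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# accepted_logins: read log lines on stdin and list successful logins as
# "<method> <user> <address>"; with key-only authentication every line here
# should say publickey, so a "password" entry is worth a second look.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
                 if ($i == "from") ip = $(i + 1)
             }
             printf "%s %s %s\n", method, user, ip
         }'
}

# top_offender: the single address with the most failures, i.e. the one a
# router rule or rate limit would address first.
top_offender() {
    failed_by_source | head -n 1 | awk '{ print $2 }'
}

echo "failed password attempts per source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "successful logins:"
printf '%s\n' "$SAMPLE_LOG" | accepted_logins
echo "top offender: $(printf '%s\n' "$SAMPLE_LOG" | top_offender)"
```

On a real box the functions read the file instead of the sample, for instance `failed_by_source < /var/log/messages`; a burst of failures for accounts like "oracle" or "test" from one address within seconds is the dictionary attack mvalent described, and after a port change that count is the number to watch drop.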
