Casper Remote – Using Custom SSH Port (22 Jul)
Overview
Casper Remote is an application from JAMF Software that allows you to immediately perform remote management tasks on computers, such as installing packages, running scripts, and binding to directory services. All of these tasks can be performed via policy in the JAMF Software Server (JSS), however Casper Remote allows you to initiate them immediately.
Details
% ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8
- Only Use SSH Protocol 2
- Limit Users’ SSH Access
- Configure Idle Log Out Timeout Interval
- Disable .rhosts Files
- Disable Host-Based Authentication
- Disable root Login via SSH
- Enable a Warning Banner
- Firewall SSH Port(s)
- Use Strong SSH Passwords and Passphrases
- Use Public Key Based Authentication
- Use Keychain Based Authentication
- Chroot SSHD (lock down users to their home directories)
- Disable Empty Passwords
- Use TCP Wrappers
- Thwart SSH Crackers (brute force attack)
- Rate-limit Incoming SSH Port Connections
- Use Port Knocking
- Use Log Analyzer
- Patch OpenSSH and Operating Systems
Casper Remote – Custom SSH Configuration
Casper Remote will use the standard SSH port of 22, unless you follow the steps below to have Casper Remote use your custom SSH port.
In the home folder of the user running the Casper Remote application, you need the following folder:
~/.ssh
It must contain a file named “config” with the following configuration:
Host *
    Port [CUSTOM SSH PORT]
Multiple SSH Configurations
You can set up multiple SSH configurations based on host name, pattern, etc., and assign a specific port or other ssh configuration options to each. The ssh_config(5) manual page describes the relevant keywords:
Host
    Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword. If more than one pattern is provided, they should be separated by whitespace. A single `*' as a pattern can be used to provide global defaults for all hosts. The host is the hostname argument given on the command line (i.e. the name is not converted to a canonicalized host name before matching).
    A pattern entry may be negated by prefixing it with an exclamation mark (`!'). If a negated entry is matched, then the Host entry is ignored, regardless of whether any other patterns on the line match. Negated matches are therefore useful to provide exceptions for wildcard matches.
...
HostName
    Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. If the hostname contains the character sequence `%h', then this will be replaced with the host name specified on the command line (this is useful for manipulating unqualified names). The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).
...
PATTERNS
    A pattern consists of zero or more non-whitespace characters, `*' (a wildcard that matches zero or more characters), or `?' (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the ``.co.uk'' set of domains, the following pattern could be used:
        Host *.co.uk
    The following pattern would match any host in the 192.168.0.[0-9] network range:
        Host 192.168.0.?
    A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark (`!'). For example, to allow a key to be used from anywhere within an organisation except from the ``dialup'' pool, the following entry (in authorized_keys) could be used:
        from="!*.dialup.example.com,*.example.com"
So, if you want multiple SSH configurations, for example one server that uses the standard SSH port “22” while everything else uses the custom port, you can use the following in your ssh config file:
Host myserver.domain.edu
    Port 22

Host *
    Port [CUSTOM SSH PORT]
You can create the above “config” file and configuration with the following command (the ~/.ssh folder must already exist):
printf "Host myserver.domain.edu\nPort 22\n\nHost *\nPort [CUSTOM SSH PORT]\n" > ~/.ssh/config
Then you do not need to pass the port option every time you use SSH to connect to a server or client that uses the standard SSH port, i.e. instead of having to type:
ssh [USERNAME]@myserver.domain.edu -p 22
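The per-host and wildcard entries above are applied by ssh using "first obtained value wins" and negated-pattern rules, which are easy to get wrong when a config grows. The following added example (not part of the original post, and not OpenSSH's own code) is a small POSIX shell resolver that reads an ssh_config-style file and reports which Port a given host name would get, honouring Host patterns with `*`, `?` and `!` negation. It only understands the Host and Port keywords (no Match) and ships with a constructed sample config; the host names and ports in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example: resolve the Port an ssh_config file yields for a host name,
# following ssh_config(5) rules: Host blocks are read in order, a block applies
# when one of its patterns matches and none of its negated patterns match, and
# the first Port obtained wins. Only Host and Port are handled (no Match).
resolve_port() {
    cfg=$1
    host=$2
    port=22      # what ssh uses when no block sets Port
    active=1     # declarations before the first Host keyword apply to all hosts
    found=0
    set -f       # stop "Host *" from expanding to file names in "set -- $line"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}        # drop comments
        set -- $line            # split on whitespace: $1 keyword, rest arguments
        if [ $# -eq 0 ]; then continue; fi
        key=$1
        shift
        case $key in
            [Hh]ost)
                active=0
                negated=0
                for pat in "$@"; do
                    case $pat in
                        '!'*)
                            neg=${pat#?}                  # strip the leading "!"
                            case $host in $neg) negated=1 ;; esac ;;
                        *)
                            case $host in $pat) active=1 ;; esac ;;
                    esac
                done
                if [ "$negated" -eq 1 ]; then active=0; fi
                ;;
            [Pp]ort)
                if [ "$active" -eq 1 ] && [ "$found" -eq 0 ]; then
                    port=$1
                    found=1
                fi
                ;;
        esac
    done < "$cfg"
    set +f
    printf '%s\n' "$port"
}

# Constructed sample config (assumed names, not from the original post):
# myserver keeps port 22, other domain.edu hosts use 2222 except bastion,
# and everything else falls through to 5555.
write_sample_config() {
    cat > "$1" <<'EOF'
# example ~/.ssh/config
Host myserver.domain.edu
    Port 22

Host *.domain.edu !bastion.domain.edu
    Port 2222

Host *
    Port 5555
EOF
}

# Stand-alone demo: resolve a few names against the sample file.
demo() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    for h in myserver.domain.edu db.domain.edu bastion.domain.edu example.com; do
        printf '%-22s -> port %s\n' "$h" "$(resolve_port "$tmp" "$h")"
    done
    rm -f "$tmp"
}
demo
```

Note that bastion.domain.edu does not get port 2222 even though it matches `*.domain.edu`: the negated pattern disables that whole Host block, so the name falls through to the `Host *` default. On a real system `ssh -G hostname` (OpenSSH 6.8 and later) prints the effective configuration, which is the authoritative check.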
OS X – Changing Default SSH Port
Here is one method of changing the default SSH port on an OS X client or server.
Edit Services File
Open the services file located at:
/private/etc/services
You should already see the following lines in the file:
# Jon Postel <postel@isi.edu>
ssh             22/udp     # SSH Remote Login Protocol
ssh             22/tcp     # SSH Remote Login Protocol
Add the following two ssh lines to the bottom of the file, but change the port number 22 to a port chosen from the list of unassigned ports, and create a new name for your SSH service.
For example:
# Custom SSH Port
ssh-cust-port   [CUSTOM SSH PORT]/udp     # SSH Remote Login Protocol
ssh-cust-port   [CUSTOM SSH PORT]/tcp     # SSH Remote Login Protocol
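Picking a port "from the list of unassigned ports" is worth verifying against the file you are about to edit, because launchd resolves SockServiceName through that file and a duplicate name or port gives confusing results. The following added example (not part of the original post) is a POSIX shell helper that checks a services(5)-style file for an existing owner of the chosen port and for an existing service of the chosen name, and only then appends the two lines in the same layout as the page's ssh entry. It works on a constructed sample of the ssh lines, not on the real /etc/services; the name ssh-cust-port and port 2222 used in the demo are assumptions.

```shell
#!/bin/sh
# Added example: sanity checks before adding a custom SSH service entry to a
# services(5)-style file, then the append itself.

# Print the service name that already owns PORT/tcp or PORT/udp in FILE,
# or nothing if the port is free there. Comment and short lines are ignored.
port_owner() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 == p "/tcp" || $2 == p "/udp" { print $1; exit }
    ' "$1"
}

# Exit status 0 if NAME is already defined as a service in FILE.
name_defined() {
    awk -v n="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == n { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Append NAME on PORT (udp and tcp) to FILE; refuse on any clash.
add_ssh_service() {
    file=$1; name=$2; port=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    owner=$(port_owner "$file" "$port")
    if [ -n "$owner" ]; then
        echo "port $port already assigned to $owner in $file" >&2; return 1
    fi
    if name_defined "$file" "$name"; then
        echo "service name $name already defined in $file" >&2; return 1
    fi
    printf '# Custom SSH Port\n%s\t%s/udp\t# SSH Remote Login Protocol\n%s\t%s/tcp\t# SSH Remote Login Protocol\n' \
        "$name" "$port" "$name" "$port" >> "$file"
}

# Constructed sample of the relevant /etc/services lines (not the real file).
write_sample_services() {
    cat > "$1" <<'EOF'
# Jon Postel <postel@isi.edu>
ssh             22/udp     # SSH Remote Login Protocol
ssh             22/tcp     # SSH Remote Login Protocol
EOF
}

# Stand-alone demo: one accepted entry, one refused because 22 belongs to ssh.
demo() {
    tmp=$(mktemp)
    write_sample_services "$tmp"
    add_ssh_service "$tmp" ssh-cust-port 2222 && cat "$tmp"
    add_ssh_service "$tmp" ssh-again 22 || echo "refused as expected"
    rm -f "$tmp"
}
demo
```

To use it on a real machine, point the functions at /private/etc/services; the owner check is what tells you whether the port you picked is actually unassigned in that file, which is the condition the step above relies on.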
Next, make a copy of Apple’s default SSH plist file:
cp /System/Library/LaunchDaemons/ssh.plist /System/Library/LaunchDaemons/ssh-cust-port.plist
Change the label to match your plist name, for example:
<key>Label</key>
<string>ssh-cust-port</string>
To prevent Bonjour from advertising your new service, delete these lines:
<key>Bonjour</key>
<array>
    <string>ssh</string>
    <string>sftp-ssh</string>
</array>
Next, edit the ‘Sockets’ key so the service name matches what you added to the /etc/services file:
<key>Sockets</key>
<dict>
    <key>Listeners</key>
    <dict>
        <key>SockServiceName</key>
        <string>ssh-cust-port</string>
    </dict>
</dict>
Load Custom Property List File
Next, load your custom property list file using the following command:
launchctl load -w /Library/LaunchDaemons/ssh_your_custom_name.plist
For example:
launchctl load -w /System/Library/LaunchDaemons/ssh-cust-port.plist
Testing Custom SSH Port
Finally, test the custom SSH port using the following command:
ssh -p [CUSTOM SSH PORT] -l [USERNAME] [SERVER HOSTNAME]