
How to specify port when ssh to server

Hi all.

I have a server that I am configuring, and one of the steps I'm taking is to change the default ssh port from 22 to another port to elude the script kiddies.

When I ssh to the server in Terminal, I'm having issues connecting (while I don't when using PuTTY in winblows).

I think it is because I'm not specifying the port correctly.

Does anyone here know the correct syntax in Terminal to specify a different port than 22?

I've used ":" and "[]", so I'm at a loss at the moment...

PowerBook G4

Posted on Jan 4, 2007 7:58 PM

Question marked as Best reply

Posted on Jan 4, 2007 9:07 PM

According to man ssh:

<pre class="command"> -p port
Port to connect to on the remote host. This can be specified on
a per-host basis in the configuration file.
</pre>

So you should be looking at:

<pre class="command">ssh -p 1234 user@host</pre>

to connect to port 1234.

However, I don't rate it much as a technique to counter script kiddies. It won't hurt, but it won't help. It'll take a kiddie about 10 seconds to realize there's an SSH server running on the port, and it'll only pique his interest as to why you've changed it from the default.

Jan 4, 2007 9:19 PM in response to El Flocko

Hi--

Does anyone here know the correct syntax in Terminal
to specify a different port than 22?

<pre class="command">ssh -p 1234 username@domain.com</pre>

assuming you're just doing a straight login to a command-line, has always worked for me.

By the way, if you're new to the Terminal, most of the commands you'll run in the Terminal have really good man pages. Just type:

<pre class="command">man ssh</pre>

to see it.

If you know what you're looking for, it's right there in the last line of the synopsis:

<pre class="command">SYNOPSIS
ssh [-1246AaCfgkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec] [-D port]
[-e escape_char] [-F configfile] [-i identity_file]
[-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]
[-p port] [-R port:host:hostport] [user@]hostname [command]
</pre>

If you're not sure what you're looking for, you can often find it a bit lower down. Unfortunately, in the case of ssh, it has a long man page, so you have to go quite a bit further down to find it:

<pre class="command"> -p port
Port to connect to on the remote host. This can be specified on
a per-host basis in the configuration file.
</pre>

Have fun,

charlie

Jan 4, 2007 9:25 PM in response to El Flocko

Great!

Thank you both very much.

I did read the man pages, but must have glazed over and missed it by the time I actually got to the information.

And I know that changing the port won't do that much to keep the kiddies with a brain away, but hopefully it will stunt some of the scripts running out there and decrease the number of notification emails I get...

Jan 4, 2007 9:39 PM in response to Camelot

However, I don't rate it much as a technique to
counter script kiddies. It won't hurt, but it won't
help. It'll take a kiddie about 10 seconds to realize
there's an SSH server running on the port, and it'll
only pique his interest as to why you've changed it
from the default.


While I agree it's not a good idea to rely on it, from experience, I'll say it really cuts down on junk in the logs. Almost exactly two years ago, I started seeing the scripted login attempts both on my Mac at home and on the web servers where I work. I switched my Mac's port and haven't gotten a single attempt in two years. Same with the servers at work. So I'm all for changing the port.

And, the way I see it, if they do try the new port, you'll see who's serious and not just a "looky-loo".

charlie

Jan 6, 2007 2:22 PM in response to Camelot

However, I don't rate it much as a technique to
counter script kiddies. It won't hurt, but it won't
help. It'll take a kiddie about 10 seconds to realize
there's an SSH server running on the port, and it'll
only pique his interest as to why you've changed it
from the default.


Done correctly, it is actually more effective than you might think.

Port scanning takes time, and most port scanners default to the lowest 1024 or 4096 ports. Script kiddies are interested in bulk-owning machines, not owning a single specific machine (unless it is high profile); the common technique is to scan the first 1024 ports (which can only be opened by root) and any specific higher ports whose services have known vulnerabilities.

Running ssh on a high-numbered port (e.g. in the dynamic range of 50-65K) is therefore quite effective. Modification (entailing a custom build) or wrapping of ssh to change the banner can prevent the port scanner's application detection system, which combines well with a dynamic port number (though setup and maintenance are difficult).

As usual, any determined attacker will find the port, just like any determined attacker will get in. The key is in threat modelling: are you more likely to be attacked by a determined hacker, or a script kiddie?
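The "junk in the logs" that the replies above disagree about is something you can measure rather than argue over. The following Python script is an added example, not code from the thread or from Apple: it runs over a few constructed sshd log lines (the addresses are documentation ranges, the usernames are made up), counts failed password attempts per source address, and flags sources that cycled through several usernames, which is the pattern of a scripted sweep rather than a person mistyping one password. The thresholds are assumptions, not sshd settings.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan  4 21:05:01 mac sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  4 21:05:03 mac sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Jan  4 21:05:05 mac sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan  4 21:05:07 mac sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51260 ssh2
Jan  4 21:09:12 mac sshd[1301]: Failed password for elflocko from 198.51.100.7 port 40022 ssh2
Jan  4 21:09:20 mac sshd[1301]: Accepted publickey for elflocko from 198.51.100.7 port 40022 ssh2
Jan  4 21:15:44 mac sshd[1402]: Invalid user guest from 203.0.113.9
"""

# Matches the "Failed password" event; "invalid user " is present only when
# the account does not exist, so it is optional here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def failed_logins_by_source(log_text):
    """Return {source_ip: Counter(username -> failures)} for failed password events."""
    by_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_src[m.group("src")][m.group("user")] += 1
    return by_src


def scripted_sources(by_src, min_failures=3, min_users=2):
    """Sources whose failures are spread over several usernames (assumed thresholds)."""
    return sorted(
        src for src, users in by_src.items()
        if sum(users.values()) >= min_failures and len(users) >= min_users
    )


if __name__ == "__main__":
    stats = failed_logins_by_source(SAMPLE_LOG)
    for src in scripted_sources(stats):
        print(src, dict(stats[src]))
```

Feed it your own sshd log after the port change and the count of flagged sources before and after is the number the thread is arguing about.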
