Difference between revisions of "Changing the Astronaut SSH port"

From VistApedia
Jump to: navigation, search
(Why change the SSH port?)
(Added glossary link to Configuration~)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.
+
This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking [[configuration~|Configuration]]s it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.
  
 
== Changing Windows environment variables and shortcuts ==
 
== Changing Windows environment variables and shortcuts ==
Line 26: Line 26:
 
  "C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT%
 
  "C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT%
  
If using a manual configuration (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Astronaut SSH shortcut would be similar to:
+
If using a manual [[configuration~|Configuration]] (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Astronaut SSH shortcut would be similar to:
 
  "C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144
 
  "C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144
  
Line 37: Line 37:
 
  "C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%
 
  "C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%
  
If using a manual configuration (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Text client shortcut would be similar to:
+
If using a manual [[configuration~|Configuration]] (for [[Astronaut_CPRS_client_package#Installing_in_a_protected_environment|protected environments]] or on a [[Astronaut_Client_on_a_USB_drive|USB drive]], for example) the revised Text client shortcut would be similar to:
 
  "C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong
 
  "C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong
  
Line 44: Line 44:
 
*See [https://help.ubuntu.com/9.10/serverguide/C/openssh-server.html these instructions for OpenSSH on Ubuntu Server]. The instructions for other Linux operating systems are similar.
 
*See [https://help.ubuntu.com/9.10/serverguide/C/openssh-server.html these instructions for OpenSSH on Ubuntu Server]. The instructions for other Linux operating systems are similar.
  
*In brief, from the Ubuntu Server command-line terminal edit the OpenSSH configuration file:
+
*In brief, from the Ubuntu Server command-line terminal edit the OpenSSH [[configuration~|Configuration]] file:
 
  sudo nano /etc/ssh/sshd_config
 
  sudo nano /etc/ssh/sshd_config
  
Line 61: Line 61:
 
The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many [http://en.wikipedia.org/wiki/Internet_bot bots on the Internet] that exist just to attempt [http://en.wikipedia.org/wiki/Brute_force_attack brute force cracking] attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a variety of [http://en.wikipedia.org/wiki/Denial-of-service_attack denial of service attack].
 
The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many [http://en.wikipedia.org/wiki/Internet_bot bots on the Internet] that exist just to attempt [http://en.wikipedia.org/wiki/Brute_force_attack brute force cracking] attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a variety of [http://en.wikipedia.org/wiki/Denial-of-service_attack denial of service attack].
  
While there are bots that scan for open ports (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.
+
While there are bots that [http://en.wikipedia.org/wiki/Port_scanning scan for open ports] (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.

Latest revision as of 20:56, 10 October 2012

This is an optional step for more security and for networks where there are multiple servers on the network using SSH connections. (In some networking Configurations it is difficult for a router to know to which SSH server it should forward port 22 traffic). This method involves changing the port for the SSH (tunnel) traffic.

Changing Windows environment variables and shortcuts

Start Menu -> Control Panel -> Settings -> Advanced system settings -> Advanced -> Environment variables

There is also an Astronaut utility that brings up the environment variables:

Start Menu -> Programs -> Astronaut -> Sessions -> Client Variables -> Environment Variables

A list of the environment variables is displayed.

-> System variables: New... ->
-> Variable Name: ASTRO_SSH_PORT
-> Variable Value: 22144
Although in this example I used the value 22144 (instead of the default value 22) for the SSH port, obviously this is the (somewhat arbitrary) value that is going to be chosen as your private SSH port number. Clearly whichever port value you choose will need to be forwarded by your LAN router and firewalls appropriately opened to allow traffic on this port.

Change Astronaut SSH shortcut

The "Astronaut SSH" shortcut that is used to invoke the PuTTY SSH client uses a command line:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST%

This must be changed to add the additional variable:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l %ASTRO_SSH_clientID% -pw %ASTRO_SSH_CLIENT_PASS% -L %ASTRO_PORT%:127.0.0.1:%ASTRO_PORT% %ASTRO_SSH_HOST% -P %ASTRO_SSH_PORT%

If using a manual Configuration (for protected environments or on a USB drive, for example) the revised Astronaut SSH shortcut would be similar to:

"C:\Program Files\VistA\Putty\putty.exe" -ssh -l client9260 -pw not#1sostrong -L 9260:127.0.0.1:9260 192.168.56.101 -P 22144

Change Text client shortcut

The "Text client" shortcut that is used to invoke the Text client uses a command line:

"C:\Program Files\VistA\Putty\putty.exe" -P 22 %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%

The revised Text client shortcut would therefore be:

"C:\Program Files\VistA\Putty\putty.exe" -P %ASTRO_SSH_PORT% %ASTRO_SSH_HOST% -l %ASTRO_textID% -pw %ASTRO_TEXT_PASS%

If using a manual Configuration (for protected environments or on a USB drive, for example) the revised Text client shortcut would be similar to:

"C:\Program Files\VistA\Putty\putty.exe" -P 22144 192.168.56.101 -l text9260 -pw not#1sostrong

Changing the OpenSSH listening port on the VistA server

  • In brief, from the Ubuntu Server command-line terminal edit the OpenSSH Configuration file:
sudo nano /etc/ssh/sshd_config
  • Change the line:
port 22
to the port of your desired SSH tunnel:
port 22144
  • Restart OpenSSH:
sudo /etc/init.d/ssh restart
  • Don't forget to configure your firewall (if any) on the Ubuntu Server to allow the new SSH port (e.g. 22144) through.

Why change the SSH port?

The standard SSH port (22) is scanned constantly for someone using SSH password authentication (which is the default in the Astronaut platform). There are many bots on the Internet that exist just to attempt brute force cracking attempts on port 22. I have seen as many as 4000 attempts a day on port 22. Each attempt slows down your network (during the cracking attempts), and, in fact, is a variety of denial of service attack.

While there are bots that scan for open ports (even if you do change to another port), and bots that attempt password cracking, it takes a good deal of network time and computing power to scan for open ports (which takes a few seconds to do each time), recognize that a discovered open port is accepting SSH connections, and then initiate a password attempt, so the number of attacks are far fewer.