Suggestion: Improvement on setup process, SSHD Listen port
-
Hello to everyone (feels like I forgot being polite in my other two posts),
I recently installed Cloudron on a VPS after having secured said VPS.
Included in securing it was the following:
- moving SSH to port 39552 (or something alike)
- installing fail2ban
- whitelisting port 39552
After Cloudron installation, sshd was still listening on the custom port while cloudron-firewall was blocking it.
It was then impossible to use SSH to address the issue, and the remote KVM of my provider made it hard for me to resolve it the right way. My suggestion is to add the following steps in the setup:
- Check the current listening port of sshd
- Whitelist this port
Regards,
sholan
-
@sholan I guess this is same (or related to) https://forum.cloudron.io/topic/10515/suggestion-in-the-doc-linking-ssh-access-securing-and-port-whitelisting ?
-
@sholan do you know a very robust way to detect the port SSHd is using with bare minimum built-in tools? Such detection may cause side-effects if init scripts fail due to parsing errors of config files or VPS providers customize their Ubuntu images. But generally sounds like a good idea, if of course changing the sshd port is a common use-case for our users. So maybe let's wait for others to raise interest.
-
I am not of any help regarding the constraints, I'd go headlong toward parsing /etc/ssh/sshd_config ... grep Listen
But as you said, drawbacks exist.
netstat might not be present on the system and so on. I'm just raising an idea, I'm far from having all the constraints in mind.
Thank you, this is really nice to be part of it, Cloudron is just a dream come true, wish I had heard about it years ago
-
@nebulon said in Suggestion: Improvement on setup process, SSHD Listen port:
@sholan do you know a very robust way to detect the port SSHd is using with bare minimum built-in tools? Such detection may cause side-effects if init scripts fail due to parsing errors of config files or VPS providers customize their Ubuntu images. But generally sounds like a good idea, if of course changing the sshd port is a common use-case for our users. So maybe let's wait for others to raise interest.
Maybe this is naïve but:
/usr/sbin/sshd -T | grep "^port " | cut -d" " -f 2
or with awk :
/usr/sbin/sshd -T | grep "^port " | awk '{print $2}'
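A more defensive version of the `sshd -T` approach above, added here as an example (not code from this thread or from Cloudron): it handles several `port` lines, takes the port from the `listenaddress` entries `sshd -T` prints (which are what sshd actually binds), and falls back to `ss` when `sshd -T` cannot run, which is the failure mode @nebulon raised (it needs root, readable host keys and a parsable config). The sample `sshd -T` output is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from Cloudron.
# `sshd -T` prints the *effective* configuration (Include files and defaults
# resolved), so parsing it beats grepping sshd_config for "Port".

# parse_sshd_ports: read `sshd -T` output on stdin, print one port per line.
parse_sshd_ports() {
    awk '
        $1 == "port" { global[$2] = 1 }
        $1 == "listenaddress" {
            n = split($2, a, ":")            # last field is the port: v4 addr:port or [v6]:port
            if (a[n] ~ /^[0-9]+$/) bound[a[n]] = 1
        }
        END {
            # Bound addresses carry their own port and decide what sshd listens on;
            # the global "port" list only applies when no listenaddress is printed.
            found = 0
            for (p in bound) { print p; found = 1 }
            if (!found) for (p in global) print p
        }
    ' | sort -n
}

# detect_sshd_ports: effective config first; if sshd -T cannot run (no root,
# unreadable host keys, config parse error), fall back to the ports a running
# sshd is actually bound to (ss -p also needs root to show the process name).
detect_sshd_ports() {
    cfg=$(sshd -T 2>/dev/null) && [ -n "$cfg" ] && {
        printf '%s\n' "$cfg" | parse_sshd_ports
        return 0
    }
    command -v ss >/dev/null 2>&1 || return 1
    ss -ltnpH 2>/dev/null | grep -F 'users:(("sshd"' \
        | awk '{ n = split($4, a, ":"); print a[n] }' | sort -nu
}

# Constructed sample of `sshd -T` output for a host whose SSH was moved to 39552.
SAMPLE_SSHD_T='port 39552
addressfamily any
listenaddress [::]:39552
listenaddress 0.0.0.0:39552'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SSHD_T" | parse_sshd_ports   # prints 39552
fi
```

Whatever `detect_sshd_ports` prints is the list to whitelist before any firewall rules are applied; if it prints nothing, the safe choice is to stop and ask rather than guess.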