Suggestion: Improvement on setup process, SSHD Listen port

sholan

Hello to everyone (feels like I forgot being polite in my other two posts),

I recently installed cauldron on a VPS after having secured said VPS.
Including in securing it was the following :

• moving SSH to port 39552 (or something alike)
• installing fail2ban
• whitelisting port 39552

After Cloudron installation, sshd was still listenning on the custom port while cloudron-firewall was blocking it.
It was then impossible to use SSH to adress the issu and the remote KVM of my provider made it hard for me to resolv it the right way.

My suggestion is to add the following steps in the setup :

• Check the current listening port of sshd
• Whitelist this port

Regards,
sholan

girish

@sholan I guess this is same (or related to) https://forum.cloudron.io/topic/10515/suggestion-in-the-doc-linking-ssh-access-securing-and-port-whitelisting ?

sholan

@girish indeed, it is related.

The idea here is to prevent locking out an admin, while the other topic is to help such admin do the same but after Cloudron installation

nebulon

@sholan do you know a very robust way to detect the port SSHd is using with bare minimum built-in tools? Such detection may cause side-effects if init scripts fail due to parsing errors of config files or VPS provider customize their Ubuntu images. But generally sounds like a good idea, if of course chaning sshd port is a common use-case for our users. So maybe lets wait for other to raise interest.

nebulon

ah and welcome to the community!

sholan

@nebulon

I am not of any help regarding the constraints, I'd go headlong towar parsing /etc/ssh/sshd_config ... grep Listen

But as you said, drawbacks exist.
netstat might not be present on the system and so on

I'm just raising an idea, I'm far from having all the constraints in mind

Thank you, this is really nice to be part of it, Cloudron is just a dream come true, wish I had heard about it years ago

sholan

@nebulon said in Suggestion: Improvement on setup process, SSHD Listen port:

@sholan do you know a very robust way to detect the port SSHd is using with bare minimum built-in tools? Such detection may cause side-effects if init scripts fail due to parsing errors of config files or VPS provider customize their Ubuntu images. But generally sounds like a good idea, if of course chaning sshd port is a common use-case for our users. So maybe lets wait for other to raise interest.

Maybe this is naïve but:
/usr/sbin/sshd -T | grep "^port " | cut -d" " -f 2
or with awk :
/usr/sbin/sshd -T | grep "^port " | awk '{print $2}'

nebulon

right, so in the cases I've tested it just exits with:

/usr/sbin/sshd -T
sshd: no hostkeys available -- exiting.