I thought ssh is port #22 ?!!

I thought ssh is port #22 ?!!

[Fajar Priyanto]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,
I'm not really sure about this. I thought ssh is made in port #22?
When I made a ssh session into my server, /var/log/messages showed this:
Apr  1 09:20:20 server2 sshd[2711]: Accepted password for root from 
192.168.0.234 port 32873 ssh2

Why did it use port #32873?
Is there something wrong with my ssh or firewall?
TIA,
- -- 
Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
08:31:42 up 36 min, Mandrake Linux release 9.2 (FiveStar) for i586 
public key: https://www.arinet.org/fajar-pub.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAa3EYkp5CsIXuxqURAluBAKCNiyg8+KXYDu/JuZghSVMXvfrjMgCdG7O2
Bb4SQcbOiAqALl1o9yQ5H1k=
=4uUZ
-----END PGP SIGNATURE-----

Re: I thought ssh is port #22 ?!!

[Daniel Chemko]

32873 is the SOURCE port of the connection, not the DESTINATION port, 
which defaults to 22

Fajar Priyanto wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi guys,
>I'm not really sure about this. I thought ssh is made in port #22?
>When I made a ssh session into my server, /var/log/messages showed this:
>Apr  1 09:20:20 server2 sshd[2711]: Accepted password for root from 
>192.168.0.234 port 32873 ssh2
>
>Why did it use port #32873?
>Is there something wrong with my ssh or firewall?
>TIA,
>- -- 
>Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
>08:31:42 up 36 min, Mandrake Linux release 9.2 (FiveStar) for i586 
>public key: https://www.arinet.org/fajar-pub.key
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (GNU/Linux)
>
>iD8DBQFAa3EYkp5CsIXuxqURAluBAKCNiyg8+KXYDu/JuZghSVMXvfrjMgCdG7O2
>Bb4SQcbOiAqALl1o9yQ5H1k=
>=4uUZ
>-----END PGP SIGNATURE-----
>
>
>  
>

Re: I thought ssh is port #22 ?!!

[cldavis]

You should edit sshd_config with the port command and set it to 22.  If the directive is not present, I've had some versions of ssh listen on everything, others only 22.  

You may also want to use the PermitRootLogin no directive to disable root logins and use a regular user account to log in and then su to root if need be.

As far as the firewall, you may want to setup your firewall to drop all packets except packets sent to needed services.

Hope that helps
Chris
> -----Original Message-----
> From: Fajar Priyanto [mailto:fajarpri@arinet.org]
> Sent: Thursday, April 1, 2004 01:32 AM
> To: netfilter@lists.netfilter.org
> Subject: I thought ssh is port #22 ?!!
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi guys,
> I'm not really sure about this. I thought ssh is made in port #22?
> When I made a ssh session into my server, /var/log/messages showed this:
> Apr  1 09:20:20 server2 sshd[2711]: Accepted password for root from 
> 192.168.0.234 port 32873 ssh2
> 
> Why did it use port #32873?
> Is there something wrong with my ssh or firewall?
> TIA,
> - -- 
> Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
> 08:31:42 up 36 min, Mandrake Linux release 9.2 (FiveStar) for i586 
> public key: https://www.arinet.org/fajar-pub.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQFAa3EYkp5CsIXuxqURAluBAKCNiyg8+KXYDu/JuZghSVMXvfrjMgCdG7O2
> Bb4SQcbOiAqALl1o9yQ5H1k=
> =4uUZ
> -----END PGP SIGNATURE-----
> 
> 
> 

RE: I thought ssh is port #22 ?!!

[Martinez, Michael]

[-- Attachment #1: Type: text/plain, Size: 2236 bytes --]

Port 32873 is the return port on the ssh client.

Here's how it works. The server listens on port 22. The client opens a
connection to the server, and tells the server which return port to use. If
you do "netstat -an" you will see the server talking on port 22, and the
client talking on some high numbered port like 32873. The high number port
used is random. It will change from one session to the next.

This is true not just for ssh - it is true for most tcp applications.

Michael Martinez
Unix System Administrator

-----Original Message-----
From: cldavis@speakeasy.net [mailto:cldavis@speakeasy.net] 
Sent: Wednesday, March 31, 2004 9:10 PM
To: netfilter@lists.netfilter.org
Cc: Fajar Priyanto
Subject: Re: I thought ssh is port #22 ?!!

You should edit sshd_config with the port command and set it to 22.  If the
directive is not present, I've had some versions of ssh listen on
everything, others only 22.  

You may also want to use the PermitRootLogin no directive to disable root
logins and use a regular user account to log in and then su to root if need
be.

As far as the firewall, you may want to setup your firewall to drop all
packets except packets sent to needed services.

Hope that helps
Chris
> -----Original Message-----
> From: Fajar Priyanto [mailto:fajarpri@arinet.org]
> Sent: Thursday, April 1, 2004 01:32 AM
> To: netfilter@lists.netfilter.org
> Subject: I thought ssh is port #22 ?!!
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi guys,
> I'm not really sure about this. I thought ssh is made in port #22?
> When I made a ssh session into my server, /var/log/messages showed this:
> Apr  1 09:20:20 server2 sshd[2711]: Accepted password for root from 
> 192.168.0.234 port 32873 ssh2
> 
> Why did it use port #32873?
> Is there something wrong with my ssh or firewall?
> TIA,
> - -- 
> Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
> 08:31:42 up 36 min, Mandrake Linux release 9.2 (FiveStar) for i586 
> public key: https://www.arinet.org/fajar-pub.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQFAa3EYkp5CsIXuxqURAluBAKCNiyg8+KXYDu/JuZghSVMXvfrjMgCdG7O2
> Bb4SQcbOiAqALl1o9yQ5H1k=
> =4uUZ
> -----END PGP SIGNATURE-----
> 
> 
> 




[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 3732 bytes --]

Re: I thought ssh is port #22 ?!!

[Antony Stone]

On Thursday 01 April 2004 4:14 pm, Martinez, Michael wrote:

> Port 32873 is the return port on the ssh client.
>
> Here's how it works. The server listens on port 22. The client opens a
> connection to the server, and tells the server which return port to use. If
> you do "netstat -an" you will see the server talking on port 22, and the
> client talking on some high numbered port like 32873. The high number port
> used is random. It will change from one session to the next.
>
> This is true not just for ssh - it is true for most tcp applications.

I'd say it's true for all TCP applications, and most UDP applications.

There are some TCP applications (FTP being the most common example) where a 
*second* connection gets opened up on different ports, but that one works in 
exactly the same way as the first - and they each obey the above description.

Regards,

Antony.

-- 
The difference between theory and practice is that in theory there is no 
difference, whereas in practice there is.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: I thought ssh is port #22 ?!!

[Daniel Chemko]

Unfortunately I have the "privilage" of maintaining a customer TCP
protocol which cans you if your source and destination ports aren't as
specified by their fcked up protocol!!

-----Original Message-----
From: Martinez, Michael [mailto:MMARTINEZ@CSREES.USDA.GOV] 
Sent: Thursday, April 01, 2004 7:14 AM
To: cldavis@speakeasy.net; netfilter@lists.netfilter.org
Cc: Fajar Priyanto
Subject: RE: I thought ssh is port #22 ?!!


Port 32873 is the return port on the ssh client.

Here's how it works. The server listens on port 22. The client opens a
connection to the server, and tells the server which return port to use.
If you do "netstat -an" you will see the server talking on port 22, and
the client talking on some high numbered port like 32873. The high
number port used is random. It will change from one session to the next.

This is true not just for ssh - it is true for most tcp applications.

Michael Martinez
Unix System Administrator

-----Original Message-----
From: cldavis@speakeasy.net [mailto:cldavis@speakeasy.net] 
Sent: Wednesday, March 31, 2004 9:10 PM
To: netfilter@lists.netfilter.org
Cc: Fajar Priyanto
Subject: Re: I thought ssh is port #22 ?!!

You should edit sshd_config with the port command and set it to 22.  If
the directive is not present, I've had some versions of ssh listen on
everything, others only 22.  

You may also want to use the PermitRootLogin no directive to disable
root logins and use a regular user account to log in and then su to root
if need be.

As far as the firewall, you may want to setup your firewall to drop all
packets except packets sent to needed services.

Hope that helps
Chris
> -----Original Message-----
> From: Fajar Priyanto [mailto:fajarpri@arinet.org]
> Sent: Thursday, April 1, 2004 01:32 AM
> To: netfilter@lists.netfilter.org
> Subject: I thought ssh is port #22 ?!!
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi guys,
> I'm not really sure about this. I thought ssh is made in port #22? 
> When I made a ssh session into my server, /var/log/messages showed 
> this: Apr  1 09:20:20 server2 sshd[2711]: Accepted password for root 
> from 192.168.0.234 port 32873 ssh2
> 
> Why did it use port #32873?
> Is there something wrong with my ssh or firewall?
> TIA,
> - --
> Fajar Priyanto | Reg'd Linux User #327841 | http://linux.arinet.org
> 08:31:42 up 36 min, Mandrake Linux release 9.2 (FiveStar) for i586 
> public key: https://www.arinet.org/fajar-pub.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQFAa3EYkp5CsIXuxqURAluBAKCNiyg8+KXYDu/JuZghSVMXvfrjMgCdG7O2
> Bb4SQcbOiAqALl1o9yQ5H1k=
> =4uUZ
> -----END PGP SIGNATURE-----
> 
> 
> 

RE: I thought ssh is port #22 ?!!

[Tony Earnshaw]

tor, 01.04.2004 kl. 19.20 skrev Daniel Chemko:

> > Here's how it works. The server listens on port 22. The client opens a
> > connection to the server, and tells the server which return port to use.
> > If you do "netstat -an" you will see the server talking on port 22, and
> > the client talking on some high numbered port like 32873. The high
> > number port used is random. It will change from one session to the next.
> >
> > This is true not just for ssh - it is true for most tcp applications.

> Unfortunately I have the "privilage" of maintaining a customer TCP
> protocol which cans you if your source and destination ports aren't as
> specified by their fcked up protocol!!

Nevertheless, that's how TCP works, for every customer in the Universe.
Sack your customer, and get another?.

It would be better if you learned not to top post and to quote
correctly.

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

RE: I thought ssh is port #22 ?!!

[Cedric Blancher]

Le jeu 01/04/2004 à 20:27, Tony Earnshaw a écrit :
> It would be better if you learned not to top post and to quote
> correctly.

What an amazingly useful post !

Reproaching someone within the list with quoting incorrectly in a post
that contains nearly three time more quoting lines than effective ones
is definitly a must do.

At least the "top poster who badly quotes" posted something useful, and
on this point, I fully agree Antony's reaction*.


* one day, I will stop agree Antony's point all the time :)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: I thought ssh is port #22 ?!!

[Antony Stone]

On Thursday 01 January 1970 12:59 am, Cedric Blancher wrote:

> * one day, I will stop agree Antony's point all the time :)

I bet you won't :)

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

                                                     Please reply to the list;
                                                           please don't CC me.

RE: I thought ssh is port #22 ?!!

[Daniel Chemko]

> It would be better if you learned not to top post and to quote
> correctly. 

If it pisses you off so much, then maybe i'll just stop posting, how's
that?

Re: I thought ssh is port #22 ?!!

[Antony Stone]

On Thursday 01 April 2004 8:41 pm, Daniel Chemko wrote:

> > It would be better if you learned not to top post and to quote
> > correctly.
>
> If it pisses you off so much, then maybe i'll just stop posting, how's
> that?

How about you carry on posting, and those of us who don't mind the way you do 
it can carry on reading what you write; anyone who doesn't like your email 
style can delete the posting?

Regards,

Antony (who doesn't like top-posting either, but would rather someone posted 
something useful like that rather than not at all)

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.

RE: I thought ssh is port #22 ?!!

[T. Horsnell (tsh)]

>> > Here's how it works. The server listens on port 22. The client opens a
>> > connection to the server, and tells the server which return port to use.
>> > If you do "netstat -an" you will see the server talking on port 22, and
>> > the client talking on some high numbered port like 32873. The high
>> > number port used is random. It will change from one session to the next.
>> >
>> > This is true not just for ssh - it is true for most tcp applications.
>
>> Unfortunately I have the "privilage" of maintaining a customer TCP
>> protocol which cans you if your source and destination ports aren't as
>> specified by their fcked up protocol!!
>
>Nevertheless, that's how TCP works, for every customer in the Universe.
>Sack your customer, and get another?.


Hmmm. I thought it went like this:

The client application requests a random high port
on the client machine (a socket). Then, using this
socket it makes a request to the required well-known
port (e.g. 22 for ssh) on the server machine.
Since no other application on the client box will ever
be given the same high-numbered port as any other
application on that box, the client-ipaddr/highPort + 
server-ipaddr/wellKnownPort combination defines a unique
'circuit' over which further communication takes place.
The client doesnt have to do special things to tell the
server what its connecting port-number is.
Until along comes ftp, which has a command channel and
a data channel. So having made a connection in the
above way for the command channel, the client and server
have to make further negotiations for a data channel.
And firewalls have to be aware of this.

Thats my two penn'orth

Cheers,
Terry.

Re: I thought ssh is port #22 ?!!

[Antony Stone]

On Thursday 01 April 2004 9:22 pm, T. Horsnell (tsh) wrote:

> Hmmm. I thought it went like this:
>
> The client application requests a random high port
> on the client machine (a socket). Then, using this
> socket it makes a request to the required well-known
> port (e.g. 22 for ssh) on the server machine.
> Since no other application on the client box will ever

"Ever" is not quite right - "simultaneously" or "concurrently" would be 
better.   Another application might be given the same port number sometime 
later, once this connection is over and done with.

> be given the same high-numbered port as any other
> application on that box, the client-ipaddr/highPort +
> server-ipaddr/wellKnownPort combination defines a unique
> 'circuit' over which further communication takes place.

Yes, and it is this four-part combination which makes up a connection tracking 
table entry in netfilter.

> The client doesnt have to do special things to tell the
> server what its connecting port-number is.

The source port is included in the TCP packet header (as is the destination 
port).   That's how the server knows which port to send the response back to 
on the client.

> Until along comes ftp, which has a command channel and
> a data channel. So having made a connection in the
> above way for the command channel, the client and server
> have to make further negotiations for a data channel.

Yes.   Whoever thought that was a good way to do things wasn't thinking about 
security.

> And firewalls have to be aware of this.

Indeed :(

Regards,

Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

                                                     Please reply to the list;
                                                           please don't CC me.