For one reason or another people often find themselves needing to ssh/sftp to an alternate port (default is port 22) on their systems. Additionally, sometimes it may be beneficial to have ssh open on multiple ports simultaneously. All of this can be done on Mac OS X, although all of the documentation required to get this to work (under Tiger at least) appears to be spread out over several documents across the web. Since I recently had to set up ssh monitoring on multiple ports on a test system, I thought I'd share my experience in case someone else may need to do the same thing.

These instructions are for Mac OS X Tiger. You need admin privileges to do the following, and make sure ssh (remote login) is enabled in the Sharing Preferences Pane.

1) Edit the file /etc/sshd_config, adding/enabling the following line(s):

    # This is the sshd server system-wide configuration file.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where

What we have done now is create a new plist that Launch Services can use to instantiate (or whatever the term is) a new SSH daemon to listen for incoming connections. One daemon will listen to port 22, the other to port 9222. We need to take one more step to enable ssh monitoring of the new port.

1) Edit the file /etc/services, making the following changes:

    ssh2 9222/tcp # SSH Remote Login Protocol added DG

At this point you need to notify Launch Services to read the new plist and restart SSH. You can do this at the command line, but I can never remember the commands. So the simplest thing to do is reboot the system. Once the system is rebooted, from another computer you should be able to ssh to port 22 as normal but also to the new port:

And you should be welcomed by our good friend Darwin:

That should be it.

SSH: In System Preferences, in the Sharing Pane, is a simple checkbox labeled "Remote Login". Click it, and you have SSH turned on! That was easy. But what if that computer has user accounts on it? It is likely at least one user has a weak password, and that means you just unlocked your computer to be hacked. In the good old days, SSH meant security. But googling for "mac os x ssh compromise" shows many interesting finds:

"Weak passwords for SSH and other remote access services can and often do allow unwanted access to a computer" - TruSecure.

"The machine likely was broken into by someone running a script that repeatedly submitted various, commonly-selected usernames and passwords until it found the right combination to log into an account with administrative privileges on that Macintosh via Remote Login (SSH)." - Berkeley list mail.

"A certain institution of higher learning has discovered that fleets of their OS X boxes have been compromised ... through weak passwords for SSH-enabled accounts."

Use of remote root login, especially to boxes connected to the Internet, has to be one of the absolute dumbest ideas of all time. If you have SSH enabled then there are several easy tweaks to make the computer more secure: disable protocol 1, set up user access lists, set up IP access lists, change the default port, and turn on the firewall. Second, if you must have it on, be sure to take the precautions discussed in this article.

Change the SSH port: Edit /etc/sshd_config and change

    Port 1234

(pick any port within reason, not 1234 or 12345.)

Second, in 10.4, when SSH is "enabled", it actually isn't running until someone actually tries to connect to it. Essentially, launchd listens on port 22 (the default SSH port). When someone tries to connect to it, launchd launches sshd. So to change the port SSH runs on, you need to change the launchd configuration for SSH. You can edit /System/Library/LaunchDaemons/ssh.plist and change the value for the SockServiceName key to a port number (I believe that will work - I haven't tested it), or you can edit /etc/services and change:

(This change might cause other problems, so you might not want to do it on a server, for example; it would be better to edit the launchd ssh.plist file.)

(Select Start, type services.msc in the search box, and then select the Service app or press ENTER.) In the details pane, double-click OpenSSH SSH Server. On the General tab, from the Startup type drop-down menu, select Automatic.

You used to do /etc/init.d/sshd status, /etc/init.d/sshd start, /etc/init.d/sshd stop, /etc/init. Back in Redhat 5 (and 6) that was the INIT way, using /etc/init.d. Redhat 7 uses systemd, and you can spend the rest of your day searching the web and reading articles comparing their differences, pros, cons, and so on.
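A check for the sshd_config tweaks listed above (protocol 1 off, user access list, non-default port, no root login), added here as an example and not code from the original post. It assumes OpenSSH's "Keyword value" syntax with first-match-wins; the two config files are constructed samples, and IP access lists and the firewall live outside sshd_config so they are not checked.

```shell
#!/bin/sh
# Added example, not code from the original post: check an sshd_config for
# the tweaks listed above. IP access lists and the firewall live outside
# this file, so they are not checked. Both config files are constructed.
# Value of KEYWORD in FILE; the first uncommented match wins, as in sshd.
conf_value() {  # conf_value FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Every uncommented Port line, since sshd listens on all of them.
conf_ports() {
  awk 'tolower($1) == "port" { print $2 }' "$1"
}
# Prints one finding per line and always returns 0 (safe under set -e).
audit_sshd_config() {
  f="$1"
  p=$(conf_value "$f" Protocol)
  case "$p" in
    "")  echo "Protocol not set explicitly; add 'Protocol 2'" ;;
    *1*) echo "Protocol $p still allows SSH-1; set 'Protocol 2'" ;;
  esac
  r=$(conf_value "$f" PermitRootLogin)
  [ "$r" = "no" ] || echo "PermitRootLogin is '${r:-default}'; set it to 'no'"
  if [ -z "$(conf_value "$f" AllowUsers)" ] && [ -z "$(conf_value "$f" AllowGroups)" ]; then
    echo "No AllowUsers/AllowGroups: every account with a password may log in"
  fi
  [ -n "$(conf_ports "$f" | grep -v '^22$')" ] ||
    echo "Only the default port 22 is configured"
  return 0
}
count_findings() { audit_sshd_config "$1" | wc -l | tr -d ' '; }  # plain integer

# Constructed samples: stock-looking config vs. one with the tweaks applied.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
#Port 22
#Protocol 2,1
PermitRootLogin yes
EOF
cat > "$HARD" <<'EOF'
Port 22
Port 9222
Protocol 2
PermitRootLogin no
AllowUsers dg admin
EOF
audit_sshd_config "$WEAK"   # prints the four findings for the weak sample
```

The hardened sample produces no findings; the stock-looking one reports all four.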