Change the default SSH server port on 10.3 Network
I run SSHd on one of my machines (Remote Administration is what it is called in the OS X preferences) and I would prefer it not run on the default port 22 -- for various reasons. Sure, I know that there is no such thing as security through obscurity, but I would rather not shout to any port scanner out there: "SSH running here!" But also, I am setting up some tunnels for friends and family whose situations preclude them from using port 22.

I have found various discussions searching the net for how to change the default port for sshd, but none of them seemed to work. There is the default port in the /etc/sshd_config file, which is actually ignored unless you invoke sshd MANUALLY. OS X 10.3 actually runs sshd via xinetd. We will not discuss the merits of that here; that is another topic entirely. But if you look in the file /etc/xinetd.d/ssh, you will see a server_args value with a -i argument. Some hints claimed that you could just add the port argument to that (-p [port]). Well, that doesn't work either.

After some messing around I found out why: In Panther, the default sshd port is set in the /etc/services file. In the Terminal (or your favorite command line environment), edit that file using your favorite editor. I use Pico, and you will probably need administrator rights to edit it (using sudo of course, right?). Search for "ssh," which I found between ftp and telnet. The section looked like this:
ftp              21/udp     # File Transfer [Control]
ftp              21/tcp     # File Transfer [Control]
#                          Jon Postel <postel@isi.edu>
ssh              22/udp     # SSH Remote Login Protocol
ssh              22/tcp     # SSH Remote Login Protocol
#                          Tatu Ylonen <ylo@cs.hut.fi>
telnet           23/udp     # Telnet
telnet           23/tcp     # Telnet
The 22 listed in the ssh lines is what will be the default sshd port on your machine when you enable "Remote Administration" in system preferences. Change the "22" in those lines to whatever port you would like to use, as such:
ssh              8855/udp     # SSH Remote Login Protocol
ssh              8855/tcp     # SSH Remote Login Protocol
Then save, and restart sshd with a quick sudo killall -HUP xinetd. Now your SSH server should be running on a new port (other than 22) -- our example used 8855.

Change the default SSH server port on 10.3 | 37 comments
Change the default SSH server port on 10.3
Authored by: gerti on Jun 10, '04 12:07:05PM

I don't think changing port numbers in /etc/services is a good idea. The approach of modifying /etc/xinetd.d/ssh is much cleaner. In addition to the added '-p xxx' flag for the server_args parameter (which tells the sshd server what port to use) you also need to let xinetd know which port to use. You can do that by adding a line 'port = xxx' to /etc/xinetd.d/ssh.



Change the default SSH server port on 10.3
Authored by: valkraider on Jun 11, '04 12:09:40AM

I tried adding the "-p 8855" to the args, with no success (see the original hint).

Do I add the "port = 8855" line inside the braces?



Change the default SSH server port on 10.3
Authored by: Accura on Jun 11, '04 12:27:09AM

xinetd will barf out if you don't use the same port for a service as listed in the services file. IIRC. Well, not really barf out, just run the service on the port listed in the services file and not the port you are trying to force it with.

jameso

---
"The time has come," the walrus said. "To talk of many things..."



Change the default SSH server port on 10.3
Authored by: AndyF on Jun 18, '04 03:34:34AM

As it's xinetd that's listening for connections, only it needs to be told a different port number. In addition to the line "port = 12345" (for whatever port number you want), you need to add the line "type = unlisted", otherwise xinetd will check the /etc/services file and make sure the port number matches. The error will show up in /var/log/system.log as "Service ssh expects port 22, not 12345".



Change the default SSH server port on 10.3
Authored by: deeno on Jul 23, '04 11:40:16AM

I used to run ssh on two ports simultaneously. The standard port 22 and another one for convenience since many NetAdmins at my clients block port 22 (both inbound but more annoyingly outbound).

I copied /etc/xinetd.d/ssh to /etc/xinetd.d/sshXXX
changed its name, added a "-p XXX" and "port = XXX" and "type = unlisted"
did kill -HUP of xinetd
All is great, ssh on two ports.

Now my question: can I get xinetd to use the single file /etc/xinetd.d/ssh to use two ports? sshd with -p allows multiple ports. How do I tell this to xinetd?



Change the default SSH server port on 10.3
Authored by: DaveYost on Mar 26, '05 09:37:03PM

I tried this, and it didn't work for me on 10.3.8



Change the default SSH server port on 10.3
Authored by: ynolo on Jun 10, '04 12:10:41PM

Excellent hint. I was planning to do this pretty soon. You saved me time dude.

Thanks.

---
i don't have one



Will it mess up your default firewall settings?
Authored by: oink on Jun 10, '04 12:24:11PM

I tried a while back to change the default FTP ports. It didn't work with the default firewall. I remember modifying various files as well as creating an FTP2 entry somewhere in Netinfo.... before giving up. I will definitely try your method. Thanks for sharing



Change the default SSH server port on 10.3
Authored by: foobar104 on Jun 10, '04 12:32:57PM

Better idea: turn off sshd via xinetd, and create a StartupItem for it.

Just change "disable = no" to "disable = yes" in /etc/xinetd.d/ssh. Then create a directory called /Library/StartupItems/SSH. In that directory, create a script called SSH (no file extension) that looks like this:

#!/bin/sh

. /etc/rc.common

StartService ()
{
    ConsoleMessage "Starting SSH"
    # sshd lives in /usr/sbin on OS X; -p overrides the Port in sshd_config
    if [ -x /usr/sbin/sshd ] ; then
        /usr/sbin/sshd -p 8855
    fi
}

StopService ()
{
    # GetPID (from rc.common) reads /var/run/sshd.pid
    if pid=$(GetPID sshd); then
        ConsoleMessage "Stopping SSH"
        kill -TERM "${pid}"
    else
        echo "sshd is not running."
    fi
}

RestartService ()
{
    # SIGHUP makes the listening sshd re-exec itself with the same arguments
    if pid=$(GetPID sshd); then
        ConsoleMessage "Restarting SSH"
        kill -HUP "${pid}"
    else
        echo "sshd is not running."
    fi
}

RunService "$1"

Make sure /Library/StartupItems/SSH/SSH is executable. Then, finally, create a StartupParameters.plist file in /Library/StartupItems/SSH.

{
Description = "SSH";
Provides = ("SSH");
OrderPreference = "Late";
}

There you go. That way you can start and stop SSH without having to change the global /etc/services file, which you shouldn't mess with. To start it, do "sudo SystemStarter start SSH".



Change the default SSH server port on 10.3
Authored by: webbix on Jun 10, '04 12:47:27PM

I am not changing my port so I have not tinkered but you may also install Webmin which gives you a web interface to configure SSH as well as other builtin servers/services (including your postfix and in the latest version, the firewall)



just say no
Authored by: blueHal on Jun 10, '04 12:41:46PM

Use this hint if you must, but don't expect it will bring you any security. At all. It is perfectly easy for port scanners to find sshd running on a different port. This serves to make life more difficult for (a) you, (b) your network administrator who will look for insecure ssh daemons running on your network.



just say no
Authored by: valkraider on Jun 11, '04 12:14:58AM

It in fact, does bring *some* security - as you have to actually scan the ports to find ssh, as opposed to just trying the *default* ssh port for every ssh client...

Is it a *lot* of security? No. Of course not. Read my original hint, I am not here to debate security through obscurity...

The MAIN reason that I need an alternate port is that some people I am setting up tunnels for are stuck places that block port 22. Also in the original hint...



Change the default SSH server port on 10.3
Authored by: raveldcp on Jun 10, '04 12:58:03PM

This is *such* a bad idea. Modifying /etc/services should not be taken lightly. Any upgrades to the system will potentially break this. The safest, and standard Unix way, is to change the sshd_config file found in /etc

Look for the

#Port 22

and change it to the new port you want to use. It won't prevent port scanners, but does provide a certain level of obfuscation.



Change the default SSH server port on 10.3
Authored by: valkraider on Jun 11, '04 12:21:36AM

Let's see if I can do this without being too inflammatory... (It's just a discussion after all)...

If the only reason that changes in /etc/services are bad simply because an upgrade might break them, then for crying out loud - don't customize your computer at all. LOTS of upgrades have broken LOTS of stuff - ESPECIALLY when it comes to SSH and things like Apache and Firewall configs and stuff like that....

I have not *yet* seen any *good* reasons why people say not to use /etc/services .

And, in the original hint, I specify that changing the port value in /etc/sshd_config ONLY WORKS IF YOU INVOKE SSHD MANUALLY. When Panther invokes sshd it does so using xinetd - and the value in /etc/sshd_config is ignored. Again, I do not want to debate the merit of xinetd, I simply need to know the best way to change the port, and to help others do the same.



Change the default SSH server port on 10.3
Authored by: mweissen on Jun 11, '04 07:19:36AM

I have not *yet* seen any *good* reasons why people say not to use /etc/services .

OK. Open a Terminal window and try to SSH to any other computer. You should fairly quickly see a perfectly good reason not to edit /etc/services.

It's all about namespaces. Conventions, standards, nomenclature, terminology. If you change names or numbers in the /etc/services file, you're effectively crippling your own computer's ability to talk to others on the Internet, and Things Will Break(TM). The fact that making this change also happens to solve your pet problem on this particular operating system is just one unfortunate side effect.

By the way, you can reset the outgoing SSH port to 22 by editing the /etc/ssh_config file. This could be considered kludging the broken setup, though.

--Bud



Change the default SSH server port on 10.3
Authored by: bluehz on Jun 10, '04 01:45:15PM

Heck I'd be happy just to get SSH working again after 10.3.4 update. Can no longer admin my headless Linux box after updating OS X to 10.3.4. Problem is fairly widespread too - but no one has a solution. See Apple Discussions...



Change the default SSH server port on 10.3
Authored by: maintain1 on Jun 10, '04 07:05:56PM

I don't have any problems whatsoever connecting to my linux machine in ssh. I am using 10.3.4 also.



Change the default SSH server port on 10.3
Authored by: Kip on Jun 10, '04 07:32:25PM

Which Apple Discussion should I be looking at? I'm surprised to hear you're having trouble connecting out to a Linux box from your OS X box via SSH. I literally do this all day long every day and I haven't had any issues.



Change the default SSH server port on 10.3
Authored by: Accura on Jun 11, '04 12:34:50AM

If you did a complete reinstall your ssh key will be different and if ssh is setup on linux to check the key (should be by default?) and deny access for any keys that have changed (related to ip/hostname) then this could be your problem. What sort of error do you get?

jameso

---
"The time has come," the walrus said. "To talk of many things..."



Change the default SSH server port on 10.3
Authored by: ploute on Jun 10, '04 03:10:38PM
Hmm, i agree that modifying /etc/services is a Bad Idea. gerti's idea seems better. i also strongly agree with Blue Hal : very easy to find ssh on a not-standard port ; this is not even obscurity, just try telnetting your ssh port to see what i mean :-) sshd immediately answers something like "SSH-1.99-OpenSSH_3.6.1p1+CAN-2003-0693" ... BUT : i also *need* to access my sshd through port 443 or 563 for proxy-in-the-middle reason (a proxy that won't accept to do SSL on non-SSL ports). My solution is to redirect port 563 to 22, instead of harming the standard config. To do this, either use something like BrickHouse, or create a /etc/natd.conf file, containing this :
interface en0
use_sockets yes
same_ports yes
redirect_port tcp your.ip.address.here:22 563
(assuming you're connected to the internet through ethernet : en0 ; change this with what you need) and run /usr/sbin/natd -f /etc/natd.conf I won't tell here how to create a startup script for this, use brickhouse if you don't know or just stw :) Then, you can configure your firewall to let in only trusted IPs or what you want.

Change the default SSH server port on 10.3
Authored by: blakers on Jun 10, '04 08:20:42PM

as a higher-security alternative, you may wish to consider the following scenario (which i use ...):

(1) building an instance of OpenSSH with tcp-wrappers turned on
(2) setting up sshd to run NOT as a StartupItem, or Bootstrap Daemon, but rather solely as an xinetd service
(3) block access to specific clients/networks using tcp-wrappers' /etc/hosts* mechanisms
(4) setup server's sshd_config and clients to authenticate via PubkeyAuthentication
(5) generate & exchange ssh keys as necessary, 512-bit or better ...

this should 'harden' your ssh access fairly well

you can, as well, add ipfw rules to allow only access to/from specific hosts/networks ...

richard



TCP Wrappers
Authored by: FiercePanda on Jun 11, '04 12:41:38PM

I'm still using Jaguar, but I didn't need to rebuild sshd to get it to use TCP Wrappers. All I had to do was write an /etc/hosts.allow and hosts.deny. Is this different on Panther?



TCP Wrappers
Authored by: blakers on Jun 11, '04 06:25:42PM

honestly, that's a good question. i dunno ...

i always rebuild openssh with an up-to-date openssl build, and thus configure it with tcp-wrappers, as well as any other config i like.

if tcp-wrappers are already enabled in sshd, then that _should_ be just fine. i'm not sure at all how to check if it is, other than to try it ... and i've replaced my 'virgin install' instances ...

richard



Change the default SSH server port on 10.3
Authored by: Accura on Jun 11, '04 12:11:37AM

I did this but instead of changing the ssh protocol in the services file i added ussh to the file, copied all the ssh xinetd stuff to the same place but with ussh as the name and then edited any references in the text file. I am not on my machine at home so i can't really copy/paste my files here.

The only missing step is adding ussh to the list in Sharing so i can toggle it without going to the command line. Does any one know how to do that? is it possible?

jameso

ps, if any one wants me to write up a formal procedure and submit it as a hint let me know and i will.

---
"The time has come," the walrus said. "To talk of many things..."



Change the default SSH server port on 10.3
Authored by: valkraider on Jun 11, '04 12:52:13PM

How do you start your sshd when you set it up this way?



Change the default SSH server port on 10.3
Authored by: Accura on Jun 14, '04 07:02:09PM

i have a little shell script called shartussh that changes the line "disable = yes" in the file /etc/xinetd.d/ussh to "disable = no", then restarts xinetd.

jameso

---
"The time has come," the walrus said. "To talk of many things..."



Change the default SSH server port on 10.3
Authored by: twenex on Jun 12, '04 02:27:22AM

This is a pretty idiotic idea. It breaks other things (as I think others have pointed out). Scanners can easily detect the ssh protocol on other ports, and lots of things break. Ssh (the openssh version) is well updated whenever problems are detected, so the risk/reward on this is really bad.

There's *so* many other places to concentrate to remove potential vulnerabilities with better reward that spending a second on this hint is worthless.

Good grief. Why don't you advise people to change the port of their webservers too while you're at it.



Change the default SSH server port on 10.3
Authored by: valkraider on Jun 12, '04 07:45:47PM
This is a pretty idiotic idea. It breaks other things (as I think others have pointed out).

Like what? People keep saying how terrible this is, without any information. So far, this has not broken ONE SINGLE THING that I use.

Scanners can easily detect the ssh protocol on other ports

No one ever claimed they couldn't. But at least now they HAVE to use a scanner, eh? As opposed to just firing up any SSH client to my server address (which has a domain associated with it).

and lots of things break.

Like what?

There's *so* many other places to concentrate to remove potential vulnerabilities with better reward that spending a second on this hint is worthless.

Did you even read the hint? SOME PEOPLE CAN'T USE PORT 22. Thus, if I want to use SSH into my network from locations where port 22 is blocked, I HAVE TO CHANGE THE PORT, don't I?

Good grief. Why don't you advise people to change the port of their webservers too while you're at it.

This is a completely different concept. SSH is generally access that ONLY USERS OF THE SPECIFIC MACHINE will use - something that users can generally control, and something that the general public has no need to use on my machine - additionally SSH getting hacked has a MUCH greater impact on the overall machine than Apache getting hacked... In contrast My Web Server is for general public access - with no authentication or restriction.

But just for grins, you CAN easily change your web server port and break nothing - as long as users know to put :port after the server name. In fact, most all of the web systems I work with don't use port 80 (WebSphere, WebLogic, SilverStream, etc etc etc - they all default to other ports).

But you obviously know more than IBM, BEA, and Novell....

Change the default SSH server port on 10.3
Authored by: alvarez on Jun 13, '04 03:05:05PM

Yes! I don't care about the security or upgradability aspects of this hint. But I am currently consulting for a merry little financial management and advisory company that firewalls SSH, VPN, Outlook Exchange servers, various instant messenger services, and just about anything that allows me to be more productive on site. I was trying to determine why changing /private/etc/sshd_config was not working just the other day, and this hint comes timely.



Change the default SSH server port on 10.3
Authored by: mweissen on Jun 14, '04 09:39:03AM

This is a pretty idiotic idea. It breaks other things (as I think others have pointed out).

Like what? People keep saying how terrible this is, without any information. So far, this has not broken ONE SINGLE THING that I use.

and lots of things break.

Like what?

Like the ssh client. OK? And all tools that depend on it.

Just like the server, the client uses the POSIX API to get the port number from the /etc/services file. Since pretty much everybody uses the standard port 22, and not port 8855, the client won't be able to connect anywhere unless you *explicitly* specify port 22 either on the command line or in /etc/ssh_config. The default /etc/ssh_config on Mac OS X does not specify this, nor do users normally add "-p 22" to their ssh command lines, as far as I know. Ergo, broken SSH client, QED.

If you can't see this problem, you have apparently inadvertently unborked the client config while you borked the server, so it happens to work for you. Or then you've simply not even tried SSH:ing out?

--Bud



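As an added example (not from the hint or any commenter) that replays the two checks discussed in this thread: xinetd's "expects port" comparison against /etc/services that AndyF quotes earlier, and the client-side getservbyname lookup Bud describes here. The /etc/services and /etc/xinetd.d/ssh samples are constructed, and the function names are my own.

```python
import re

# Constructed sample of the /etc/services lines the hint edits, after the edit.
SERVICES_EDITED = """\
ftp              21/tcp     # File Transfer [Control]
ssh              8855/tcp   # SSH Remote Login Protocol
telnet           23/tcp     # Telnet
"""
SERVICES_STOCK = SERVICES_EDITED.replace("8855", "22")  # the untouched file

# Constructed /etc/xinetd.d/ssh done the xinetd way: port plus type = unlisted.
XINETD_UNLISTED = """\
service ssh
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /usr/libexec/sshd-keygen-wrapper
    server_args = -i -p 8855
    port = 8855
    type = unlisted
}
"""
# The same stanza without "type = unlisted": xinetd refuses the port mismatch.
XINETD_LISTED = XINETD_UNLISTED.replace("    type = unlisted\n", "")

def parse_services(text):
    """Map (name, proto) -> port: the lookup getservbyname(3) performs."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)", line.split("#", 1)[0].strip())
        if m:
            table[(m.group(1), m.group(3))] = int(m.group(2))
    return table

def parse_xinetd(text):
    """Return (service name, {attribute: value}) for one xinetd stanza."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    attrs = {}
    for line in m.group(2).splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return m.group(1), attrs

def check_xinetd(text, services):
    """Replay xinetd's port check; return (effective port, list of problems)."""
    name, a = parse_xinetd(text)
    problems = []
    listed = services.get((name, "tcp"))
    port = int(a["port"]) if "port" in a else listed
    if port is None:
        return None, [f"Service {name}: no port attribute and not in /etc/services"]
    if a.get("type") != "unlisted" and listed != port:
        # Without type = unlisted xinetd insists /etc/services agrees (AndyF's log line).
        problems.append(f"Service {name} expects port {listed}, not {port}" if listed
                        else f"Service {name} not in /etc/services; use type = unlisted")
    args = a.get("server_args", "")
    m = re.search(r"-p\s*(\d+)", args)
    if m and int(m.group(1)) != port:
        problems.append(f"server_args -p {m.group(1)} disagrees with port {port}")
    if "-i" not in args.split():
        problems.append("server_args lacks -i: sshd will not use the socket xinetd passes")
    return port, problems

def client_default_port(services):
    """Port the ssh client dials with no -p and no Port line in ssh_config."""
    return services.get(("ssh", "tcp"))
```

Run against the stock table, the unlisted stanza passes while the listed one reproduces the system.log complaint; run against the edited table, the stanza passes but the client's default port has moved with it.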
Change the default SSH server port on 10.3
Authored by: alvarez on Jun 13, '04 06:48:43PM
Good grief. Why don't you advise people to change the port of their webservers too while you're at it.

Ha! I missed this the first time around. I had to do this too, not because of my current gig, but because of the paranoia of my veritable DSL providers, who block all incoming port 80 traffic.


Change the default SSH server port on 10.3
Authored by: PygmySurfer on Jun 13, '04 08:17:02AM

I don't know how /etc/services works on OS X, but on typical UNIX systems, that file is basically just a hints file - it associates protocols and port numbers. Basically, it just tells an application what the default port for that particular service is.

For example, ftp is on port 21 by default. from the commandline, I can type "ftp <hostname>" and, the application will try to make the connection on port 21, because that's what it says in /etc/services. If I modify /etc/services, and change ftp to port 666, and try to run "ftp <hostname>", it's going to attempt to make the connection on port 666, instead of port 21. Maybe things are different in OS X, however.



Change the default SSH server port on 10.3
Authored by: ynolo on Jun 14, '04 11:33:07AM

After changing port 22 to what the author of this hint recommends i can no longer connect from this same machine to other ssh servers running on port 22. So i had to revert to 22.

I will do the startup suggestions that some one recommended instead.

---
i don't have one



Change the default SSH server port on 10.3
Authored by: LooseBruce on Sep 16, '04 07:10:15PM

I think the most obvious solution has been overlooked.

I simply configured my router to forward port xxxx to port 22 and furnished port xxxx to the users that have a need to login via ssh. Of course, they login with 'ssh -p xxxx user@server.com'

Using this method, no changes were necessary on the server whatsoever. Port 22 is blocked on the WAN side of the router so this method achieves the port obscurity that you're after.

Maybe *I* missed something ????



Change the default SSH server port on 10.3
Authored by: turtle777 on Nov 12, '04 11:12:52PM

My router doesn't have the capability of forwarding one port to another.

I can only specify that a port will be forwarded to an internal IP.

Too bad. Your solution sounded too easy and good to be true.



Use two ssh ports at the same time
Authored by: turtle777 on Nov 24, '04 11:39:00PM

Ok, I got it finally working:

1) added line in /etc/services
sshd 81/udp
sshd 81/tcp

2) added /etc/xinetd.d/sshd (modified copy from ssh)
service ssh
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/libexec/sshd-keygen-wrapper
# the attribute is server_args (not server_arg); -i stays so sshd uses the socket xinetd hands it
server_args = -i -p 81
port = 81
type = unlisted
groups = yes
flags = REUSE IPv6
session_create = yes
}

3) added line in /etc/sshd_config
Port 81

4) restart daemon
sudo killall -HUP xinetd

Hope that helps.

-t



Use two ssh ports at the same time
Authored by: wsdr on Nov 10, '06 07:29:11AM

Ooops, typo. In this:

2) added /etc/xinetd.d/sshd (modified copy from ssh)
service ssh
{
disable = no
socket_type = stream



Change "service ssh" to "service sshd"


