
10.4: Change the default sshd port (Network; Tiger only hint)

The changes induced with Tiger seem to be causing great pain to many in regards to sshd and changing the default port. A hint is already on file for doing this in 10.3, which even so, seems to have caused a bit of a stir. To note -- I'm not endorsing security through obscurity, but this is still a useful exercise and one that can reduce the number of people probing the standard ssh port.

In 10.4, the mechanism for launching sshd changed from using xinetd to launchd. This dramatically changed how sshd is launched, what ports are listened to, etc. Logically, you would think you could just edit /etc/sshd_config and be done with it. Sorry, but it's not that easy. sshd_config is read on launch of sshd, but launchd launches sshd when the appropriate port is "tickled." Here's the deal. launchd has an "on-demand" mode, where services that need to be launched upon being "tickled" on a particular port are launched. In /System/Library/LaunchDaemons is a file called ssh.plist which defines the on-demand configuration for sshd.

In general, in most on-demand plists for launchd, a key can be found called SockServiceName. In the ssh.plist file, this is defined as follows:
  <key>SockServiceName</key>
  <string>ssh</string>
No, it doesn't list a port number; it lists a service name that is looked up by the getaddrinfo() function call. This, in turn, looks up the service in the /etc/services file. This file has been key to a long-raging debate on the proper way to change the port that sshd listens to.

However, you can easily just add an entry to /etc/services such as ssh2, pointing to a second port (or using an existing services entry that isn't being listened to), then modify the ssh.plist file to use that entry for SockServiceName. By doing so, sshd will only listen to that port, while leaving ssh client activity unaffected. So, in my case, I added the following to /etc/services:
  ssh2              10022/udp 
  ssh2              10022/tcp
Next I modified my /System/Library/LaunchDaemons/ssh.plist, changing the SockServiceName lines from what's shown above to this:
  <key>SockServiceName</key>
  <string>ssh2</string>
If you want to listen to both ports, just duplicate your ssh.plist to ssh2.plist, then modify the ssh2.plist file to use your second port -- and also change the Label string to something else (to give it a different name):
  <key>Label</key>
  <string>com.openssh.sshd2</string>
This can be useful if you block port 22 at your router, then port forward (or just plain open) some other port to your machine for ssh access. Machines inside can still access the machine through port 22, but those outside can access through the alternate port only. Note that you will need to refresh launchd for these changes to take effect. A reboot is the surest way (but using launchctl to load the script seems to work fine if you didn't add a new services entry). Also, make sure to open the firewall port on the Mac OS X firewall if you are running it.
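The two edits described above (a new /etc/services entry, and a copy of ssh.plist with a different Label and SockServiceName) are easy to get slightly wrong by hand, so here is an added example script that performs them with awk against copies of the files in a scratch directory. It is not part of the original hint; the service name ssh2, port 10022 and label com.openssh.sshd2 are the hint's own values, while the sample plist, the file locations and the function names are assumptions. Run it against real files only after pointing it at /etc/services and /System/Library/LaunchDaemons/ssh.plist as root.

```sh
#!/bin/sh
# Added example (not from the original hint): apply the hint's edits to copies
# of the files so it can be run without root. Names and paths are assumed.

# Append "name port/proto" lines (tcp and udp, as in the hint) to a services
# file, skipping any line that is already present so re-runs are harmless.
# Usage: add_service_entry SERVICES_FILE NAME PORT
add_service_entry() {
    svc_file=$1; name=$2; port=$3
    for proto in tcp udp; do
        if ! grep -Eq "^${name}[[:space:]]+${port}/${proto}" "$svc_file"; then
            printf '%s\t\t%s/%s\n' "$name" "$port" "$proto" >> "$svc_file"
        fi
    done
}

# Copy a launchd plist, replacing the <string> that follows <key>Label</key>
# and the one that follows <key>SockServiceName</key> (the hint's
# "duplicate ssh.plist to ssh2.plist and change both" step).
# Usage: make_alt_plist SRC_PLIST DST_PLIST NEW_LABEL NEW_SERVICE
make_alt_plist() {
    src=$1; dst=$2; label=$3; service=$4
    awk -v label="$label" -v service="$service" '
        /<key>Label<\/key>/           { print; want = "label";   next }
        /<key>SockServiceName<\/key>/ { print; want = "service"; next }
        want == "label"   && /<string>/ { sub(/<string>[^<]*<\/string>/, "<string>" label "</string>");   want = "" }
        want == "service" && /<string>/ { sub(/<string>[^<]*<\/string>/, "<string>" service "</string>"); want = "" }
        { print }
    ' "$src" > "$dst"
}

# Print the <string> value that follows the first occurrence of a given <key>.
# Usage: plist_value PLIST KEYNAME
plist_value() {
    awk -v key="<key>$2</key>" '
        found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
        $0 ~ key            { found = 1 }
    ' "$1"
}

# Demonstration on constructed copies; the plist below is a trimmed stand-in
# for 10.4's ssh.plist, not the real file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/ssh.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.openssh.sshd</string>
  <key>Sockets</key>
  <dict>
    <key>Listeners</key>
    <dict>
      <key>SockServiceName</key>
      <string>ssh</string>
    </dict>
  </dict>
</dict>
</plist>
EOF
    printf 'ssh\t\t22/udp\nssh\t\t22/tcp\n' > "$tmp/services"
    add_service_entry "$tmp/services" ssh2 10022
    make_alt_plist "$tmp/ssh.plist" "$tmp/ssh2.plist" com.openssh.sshd2 ssh2
    echo "ssh2.plist Label:           $(plist_value "$tmp/ssh2.plist" Label)"
    echo "ssh2.plist SockServiceName: $(plist_value "$tmp/ssh2.plist" SockServiceName)"
    echo "services entries for ssh2:  $(grep -c '^ssh2' "$tmp/services")"
    rm -rf "$tmp"
}

demo
```

After editing the real files you still need the launchctl unload/load (or reboot) step from the hint, and the firewall opening, before anything listens on the new port; the script only prepares the files.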

10.4: Change the default sshd port
Authored by: macubergeek on Jul 19, '05 07:07:17AM

This writeup is interesting BUT....
changing the sshd port adds nothing to one's security posture. A quick nmap of the ports and a netcatting will quickly identify the new sshd port.
Adding appropriate firewall rules controlling the source port that can reach sshd would add a little more security. Authenticating via RSA SecurID would add still more.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: macshome on Jul 19, '05 09:27:03AM

Running ssh on a different port though will stop the ENDLESS ssh scans that seem to blight the internet these days from pounding your Mac.

It, as well as disabling ssh login for root, will prevent OD replica _creation_ on Mac OS X Server, so watch out for that. Once you have a replica created you can re-diddle ssh.

Josh

---
http://www.afp548.com
Breaking my server to save yours.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: Anonymous on Jul 20, '05 03:12:00AM

I agree, changing port numbers is not a security measure. However, it can be useful in a number of situations. For example: traffic on port 22 may be blocked or considered suspicious by ISPs or a workplace thus choosing a different port (such as 443) can be a great alternative.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: JLG on Nov 20, '08 02:37:21PM

Not to disagree for the sake of disagreeing, but changing the ssh port is definitely a security measure, for the reason Josh mentions. Those ssh bots hammer port 22 on any server running ssh on the default port, to the point that they can overwhelm DirectoryServices, creating a DOS attack. If the scans are successful in guessing a password, your system is hacked. By changing the ssh port, you remove the server's exposure to these bots--so yes, it is a security measure.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: paulsomm on Nov 08, '05 08:21:46PM

Perhaps, but the point of this really isn't for added security so much as obfuscation. I have passwords disabled, rely solely on keys, and have my account as the only one allowed to ssh and only from set machines. I'm not worried about someone getting in. But I do want to stop the endless script kiddie attacks as each attempt to log in spawns a new SSHD service. Watching the traffic hit port 22, I can see sometimes dozens of SSHD processes running.

By obfuscating the port, at least the worms/zombies/script kiddies trying port 22 will not even get to my machine.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: rexroof on Jul 26, '05 03:48:38PM
thanks! I was just looking for this. I added an ssh service called ssh-dns, and in order to get it started without rebooting, I ran:
launchctl load /System/Library/LaunchDaemons/ssh-dns.plist
that seemed to work like a charm. is there a command for refreshing?

[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: paulsomm on Nov 08, '05 08:23:57PM

before calling the load, be sure to unload, and it's just ssh.plist:

launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh.plist



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: TigerKR on Oct 19, '05 11:47:59PM

Great hint. I guess Tiger doesn't log ssh connections (success and failures) by default. In order to enable the logging, I followed this hint:

http://www.macosxhints.com/article.php?story=20051012162448301

After checking the logs, I decided to change the default port for the outside interface.



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: n9az on Nov 24, '05 12:14:41PM

Has anyone managed to set up ssh on multiple ports? I tried following the instructions listed here, but ssh still only listens on port 22. I want it to listen on both port 22 and another that I specify. I've tried stopping and restarting ssh, and I've double and triple checked everything, but I can't figure it out. Thanks!



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: n9az on Nov 24, '05 12:42:49PM
Man, I hate it when I post a question and then quickly manage to find the answers myself.... :-)

The trick is to create a secondary plist file as described above, add the extra lines in /etc/services and then remember to do the following:

1) in Terminal.app run

launchctl load /System/Library/LaunchDaemons/ssh2.plist
2) if you have OSX's built-in firewall on like I do, make sure to add an entry in System Preferences -> Sharing -> Firewall (tab) for the secondary ssh port
3) if you're using a router with firewall, obviously you must route that port as well

I managed to forget to do #1 and then #2. Oops!

This is useful for me because I have my router send traffic on port 22 to one machine and traffic on the secondary port to my Mac, so when I'm not home I can ssh directly into either machine just by specifying which port I want to use.

Sorry about the extra post, everyone...

[ Reply to This | # ]

Adding 2nd port w/o restart
Authored by: astyanax on Jul 14, '06 02:51:02PM

It is worth pointing out that you can add a second service/port without a reboot with the following commands:

service ssh stop
launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh2.plist
service ssh start
service ssh2 start

You probably don't even need this many steps, but this was what I did so...



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: macsolve on Nov 07, '07 03:07:59PM

This method works for me in Leopard too.



[ Reply to This | # ]
10.4: Multiple sshd ports, one plist file.
Authored by: don_coleman on Feb 15, '08 07:43:41AM

If you want to listen on multiple ports, you do not need multiple .plist files, nor multiple service names... one will do.

Find the following lines in the ssh.plist file:

----
<key>Sockets</key>
<dict>
<key>Listeners</key>
----

Add new lines as shown below, with the new lines marked with "+":

----
<key>Sockets</key>
<dict>
+ <key>Alternate Listeners</key>
+ <dict>
+ <key>SockServiceName</key>
+ <string>ssh2</string>
+ </dict>
<key>Listeners</key>
----

This assumes you have already edited /etc/services to add ssh2 -- you can also just use a number directly (i.e. "222") rather than specifying "ssh2".

If you want more than two port numbers, just change "Alternate Listeners" in the first new line to something unique, and duplicate the 5 additional lines again.

The instructions above about stopping/starting the service and also modifying the firewall still apply.



[ Reply to This | # ]
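The single-plist approach in the comment above (an extra dict under Sockets, each with its own unique key and SockServiceName) can also be scripted. The following is an added example, not code from the comment's author or from Apple: it inserts a new listener dict directly after the `<dict>` that opens Sockets, and lists the SockServiceName values present so you can confirm the result before loading it with launchctl. The function names, the trimmed sample plist and the key name "Third Listener" are assumptions; "Alternate Listeners", ssh2 and 222 are the comment's own values.

```sh
#!/bin/sh
# Added example (not from the original comment): add extra listeners to one
# launchd plist instead of cloning it. Function names and sample data assumed.

# Insert a listener dict named KEYNAME with SockServiceName SERVICE right after
# the <dict> that follows <key>Sockets</key>. SERVICE may be an /etc/services
# name (ssh2) or, as the comment notes, a bare port number (222).
# Usage: add_listener PLIST KEYNAME SERVICE
add_listener() {
    plist=$1; keyname=$2; service=$3
    tmp="$plist.tmp.$$"
    awk -v keyname="$keyname" -v service="$service" '
        { print }
        /<key>Sockets<\/key>/ { insock = 1; next }
        insock && /<dict>/ {
            print "\t\t<key>" keyname "</key>"
            print "\t\t<dict>"
            print "\t\t\t<key>SockServiceName</key>"
            print "\t\t\t<string>" service "</string>"
            print "\t\t</dict>"
            insock = 0
        }
    ' "$plist" > "$tmp" && mv "$tmp" "$plist"
}

# Print every SockServiceName value in the plist, one per line, in file order.
# Usage: listener_services PLIST
listener_services() {
    awk '
        /<key>SockServiceName<\/key>/ { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; want = 0 }
    ' "$1"
}

# Sanity check that the edit left the dict nesting balanced (prints 1 if so).
dicts_balanced() {
    opens=$(grep -c '<dict>' "$1"); closes=$(grep -c '</dict>' "$1")
    [ "$opens" -eq "$closes" ] && echo 1 || echo 0
}

demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for the Sockets section of 10.4's ssh.plist.
    cat > "$tmp/ssh.plist" <<'EOF'
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.openssh.sshd</string>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>ssh</string>
		</dict>
	</dict>
</dict>
</plist>
EOF
    add_listener "$tmp/ssh.plist" "Alternate Listeners" ssh2
    add_listener "$tmp/ssh.plist" "Third Listener" 222
    echo "listeners now: $(listener_services "$tmp/ssh.plist" | tr '\n' ' ')"
    echo "dicts balanced: $(dicts_balanced "$tmp/ssh.plist")"
    rm -rf "$tmp"
}

demo
```

Each call inserts at the top of the Sockets dict, so the most recently added listener appears first; launchd does not care about the order, only that every key under Sockets is unique, which is why the comment tells you to pick a fresh name for each additional block.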
10.4: Change the default sshd port
Authored by: calfaro on May 02, '08 09:59:45AM

I was able to get the port changed in Leopard and I can ssh from my own computer locally to the new port, however I am still unable to ssh to the new port from a remote computer. I'm guessing the firewall in Leopard is blocking the new port. Any suggestions of how to open the new port and close the default one?



[ Reply to This | # ]
10.4: Change the default sshd port
Authored by: ryancousins on Jan 11, '12 09:38:00AM

Why do you need to create a new service? Why can't you just change the port for ssh in the /etc/services file?



[ Reply to This | # ]