"I found a Slackware script that hides the accepted ssh port number while 
rejecting all others, including 22.

The example script includes:
> # First, set SSHD back to the default port 22.
> # Next, figure out what port or ports you want to do SSH over.
> # We're going to use 99, 88, and 8889 here.
> # Now we take care of the Hypothetical Evil Unprivileged User
> # by not accepting anything over those ports in the first place.
> # This is only effective for port 8889 but we'll do all three ports for the
> # sake of completeness.
> /usr/sbin/iptables -t filter -A INPUT -p tcp -m multiport --dports 99,88,8889 -j REJECT --reject-with tcp-reset
> 
> Why use three port numbers if only the last one will be valid?"


I'll attempt to demystify and sum up the techno-jargon.

This is common firewall/network security practice. This is an iptables (Linux 
Firewall) script. The idea is to only accept packets inbound to your network on 
a non-default port, such as the three destination ports in the example, 
99, 88, 8889. Only TCP/IP packets with one of those dest. ports will be accepted 
and then re-routed out of the firewall to a machine on the network that is 
set up for SSH access on the default port of 22.

The idea is that only you, the sys-admin, developers, etc. will know to set up 
SSH access to your internal PCs/servers, etc. on those non-default ports that 
you've chosen, which hopefully aren't the same port numbers as in the example 
script!!! =)

The Slackware Docs explain this. Reference: 
https://docs.slackware.com/howtos:security:ssh

# Reject direct connections to the three "hidden" ports themselves.
/usr/sbin/iptables -t filter -A INPUT -p tcp -m multiport --dports 99,88,8889 -j REJECT --reject-with tcp-reset

# Then, pick a number between 1 and 4294967295. I'll use 0x13F.
# We're going to tell iptables to reject anything without this mark coming
# into port 22.

/usr/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark 0x13F -j REJECT --reject-with tcp-reset

# Now we'll tell iptables what ports we will accept for ssh.

/usr/sbin/iptables -t filter -A FORWARD -p tcp -m multiport --dports 99,88,8889 -j ACCEPT

# In the mangle table we slap our mark on these packets.

/usr/sbin/iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 99,88,8889 -j CONNMARK --set-mark 0x13F

# Finally in the nat table we tell iptables to send the marked packets back
# to port 22.

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport --dports 99,88,8889 -j REDIRECT --to-ports 22
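To see how those rules interact for a new inbound connection, here is an added Python model (not from the thread or the Slackware docs) that walks a SYN through the hook order mangle PREROUTING, nat PREROUTING, filter INPUT using the script's ports and mark; it assumes ACCEPT as the default verdict for ports the script does not mention, since the script sets no chain policy.

```python
# Model of the netfilter path a new inbound TCP SYN takes through the
# Slackware rules above (added illustration, not code from the docs).
# Hook order for locally delivered packets:
#   mangle PREROUTING -> nat PREROUTING -> filter INPUT

SSH_PORTS = {99, 88, 8889}   # the "hidden" ports chosen in the script
MARK = 0x13F                 # the connmark value chosen in the script


def mangle_prerouting(pkt, conn):
    # CONNMARK --set-mark tags the connection, so later packets of the
    # same flow carry the mark too
    if pkt["proto"] == "tcp" and pkt["dport"] in SSH_PORTS:
        conn["mark"] = MARK


def nat_prerouting(pkt, conn):
    # REDIRECT --to-ports 22 rewrites the destination port of the packet
    # (and, via conntrack, of every later packet in the connection)
    if pkt["proto"] == "tcp" and pkt["dport"] in SSH_PORTS:
        pkt["dport"] = 22


def filter_input(pkt, conn):
    # Rule 1: anything still addressed to a hidden port here was never
    # redirected, so it is rejected
    if pkt["proto"] == "tcp" and pkt["dport"] in SSH_PORTS:
        return "REJECT"
    # Rule 2: port 22 is only reachable when the connection carries the mark,
    # which a direct connection to 22 never gets
    if pkt["proto"] == "tcp" and pkt["dport"] == 22 and conn.get("mark") != MARK:
        return "REJECT"
    return "ACCEPT"   # assumed default policy for this model


def walk(dport, proto="tcp"):
    """Return (verdict, final_dport) for a new inbound connection to dport."""
    pkt, conn = {"proto": proto, "dport": dport}, {}
    mangle_prerouting(pkt, conn)
    nat_prerouting(pkt, conn)
    return filter_input(pkt, conn), pkt["dport"]


if __name__ == "__main__":
    for port in (22, 8889, 99, 80):
        print(port, "->", walk(port))
```

Note that because the nat REDIRECT runs before filter INPUT, the first INPUT rule never sees a redirected packet; it only catches traffic that reached INPUT on a hidden port without passing through nat PREROUTING.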
