Re: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread garima jain
Also, the jars used are sshd-core-0.9.0.jar, sshd-sftp-0.9.0.jar.

-Garima Jain.

On Tue, Jun 21, 2016 at 11:42 AM, garima jain 
wrote:

> Can I keep the port open for sftp and close for ssh?
>
> -Garima Jain.


Re: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread garima jain
Can I keep the port open for sftp and close for ssh?

-Garima Jain.

On Mon, Jun 20, 2016 at 10:33 PM, garima jain 
wrote:

> Thanks. Will use that.
>
> -Garima Jain


Restrict PORT to connect to original client only

2016-06-20 Thread Simon Kelly
Hi,

I'm looking at securing our embedded ftp server from port bounce attacks 
(CA-1997-27) and following the advice at 
https://www.cert.org/historical/advisories/CA-1997-27.cfm? I have removed the 
anonymous user, but I want to configure the server to only allow the PORT 
command to connect back to the originating client.

Is there a setting for this or is this the default behaviour?

Kind regards

Simon
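
The check asked about above, as an added example (not part of the original post and not Apache FtpServer code): parse the `h1,h2,h3,h4,p1,p2` argument of a PORT command and accept it only when the address equals the peer of the control connection. The function names and the extra refusal of ports below 1024 are assumptions of this sketch.

```python
import ipaddress

# Assumption of this sketch: privileged ports are refused as well.
MIN_DATA_PORT = 1024


def parse_port_argument(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated fields")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("fields must be decimal numbers")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("fields must be in the range 0-255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def normalise_peer(peer):
    """Parse the control-connection peer, unwrapping ::ffff:a.b.c.d to IPv4."""
    addr = ipaddress.ip_address(peer)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def check_port_command(arg, control_peer):
    """Return (allowed, reason) for a PORT argument sent by control_peer."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if host != normalise_peer(control_peer):
        return False, f"address {host} is not the control-connection peer"
    if port < MIN_DATA_PORT:
        return False, f"port {port} is below {MIN_DATA_PORT}"
    return True, f"data connection to {host}:{port}"


if __name__ == "__main__":
    # Constructed sample session: the client is connected from 203.0.113.10.
    peer = "203.0.113.10"
    for arg in ("203,0,113,10,195,80", "192,0,2,55,0,25", "203,0,113,10,0,22"):
        print(arg, check_port_command(arg, peer))
```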


Re: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread garima jain
Thanks. Will use that.

-Garima Jain
On Jun 20, 2016 10:31 PM, "Ashish"  wrote:

> On Mon, Jun 20, 2016 at 9:43 AM, garima jain 
> wrote:
> > Can we use black list/whitelist feature?
>
> This is what you should use.


Re: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread Ashish
On Mon, Jun 20, 2016 at 9:43 AM, garima jain  wrote:
> Can we use black list/whitelist feature?

This is what you should use.




-- 
thanks
ashish

Blog: http://www.ashishpaliwal.com/blog
My Photo Galleries: http://www.pbase.com/ashishpaliwal
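
The whitelist approach recommended in this thread, as an added example (not code from the thread or from Apache MINA): a default-deny check of the client address against single IPs and networks. The class and function names and the sample addresses are constructed for illustration.

```python
import ipaddress


class ClientAllowList:
    """Default-deny filter: accept a client only if a listed network contains it."""

    def __init__(self, entries):
        # strict=False lets a single host ("198.51.100.7") and a network
        # ("10.20.0.0/16") share one configuration syntax.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def permits(self, peer):
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            return False  # unparseable peer address: fail closed
        # A dual-stack listener can report an IPv4 client as ::ffff:a.b.c.d;
        # unwrap it so that IPv4 entries still match.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        return any(addr in net for net in self.networks)


def triage(allow_list, peers):
    """Map each peer address to the decision a connection filter would take."""
    return {p: "accept" if allow_list.permits(p) else "reject" for p in peers}


if __name__ == "__main__":
    # Constructed allow-list and peers (documentation address ranges).
    allow = ClientAllowList(["198.51.100.7", "10.20.0.0/16"])
    peers = ["198.51.100.7", "198.51.100.8", "::ffff:10.20.33.4", "2001:db8::1"]
    for peer, decision in triage(allow, peers).items():
        print(peer, decision)
```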


RE: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread garima jain
Can we use black list/whitelist feature?

-Garima Jain
On Jun 20, 2016 10:12 PM, "elijah baley"  wrote:

> There are many options - depending on the actual setup:
> - You can move SSHD to a non-standard port on all interfaces - easy to do
>   when setting up the server - just call "setPort" on the SshServer instance
> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
>   bind SFTP to the public interface on port 22 - easy to do just call
>   "setAddress" (or something to that effect) on the SshServer instance
>
> I could think of more exotic options - e.g. similar to sslh, using
> HAPROXY, etc., etc.


RE: Partial Disabling of port 22 using apache-mina SSHD

2016-06-20 Thread elijah baley
There are many options - depending on the actual setup:
- You can move SSHD to a non-standard port on all interfaces - easy to do when
  setting up the server - just call "setPort" on the SshServer instance
- You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
  bind SFTP to the public interface on port 22 - easy to do just call
  "setAddress" (or something to that effect) on the SshServer instance

I could think of more exotic options - e.g. similar to sslh, using HAPROXY,
etc., etc.
> From: jain.garim...@gmail.com
> Date: Mon, 20 Jun 2016 12:10:26 +0530
> Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> To: dev@mina.apache.org
> 
> Hi elijah,
> 
> The requirement is to block port 22 for SSH and accept SFTP connections on
> Port 22. Is there a class/method that can help us achieve the aim?
> 
> -Garima Jain.
> 
> On Fri, Jun 17, 2016 at 3:27 PM, elijah baley  wrote:
> 
> > Is there some reason your code cannot examine the incoming client address
> > and reject it if it does not match some specified criteria (e.g., mask,
> > network, closed group of IPs - whatever...) ?
> >
> > > From: jain.garim...@gmail.com
> > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > To: dev@mina.apache.org
> > >
> > > Hi,
> > >
> > >
> > >
> > > We are using com.springsource.org.apache.mina-1.0.2.jar in our product.
> > > The requirement is to disable port 22 for all incoming traffic over SSH
> > > but the same port is required to communicate with few IP’s over 22. Is
> > > there a way to handle selective port blocking?
> > >
> > >
> > > -Garima Jain.
> >
> >