2 sshd configurations 1 for internal and 1 external





How can I set up OpenSSH server so that if I'm ssh'ing from a local LAN I want it to be via port 22, but if I'm coming externally it's via port 12345, for example?

Then for external access I'd like some different (stricter) rules in sshd_config.







ssh sshd






asked Jul 25 '13 at 16:36 by parisv













  • Please add more details on your network topology. How does the system connect to the outside? Does it have more than one network interface? Will external connections come from a router and, if so, how does the router handle or translate external connections (maybe via NAT)? Or is routing handled by the server itself, maybe using iptables?

    – roadmr
    Jul 25 '13 at 16:53

  • It works on 18.04

    – VikingGlen
    Dec 11 '18 at 16:10

  • Zeke's answer below worked for me on 18.04. Regarding your external sshd, you can limit users with the AllowUsers option. How strict do you want? Create a user with a password for a username: eR4d092a. Jail him. Limit him to a couple of commands. Require he "su" out to get into your system. Alias the "su" command. For example, "su" becomes "alberny." Make eR4d092a's password 14 to 16 characters. Limit external access only to eR4d092a: AllowUsers eR4d092a. No one will ever guess a username-password combination set up this way on a non-standard port.

    – VikingGlen
    Dec 11 '18 at 16:20




















3 Answers

Eric Carvalho's answer works for pre-15.04, but they deprecated and then removed upstart from Ubuntu (see SystemdForUpstartUsers).

These steps have been adapted to work with systemd.

  1. Copy the SSH configuration file:

         sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_external

  2. Copy the systemd configuration file:

         sudo cp /lib/systemd/system/ssh.service /lib/systemd/system/sshd-external.service

     In the new file (/lib/systemd/system/sshd-external.service), change the line:

         ExecStart=/usr/sbin/sshd -D $SSHD_OPTS

     to:

         ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd_config_external

     and the line:

         Alias=sshd.service

     to:

         Alias=sshd-external.service

  3. Now customize /etc/ssh/sshd_config_external to your needs (e.g. change Port 22 to Port 12345).

  4. Enable the service:

         sudo ln -s /lib/systemd/system/sshd-external.service /etc/systemd/system/sshd-external.service

     If you have run the above command, then run sudo systemctl disable sshd-external.service before running the next command:

         sudo systemctl enable sshd-external.service

         sudo service sshd-external start

This has been tested on Ubuntu 16.04 on real hardware and a virtual machine in VirtualBox.

Let me know if this doesn't work. I've been known to make typos.







answered Dec 29 '16 at 14:53 by silverduck, edited Jul 6 '17 at 23:54








  • It works on 18.04

    – VikingGlen
    Dec 11 '18 at 16:12














Create another SSH service instance.

  1. Copy the SSH configuration file:

         sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_external

  2. Copy the upstart configuration file:

         sudo cp /etc/init/ssh.conf /etc/init/ssh-external.conf

     In the new file (ssh-external.conf), change the line:

         mkdir -p -m0755 /var/run/sshd

     to:

         mkdir -p -m0755 /var/run/sshd-external

     And change the line:

         exec /usr/sbin/sshd -D

     to:

         exec /usr/sbin/sshd -D -f /etc/ssh/sshd_config_external

  3. Create the link to upstart:

         sudo ln -s /lib/init/upstart-job /etc/init.d/ssh-external

Now customize /etc/ssh/sshd_config_external to your needs (e.g. change Port 22 to Port 12345) and start the service:

    sudo service ssh-external start






answered Jul 25 '13 at 17:06 by Eric Carvalho, edited Jul 2 '17 at 5:14 by Raphael
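
Both answers above end with "customize /etc/ssh/sshd_config_external to your needs", and the question asks for stricter rules on the external instance. The script below is an added example, not part of either answer: it audits the external config against the internal one. The function names, the sample files, the user `alice`, the `/var/run/sshd.pid` default and the required values (no root login, no passwords, an `AllowUsers` list) are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit sshd_config_external against the internal sshd_config.

# cfg_get FILE KEYWORD: print every value of KEYWORD in the global section.
# Keywords are case-insensitive, '#' lines are comments, and the first
# "Match" line ends the global section. Include files are not followed.
cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # strip the keyword
            sub(/[ \t]+$/, "")                # strip trailing blanks
            print
        }' "$1"
}

# cfg_first FILE KEYWORD DEFAULT: sshd uses the first value it reads for an
# ordinary keyword; print that, or DEFAULT when the keyword is absent.
cfg_first() {
    first=$(cfg_get "$1" "$2" | head -n 1)
    printf '%s\n' "${first:-$3}"
}

# audit_external INTERNAL EXTERNAL: print findings, return 1 on any FAIL.
# The required values are this example's policy, not OpenSSH defaults.
audit_external() {
    rc=0
    # Port may be given several times; sshd listens on 22 when it is absent.
    int_ports=$(cfg_get "$1" Port); ext_ports=$(cfg_get "$2" Port)
    for p in ${ext_ports:-22}; do
        for q in ${int_ports:-22}; do
            [ "$p" != "$q" ] || { echo "FAIL Port $p clashes with the internal instance"; rc=1; }
        done
    done
    # Each daemon writes a pid file; the default path here is an assumption.
    if [ "$(cfg_first "$1" PidFile /var/run/sshd.pid)" = "$(cfg_first "$2" PidFile /var/run/sshd.pid)" ]; then
        echo "FAIL PidFile is the same for both instances"; rc=1
    fi
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}; val=${want#* }
        got=$(cfg_first "$2" "$key" unset)
        [ "$got" = "$val" ] || { echo "FAIL $key is $got, want $val"; rc=1; }
    done
    [ -n "$(cfg_get "$2" AllowUsers)" ] || { echo "FAIL AllowUsers is not set"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK"
    return "$rc"
}

# Constructed sample files: an internal config, a copy in which only the port
# was changed, and a hardened external config.
write_samples() {
    cat > "$1/internal" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
EOF
    sed 's/^Port 22$/Port 12345/' "$1/internal" > "$1/copied"
    cat > "$1/hardened" <<'EOF'
# external instance
port 12345
PidFile /var/run/sshd-external.pid
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
EOF
}

demo() {
    d=$(mktemp -d) && write_samples "$d"
    echo "== copy with only Port changed =="
    audit_external "$d/internal" "$d/copied"
    echo "== hardened external config =="
    audit_external "$d/internal" "$d/hardened"
    rm -rf "$d"
}
demo || true
```

On the server itself, `sudo sshd -t -f /etc/ssh/sshd_config_external` checks the file's syntax before the service is started.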























Thanks so much for the detailed steps. With this I could set up my Raspberry Pi to serve as an entry point from the internet: one port is forwarded from the router, with 2-factor authentication, the other is for internal access. The setup was really smooth.







answered 1 hour ago by Ben Z.








  • Welcome to Ask Ubuntu. This is a question answer site. Your answer does not provide a solution. "Thank you" is not a valid answer.

    – user68186
    1 hour ago













