Using Source While Forwarding SSH



  • We have a company that regularly remotes in past our firewall to do maintenance on one of servers via SSH.

    I could keep a rule forwarding port 22, but I worry about the security of our internal server.

    My first question is: is it any more safe to forward an arbitrary port (ex: 40000) to port 22 in an effort to avoid port scanners?

    My second question: is there a way to use "source" in the NAT rule to specify a source IP address? I can't find much documentation on the source feature. For instance is "single host" the correct option to specify the source IP address?

    Thanks for your time.



  • It's slightly safer to use a port in the ephemeral range or higher in that 22 is the known SSH port and is heavily targeted by scans.  Someone would have to o a complete port scan to find your SSH server up at 40000.

    Yes, Single host or alias is the one to use.  You can create an alias that holds the IP(s) or IP ranges you expect them to come in on.


  • Rebel Alliance Global Moderator

    Yes locking the forward rule down to their source IP would be one way to do it.  Changing ports is not reallly security – famous quote "security through obscurity is not security"

    If looking to reduce logs, then sure changing ports can reduce those.  But you would be better off making sure your ssh is secure - say for example only allow public key auth.  Don't even allow passwords.  On the host put in something like fail2ban so that at most your logs will only have say 4 entries before the host blocks that IP, etc.