Netgate Discussion Forum

    Using Source While Forwarding SSH

    NAT
    3 Posts 3 Posters 761 Views
    • matthew.c.tx

      We have a company that regularly remotes in past our firewall to do maintenance on one of our servers via SSH.

      I could keep a rule forwarding port 22, but I worry about the security of our internal server.

      My first question is: is it any more safe to forward an arbitrary port (ex: 40000) to port 22 in an effort to avoid port scanners?

      My second question: is there a way to use "source" in the NAT rule to specify a source IP address? I can't find much documentation on the source feature. For instance, is "single host" the correct option to specify the source IP address?

      Thanks for your time.

      • KOM

        It's slightly safer to use a port in the ephemeral range or higher in that 22 is the known SSH port and is heavily targeted by scans. Someone would have to do a complete port scan to find your SSH server up at 40000.

        Yes, Single host or alias is the one to use.  You can create an alias that holds the IP(s) or IP ranges you expect them to come in on.

        • johnpoz LAYER 8 Global Moderator

          Yes, locking the forward rule down to their source IP would be one way to do it. Changing ports is not really security – famous quote "security through obscurity is not security"

          If looking to reduce logs, then sure changing ports can reduce those.  But you would be better off making sure your ssh is secure - say for example only allow public key auth.  Don't even allow passwords.  On the host put in something like fail2ban so that at most your logs will only have say 4 entries before the host blocks that IP, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
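The two host-side measures johnpoz describes (public-key-only SSH with passwords disabled, and a fail2ban-style cutoff after a handful of failed logins) can be checked and illustrated with a short script. The following Python is an added example written for this thread, not code from the forum, pfSense, OpenSSH or fail2ban: it audits an sshd_config fragment for the required directives (real OpenSSH keywords, simplified parsing that ignores Match blocks) and replays constructed auth.log lines to show how a maxretry of 4 limits the entries a scanning IP can leave before it is banned. All config text, hostnames and IP addresses are constructed for the example.

```python
"""Added example (not from the thread): audit sshd_config for key-only auth
and model fail2ban's maxretry cutoff over sample auth.log lines."""
import re
from collections import defaultdict

# Constructed sshd_config fragment with the weak settings the thread warns about.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Same fragment with the settings johnpoz recommends (keys only, no passwords).
HARDENED_SSHD_CONFIG = """\
Port 40000
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Real OpenSSH keywords and the values we require; sshd matches keywords
# case-insensitively and honours the first occurrence of each.
REQUIRED = {
    "passwordauthentication": ("no",),
    "pubkeyauthentication": ("yes",),
    "permitrootlogin": ("no", "prohibit-password"),
}


def parse_sshd_config(text):
    """Return {keyword_lower: first_value}; comments and blank lines skipped.
    Simplification: Match blocks are not tracked, every line is read globally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the fragment passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} not set explicitly; relying on the built-in default")
        elif actual.lower() not in allowed:
            findings.append(f"{key} is '{actual}', expected one of {allowed}")
    return findings


# Constructed auth.log lines in OpenSSH's wording (hosts and IPs are made up).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 srv sshd[1000]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jan 10 10:00:03 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jan 10 10:00:05 srv sshd[1002]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 10 10:00:07 srv sshd[1003]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jan 10 10:00:09 srv sshd[1004]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jan 10 10:00:11 srv sshd[1005]: Accepted publickey for maint from 198.51.100.7 port 52000 ssh2: ED25519 SHA256:constructed
Jan 10 10:00:13 srv sshd[1006]: Failed password for root from 198.51.100.9 port 53000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def fail2ban_style_bans(log_text, maxretry=4):
    """Model fail2ban's sshd jail: count failed logins per source IP and ban
    an IP once it reaches maxretry. Returns (banned_ips, entries_per_ip),
    where entries_per_ip is how many log lines each IP produced before its
    ban (later attempts would be dropped by the firewall and never logged)."""
    failures = defaultdict(int)
    banned = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if ip in banned:
            continue  # connection would be blocked at the firewall
        failures[ip] += 1
        if failures[ip] >= maxretry:
            banned.add(ip)
    return banned, dict(failures)


if __name__ == "__main__":
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("bans / entries:", fail2ban_style_bans(SAMPLE_AUTH_LOG))
```

Run it as-is to see the weak fragment flagged on PasswordAuthentication and PermitRootLogin while the hardened one passes, and the scanning source 203.0.113.5 held to exactly four log entries before its ban, while the legitimate key-based login and the single failure from another address are unaffected.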

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.