Ssh from home to machine behind firewall

firewall ssh tunneling

Semi-newbie, so flame-throwers to 'singe only' please. 😉

I have machine A at work, which I'd like to SSH into from a machine at home (call it machine B) — machine A is behind our corporate firewall, which has only port 22 and port 80 open. On the machine A side of things, I want to change the port for SSH on machine A from 22 to (say) 2200, to minimize the number of script kiddies hammering away on port 22 (I have other SSH hardening policies in place, but would like to add moving the default SSH port from 22 to (say) 2200). This is easy enough within the SSHD config, but doing so kills anything inbound since port 2200 is blocked at the edge.

So, some sort of forwarding/tunnelling option. I've tried a few permutations on both the machine A and machine B side, but haven't found the magic combination. I was hoping one of the more learned types on this forum could advise:

1. what do I need to set up for forwarding/port config on machine A?

2. in terms of establishing the tunnel from machine B, what is the basic SSH command structure I need to try?

Apologies in advance for the extremely 'basic' level of the questions (and, if they've been answered before, apologies again, because what answers I could find weren't entirely accessible to someone at my level).

Many thanks in advance.

Best Answer

Your corporate firewall only permits ports 22 and 80...so you can only run services on ports 22 and 80. If you want to establish port forwarding over ssh to access otherwise inaccessible ports, you first need to connect to the remote host, which you can't do unless you're able to traverse the corporate firewall.

In other words, you're going to have to leave ssh running on port 22. Your best bet, if you're worried about those ever industrious script kiddies, is to simply disable password authentication and always use ssh keys. This will render the system largely invulnerable to password-based brute-force attacks. It obviously doesn't help if someone were to discover some sort of ssh vulnerability that could be exploited pre-authentication, but it's probably the best you're going to get in your situation.
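The answer's recommendation (keys only, no password logins) as an added example that is not part of the original thread: a small POSIX shell audit of an sshd_config, run here against two constructed sample files. It assumes OpenSSH's documented keyword defaults and the whitespace-separated `Keyword value` form.

```shell
# Added example, not code from the original thread: audit an sshd_config for
# the settings the answer recommends (keys only, no password logins).
# Keywords are read the way sshd does for this purpose: case-insensitive,
# whitespace-separated, first occurrence wins, and parsing stops at the first
# "Match" block because settings after it are conditional.

# sshd_opt FILE REGEX DEFAULT: print the effective (lowercased) value of the
# keyword matching REGEX, or DEFAULT (OpenSSH's own default) if it is absent.
sshd_opt() {
  awk -v key="$2" -v def="$3" '
    tolower($1) == "match"  { exit }                     # conditional section: stop
    tolower($1) ~ key       { print tolower($2); found = 1; exit }
    END                     { if (!found) print def }' "$1"
}

# audit_sshd_config FILE: return 0 if only key-based logins are possible,
# 1 (plus one WEAK line per problem) otherwise.
audit_sshd_config() {
  f=$1; rc=0
  pw=$(sshd_opt "$f" '^passwordauthentication$' yes)
  # Older releases spell this ChallengeResponseAuthentication; both default to yes
  # and, with PAM, still allow a password prompt when PasswordAuthentication is no.
  kbd=$(sshd_opt "$f" '^(kbdinteractiveauthentication|challengeresponseauthentication)$' yes)
  pub=$(sshd_opt "$f" '^pubkeyauthentication$' yes)
  [ "$pw" = no ]   || { echo "WEAK: PasswordAuthentication $pw"; rc=1; }
  [ "$kbd" = no ]  || { echo "WEAK: KbdInteractiveAuthentication $kbd"; rc=1; }
  [ "$pub" = yes ] || { echo "WEAK: PubkeyAuthentication $pub (keys disabled)"; rc=1; }
  return $rc
}

# Constructed samples: a default-style config beside the hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf 'Port 22\nPasswordAuthentication yes\n' > "$WEAK_CFG"
printf 'Port 22\nPasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAuthentication yes\nMatch User backup\n  PasswordAuthentication yes\n' > "$HARD_CFG"

echo "weak config:";     audit_sshd_config "$WEAK_CFG" || echo "-> password logins still possible"
echo "hardened config:"; audit_sshd_config "$HARD_CFG" && echo "-> keys only"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

On a live host, `sshd -T` prints the effective values including those from Match blocks, so compare against it before restarting sshd, and keep a working session open while you test key login.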
