# inetd/sshd issues...



## zeltus (Apr 6, 2010)

Hi

I have been running sshd under the control of inetd, using the default port of 22

And of course, it all works fine. I know the man page for sshd suggests that I'd be more efficient running sshd direcctly but my way, I get to play with hosts.allow and all it's rules - I can mostly watch the script kiddies trying to hit me and hosts.allow rules separate all their attempts into various categories. Which is interesting.

I do use key-based, not password-based authentication, by the way.

But when I try to change the port to a higher, non-standard port (by adding Port 12345 in sshd.config as well as a Port 22 line) and restart inetd, sockstat -l still only shows inetd listening on 22. I can't get in to the system via the higher port.

a. I haven't changed sshd_config to just a single Port 12345 yet. 'cos I have already locked myself out of the system once and really on remote admins to let me back in. So I don't know if this works.

b. Do the rules in hosts.allow mean much for a secure and tight sshd implementation. Or am I really better off firing up sshd direct? If so, can I get sshd to log unsuccessful login attempts a la inetd?

c. Finally, is there a way to force inetd to listen to a higher port for sshd as well as the default port 22? I want to do this and when I know all is well, I'll disable port 22 access.

But Ineed to be careful in my setup and testing as when I screw up, I have to beg remote admins to bail me out. Like now! :-(

Cheers

Bill


----------



## zeltus (Apr 6, 2010)

*Possible solution?*

It seems I can use -p 22 -p 12345 on the command line to sshd within inetd.conf.

Well, according to themanpage that is. And that this overrides Port statements in sshd.config.

But I really cannot experiemtn on this server - it is live and I can't mess with it too much.

So if anyone has a definitive answer, I'd appreciate ti.

Bill


----------



## SirDice (Apr 6, 2010)

Don't use inetd for sshd. As for being hit on port 22, welcome to the Internet. Now install security/sshguard-pf and forget about it.


----------



## knarf (Apr 6, 2010)

sshd is linked against libwrap, it honors /etc/hosts.allow without inetd.


----------



## z662 (Apr 6, 2010)

I would follow the advice given above.  In addition to your other questions you need change the sshd.conf file to allow for sshd to listen on the proper port as well...  Also make sure your firewall has the proper rules to allow the forwarding.


----------



## zeltus (Apr 9, 2010)

Thanks for all the answers.

Somehow, I got hung up on the misconception that only inetd used hosts.allow. Which is why I was originally running sshd from there. 

But of course, your answers here and RTFM'ing soon put me straight! I'm nice and secure now (subject to continued and jaundiced inspections!)

Cheers


----------

