Manually configuring (changing) the ssh ports in sshd_config

Information

  • FreedomBox version: FreedomBox version 20.19
  • Hardware: Pioneer Freedombox
  • How did you install FreedomBox?: Downloaded stable image from main freedombox website, then updated from web interface.

I'm looking to lock down my freedombox to be a little tighter with security. I am surprised that freedombox allows its ssh ports to be open at first boot, and also surprised that it is using the default ssh port of 22. What compelled me to buy freedombox in the first place was it being advertised as a box that was highly secure for noobs. But scouring over freedombox I have come to one of two conclusions:

  1. Freedombox isn’t as safe and secure as it is cracked up to be
    or
  2. I am not as much of a noob as I thought and can spot vulnerabilities that are above average.

At this point, I'm not sure which one is correct, but to my knowledge, security through obscurity will render a mild to medium increase in security by obfuscating attack vectors.

Therefore, I have manually edited my /etc/ssh/sshd_config file to be more airtight, however, there is one thing I cannot figure out.

When changing the ssh port from 22 to say 38888, using
“port 38888”
in the sshd_config file, I can’t ssh into freedombox on port 38888 after reloading sshd.

My first thought was to check iptables with sudo iptables -L, which shows the following empty firewall rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then I remembered that freedombox has its own firewall in its web interface which acts more like UPnP (another spotted security vulnerability and attack vector), so I checked out the /etc/ directory and found a folder named firewalld. I’m assuming that since freedombox doesn’t seem to use iptables, its firewall (firewalld) is somehow blocking my NEW ssh port of 38888.

Other than that, I don't have any ideas why changing an ssh port in sshd_config wouldn't work, and it seems to be blocked. So to start, could someone explain to me how to change the ssh port in the freedombox firewall to a new ssh port?

If you don't think that the firewall is the problem with changing the ssh port, could you also please advise me as to what else could possibly be the problem?

Thanks for any help and advice!

Dan


Dan,

Try looking at https://yourfreedomboxipaddress/plinth/help/manual/en/Firewall#idm25, it provides documentation for using Cockpit (or manual settings) to change the port(s) that ssh will use to provide the ssh services externally. Please note that the link in this reply will not work properly, you will need to manually insert your FreedomBox IP address in the first part of the URL in order for it to work. One other thing, you could externally port forward External:38888 to FreedomBox:22 if your FreedomBox is behind a firewall. Please note that “Security through Obscurity” isn’t necessarily “safe”, and FreedomBox has Fail2Ban installed and active by default. I hope this helps.

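As an added example (not code from this thread or from the FreedomBox project), the POSIX sh script below does the cross-check that the reply above describes by hand: it reads the Port directives out of an sshd_config file, compares them with the ports firewalld currently allows, and prints the firewall-cmd commands that would open any port sshd listens on but firewalld does not. Both inputs are plain files so the check runs offline; the sample sshd_config and the sample firewall-cmd output are constructed here to mirror the situation in the first post. The firewall-cmd options used (`--list-ports`, `--permanent --add-port=PORT/tcp`, `--reload`) are standard firewalld options; how FreedomBox lays out its zones is not assumed, only that the ports listed for the zone you check are the ones that matter.

```shell
#!/bin/sh
# Added example, not from the thread or the FreedomBox project: cross-check the
# Port directives in sshd_config against the ports firewalld allows, and print
# the firewall-cmd commands that would close the gap. Both inputs are files so
# the check runs offline; on a live box you would feed it /etc/ssh/sshd_config
# and the output of "firewall-cmd --list-ports".

# Print every active "Port" directive from an sshd_config file, one per line.
# sshd keywords are case-insensitive and several Port lines are allowed;
# comment lines start with '#' and are skipped. With no Port line sshd
# listens on 22, so that default is reported instead.
sshd_ports() {
    awk '$1 !~ /^#/ && tolower($1) == "port" { print $2; found = 1 }
         END { if (!found) print 22 }' "$1"
}

# Given the sshd_config path and a file holding the output of
# "firewall-cmd --list-ports" (space-separated, e.g. "38888/tcp 8080/tcp"),
# print the sshd ports that firewalld does not explicitly allow. Assumption:
# only explicit port entries are consulted; the separate "ssh" service entry
# (which covers port 22 only) is deliberately ignored.
missing_ports() {
    cfg=$1
    open=$2
    for p in $(sshd_ports "$cfg"); do
        if ! tr ' ' '\n' < "$open" | grep -qx "$p/tcp"; then
            echo "$p"
        fi
    done
}

# Commands an administrator would run (as root) to allow one port permanently
# in firewalld's default zone and activate the change. Add --zone=NAME to
# both if the external interface is not in the default zone.
firewalld_commands() {
    printf 'firewall-cmd --permanent --add-port=%s/tcp\nfirewall-cmd --reload\n' "$1"
}

# --- constructed sample input, mirroring the thread's situation -------------
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/sshd_config"
DEMO_OPEN="$DEMO_DIR/list-ports"
cat > "$DEMO_CFG" <<'EOF'
# Port 22
Port 38888
PermitRootLogin no
EOF
# firewalld only knows about an unrelated port; 38888 is therefore unreachable
# even though sshd is listening on it after the reload.
printf '8080/tcp\n' > "$DEMO_OPEN"

for p in $(missing_ports "$DEMO_CFG" "$DEMO_OPEN"); do
    echo "sshd listens on $p but firewalld does not allow it; run:"
    firewalld_commands "$p"
done
```

On a live box, `ss -tlnp | grep sshd` confirms what sshd actually bound after the reload, and `firewall-cmd --list-ports` (optionally with `--zone=`) supplies the second input. One related setting worth checking once the port is moved: the reply mentions Fail2Ban, and its sshd jail restricts its ban rule to the jail's `port` setting (the ssh service, i.e. 22, by default), so the jail needs the new port as well for bans to cover it.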

Thanks @mtinman. That leads me to a new problem, in which the cockpit url leads me to a blank page after login. After I figure this one out I will report back!

IIRC, alternatively, it might also be possible to just let your router port forward some other external port to the freedombox port 22.

@mtinman

One other thing, you could externally port forward External:38888 to FreedomBox:22 if your FreedomBox is behind a firewall.

Yes, that is definitely an option, except I already have my router forwarding port 22 to another LAN device, which is one of the other reasons I wanted to configure it on the box itself.

@mtinman

Please note that “Security through Obscurity” isn’t necessarily “safe”, and FreedomBox has Fail2Ban installed and active by default. I hope this helps.

I appreciate the input, and I believe you are correct. Security through obscurity isn’t actually going to make you secure. However, if you like using the most comprehensive security practices, security through obscurity WILL give you an extra .5% bonus points. Although it is a very minuscule countermeasure, it is still valid, if not relied upon as your sole security measure.

Update:
I just figured out my cockpit problem. I guess cockpit and safari don't get along very well, so when trying with firefox, all seems to work now. Now to do some reading into cockpit…

Apparently this is a known unresolved issue since 2019. Very disappointed.
https://discuss.freedombox.org/t/cockpit-server-administration/204/51

One other thing, you could externally port forward External:38888 to FreedomBox:22 if your FreedomBox is behind a firewall.

Yes, […] except I already have my router forwarding port 22 to another LAN device, which is one of the other reasons I wanted to configure it on the box itself.

That’s no reason. Two different non-22 ports can be forwarded to 22 on different devices (IPs).

Thanks, the Cockpit manual was of great help. I encountered the same problem and after changing the firewall setting manually my modified SSH port works as expected.

Before I had ~ 50-60 failed login attempts / hour. Now it went down to zero.


Most folks are probably running their box behind a SOHO router and have a relatively modest perceived threat vector. I think making an effort to keep the box as simple to use as possible is probably the way to go, so less experienced users can tinker around and learn without getting bogged down by obscure configuration defaults and locked-down software.

Anyone who really wants to reduce their attack surface further will probably be motivated (like you) to dig a little deeper and learn how to step back from the default configurations. More than likely someone attempting an attack on your FreedomBox would be using a port scanner anyway :unamused:, but there is certainly no harm in learning how to reconfigure your network settings!