I am looking for a solution to my use case: I moved my SSH daemon to a non-default port and would like to keep all the script kiddies connecting to my SSH via port 22 in the ssh pit (purely just for clarity of logs and to spice their life up, not as a security measure).

However, I have come across some git clients that do not allow me to specify the ssh port. Other than forgoing ssh operations for git in favor of using solely the git protocol on port 9418, I would like to redirect/reverse proxy clients matching a specific rule (user=git OR pubkey_auth=true).

  1. Is forwarding such ssh requests even possible without having to man-in-the-middle the connection between client and SSH daemon?
  2. Is the information about user or auth method visible to an observer before handshakes complete and the connection is established?
  3. Even if I had to have the service mitm the connection, and then make another encrypted tunnel between itself and local service, what kind of service should I be looking for? SSH tunnel, reverse proxy, ssh multiplexing?

I have scoured some resources, mainly splitting the traffic using IPTABLES, reverse ssh tunnel or sshpiper, but I couldn't find a way to make them filter ssh traffic for defined clients only, regardless of their IP of origin (although sshpiper looks promising and I study it further).

Note that I am perfectly fine SSHing to the server on port 2222 for other traffic, or even having the tarpit port exposed to internet, I'm just trying to account for default behaviour of some git clients.

(graphical visualisation below)

       INTERNET
          │
          │
          │
          │
   SSH to │port 22
          │
          ▼
┌───────────────────┐    If user matches,    ┌────────────────────────┐
│                   │ forward the connection │                        │
│  git@example.com   ├────────────────────────►  SSH Daemon Port 2222  │
│                   │                        │                        │
└─────────┬─────────┘                        └────────────────────────┘
          │
┌─────────▼─────────┐   Send everyone else   ┌────────────────────────┐
│                   │    to the SSH tarpit   │                        │
│   *@example.com   ├────────────────────────►  EndleSSH @ Port 2022  │
│                   │                        │                        │
└───────────────────┘                        └────────────────────────┘
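On the second question: in SSH 2.0 the username and the authentication method travel in SSH_MSG_USERAUTH_REQUEST, which is only sent after key exchange and NEWKEYS, so it is encrypted. A router that does not terminate the connection sees just the identification line and the KEXINIT algorithm lists. The following is an added example (not from the post) that parses exactly that cleartext prefix from a constructed byte string; `build_kexinit`, `parse_cleartext_prefix` and the sample banner are my own names and sample data, not a real capture.

```python
"""Parse the cleartext prefix of an SSH 2.0 connection (RFC 4253): the
identification line and the first KEXINIT packet. Everything after
NEWKEYS, including SSH_MSG_USERAUTH_REQUEST (username, auth method),
is encrypted, so a non-terminating router only ever sees what this
parser returns."""
import struct

SSH_MSG_KEXINIT = 20

def build_kexinit(kex, hostkey, cipher):
    """Construct a minimal KEXINIT packet (constructed sample, not a capture)."""
    cookie = b"\x00" * 16  # real clients send 16 random bytes here
    lists = [kex, hostkey, cipher, cipher, b"hmac-sha2-256", b"hmac-sha2-256",
             b"none", b"none", b"", b""]  # kex, hostkey, enc c2s/s2c, mac, comp, lang
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name_list in lists:
        payload += struct.pack(">I", len(name_list)) + name_list
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8      # total length multiple of 8, padding >= 4
    if padding < 4:
        padding += 8
    return (struct.pack(">IB", 1 + len(payload) + padding, padding)
            + payload + b"\x00" * padding)

def parse_cleartext_prefix(stream):
    """Return what a passive observer can learn before encryption starts."""
    ident, _, rest = stream.partition(b"\r\n")
    if not ident.startswith(b"SSH-2.0-"):
        raise ValueError("not an SSH 2.0 identification line")
    packet_len, padding_len = struct.unpack(">IB", rest[:5])
    payload = rest[5:5 + packet_len - padding_len - 1]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("expected KEXINIT as first packet")
    pos, names = 17, []  # skip message type (1) + cookie (16)
    for _ in range(10):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        names.append(payload[pos + 4:pos + 4 + n].decode())
        pos += 4 + n
    # no username or auth method exists at this point of the stream
    return {"client_banner": ident.decode(), "kex": names[0].split(","),
            "host_key_algs": names[1].split(","), "ciphers_c2s": names[2].split(",")}

# constructed sample of what a git client's ssh would send before any username
SAMPLE = (b"SSH-2.0-OpenSSH_9.0\r\n"
          + build_kexinit(b"curve25519-sha256", b"ssh-ed25519", b"aes256-gcm@openssh.com"))

if __name__ == "__main__":
    print(parse_cleartext_prefix(SAMPLE))
```

The practical consequence is that routing on user or auth method (as sshpiper does) requires terminating the SSH session and opening a second one to the backend, whereas routing on the banner or algorithm lists alone does not.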
    "I have come across some git clients that do not allow me to specify ssh port" – I expect sane programs using SSH as transport to use ssh under the hood, so /etc/ssh/ssh_config and ~/.ssh/config work and you can name hosts and specify the address and the port for each host there. Don't these clients use ssh like this? Commented Aug 18, 2022 at 4:08
  • Not every git client is using openssl_client implementation, not every user runs on Linux, no one can be expected to configure non-default host and connection parameters ;) 99% will try defaults, get connection refused and turn back. Commented Aug 18, 2022 at 4:25
  • "no one can be expected to configure non-default host and connection parameters" then arguably you shouldn't be running your service on a non-standard port... Commented Aug 18, 2022 at 8:53
