
Mac OS-X tips: How to run SSHD on an alternative port

This tip falls into the "I had to spend more than 10 minutes looking for an answer" category, so it's a worthwhile subject for a quick blog post.

Why Run SSH?

Running SSH on Mac OS-X lets you log in to your machine remotely, and also copy files securely to and from it with the scp command.

But I am behind my own $50 router/firewall. Can I still connect to my computer from outside?

Yes. Most off-the-shelf routers and firewalls let you do the two things that are needed for this:

  1. Assign a permanent IP address to your Mac on the local network (see your router's documentation for details)
  2. Create a port forwarding rule on your router, e.g. any request to port 22 on your external IP (the address your router shows as its WAN address) is forwarded to the specific IP address of your Mac. The exact configuration steps are once again in your router's documentation. Most off-the-shelf routers support this, including basic Netgear and D-Link models.

So let's assume you've set all this up and you are now able to connect from outside to port 22 of the external IP address on your firewall, which is then forwarded to port 22 on your Mac. This is great, since you can now copy files via scp from the internet to your computer, connect to it from your office, etc.

But why would you want to run SSH on an alternative port, and not 22?

The simple answer is that port 22 is probably the most obvious port to "probe" from outside. Attackers run automated port scans of publicly visible IP addresses, but scanning all 64K ports takes a long time, so those scans typically cover only a small subset of well-known ports. An open port 22 is a clear indication of a server system, which makes it a likely candidate for an attack. Turn off port 22 and to the outside world your system looks a lot more boring. Boring is good.

So I still want to use my SSH connection, but would rather not do it on the default port. More expensive firewalls and routers will let you map, e.g., port 33333 on the outside to port 22 on the inside. But none of the cheap off-the-shelf routers I've seen allow that: they just take an input port and a destination IP, which means the outside port and the inside port must be the same. That's a silly limitation and a small bummer. So to make this work with my cheap router I have to change the listening port on the Mac itself.

Frankly, this isn't a bad idea anyway: whenever you connect your laptop to a public Wi-Fi network, anyone on that network can connect directly to your Mac and probe its open ports, so keeping port 22 open on your Mac is not that great an idea either. Keep in mind, though, that a non-standard port only hides you from casual scans; it does nothing against an attacker who finds the port and guesses a weak password, so use key-based authentication (and disable password logins in sshd_config) regardless of which port you pick.

To change the port your SSH daemon listens on in Mac OS-X, follow these steps:

  1. Open Terminal and edit the file /etc/services as root
  2. Add a line at the bottom (pick a port number that does not already appear in that file, so you don't collide with another service): secret-ssh 43539/tcp # secret SSH port
  3. Edit the file /System/Library/LaunchDaemons/ssh.plist and replace:
    <key>SockServiceName</key>
    <string>ssh</string>
    
    with
    <key>SockServiceName</key>
    <string>secret-ssh</string>
    
  4. Change the port forwarding rule on your router/firewall to forward port 43539 instead of 22
  5. Open the "Sharing" preference pane and make sure "Remote Login" is unchecked (uncheck it if it is on). Then check it again so that sshd restarts with the new configuration.
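To make steps 1, 2, 3 and 5 repeatable (and to rehearse them on copies before touching the real files as root), here is a small POSIX shell script. It is an added example and is not code from the original post; it uses the post's example service name secret-ssh and port 43539, while the function names and the --apply switch are its own. It also answers the "which port numbers are safe to pick" question by refusing a port that /etc/services already assigns to another service. Note that on macOS releases with System Integrity Protection (10.11 and later) /System/Library/LaunchDaemons is not writable even as root, so the procedure, and this script, apply to the older releases this post is about.

```shell
#!/bin/sh
# Added example, not part of the original post: scripts the post's steps 1, 2,
# 3 and 5 against files given as arguments, so the edits can be rehearsed on
# copies of /etc/services and ssh.plist before they are applied as root.
# "secret-ssh" and 43539 are the post's own example name and port; the
# function names and the "--apply" switch are this example's inventions.
set -eu

# A port is acceptable if it is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# True if no non-comment line of the services file already names the TCP
# port; an existing entry means another program may expect to own it.
port_is_free() {
    ! grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq "[[:space:]]$2/tcp([[:space:]]|$)"
}

# Steps 1 and 2: append "name port/tcp" to the services file, refusing bad
# or already-assigned ports.
add_service() {
    services_file=$1 name=$2 port=$3
    valid_port "$port" || { echo "add_service: bad port '$port'" >&2; return 1; }
    port_is_free "$services_file" "$port" ||
        { echo "add_service: port $port is already assigned in $services_file" >&2; return 1; }
    printf '%s\t%s/tcp\t# alternate SSH port\n' "$name" "$port" >> "$services_file"
}

# Step 3: rewrite the <string> that follows <key>SockServiceName</key>.
# Assumes the XML layout the post shows: the key on one line and its value
# on the next (as in the Leopard-era ssh.plist).
set_sock_service_name() {
    plist=$1 name=$2
    awk -v name="$name" '
        prev ~ /<key>SockServiceName[ \t]*<\/key>/ {
            sub(/<string>[^<]*<\/string>/, "<string>" name "</string>")
        }
        { print; prev = $0 }
    ' "$plist" > "$plist.tmp" && mv "$plist.tmp" "$plist"
}

# Read the service name back, to confirm the edit took.
get_sock_service_name() {
    awk '
        prev ~ /<key>SockServiceName[ \t]*<\/key>/ &&
        match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }
        { prev = $0 }
    ' "$1"
}

# Step 5, scripted: unload/load the launchd job, which is what toggling
# "Remote Login" does. Only touches the live files when invoked as:
#   sudo sh alt-ssh-port.sh --apply
if [ "${1:-}" = "--apply" ]; then
    add_service /etc/services secret-ssh 43539
    set_sock_service_name /System/Library/LaunchDaemons/ssh.plist secret-ssh
    launchctl unload /System/Library/LaunchDaemons/ssh.plist
    launchctl load /System/Library/LaunchDaemons/ssh.plist
    # Confirm something is listening on the new port. With socket activation
    # the listener belongs to launchd, which hands each connection to sshd.
    lsof -nP -iTCP:43539 -sTCP:LISTEN
fi
```

Run it with no arguments to load the functions only (for example from a test script that points them at copies of the two files); saved as, say, alt-ssh-port.sh, `sudo sh alt-ssh-port.sh --apply` performs the live change. If you prefer Apple's own tool for step 3, /usr/libexec/PlistBuddy -c 'Set :Sockets:Listeners:SockServiceName secret-ssh' on the plist does the same edit (assuming the Sockets/Listeners layout of the Leopard ssh.plist) and also copes with a binary plist, which a text substitution cannot.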

Now you should be able to ssh to your external IP as follows:

ssh -p 43539 username@ip_address_of_your_server

To copy a file from the machine you are sitting at to the Desktop of your Mac, run the following command:

scp -P 43539 local_file.txt username@ip_address_of_your_server:~/Desktop

Note that scp wants an upper-case "P" for the remote server's port, while ssh wants a lower-case "p" (scp's lower-case -p means "preserve file times and modes" instead). That's it, hope it helps! :)

Comments

deKay said…
Hey, thanks for this - really useful! I have one thing to add though - you (may) need to add an entry to the firewall settings to allow connections.
No worries, glad it was useful. Yes - of course you must enable the port on your firewall, I think I mentioned this too.
daid said…
If I want to choose another port number, how do I determine which numbers are good or bad choices? Could I interfere with other processes if I choose an arbitrary number?
Anonymous said…
This produced an odd warning on Leopard. I see in Console:

3/9/08 10:48:06 PM com.apple.launchd[1] (com.openssh.sshd) Unknown key: SHAuthorizationRight

Seems to work regardless.

Best explanation I can find:

http://www.nabble.com/The-mysterious-SHAuthorizationRight-key-td14115115.html

Re: The mysterious SHAuthorizationRight key
by Dave Zarzycki Dec 03, 2007; 01:01pm :: R
...
A project at Apple is overloading the launchd configuration file
schema to store non-launchd preferences. We hope to resolve this
matter in the next major version of Mac OS X.

davez
buzzyapyear said…
Thanks for the tips. For what it's worth, people with the excellent linux-based Linksys 54g router (and variations of that router) can use a few awesome open source firmwares that will give the ability to port map, along with lots of other juicy stuff.

http://www.dd-wrt.com

You basically get a very expensive router in the body of a standard, cheap router.
daid said…
I posted awhile back asking how to know what port numbers are allocated to programs, and which are not. The answer is determined by the IANA, and you can see a full list of ports at: http://www.iana.org/assignments/port-numbers

The list includes all 64,000 ports, so it is long. But if you had a particular number in mind you like to try, you can scroll and see if it is unallocated or not.

My only original problem with this hack is that, well, you're telling everyone what port is being used, which sort of defeats the whole purpose!
Wes said…
Thanks, this worked for me :)
Anonymous said…
Telling everybody what port? Gawd, come on! If you're not smart enough to infer that the port number is an example--you have 64,000 to choose from in your own setup--then you probably shouldn't be screwing with SSH in the first place.
Anonymous said…
how do you as edit /etc/services? (I'm new to bash)
Anonymous said…
Use vi, of course!
muphin said…
sudo vi /etc/services
:wq

:w (saves the file)
:q (quits the file)
MacNetDaemon said…
I know this post is a few years old but I found this information very useful to implement on my snow leopard server after discovering repeated attempts by person(s) unknown to hack into my server via port 22. The only additions I made were adding a reference to the UDP port and of course choosing a different port. Thank you for this info.
Thanks this was very easy to follow.
Anonymous said…
why not just edit these lines and change the port from 22 to whatever instead of adding secret-ssh?

ssh 22/udp # SSH Remote Login Protocol
ssh 22/tcp # SSH Remote Login Protocol

Cheers,
Frank
Rob said…
Thanks for this!
