# [CLOSED] Hiding open ports (ssh) via virtual interface (and

## jannis

Hi there,

Yesterday I had a funny idea: I'm running a dedicated hosted server with a static, public IPv4-address and use ssh to administer it. If you don't want port 22 to be seen as "open" from the outside there are some possibilities:

- Move sshd to another port

- Use port-knocking so that the port will be opened only for a short while (or one connection) when a specific connect-sequence has reached the server

And my idea now is:

- create a virtual network interface on the server (ip tuntap add mode tun)

- set any non-public (not routed on the internet) IPv4-address on that interface (ip addr add 192.168.123.1/24 dev tun0)

- activate that interface (ifconfig tun0 up)

- config sshd to only bind to that IP-address of the virtual interface and restart/reload sshd

- On the machines you want to connect to the server, add a new route (route add -net 192.168.123.0/24 gw <PUBLIC IP or DOMAIN/HOSTNAME>)

Then you can connect to the server using the virtual IP-address (ssh user@192.168.123.1) and the port won't be seen while port scanning

Initially I expected to configure a masquerading NAT from the physical interface of the server (eth0) to the virtual one (tun0) but that doesn't seem to be necessary.

Now a question to all network/firewalling/security-pros out there: Do I open up any security-hole that way? How do you like the idea?

Last edited by jannis on Tue Nov 06, 2012 5:04 pm; edited 1 time in total

----------

## eccerr0r

You don't necessarily have root on all machines you want to connect from, and routers will not necessarily know how to route packets properly to a private net unless you happen to be on the same net - and thus don't need to route?

You might as well just firewall everything off and use VPN to connect.

I just leave sshd open and let the storm pass.  Just hoping people all have good passwords...

----------

## py-ro

Most routers will ignore your provided route and just discard your packets.

----------

## jannis

Okay, you are both correct, I didn't really think about the routers in between my client machine and the server. Thanks for your clarification :)

----------

## eccerr0r

VPN should be what you want.  It basically does exactly that, transfers from your machine to the server in a tunnel without worrying about the network.  The server has its own private address space associated with the VPN, on which the server only listens for ssh.  So if the attacker has no VPN access = no ssh access either.  Plus it's an encrypted tunnel, to boot!

Again I just let ssh do what it does.  But I also have VPN that I can use, and it uses a certificate system that I can revoke access to if I lose a key.

----------
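An added example, not part of the thread: a small audit of sshd_config text that reports whether sshd would listen anywhere other than a private (tunnel-side) address, the setup discussed above. The function names and the sample configs are constructed for illustration; 192.168.123.1 is the address from the first post, assumed here to sit on the VPN interface.

```python
import ipaddress

def listen_addresses(config_text):
    """Return the host part of every ListenAddress directive in sshd_config text."""
    hosts = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.replace("=", " ", 1).split()     # "Key value" or "Key=value"
        if len(parts) < 2 or parts[0].lower() != "listenaddress":
            continue
        arg = parts[1]
        if arg.startswith("["):                       # [addr]:port form
            host = arg[1:arg.index("]")]
        elif arg.count(":") == 1:                     # host:port form
            host = arg.split(":")[0]
        else:                                         # bare IPv4, IPv6 or hostname
            host = arg
        hosts.append(host)
    return hosts

def exposed_listeners(config_text):
    """List the reasons sshd would be reachable outside a private address."""
    hosts = listen_addresses(config_text)
    if not hosts:
        return ["no ListenAddress set: sshd binds to all local addresses"]
    findings = []
    for host in hosts:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{host}: hostname, resolve it and check by hand")
            continue
        if ip.is_unspecified:
            findings.append(f"{host}: wildcard, binds to every interface")
        elif not ip.is_private:
            findings.append(f"{host}: public address")
    return findings

# Constructed sample configs (not taken from any real server).
VPN_ONLY = "Port 22\nListenAddress 192.168.123.1\n"
DEFAULT = "Port 22\n#ListenAddress 0.0.0.0\n"
MIXED = ("ListenAddress 192.168.123.1:22\nListenAddress 0.0.0.0\n"
         "listenaddress [::]:22\nListenAddress 1.2.3.4:22\n")

if __name__ == "__main__":
    for name, cfg in (("vpn-only", VPN_ONLY), ("default", DEFAULT), ("mixed", MIXED)):
        print(name, exposed_listeners(cfg) or "OK: private addresses only")
```

An empty result only says the configuration binds sshd to private addresses; the firewall on the public interface still has to be checked separately.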

