SA 520 SSH and VLANS

Similar Messages

• ESW-520(s) and VLANs

  Hi guys,
  We have roughly 14 ESW-520 switches through out our network which connect wireless APs. We also have 3 VLAN (VLAN1 data; VLAN4 wireless; VLAN100 voice). The access points need to be getting an IP address from the DHCP server on VLAN4 but they end up getting VLAN1 IPs instead. I am guessing this is because the untagged VLAN1 is by default and we do need all 3 VLANs trunked to the access points because we have SSID for voice and one for data.
  Is there something I can do on the switches so that the APs get VLAN4 IPs?
  Many thanks,
  Dmitry

  Hello Dimawerks,
  On the switch you can only really change the untagged vlan to be 4. The option you are looking for should be available on the AP. Ideally you are wanting the management of the AP to be on vlan 4. The best way to set this is on the AP to have it's management vlan changed to 4 and to then to tag it on the AP and switch or untag it on both.

• ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

  Greetings!
  I've recentely set up a VPN between Cisco ASA 5540(8.4) ana 5505(8.3).
  Everything works fine, but there is a small problem that is really annoying me.
  From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
  Then I minimize ssh and rdp windows and don't use it for ten minutes. But I still use VPN for downloading some files.
  Then I open ssh window - the session is inactive, open rdp window - I see a black screen (for 10-15 seconds, and then it shows RDP)
  There are no timeouts on ssh or rdp hosts configured, via GRE tunnel it works perfectly without any hangs.
  What can I do to get rid of this problem?
  Thanks in advance.

  Dear Fedor,
  You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
  access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
  access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
  class-map TCP_TIMEOUT
        match access-list rdp_ssh
  policy-map global_policy
       class TCP_TIMEOUT
            set connection timeout idle 0:30:00
            set connection timeout half 0:30:00
  * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
  Let me know.
  Portu.
  Please rate any post you find useful.

• Problem with ssh and bash-completion

  I and a co-worker are having a weird problem with ssh and bash-completion. We have a local config in .ssh/config with hosts we connect everyday. An example:
  host foo
  hostname foo.org
  user foobar
  host foobar
  hostname foobar.org
  user foobar
  When we try to type
  ssh foo<tab><tab>b<tab>
  the console just freeze and we can't type anything, everything we type is ignored, but after about 30 seconds the host is completed.
  This works a some time ago, so some upgrade make this happen. Anyone can reproduce this?

  quigybo wrote:
  Actually thinking about it, rather than using the semi-dodgy fix posted on the bug tracker, we can just test if the daemon is running since we are not on MacOS X. It is cleaner and 250 ms quicker.
  --- bash_completion.orig 2010-09-14 05:33:22.000000000 +0930
  +++ bash_completion 2010-09-14 05:45:04.000000000 +0930
  @@ -1316,10 +1316,12 @@
  # contains ";", it may mistify the result. But on Gentoo (at least),
  # -k isn't available (even if mentioned in the manpage), so...
  if type avahi-browse >&/dev/null; then
  - COMPREPLY=( "${COMPREPLY[@]}" $( \
  - compgen -P "$prefix$user" -S "$suffix" -W \
  - "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
  - awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
  + if [ -n "$(pidof avahi-daemon)" ]; then
  + COMPREPLY=( "${COMPREPLY[@]}" $( \
  + compgen -P "$prefix$user" -S "$suffix" -W \
  + "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
  + awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
  + fi
  fi
  # Add results of normal hostname completion, unless
  This is the same test as was used in bash-completion 1.1.
  Thanks  quigybo, I use your patch, the issue is gone
  Why does so many packages depends on Avahi? Maybe make it optdepends is
  enough?
  my laptop $ pacman -Qi avahi
  Required By : gnome-disk-utility gnome-vfs libcups mpd sane

• How do I add a Subnet and vlan with a catalyst 3550 and RV120

  Hello Friends.
  I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
  This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
  I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
  In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
  The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
  DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
  There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
  VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
  There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
  I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
  I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
  I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
  I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
  Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
  I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
  Any advice on how to do this?
  As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

  Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
  To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
  With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
  If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

• Lion server on Mac mini server stop responding to ssh and VNC (other services like mail, ical works well)

  Lion server on Mac mini server stop responding to ssh and VNC (other services like mail, ical works well)
  Version is Lion server 10.7.4
  When I attach a monitor to it, I saw all the buttons and menus stopped responding too. I can only push and hold the power button on the box to shutdown.
  It only started happening recently.
  Anyone has any clue?
  Thanks for the help in advance!!!

  Found that the second hard drive is broken. I have to go to the apple store to have it replaced.
  I had to press the power button to turn the server off for several times, then the broken hard drive went disappeared. After that, I had to disable the Spotlight. Then the server went back to work normally.
  Now I made a CCC copy of the primary hard drive, and would like to have the server run on the external raid disk (connected through thunderbolt). Does anyone have previous experience with it? Any expectable drawback or issue with this setup?

• Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

  In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management
  (logical) on top of Datacenter (physical).
  Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
  If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

  Hi. VMM Networking may be overwhelmed for the most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
  I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
  -kn
  Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

• Sgd + ldap auth + ssh and numeric usernames

  Hi there, sorry if there is a well known answer to my problem, bu tI have not found it.
  anyway, We have a problem where our customer wants to use purelly numeric usernames to logg in to secure global desktop
  From the point of secure global desktop we don't have any problems with this, the problem happens later on with the ssh to solaris (which is set up with ldap authentication) in that I have not been able to get purely numerical logins to work with solaris pam_ldap. Now some of you think that this is not an SGD problem, and that is true, but I was wondering if SGD could help me solve this.
  My question is simple, can SGD use a "different" username taken from ldap after it has logged in the user instead of the username tha tthe user provided.
  ex.
  the user loggs in to SGD with the username 173651
  when starting the application , instead of logging in to the application server (via ssh) with username 173651 it should take an other field from ldap that holds the solaris username.
  thanks for any answers and hints.

  Sorry, but you missunderstood my question a bit :-)
  What you suggest is a way for the users to type in an other username after logged in to Secure Global desktop, tha tis now what we want
  We want this to be done automaticly for us.
  First we have changed a bit how the login procedure works, when the user surfs to the SGD server they will not be presented with any choices, they wil be presented with a single login screen, when they have logged in SGD will automaticly start our application.
  the problem we have is that we want to use only digits as the login name in SGD, but unforutunally Solaris have some problems with using digits alone in usernames (and especially usernames longer then 8 characters)
  so I was hoping that SGD could read from LDAP (we are using LDAP user store, not UNIX) another value that it would use to login to the app server thorugh SSH
  for example, when logging in to SGD it loggs in towards the LDAP uid field, but when it starts the application SGD reads some other property from LDAP and sends that to ssh. Solaris is then also authenticating towards SSH and uses the second property to authenticate.
  If this cannot be done in Secure global Desktop, I think we will look at using a third party authenticator that can do what we want (hopefully OpenSSO can do this)

• WLC2112 with Guest / Web-Auth and vlan

  Hi
  I'm trying to configure my WLC with guest SSID and vlan 10.
  The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
  Please help.
  Management IP Address 192.168.14.252
  Software Version 6.0.182.0
  Emergency Image Version
  I have tried with ver. 5.2 also -

  I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
  Don't know if that helps, or not.

• Port forwarding, NAT, SSH and Transmission.

  A couple of days ago I decided to setup the Transmission daemon, along with automatization for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables work yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seems to come in twenty-fold where my luck is concerned), is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the ip address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpdcd assigned the same address... The problem here being that it shouldn't assign a LAN-address, I'm directly connected to the internet. Sidenote here though; my internet connection is just a plug in the wall, the operators here (I live on a kind of campus), probably only use a network-switch to relay the traffic to the socket.
  That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port-forwarding for SSH (to test if the port forwarding works), and the Transmission daemon with an rcmp port of 9091., which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work, I just used localhost:9091.
  Now for the results:
  $ nmap -sT xx.xxx.xx.xx
  Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
  Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Host is up (0.038s latency).
  Not shown: 996 closed ports
  PORT STATE SERVICE
  22/tcp filtered ssh
  53/tcp open domain
  80/tcp open http
  9091/tcp filtered unknown
  Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
  SSH shows the true problem:
  $ ssh neal@xxxxxxxx
  ssh: connect to host xxxxxxxx port 22: Connection timed out
  SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
  My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
  TLDR version; I'm using port-forwarding on my Sitecom WL-607, but all ports except http and the 53 port are being blocked.
  Is there something I'm missing here?
  Thanks in advance,
  Neal van Veen.

  by default, all routers assign there clients an ip address from there internal pool of addresses, your wireless router is assigning you that address and then NAT's the connection with the WAN side, but even after directly plugging in to the wall socket you still dont get a new ip address, use dhcpcd <mydev> in terminal to reresh dhcp lease. if not then your campus/location/etc may also be using NAT on there own side.
  as for the ports, iptables doesnt block any traffic by default, it allows everything. if there is filtering, it is from your wireless router.
  on the above ssh and nmap scans, did u use your lan ip, or your public ip.

• Mounting samba share starts avahi, ssh and sftp at client

  The problem is at the client. When i mount a samba share (with # mount), avahi is started, which starts ssh and sftp. This is wrong on many levels.
  Not sure how long this has been going on, someone else already asked this on stackexchange on 11.2.15, but didn't get any answers.
  Journal output immediatly after mounting (hostname, ip etc. removed):
  Mär 18 01:35:51 hostname dbus[434]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
  Mär 18 01:35:51 hostname systemd[1]: Cannot add dependency job for unit boot.automount, ignoring: Unit boot.automount is masked.
  Mär 18 01:35:51 hostname systemd[1]: Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
  Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack Activation Socket.
  Mär 18 01:35:51 hostname systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Found user 'avahi' (UID 84) and group 'avahi' (GID 84).
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped root privileges.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: avahi-daemon 0.6.31 starting up.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
  Mär 18 01:35:51 hostname dbus[434]: [system] Successfully activated service 'org.freedesktop.Avahi'
  Mär 18 01:35:51 hostname systemd[1]: Started Avahi mDNS/DNS-SD Stack.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully called chroot().
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Successfully dropped remaining capabilities.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/sftp-ssh.service.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Loading service file /services/ssh.service.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Joining mDNS multicast group on interface enp1234.IPv4 with address myip.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: New relevant interface enp1234.IPv4 for mDNS.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Network interface enumeration completed.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering new address record for myip on enp1234.IPv4.
  Mär 18 01:35:51 hostname avahi-daemon[2583]: Registering HINFO record with values 'X86_64'/'LINUX'.
  Mär 18 01:35:52 hostname avahi-daemon[2583]: Server startup complete. Host name is hostname.local. Local service cookie is 123.
  Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/ssh.service) successfully established.
  Mär 18 01:35:53 hostname avahi-daemon[2583]: Service "hostname" (/services/sftp-ssh.service) successfully established.

  Thanks for your answer.
  snakeroot wrote:Are you sure it is actually starting ssh and ssftp or is it just having avahi advertise them as existing?
  I'm not sure if anything is started, the term "Service ssh successfully established" sounds like the ssh serrver is started to me, but it might just be strange wording. What does "advertise as existing" mean?
  From the snippet you quoted, it looks like the latter. Unless you have alread started socket activation for ssh or sftp, whether via systemd *.socket or inetd, I'm not sure it would actually be started.
  I didn't enable anything manually.
  I think you can rm/mv the sftp-ssh.service and ssh.service files /etc/avahi/services/ and prevent those services from being advertised.
  OK thanks for the hint. Nontheless i would rather stop avahi from starting than configuring it.
  Begin rant...
  I'm a bit annoyed that avahi is starting without my permission. Seems like systemd is getting a bit overzealous with starting services. Interestingly this was one of the big problems with upstart, and was supposed to be solved with systemd. I still like systemd.

• Help with wireless controller and VLANs

  Hi I'm trying to setup a wireless controller in preparation for a large site go live later this year. I'm struggling to get the controller and the WLAN using the correct VLAN. I want the controller on VLAN 100 and the clients on the WLAN on VLAN 200.                 
  My thought is that I would need a config similar to:
  Switchport for wireless controller management port set to trunk VLAN 100 and 200 with no native VLAN set.
  The management interface on the controller set to VLAN 100.
  A dynamic interface created on VLAN 200.
  When setup like this I can get to the controller on its management address but only from VLAN100 not from another VLAN on site or from other sites over the WAN.
  I have setup a WLAN which is set to use the dynamic interface on VLAN 200.
  I have set the AP to use HREAP and set the native VLAN as 200 and added the dynamic interface into the VLAN mappings
  When I connecting a client to the WLAN I get an address on VLAN 100.
  The switchport for the AP is set to native VLAN 100 and trunk 200 – this setup works for standalone APs at other sites.
  What am I missing?
  Also any idea why the management interface address is not routing? The netmask and gateway are set correctly.
  Thanks
  Paul

  Just to add to Steve's post... You only need to create a dynamic interface for vlan 200 if you have ap's also in local mode.  If your ap's are in H-REAP/FlexConnect mode, you don't need a dynamic interface for vlan 200.
  In you H-REAP/FlexConnect ap, you would set the wlan to vlan mapping there and the switchport configuration would be a trunk allowing vlan 100 (im assuming your native vlan for your ap) and vlan 200.  You should see something like the following:
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• VRF configuration on subinterface and VLAN subinterface

  Hi
  Can I configure VRFs on subinterface (physical and VLAN) basis in a normal BGP/MPLS VPN configuration.
  Thanks
  VK

  Hi Sultan,
  You are very welcomed, i'd be more than glade to help you out your confusion, below is the output of one of my lab PEs, and moreover i've in production customers running with this setup, i've never faced the issue you are describing, if you can regenerate the test you are describing we can elaborate on it:
  interface FastEthernet0/0
  no ip address
  interface FastEthernet0/0.1
  encapsulation dot1Q 101
  ip vrf forwarding a
  ip address 101.101.101.1 255.255.255.252
  interface FastEthernet0/0.2
  encapsulation dot1Q 202
  ip vrf forwarding b
  ip address 202.202.202.1 255.255.255.252
  This is a 7200VXR (NPE-300) running "c7200-p-mz.122-25.S14.bin".
  BR,
  Mohammed Mahmoud.

• Native SSH and SFTP in LabVIEW

  At the risk of re-opening a can of worms, is there any consideration for adding native SSH and SFTP support for LabVIEW?
  Using PuTTy/plink is cumbersome and not cross-platform.
  Calling a .NET (or any other) external assembly is cumbersome and not cross-platform.
  Labwerx SSH has a terrible licensing model (not to mention the additional cost).
  It is 2015, and SSH/SFTP is ubiquitous and not going away. These protocols should be natively supported in LabVIEW.
  I have seen this idea on the exchange (http://forums.ni.com/t5/LabVIEW-Idea-Exchange/Native-SSH-and-SFTP-Support/idi-p/1141529), but there hasn't been any movement in 5 years. I would appreciate any news from NI here, even in the negative. If LabVIEW isn't going to support SSH anytime soon, it would be better to find out now.
  Solved!
  Go to Solution.

  I doubt it is likely to happen any time soon - the LabSSH toolkit is pretty reasonably priced when you compare it to how long it would take you to implement the functionality yourself and there is nothing to stop you from implementing it yourself using the TCP/IP functions which are in LabVIEW. You can of course use the command-line interface to something like WinSCP / PuTTy as well.
  I did also find a wrapper that someone had made for an Open Source .NET SSH library called Renci
  I downloaded a copy from this thread: http://forums.ni.com/t5/LabVIEW/Plink-PuTTY-works-30-of-the-time-using-System-Exec-vi/td-p/3002261
  There is also another implementation of the wrapper here: https://decibel.ni.com/content/docs/DOC-41388
  Certified LabVIEW Architect, Certified TestStand Developer
  NI Days (and A&DF): 2010, 2011, 2013, 2014
  NI Week: 2012, 2014
  Knowledgeable in all things Giant Tetris and WebSockets

• Secured server with SSH and VPN?

  Hi,
  Have an Archbox at home and when I'm traveling I would like to connect to my Archlinux box at home to grab files and such things.
  Using ADSL with a static IP and a D-Link router.
  If I create a portfowarding rule of port 443 to my Archlinux box and user it to connect with SSH and VPN is that secured enought?
  I have family photos and stuff on the server that I don't want to be hacked or spread. Not a high target for hackers but for scriptkiddies!
  So, will a portforwarding rule and a use of SSH daemon and a VPN Server software make me secure all the way, the VPN and SSH is encrypted right?
  Any suggestions of a good VPN application?
  Server daemon for the "archserver" and clients for my laptop with dualboot, vista and archlinux.

  Yeah, SSH or OpenVPN should be perfectly fine.
  However, why port 443? If someone is scanning a large range of IP-addresses for commonly open ports to find active servers, they will most likely scan port 21, 22, 25, 80, 110, 443, etc. as these ports usually run the most interesting services.
  Since it has no impact on the usability, choose a high port, between 10000-65000, which is not commonly used. That way your system will not be identified as active by a simple portscan searching for active servers.
  You don't have to be worried about attacks targeted directly against you, if you don't have anything interesting on your system, a cracker wouldn't spend time on manually breaking into your system. Just mask yourself from worms etc. by using uncommon ports. Using SSH or OpenVPN will handle encryption, which ensures data integrity, even when you're connected to an unencrypted hotspot somewhere in the world on your vacation
  If you setup OpenVPN, you'll also have the possibility of routing all your Internet traffic throught your home system, which can be very handy in terms of surfing and checking mail from unencrypted hotspots around the world.