Using non-standard sshd port after 10.8 upgrade

After spending hours tracking down this solution as a result of losing my ssh settings after the upgrade to Mountain Lion, I thought it might be useful to post the steps taken to restore the configuration I used with Snow Leopard.
Changing the sshd default listening port
Disclaimer: This tutorial is specific to Mountain Lion (OS X 10.8). I was able to accomplish this using Snow Leopard (OS X 10.6) in fewer steps, but upgrading required this more involved solution.
Steps:
1.) You must first enable the root user account in order to change the relevant files. This can be done from the terminal, or by going to System Preferences --> Users & Groups. Once there, click on 'Login Options' at the bottom of the Current User list, and 'Join' where it says 'Network Account Server'.
This will bring up a smaller window. Click on 'Open Directory Utility' at the bottom. You will be prompted for your admin password. Now go to the 'Edit' tab at the top of the screen and toggle down to 'Enable Root User'. You will be prompted to enter your admin password twice.
2.) Log out of your regular user account. At the log in screen you will now see an additional entry for 'other'. Click on that and log in with the username 'root' and your admin password. If are inexperienced as a root-level user, be careful as you can cause problems to your system can be difficult to undo.
Once in your root account, the first step is to create a new 'service definition' in the etc/services file. Open the file with text editor of choice and scroll to the current entry for sshd listening port, which will look like this:
ssh    22/udp    # SSH Remote Login Protocol
ssh    22/tcp     # SSH Remote Login Protocol
Overwrite the '22' with the port number you would like sshd to listen on:
ssh    12345/udp   # SSH Remote Login Protocol
ssh    12345/tcp    # SSH Remote Login Protocol
*12345 being our hypothetical, non-standard port.
It is important to note that the new port number will not take by simply adding a new uncommented line to the file (I tried), unless of course you comment the original ssh entries. Easiest way is just to overwrite what is there already. Save changes.
3.) You now need to edit the ssh.plist file, which is located at /System/Library/LaunchDaemons/ssh.plist. A word to those familiar with Linux/BSD environments: changing the default port in the sshd_config file, which exists in OS X, does NOT change the listening port. Simply changing the default port, saving the config file, and restarting the server (the sensible way) won't work. The OS X sshd server (openssh) is configured to get launch instructions from the ssh.plist file, as opposed to sshd_config. If you are more interested in this aspect of OS X, read up on LaunchDaemons (e.g. launchd).
Before altering the ssh.plist file, you should save a backup copy in case of mistakes, or if you need to revert back to it in the future. Name your backup file something like original.ssh.plist, etc.
In the ssh.plist file, locate the SocksServiceName entry and change it from the default:
<key>SockServiceName</key>
<string>ssh</string>
To the following:
<key>SockServiceName</key>
<string>$alternate port number</string>
In our example from above this value would be 12345.
4.) Save your changes, and exit ssh.plist. You now need to move the backup file you created (original.ssh.plist) out of the System/Library/LaunchDaemons path.
The updated sshd port will not take until you have only one ssh.plist file in the LaunchDaemons directory - this has to do with how launchd is configured to load files which is outside the scope of the current discussion. (*If you've found a way around this, please share.)
5.) Restart the sshd server. Easiest way to accomplish this is going to System Preferences --> Sharing and clicking off 'Remote Login', then clicking back on it.
6.) Test the configuration by logging into the machine running the sshd server from another host using:
ssh username@ipaddress -p 12345
There are a few good tutorials out there that capture some of these steps, but many are dated and/or incomplete. If you are running a standard setup of OS X 10.8, this should work for you.
Of course, don't be fooled into thinking that changing the default listening port from the ubiquitously-probed 22 equates to actual security. At best, it will cut down on the number of dubious connection attempts and probing.

Hi all, above helped me change the sshd port number, thank you very much.
Just upgraded to OS X 10.9.3 on my macbook pro.
My findings were:
Step 1(become a root user or sudo)
Step 2 (/etc/services)
This may not be required unless you want ssh to work without the "-p XXXX" option to connect to other ssh hosts. I favor such as "ssh -p 2222 user@hostname" just to be sure I know what I am doing and also to leave ssh known port as its default "22".
Step 3 (/System/Library/LaunchDaemons/ssh.plist)
This is required if you want to change the sshd port number, I changed both "ssh" to "2222" in this file.
Step 4 (launchctl)
Below is a must as I understood:
launchctl unload /System/Library/LaunchDaemons/ssh.plist
launchctl load /System/Library/LaunchDaemons/ssh.plist
it should be already working with the new port number.
You can "ssh -p 2222 user@localhost" in the console terminal and see if its working.
Since I am no expert on MacOS X, and it is a macbook pro that I am using, I also rebooted the system and changes were reflected permanantly.
Thank you guys!

Similar Messages

Mailserver using non-standard smtp port

how do i set SMTP to accept connections on a non-standard port (i.e. 2525 or something)?
i'm running a mail server and my residential isp (comcast) after ten years of peaceful coexistence decided that they need to block port 25. so i am setting up a commercial store/forward mail relay service. all i need to do is set up my snow leopard server to accept incoming connections on a port other than 25. sounds easy. it is mentioned in the docs thusly:
"By default SMTP is enabled on port 25. If port 25 is blocked in your environment,
you need to change the port SMTP uses."
... but that's all i can find. specifically, it doesn't say exactly how to change the port.
any help appreciated.

following up to my own post. hoping this info may be useful for others who face the same issue who are running a server and then having email ports blocked by their ISP's.
i worked around this by signing up for a mail relay service (i use the one provided by dnydns.com). they forward incoming mail for my domain over a nonstandard port.
since i never received an answer to my question about how to make SnowLeopardServer email server accept SMTP connections on other ports, i simply used port mapping in my router (Airport Extreme) to redirect this port (i used 2525) on my WAN address to port 25 on my server - an acceptable workaround.
i also did the same port redirection for the other "standard alternative" smtp ports, 465 and 587.
since my ISP blocks port 25 in both directions, i also needed to find a work-around for outgoing mail as well. previously, my mail server simply forwarded to my ISP's smtp server (using the default port 25). here the Server Admin interface worked but with one "trick": under Mail>Settings>General, i left the box for "Relay outgoing mail through host:" checked, and in the field there i put "[smtp.myispdomain.net]:587" (that is with square brackets, and a colon, but no double-quotes - and of course, use your own smtp server's domain name). afaik this is not documented anywhere in the apple-provided docs, but i found the corresponding docs for postfix, and reverse-engineered it.
so now i can read (via IMAP) and send (via SMTP) mail from my home server, both when i am on my LAN and when i am accessing remotely, and effectively work around the bi-directional block of port 25 imposed by my ISP.
i'd still like to know if there is a method of configuring smtp to accept connections on ports other than 25. i can see how to do it by editing /etc/postfix/master.cf, but afaik that file gets overwritten by Server Admin...

Isakmp peers using non-standard port 4500

Hello,
I have a remote site using the Internet to access corporate networks over IPSEC. Set-up is as below:
Remote Router uses public IP across internet --> hits corporate untrusted nework FW --> NAT'ed to private 10.x.x.x IP --> reaches trusted network router.
The problem is that the peer keeps hanging and the only way to reset it is to issue 'clear crypto session' on the central trusted router. I have added isakmp keepalives with the aim of forcing some keepalive traffic:
crypto isakmp keepalive 90 30 periodic
...and this works to some degree (with DPD are u there keepalives). However I have noticed that the far end router uses non-standard ports when trying to set up phase-1 tunnel:
BEVRLY_D_CR184_01#sh crypto isa pee
Peer: 161.x.x.x Port: 4500 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10456 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10554 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10557 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10580 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10589 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10596 Local: 77.x.x.x
Phase1 id: 10.2.0.92
Peer: 161.x.x.x Port: 10600 Local: 77.x.x.x
Phase1 id: 10.2.0.92
These ports (non-4500) will be blocked by our firewalls. Why does it use these, and is there a way of stopping the router using anything other than port 4500?
Thanks
Phil

Hello,
Yes - there's NAT at the trusted central router end our side of the firewall... the config used is below:
Remote Router end:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description BEVRLY_CC296_01 F0/8 (10.30.45.29)
ip address x.x.x.x 255.255.255.252
ip helper-address 10.91.6.30
ip helper-address 10.4.162.92
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source Dialer1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
Central Router:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 180
crypto isakmp key address
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 90 30 periodic
crypto ipsec security-association idle-time 300
crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
crypto ipsec profile VTI
set security-association lifetime seconds 1800
set transform-set BEVERLEY_Transform
interface Tunnel1
description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
ip address x.x.x.x 255.255.255.252
ip mtu 1400
ip ospf message-digest-key 1 md5
load-interval 30
tunnel source FastEthernet0/1
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
I believe the DPD keepalives ensure NAT is known and compatible (crypto isakmp keepalive 90 30 periodic) between the peers....
Any help gladly appreciated....
thanks
Phil

CFHTTP GET using non-standard ports

I have an application which goes out and checks links on
various servers to verify that the link still exists, however I
have a few links on servers that use non-standard ports (ie 8001,
7072, 8080, etc). When I dump CFHTTP I get the following:
struct
Charset [empty string]
ErrorDetail I/O Exception: Premature EOF encountered
Filecontent Connection Failure
Header [undefined struct element]
Mimetype Unable to determine MIME type of file.
Responseheader struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
Any ideas?
Thanks.
Mike

Yup, FaceTime was set up on all devices using my home network. It functions correctly pretty much everywhere except on my internal network at the office.
I'm pretty sure this is a firewall issue, not a basic FaceTime problem.

JRE ignores proxy setting for connections to non-standard web ports

Hi,
I've noticed that JRE would not use the proxy settings if the application tries to connect to a web address on a non standard http port. If port 80, 443, 8080 etc is used, the proxy is used but if it's something like 32938 it's not. Is there anyway to disable this behaviour and just have the proxy used for all HTTP traffic, regardless of destination port. Below a trace snippet that shows the behaviour.
guistyle/1049 (signed jarfile)
Browser Java version 1.7.0_67
in Explorer 5 +
on NT-based Windows
network: Connecting https://www.123.com/guistyle/*JEMSEC11424340585918 with proxy=HTTP @ /10.10.12.11:3128
Using port: 43856
network: Connecting http://www.123.com:43856/ with proxy=DIRECT
Socket connection failed: java.net.ConnectException: Connection timed out: connect
Attempting tunneled connection
network: Connecting http://www.123.com:80/*TGD=CS/*EVENT=*JEMTUNNEL/1353036962/response.txt with proxy=HTTP @ /10.10.12.11:3128
TNLRCV unknown block start=null
network: Connecting http://www.123.com:80/*TGD=CS/*EVENT=*JEMTUNNEL/1353036962/response.txt with proxy=HTTP @ /10.10.12.11:3128
network: Connecting http://www.123.com:80/*TGD=CS/*EVENT=*JEMTUNNEL/1353036962/response.txt with proxy=HTTP @ /10.10.12.11:3128
TNLRCV unknown block start=null
Receive failed
Unable to make TCP/IP connection
End guistyle (startup failed)
basic: Applet initialized
basic: Starting applet
basic: completed perf rollup
basic: Applet made visible
basic: Applet started
basic: Told clients applet is started

Hi,
I still get the same error:
[12/Nov/2007:14:34:50] failure (16473) rsdts.mycomp.com: for host i78473.mycomp.com trying to GET http:/lidip/, service-http reports: HTTP7765: error reading response header (Server closed connection)
And:
Bad Gateway
Processing of this request was delegated to a server that is not functioning properly.
I don't get any logs on the other side...

Enhanced security via non-standard ssh port?

I am using my Snow basestation as a NAT router, and I have a pass-through to my machine for ssh. This is working fine now. However, I got to thinking that there is value in changing the ssh public port to a non-standard port, like 14038 and routing that to my mac's private port of 22. Doing so, however, merely breaks my ability to log in (note that I have updated my ssh client to point to the new ssh port of 14038)
Does ssh burp on any port other than 22? Do others have a positive experience running this? Might my ISP (earthlink) be blocking non-standard IP ports?
With much gratitude,
Kyle

I sold the Snow basestation -- so the question is moot now.

Connect to non standard ftp port

Hi ,
Is it possible for PI to connec to non standard ftp port to pick files using ftp adapter??
how abt non standard ftp servers?

Hi Teja,
> Is it possible for PI to connec to non standard ftp port to pick files using ftp adapter??
According to my knowledge it is possible, you have to mention that port in the communication channel.
> how abt non standard ftp servers?
Reffer the below links
http://www.nsoftware.com/kb/tutorials/biztalkftpadapter.aspx
http://wikis.sun.com/display/JavaCAPS/SunAdapterfor+Batch-FTP
Regards
Ramesh

Http probe on non-standard tcp port 8021

I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
CSM v2.3(3)2
probe 8021 http
request method head
interval 2
retries 2
failed 4
port 8021
serverfarm TEST
nat server
no nat client
real 10.1.2.101
inservice
real 10.1.2.102
inservice
probe 8021
vserver TEST
virtual 10.1.2.100 tcp 8021
serverfarm TEST
replicate csrp connection
persistent rebalance
inservice
VIP and real status:
vserver type prot virtual vlan state conns
Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
real server farm weight state conns/hits
10.1.2.101 TEST 8 PROBE_FAILED 0
10.1.2.102 TEST 8 PROBE_FAILED 0

you need to specify what HTTP response code you expect.
The command is :
gdufour-cat6k-2(config-slb-probe-http)#expect status ?
<0-999> expected status - minimum value in a range
The default is to expect only 200.
This is why your 403 is not accepted.
Gilles.

How To Configure non-standard SMTP port

My ISP has blocked port 25. I have a service that will deliver mail to the port of my choosing. How do I configure Leopard Server to listen on a non-standard SMTP port? 2525 for example.
Also, I assume all I have to do on my Airport Express is set up NAT to rake external port 2525 and point it to the private address of my email server on port 2525. Is this correct?
Thanks,
-ernie

Assuming such is offered, look to acquire a business-class ISP service level, and move on to the next issue? The business-class services typically provide static IP address(es), opens up server ports, and sets up DNS and ISP-side server connections for your hosts. And you can call your ISP or other assistance when your network craters; non-standard connections are (as you've found) harder to support.
One subtlety here: in a number of cases, simply having a business-class service means you're supported by a different group within (larger) ISPs. This can be a significant advantage at times, given that the scripts and tools and such that are available for the business group will be rather more targeted than the scripts that are available for the residential services group at the ISP.
There are a number of folks that have sought and have tried this (try a few Google searches for SMTP and non-standard port), and it mostly works. But it is fragile, and tends to be derailed when something goes weird, or when the ISP spots and shapes or blocks the server traffic.
Also check your ISP's terms of service here, lest your network pipe be subject to summary disconnection.
The other option is to VPN or tunnel into to a co-lo or dedicated server or a virtual hosting service; to run your servers or virtual servers somewhere without firewalls blocking the standard ports.

How to use non-standard port for vnc?

Our Windows users who use RDC to connect to their desktops from off-site come in on a non-standard port number. Part of our security setup.
I'd like to do the same with Mac users who use screen sharing and vnc to connect remotely.
How can I specify another port number at both ends to accomplish this?
I can find nothing in the Network Utility app, or in the KB.
Surely there's a short sequence of Terminal commands that will do this?

I haven't tried this so don't know whether it will work. But I think it will. Presuming the target machine is a Mac, see if editing its /etc/services file will do it. Find the two lines that start with "vnc-server" and change the port number there. Launch Terminal.app as an administratively privileged user, sudo pico /etc/services, ^w to search for vnc-server, make the changes, ^x to exit, y to save and overwrite. Also, you will need to have screen sharing enabled in the target machine's System Preferences' Sharing, and the authorized users defined there, too. Reboot. Now, on the remote client, assuming it is also a Mac, the user would type ⌘k in the Finder (or mouse to Finder > Go > Connect to Server), and enter something like vnc://123.45.67.89:55900 where you substitute the actual IP address or host name for where I have entered 123.45.67.89, and where you substitute the actual alternate port number where I have entered 55900. Of course, in the clients' Screen Sharing's Preferences, they should choose to encrypt the entire session, not just the login. Like I said, I haven't tried this because I just tunnel my vnc stuff through ssh, but I'm thinking that this should work.

CSS 11501 ftp server setup problem using non-standard port

Dear Expert,
we would like to setup FTP server over CSS where our member sever use non-std-port to open both control/data channel (i.e. 6370 as ctrl and 6369 as data this case.) but seems we only get Passive mode FTP mode work only but not for Active mode FTP case for data channel establishement for server back to client...is there any professional advise can help on this case...? here is our setup info FYI
# sh ver
Version:               sg0820501 (08.20.5.01)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.20.5.01
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set
                       Secure Management
CVDM Version:          cvdm-css-1.0_K9
!*************** Global
ftp data-channel-timeout 10
ftp non-standard-ports
!************************** SERVICE **************************
service ftp_ftpgtw
keepalive maxfailure 2
keepalive frequency 15
keepalive retryperiod 2
keepalive type tcp
ip address 192.168.52.170
protocol tcp
keepalive port 6370
port 6370
active
# sh run group drfusegtwftp_grp
!*************************** GROUP ***************************
group gtwftp_grp
vip address 192.168.52.28
add service ftp_ftpgtw
active
content ftp_gtwpkg-ftpgtw
    add service ftp_ftpgtw
    vip address 192.168.52.28
    port 21
    protocol tcp
    application ftp-control
    active

Thanks for your confirmation on no prob found in config level 1st..:P..as to save us a lot of time in isolating problem at this level.
What we can notice is seems the data port connection is fail to open for server back to client....for our general sense..... the flow expected should be:
TCP session A -- Client:1234 --> VIP:21 --> member svr:6370
TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 6379 [on demand generated between server/client]
but we can only see session B fail to setup when client side access VIP site on CSS..even we try to put the most standard case as below
TCP session A -- Client:1234 --> VIP:21 --> member svr:21
TCP session B -- Client: 5678 <--> VIP:20 <--> member Svr: 20
we still unable to make the Active mode FTP access work either...hence we got no idea on how CSS handle FTP access when it involve services over multiple tcp ports..
and from CSS xlate view...the problem is we can only see what NAT IP that used in CSS connect to client...but no way to confirm for which port for VIP using outgoing to client. neither it is dropped by CSS..nor it is never setup from VIP to Client side.

Alert emails to a non standard SMTP port

Is it possible to configure LiveCycle ES 8.2 to send its alert emails to an SMTP server on a non standard port? In the AdminUI there is a field for the server but not for the port.
Thanks,

Hi Jon
Sorry, I thought we were talking about Task Notifications not Administrator Notifications.
Changing the port in the Email Notifications process will work for Task Notifications.
Administrator Notifications use the Java mail default, which is port 25 unless otherwise specified on your system.
Are you using the JBoss Turnkey?
if so, you can try this:
1. Navigate to C:\Adobe\LiveCycle8.2\jboss\server\all\deploy
2. Locate the properties-service.xml file.
3. uncomment the following block and set the property as follows:
    
    <attribute name="Properties">
          smtp.mail.port =<your port #>
    </attribute>
4. You don't need to restart JBoss.
The only downside is that this is now the smtp port for that server and any other apps on that server.
If you can live with that, it's an easy workaround.
Diana

Non-Standard HTTP Ports

We have a non-Windows server running Cold Fusion and two
separate websites. One uses a the standard HTTP port, the other one
uses a different port. How do you get Cold Fusion to recognize the
second port in addition to the first port?

Hi,
It inserts this header in HTTP which normally listens on 80. Even though HTTP is listening on any different port, we should be able to insert the header. This should work fine.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

SPA3102 Non-standard SIP port in dial plan

Hi, a VoIP provider uses port 5068 instead of standard 5060. I tried to use it in the dial plan of SPA3102, but failed. Using another provider that uses standard 5060 port I've narrowed down the problem to the following:
This one works:
(7495x.<:@sipnet.ru;usr="xxx";pwd="xxx";nat="yes">)
Adding a SIP port prevents it from working: (7495x.<:@sipnet.ru:5060;usr="xxx";pwd="xxx";nat="yes">)
Can anyone give any clues how to specify a port in the dial plan?
Message Edited by V_l_a_d on 06-21-2008 06:45 AM

As far as I know you just have to change the port.
(S0 < :userid@spa2_WAN_EXTERNAL_IP:5061 >)
< 011852,: >xxxxxxx< :@gw.macau-tel.com:5080;usr=Joe;pwd="90f-fkd";nat=yes >

SCSM setup with non-standard SQL port

Trying to install SCSM 2012R2 management server, and the SQL server I need to use is listening on port 5500 instead of the standard one. For internal reasons I don't think I can change this.
Is there a way to get the install to pick this up properly?
Currently it doesn't find the instance at all...
Thanks.
No sig is a good sig

Hi Andrew,
unfortunately the ports from SCSM Management server (and DW) to the SQL server are not configurable, so it has to be TCP: 1433
http://technet.microsoft.com/en-us/library/hh495567.aspx
Quote: "As part of your security infrastructure, you may want to keep track of port numbers that are used throughout your System Center 2012 – Service Manager environment. And while, in this release, these port numbers
are not configurable"

Using non-standard sshd port after 10.8 upgrade

Similar Messages

Maybe you are looking for