Setting up an SSH Server on Port 80

2

I'd like to set up an SSH Server to the public internet on port 80.

I've got SSH for Windows installed on my machine, and I can use Putty to SSH into localhost.

In my router config, I set up a "Virtual Server" to forward TCP and UDP from public port 80 to my local machine on port 22.

But when I use shields up it tells me that port 80 is closed stealth.

I'm using a D-Link router. Anything I might be missing?

Why port 80? I'm trying to access some files on my home machine from another computer behind a firewall that blocks port 22. Not sure if 443 or 8080 are blocked.

Ryan

Posted 2009-08-11T17:17:19.393

Reputation: 1 728

Answers

3

Using Port 433 is a good idea for ssh as the packets are indistinguishable from https.

If shields up tells you that the port is closed, it either means that

  1. The firewall on your router correctly lets the packets pass to your LAN, but they don't get picked up by the daemon on your machine.
  2. The firewall on your router is not configured to just drop packets to unwanted ports.

The second point is very unlikely - firewalls usually just drop unwanted packets, as a reply would mean sending just more unnecessary traffic through the pipes, an attacker might gain knowledge from the reply, or the source IP may be spoofed (that could even mean somebody is using you to attack someone else...).

So assuming that 1. is true, it is possible that

  1. You have a personal firewall of some sort running on your box that is replying to the packets.
  2. Your ssh daemon does not accept the connection (maybe it is configured to only accept connections from certain devices, subnets, etc.)

If shields up tells you that the port is "stealth", it means that a firewall on the way silently drops the packets. This either means that your router is misconfigured or that you are behind another NAT of some sort.

You could have added information about your way of connecting to the internet and your ISP to your question; that might have helped...

0x89

Posted 2009-08-11T17:17:19.393

Reputation: 969

Ah, yes, it was stealth, not closed. Edited the original question for clarity. Thanks. – Ryan – 2009-08-11T18:05:13.277
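The closed-versus-stealth reasoning in the answer above can be checked with a single TCP connect and a lookup of how it failed. The following is an added example, not code from the answer or from ShieldsUP: it classifies one connect attempt against a host and port you are responsible for (here only loopback), and maps the verdict to the hint the answer gives for each case. The function names and the `HINTS` table are this example's own.

```python
import errno
import socket

def classify_result(exc):
    """Turn the outcome of a TCP connect attempt into a ShieldsUP-style verdict.

    exc is None when the connect succeeded, otherwise the OSError it raised.
    Order matters: socket.timeout is itself an OSError, so test it first.
    """
    if exc is None:
        return "open"          # SYN-ACK came back: a daemon is listening
    if isinstance(exc, socket.timeout):
        return "stealth"       # no SYN-ACK and no RST: something silently dropped the SYN
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # RST came back: the packet arrived, but nothing listens there
    return "unreachable"       # routing failure or ICMP error on the way (no route, etc.)

def probe(host, port, timeout=3.0):
    """One TCP connect to host:port, classified like the ShieldsUP result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError as exc:
            return classify_result(exc)
    return classify_result(None)

# What each verdict implies for the forwarding chain described in the answer.
HINTS = {
    "open": "router forwards the port and the daemon answers",
    "closed": "packets reach a host, but a host firewall or the daemon refuses them",
    "stealth": "packets are dropped upstream: router rule, a second NAT, or the ISP",
    "unreachable": "no route at all: check the address being probed",
}

def open_local_listener():
    """Bind a listener on an ephemeral loopback port (fixture for the 'open' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = open_local_listener()
    verdict = probe("127.0.0.1", port)
    print(port, verdict, "->", HINTS[verdict])   # open
    srv.close()
    verdict = probe("127.0.0.1", port)
    print(port, verdict, "->", HINTS[verdict])   # closed
```

A "stealth" verdict cannot be reproduced on loopback; it only appears when a firewall or NAT in the path drops the SYN, which is exactly the situation the answer describes.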

3

There are a few reasons:

  1. Some d-link routers don't like to port forward 80. You might be able to get around this by changing the port used by the router's interface to something like 8080 - your rule might work then.

  2. Some ISPs don't allow inbound traffic on port 80 - this is more than likely the overall reason you're not seeing it allowed.

Why do you need to use port 80? Can you use another port?

EvilChookie

Posted 2009-08-11T17:17:19.393

Reputation: 4 519

@Johan: 8080 is likely not a random choice as it seems to be more commonly used than 81 (which was a common alternate/secondary back in the 1990s), but +1 for "high" nonetheless. – Randolf Richardson – 2011-06-23T03:48:49.867

2

Your ISP may block traffic on port 80 to stop you from running a web server; try a high port like 48928.

Jared

Posted 2009-08-11T17:17:19.393

Reputation: 2 175

2

D'oh! Turns out that Windows Firewall was on.

Not quite a victory, however, because the client's http proxy does not support CONNECT, which means I can't ssh in.

Ryan

Posted 2009-08-11T17:17:19.393

Reputation: 1 728

1

No CONNECT, hmmm. So you cannot access any regular HTTPS pages either? – Arjan – 2009-09-14T12:29:54.810

1

You are on the right track for sure!

The suggestion that was posed earlier about the router not happily relinquishing port 80 is a valid concern. I have dealt with problems like this before with good success so I will share my experience with you.

I would recommend using a port that you are guaranteed to find open on your ISP's egress firewall.

Port 443

This port is always my first choice. Your ISP cannot lock this port down without breaking every website that allows you to buy something online.

Port 53

This port is almost always open as well.

Axxmasterr

Posted 2009-08-11T17:17:19.393

Reputation: 7 584

1

Actually, this isn't quite accurate. The ISP can indeed block incoming 443 traffic - so long as the traffic doesn't have a request from inside their network. This is the basics of NAT routing - after all, by default, most routers do not allow incoming traffic on 443 or 80, but you can still browse and make secure transactions, yes? – EvilChookie – 2009-08-11T17:56:15.617