mina-dev mailing list archives

From garima jain <jain.garim...@gmail.com>
Subject Re: Partial Disabling of port 22 using apache-mina SSHD
Date Mon, 27 Jun 2016 16:58:08 GMT
Hey,

The whole reason is to accept SFTP over 22 and reject the traffic coming
via SSH.

-Garima Jain.

On Mon, Jun 27, 2016 at 9:00 PM, elijah baley <e_baley@outlook.com> wrote:

> I don't think it is the right location for this - it is too late in the
> protocol as the SSH connection has already been established. In any case, I
> am not sure I understand what you are trying to do - are you trying to
> listen on port 22 and reject the connection if it is SSH and accept it if
> it is something else? If so, then MINA SSHD is NOT what you need (what you
> need is something similar to SSLH - which I wrote in Java but never
> published it). If you want to set up SSHD on a non-standard port, then why do
> you need to reject SSHD connections coming to it?
>
> > From: jain.garima88@gmail.com
> > Date: Mon, 27 Jun 2016 16:02:37 +0530
> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > To: dev@mina.apache.org
> >
> > Hey,
> >
> > Is there a way I can override the method doAuth under
> > UserAuthPublicKey.java to return back if the connection service is SSH?
> >
> > -Garima Jain.
> >
> > On Wed, Jun 22, 2016 at 9:29 PM, elijah baley <e_baley@outlook.com> wrote:
> >
> > > Sorry, mail communication is best I can do for now...
> > >
> > > > Date: Wed, 22 Jun 2016 00:04:31 +0530
> > > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > > From: jain.garima88@gmail.com
> > > > To: dev@mina.apache.org
> > > >
> > > > Hey, thanks for the detailed info. Is there any way we can have a chat
> > > > other than mail communication in case needed?
> > > >
> > > > -Garima Jain
> > > > On Jun 21, 2016 11:48 PM, "elijah baley" <e_baley@outlook.com> wrote:
> > > >
> > > > > The topic is too wide to cover in a short mail message - I suggest you
> > > > > look into the code of Apache MINA SSHD
> > > > > (https://github.com/apache/mina-sshd) especially the tests where you will
> > > > > find many examples how to achieve anything you like. However, here are the
> > > > > basics (for client side):
> > > > > - Initialize an SshClient instance
> > > > > - Use that instance to open a session to your server
> > > > > - Provide username/password or private key and authenticate the session
> > > > > - Once you have the session authenticated there are many choices open to you:
> > > > >     * Open a "shell" channel and run interactive commands
> > > > >     * Open an "exec" channel and run a single command
> > > > >     * Obtain an SftpClient instance and access remote files
> > > > >     * Obtain an ScpClient instance and upload/download files
> > > > >     * Create a local/remote tunnel
> > > > >     * Clean up/close the resources you opened once no longer needed (note:
> > > > >       the SshClient should be stopped/closed once your application no longer
> > > > >       needs to access SSH servers - usually on application exit...).
> > > > > All this and more using the session you just obtained, or (if you
> > > > > like/need) create a new session for each usage - there are advantages and
> > > > > disadvantages to each approach. There are many details to take into
> > > > > account, but if you don't have any special requirements then the defaults
> > > > > you get should be good enough. The vast majority of the APIs have Javadoc
> > > > > that should help make sense of the options - again, I recommend you look at
> > > > > how the tests are coded - there are very good chances you will find a
> > > > > suitable example similar to what you want to achieve.
> > > > > The same applies for the server side, although it is a bit trickier...
> > > > > Hope this gives you a good lead how to proceed.
> > > > >
> > > > > > Date: Tue, 21 Jun 2016 22:45:57 +0530
> > > > > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > From: jain.garima88@gmail.com
> > > > > > To: dev@mina.apache.org
> > > > > >
> > > > > > Hey,
> > > > > >
> > > > > > What shell commands can be executed and how? Or how to provide tunnel?
> > > > > > Can you provide sample code for the same?
> > > > > >
> > > > > > Any methods from sftp class?
> > > > > >
> > > > > > -Garima Jain
> > > > > > On Jun 21, 2016 10:02 PM, "elijah baley" <e_baley@outlook.com> wrote:
> > > > > >
> > > > > > > No, SFTP is not a protocol that runs on a specific port - it is a
> > > > > > > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > > > > > > multiple channels on the same session. You can run shell commands (what
> > > > > > > many mistakenly call SSH), SFTP and SCP as well as tunnels concurrently on
> > > > > > > the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any
> > > > > > > other channel - e.g. PROXY, SOCKS, etc...).
> > > > > > >
> > > > > > > > From: jain.garima88@gmail.com
> > > > > > > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > > > > > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > To: dev@mina.apache.org
> > > > > > > >
> > > > > > > > Can I keep the port open for sftp and close for ssh?
> > > > > > > >
> > > > > > > > -Garima Jain.
> > > > > > > >
> > > > > > > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <jain.garima88@gmail.com>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Thanks. Will use that.
> > > > > > > > >
> > > > > > > > > -Garima Jain
> > > > > > > > > On Jun 20, 2016 10:31 PM, "Ashish" <paliwalashish@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <jain.garima88@gmail.com>
> > > > > > > > >> wrote:
> > > > > > > > >> > Can we use black list/whitelist feature?
> > > > > > > > >>
> > > > > > > > >> This is what you should use.
> > > > > > > > >>
> > > > > > > > >> >
> > > > > > > > >> > -Garima Jain
> > > > > > > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_baley@outlook.com> wrote:
> > > > > > > > >> >
> > > > > > > > >> >> There are many options - depending on the actual setup:
> > > > > > > > >> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
> > > > > > > > >> >>   when setting up the server - just call "setPort" on the SshServer instance
> > > > > > > > >> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
> > > > > > > > >> >>   bind SFTP to the public interface on port 22 - easy to do, just call
> > > > > > > > >> >>   "setAddress" (or something to that effect) on the SshServer instance
> > > > > > > > >> >> I could think of more exotic options - e.g. similar to sslh, using
> > > > > > > > >> >> HAPROXY, etc., etc.
> > > > > > > > >> >> > From: jain.garima88@gmail.com
> > > > > > > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > > > > > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > >> >> > To: dev@mina.apache.org
> > > > > > > > >> >> >
> > > > > > > > >> >> > Hi elijah,
> > > > > > > > >> >> >
> > > > > > > > >> >> > The requirement is to block port 22 for SSH and accept SFTP connections on
> > > > > > > > >> >> > Port 22. Is there a class/method that can help us achieve the aim?
> > > > > > > > >> >> >
> > > > > > > > >> >> > -Garima Jain.
> > > > > > > > >> >> >
> > > > > > > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_baley@outlook.com> wrote:
> > > > > > > > >> >> >
> > > > > > > > >> >> > > Is there some reason your code cannot examine the incoming client address
> > > > > > > > >> >> > > and reject it if it does not match some specified criteria (e.g., mask,
> > > > > > > > >> >> > > network, closed group of IPs - whatever...)?
> > > > > > > > >> >> > >
> > > > > > > > >> >> > > > From: jain.garima88@gmail.com
> > > > > > > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > > > > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > >> >> > > > To: dev@mina.apache.org
> > > > > > > > >> >> > > >
> > > > > > > > >> >> > > > Hi,
> > > > > > > > >> >> > > >
> > > > > > > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar in our product.
> > > > > > > > >> >> > > > The requirement is to disable port 22 for all incoming traffic over SSH but
> > > > > > > > >> >> > > > the same port is required to communicate with few IP’s over 22. Is there a
> > > > > > > > >> >> > > > way to handle selective port blocking?
> > > > > > > > >> >> > > >
> > > > > > > > >> >> > > >
> > > > > > > > >> >> > > > -Garima Jain.
> > > > > > > > >> >> > >
> > > > > > > > >> >> > >
> > > > > > > > >> >>
> > > > > > > > >>
> > > > > > > > >>
> > > > > > > > >>
> > > > > > > > >> --
> > > > > > > > >> thanks
> > > > > > > > >> ashish
> > > > > > > > >>
> > > > > > > > >> Blog: http://www.ashishpaliwal.com/blog
> > > > > > > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > > > > > > >>
> > > > > > > > >
> > > > > > >
> > > > >
> > >
> > >
>
>
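
As an added example (not code from this thread or from the MINA SSHD project): one way to get the behaviour asked about at the top of this message, SFTP accepted on the port while shell, exec and forwarding requests are refused, is to register only the SFTP subsystem on the server. It assumes MINA SSHD 2.x with the sshd-core and sshd-sftp modules (2.6+ package names); the class name and file paths are hypothetical.

```java
import java.nio.file.Paths;
import java.util.Collections;

import org.apache.sshd.common.file.virtualfs.VirtualFileSystemFactory;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.config.keys.AuthorizedKeysAuthenticator;
import org.apache.sshd.server.forward.RejectAllForwardingFilter;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.sftp.server.SftpSubsystemFactory;

// Hypothetical class name; sketch of an SFTP-only SSH endpoint.
public class SftpOnlyServer {
    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(22);          // binding below 1024 needs privileges
        sshd.setHost("0.0.0.0");   // setHost selects the bind interface

        // Hypothetical paths: persisted host key and an OpenSSH-style authorized_keys file.
        sshd.setKeyPairProvider(
                new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));
        sshd.setPublickeyAuthenticator(
                new AuthorizedKeysAuthenticator(Paths.get("authorized_keys")));

        // SFTP is a subsystem of SSH: it is the only channel service registered here.
        sshd.setSubsystemFactories(
                Collections.singletonList(new SftpSubsystemFactory()));

        // With no shell or command factory, "shell" and "exec" channel requests
        // get a failure reply. SCP runs as a command, so it is refused as well.
        sshd.setShellFactory(null);
        sshd.setCommandFactory(null);

        // Refuse local/remote tunnels and agent/X11 forwarding.
        sshd.setForwardingFilter(RejectAllForwardingFilter.INSTANCE);

        // Confine SFTP users to one directory tree (hypothetical path).
        sshd.setFileSystemFactory(
                new VirtualFileSystemFactory(Paths.get("/srv/sftp").toAbsolutePath()));

        sshd.start();
        Thread.currentThread().join();   // keep the JVM alive while serving
    }
}
```

The SSH transport and authentication still complete on port 22 for every client; the restriction applies at the channel-request stage, which is where SFTP and shell access diverge.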
