Posted to dev@mina.apache.org by garima jain <ja...@gmail.com> on 2016/06/17 09:20:51 UTC

Partial Disabling of port 22 using apache-mina SSHD

Hi,



We are using com.springsource.org.apache.mina-1.0.2.jar  in our product.
The requirement is to disable port 22 for all incoming traffic over SSH but
the same port is required to communicate with few IP’s over 22. Is there a
way to handle selective port blocking?


-Garima Jain.

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
I keep telling you that SFTP is NOT a protocol but rather a subsystem of SSH. You cannot reject SSH and accept SFTP. What you mean is that you want to disable the remote command execution capabilities of SSH (including SCP) and allow only SFTP. This can be done very easily with MINA SSHD:
- Create a default initialized SshServer instance (SshServer.setupDefaultServer)
- Null-ify the command and shell factories - server.setCommandFactory(null), server.setShellFactory(null)
- Initialize the SftpSubsystem - server.setSubsystemFactories(Collections.<NamedFactory<Command>>singletonList(new SftpSubsystemFactory()));
Voila - you are accepting SSH connections but only the SFTP subsystem is active.
P.S. if you want to allow SCP in addition to SFTP there is a simple way to do this as well.
> From: jain.garima88@gmail.com
> Date: Mon, 27 Jun 2016 22:28:08 +0530
> Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> To: dev@mina.apache.org
> 
> Hey,
> 
> The whole reason is to accept SFTP over 22 and reject the traffic coming
> via SSH.
> 
> -Garima Jain.
> 
> On Mon, Jun 27, 2016 at 9:00 PM, elijah baley <e_...@outlook.com> wrote:
> 
> > I don't think it is right location for this - it is too late in the
> > protocol as the SSH connection has already been established. In any case, I
> > am not sure I understand what you are trying to do - are you trying to
> > listen on port 22 and reject the connection if it is SSH and accept it if
> > it is something else ? If so, then MINA SSHD is NOT what you need (what you
> > need is something similar to SSLH - which I wrote in Java but never
> > published it). If you want to setup SSHD on non-standard port, then why do
> > you need to reject SSHD connections coming to it ?
> >
> > > From: jain.garima88@gmail.com
> > > Date: Mon, 27 Jun 2016 16:02:37 +0530
> > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > To: dev@mina.apache.org
> > >
> > > Hey,
> > >
> > > Is there a way I can override the method doAuth under
> > > UserAuthPublicKey.java to return back if the connection service is SSH?
> > >
> > > -Garima Jain.
> > >
> > > > On Wed, Jun 22, 2016 at 9:29 PM, elijah baley <e_...@outlook.com> wrote:
> > >
> > > > Sorry, mail communication is best I can do for now...
> > > >
> > > > > Date: Wed, 22 Jun 2016 00:04:31 +0530
> > > > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > > > From: jain.garima88@gmail.com
> > > > > To: dev@mina.apache.org
> > > > >
> > > > > > Hey, thanks for the detailed info. Is there any way we can have a chat
> > > > > > other than mail communication in case needed.
> > > > >
> > > > > -Garima Jain
> > > > > > On Jun 21, 2016 11:48 PM, "elijah baley" <e_...@outlook.com> wrote:
> > > > > >
> > > > > > > The topic is too wide to cover in a short mail message - I suggest you
> > > > > > > look into the code of Apache MINA SSHD (https://github.com/apache/mina-sshd)
> > > > > > > especially the tests where you will find many examples how to achieve
> > > > > > > anything you like. However, here are the basics (for client side):
> > > > > > > - Initialize an SshClient instance
> > > > > > > - Use that instance to open a session to your server
> > > > > > > - Provide username/password or private key and authenticate the session
> > > > > > > - Once you have the session authenticated there are many choices open to you:
> > > > > > >     * Open a "shell" channel and run interactive commands
> > > > > > >     * Open an "exec" channel and run a single command
> > > > > > >     * Obtain an SftpClient instance and access remote files
> > > > > > >     * Obtain an ScpClient instance and upload/download files
> > > > > > >     * Create a local/remote tunnel
> > > > > > >     * Clean up/close the resources you opened once no longer needed (note:
> > > > > > >       the SshClient should be stopped/closed once your application no longer
> > > > > > >       needs to access SSH servers - usually on application exit...).
> > > > > > > All this and more using the session you just obtained, or (if you
> > > > > > > like/need) create a new session for each usage - there are advantages and
> > > > > > > disadvantages to each approach. There are many details to take into
> > > > > > > account, but if you don't have any special requirements then the defaults
> > > > > > > you get should be good enough. The vast majority of the APIs have Javadoc
> > > > > > > that should help make sense of the options - again, I recommend you look at
> > > > > > > how the tests are coded - there are very good chances you will find a
> > > > > > > suitable example similar to what you want to achieve.
> > > > > > > The same applies for the server side, although it is a bit trickier...
> > > > > > > Hope this gives you a good lead how to proceed.
> > > > > >
> > > > > > > Date: Tue, 21 Jun 2016 22:45:57 +0530
> > > > > > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > From: jain.garima88@gmail.com
> > > > > > > To: dev@mina.apache.org
> > > > > > >
> > > > > > > Hey,
> > > > > > >
> > > > > > > > What shell commands can be executed and how? Or how to provide tunnel?
> > > > > > > > Can you provide sample code for the same?
> > > > > > >
> > > > > > > Any methods from sftp class?
> > > > > > >
> > > > > > > -Garima Jain
> > > > > > > > On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com> wrote:
> > > > > > > >
> > > > > > > > > No, SFTP is not a protocol that runs on a specific port it is a
> > > > > > > > > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > > > > > > > > multiple channels on the same session. You can run shell commands (what
> > > > > > > > > many mistakenly call SSH) SFTP and SCP as well as tunnels concurrently on
> > > > > > > > > the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any
> > > > > > > > > other channel - e.g. PROXY, SOCKS, etc...).
> > > > > > > >
> > > > > > > > > From: jain.garima88@gmail.com
> > > > > > > > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > > > > > > > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > > > To: dev@mina.apache.org
> > > > > > > > > >
> > > > > > > > > > Can I keep the port open for sftp and close for ssh?
> > > > > > > > > >
> > > > > > > > > > -Garima Jain.
> > > > > > > > > >
> > > > > > > > > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <jain.garima88@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Thanks. Will use that.
> > > > > > > > > > >
> > > > > > > > > > > -Garima Jain
> > > > > > > > > > > On Jun 20, 2016 10:31 PM, "Ashish" <paliwalashish@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <jain.garima88@gmail.com> wrote:
> > > > > > > > > >> > Can we use black list/whitelist feature?
> > > > > > > > > >>
> > > > > > > > > >> This is what you should use.
> > > > > > > > > >>
> > > > > > > > > >> >
> > > > > > > > > >> > -Garima Jain
> > > > > > > > > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_baley@outlook.com> wrote:
> > > > > > > > > > >> >
> > > > > > > > > > >> >> There are many options - depending on the actual setup:
> > > > > > > > > > >> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
> > > > > > > > > > >> >>   when setting up the server - just call "setPort" on the SshServer instance
> > > > > > > > > > >> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
> > > > > > > > > > >> >>   bind SFTP to the public interface on port 22 - easy to do just call
> > > > > > > > > > >> >>   "setAddress" (or something to that effect) on the SshServer instance
> > > > > > > > > > >> >> I could think of more exotic options - e.g. similar to sslh, using
> > > > > > > > > > >> >> HAPROXY, etc., etc.
> > > > > > > > > >> >> > From: jain.garima88@gmail.com
> > > > > > > > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > > > > > > > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > > > >> >> > To: dev@mina.apache.org
> > > > > > > > > > >> >> >
> > > > > > > > > > >> >> > Hi elijah,
> > > > > > > > > > >> >> >
> > > > > > > > > > >> >> > The requirement is to block port 22 for SSH and accept SFTP connections on
> > > > > > > > > > >> >> > Port 22. Is there a class/method that can help us achieve the aim?
> > > > > > > > > > >> >> >
> > > > > > > > > > >> >> > -Garima Jain.
> > > > > > > > > > >> >> >
> > > > > > > > > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_baley@outlook.com> wrote:
> > > > > > > > > > >> >> >
> > > > > > > > > > >> >> > > Is there some reason your code cannot examine the incoming client address
> > > > > > > > > > >> >> > > and reject it if it does not match some specified criteria (e.g., mask,
> > > > > > > > > > >> >> > > network, closed group of IPs - whatever...) ?
> > > > > > > > > > >> >> > >
> > > > > > > > > > >> >> > > > From: jain.garima88@gmail.com
> > > > > > > > > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > > > > > > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > > > > > >> >> > > > To: dev@mina.apache.org
> > > > > > > > > > >> >> > > >
> > > > > > > > > > >> >> > > > Hi,
> > > > > > > > > > >> >> > > >
> > > > > > > > > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar in our product.
> > > > > > > > > > >> >> > > > The requirement is to disable port 22 for all incoming traffic over SSH but
> > > > > > > > > > >> >> > > > the same port is required to communicate with few IP’s over 22. Is there a
> > > > > > > > > > >> >> > > > way to handle selective port blocking?
> > > > > > > > > >> >> > > >
> > > > > > > > > >> >> > > >
> > > > > > > > > >> >> > > > -Garima Jain.
> > > > > > > > > >> >> > >
> > > > > > > > > >> >> > >
> > > > > > > > > >> >>
> > > > > > > > > >>
> > > > > > > > > >>
> > > > > > > > > >>
> > > > > > > > > >> --
> > > > > > > > > >> thanks
> > > > > > > > > >> ashish
> > > > > > > > > >>
> > > > > > > > > >> Blog: http://www.ashishpaliwal.com/blog
> > > > > > > > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > > > > > > > >>
> > > > > > > > > >
> > > > > > > >
> > > > > >
> > > >
> > > >
> >
> >
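
The SFTP-only server setup described in the reply above, combined with the client-address check suggested earlier in the thread, as an added example that is not part of the original mails or of the MINA SSHD project's own code. It assumes the sshd-core 1.x package layout from the time of the thread (where the factory method is spelled setUpDefaultServer); port 2222, the user name, the SFTP_DEMO_PASSWORD variable, the host key file name and the allow-listed addresses are constructed for illustration.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.server.Command;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;

public class SftpOnlyServer {

    // Constructed allow-list: loopback plus two documentation-range addresses.
    private static final Set<String> ALLOWED_CLIENTS = new HashSet<>(
            Arrays.asList("127.0.0.1", "192.0.2.10", "198.51.100.7"));

    // Hypothetical account name used only by this example.
    private static final String SFTP_USER = "sftpuser";

    /** True only for TCP peers whose numeric address is on the allow-list. */
    static boolean isAllowedClient(SocketAddress remote) {
        if (!(remote instanceof InetSocketAddress)) {
            return false;
        }
        InetSocketAddress inet = (InetSocketAddress) remote;
        return inet.getAddress() != null
                && ALLOWED_CLIENTS.contains(inet.getAddress().getHostAddress());
    }

    /** Constant-time comparison; an unset or empty expected password never matches. */
    static boolean passwordMatches(String supplied, String expected) {
        if (supplied == null || expected == null || expected.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the demo password is supplied through the environment.
        final String expectedPassword = System.getenv("SFTP_DEMO_PASSWORD");

        SshServer server = SshServer.setUpDefaultServer();
        server.setPort(2222); // non-privileged port for the demo
        server.setKeyPairProvider(
                new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));

        // The address check runs at authentication time, so the TCP connection
        // and SSH key exchange have already happened for rejected clients.
        // Filtering at the firewall or listener rejects them earlier.
        server.setPasswordAuthenticator((username, password, session) ->
                isAllowedClient(session.getIoSession().getRemoteAddress())
                        && SFTP_USER.equals(username)
                        && passwordMatches(password, expectedPassword));

        // No shell and no command factory: "shell" and "exec" requests
        // (interactive login, remote commands, SCP) have nothing to run.
        server.setShellFactory(null);
        server.setCommandFactory(null);

        // SFTP is the only subsystem offered on the session.
        server.setSubsystemFactories(
                Collections.<NamedFactory<Command>>singletonList(
                        new SftpSubsystemFactory()));

        // Which files SFTP clients can reach is decided separately by the
        // server's file system factory (setFileSystemFactory), not by this setup.
        server.start();
        Thread.sleep(Long.MAX_VALUE); // keep the JVM alive while the server runs
    }
}
```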

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hey,

The whole reason is to accept SFTP over 22 and reject the traffic coming
via SSH.

-Garima Jain.


RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
I don't think it is right location for this - it is too late in the protocol as the SSH connection has already been established. In any case, I am not sure I understand what you are trying to do - are you trying to listen on port 22 and reject the connection if it is SSH and accept it if it is something else ? If so, then MINA SSHD is NOT what you need (what you need is something similar to SSLH - which I wrote in Java but never published it). If you want to setup SSHD on non-standard port, then why do you need to reject SSHD connections coming to it ?


Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hey,

Is there a way I can override the method doAuth under
UserAuthPublicKey.java to return back if the connection service is SSH?

-Garima Jain.

On Wed, Jun 22, 2016 at 9:29 PM, elijah baley <e_...@outlook.com> wrote:

> Sorry, mail communication is best I can do for now...
>
> > Date: Wed, 22 Jun 2016 00:04:31 +0530
> > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > From: jain.garima88@gmail.com
> > To: dev@mina.apache.org
> >
> > Hey, thanks for the detailed info. Is there any way we can have a chat
> > other than mail communication in case needed.
> >
> > -Garima Jain
> > On Jun 21, 2016 11:48 PM, "elijah baley" <e_...@outlook.com> wrote:
> >
> > > The topic is too wide to cover in a short mail message - I suggest you
> > > look into the code of Apache MINA SSHD (
> > > https://github.com/apache/mina-sshd) especially the tests where you
> will
> > > find many examples how to achieve anything you like. However, here are
> the
> > > basics (for client side):
> > > - Initialize an SshClient instance- Use that instance to open a
> session to
> > > your server- Provide username/password or private key and authenticate
> the
> > > session- Once you have the session authenticated there are many choices
> > > open to you:
> > >     * Open a "shell" channel and run interactive commands    * Open an
> > > "exec" channel and run a single command    * Obtain an SftpClient
> instance
> > > and access remote files    * Obtain an ScpClient instance and
> > > upload/download files    * Create a local/remote tunnel    * Clean
> up/close
> > > the resources you opened once no longer needed (note: the SshClient
> should
> > > be stopped/closed once your application no longer needs to access SSH
> > > servers - usually on application exit...).
> > > All this and more using the session you just obtained, or (if you
> > > > like/need) create a new session for each usage - there are advantages
> and
> > > disadvantages to each approach. There are many details to take into
> > > account, but if you don't have any special requirements then the
> defaults
> > > you get should be good enough. The vast majority of the APIs have
> Javadoc
> > > that should help make sense of the options - again, I recommend you
> look at
> > > how the tests are coded - there are very good chances you will find a
> > > suitable example similar to what you want to achieve.
> > > The same applies for the server side, although it is a bit
> trickier... Hope
> > > this gives you a good lead how to proceed.
> > >
> > > > Date: Tue, 21 Jun 2016 22:45:57 +0530
> > > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > > From: jain.garima88@gmail.com
> > > > To: dev@mina.apache.org
> > > >
> > > > Hey,
> > > >
> > > > What shell commands can be executed and how? Or how to provide
> tunnel?
> > > > Can you provide sample code for the same?
> > > >
> > > > Any methods from sftp class?
> > > >
> > > > -Garima Jain
> > > > On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com>
> wrote:
> > > >
> > > > > No, SFTP is not a protocol that runs on a specific port it is a
> > > > > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables
> opening
> > > > > multiple channels on the same session. You can run shell commands
> (what
> > > > > many mistakenly call SSH) SFTP and SCP as well as tunnels
> concurrently
> > > on
> > > > > the same SSH session. The port is always 22 (SSH) for SFTP and SCP
> > > (and any
> > > > > > other channel - e.g. PROXY, SOCKS, etc...).
> > > > >
> > > > > > From: jain.garima88@gmail.com
> > > > > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > > > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > > To: dev@mina.apache.org
> > > > > >
> > > > > > Can I keep the port open for sftp and close for ssh?
> > > > > >
> > > > > > -Garima Jain.
> > > > > >
> > > > > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <
> > > jain.garima88@gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Thanks. Will use that.
> > > > > > >
> > > > > > > -Garima Jain
> > > > > > > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com>
> > > wrote:
> > > > > > >
> > > > > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <
> > > jain.garima88@gmail.com
> > > > > >
> > > > > > >> wrote:
> > > > > > >> > Can we use black list/whitelist feature?
> > > > > > >>
> > > > > > >> This is what you should use.
> > > > > > >>
> > > > > > >> >
> > > > > > >> > -Garima Jain
> > > > > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <
> e_baley@outlook.com>
> > > > > wrote:
> > > > > > >> >
> > > > > > >> >> There are many options - depending on the actual setup:
> > > > > > >> >> - You can move SSHD to a non-standard port on all
> interfaces -
> > > > > easy to
> > > > > > >> do
> > > > > > >> >> when setting up the server - just call "setPort" on the
> > > SshServer
> > > > > > >> instance-
> > > > > > >> >> You can bind SSHD to a specific interface (e.g.,
> 127.0.0.1) on
> > > port
> > > > > 22
> > > > > > >> and
> > > > > > >> >> bind SFTP to the public interface on port 22 - easy to do
> just
> > > call
> > > > > > >> >> "setAddress" (or something to that effect)  on the
> SshServer
> > > > > instance
> > > > > > >> >> I could think of more exotic options - e.g. similar to
> sslh,
> > > using
> > > > > > >> >> HAPROXY, etc., etc.
> > > > > > >> >> > From: jain.garima88@gmail.com
> > > > > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > > > > >> >> > Subject: Re: Partial Disabling of port 22 using
> apache-mina
> > > SSHD
> > > > > > >> >> > To: dev@mina.apache.org
> > > > > > >> >> >
> > > > > > >> >> > Hi elijah,
> > > > > > >> >> >
> > > > > > >> >> > The requirement is to block port 22 for SSH and accept
> SFTP
> > > > > > >> connections
> > > > > > >> >> on
> > > > > > >> >> > Port 22. Is there a class/method that can help us
> achieve the
> > > > > aim?
> > > > > > >> >> >
> > > > > > >> >> > -Garima Jain.
> > > > > > >> >> >
> > > > > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <
> > > > > e_baley@outlook.com>
> > > > > > >> >> wrote:
> > > > > > >> >> >
> > > > > > >> >> > > Is there some reason your code cannot examine the
> incoming
> > > > > client
> > > > > > >> >> address
> > > > > > >> >> > > and reject it if it does not match some specified
> criteria
> > > > > (e.g.,
> > > > > > >> mask,
> > > > > > >> >> > > network, closed group of IPs - whatever...) ?
> > > > > > >> >> > >
> > > > > > >> >> > > > From: jain.garima88@gmail.com
> > > > > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > > > >> >> > > > Subject: Partial Disabling of port 22 using
> apache-mina
> > > SSHD
> > > > > > >> >> > > > To: dev@mina.apache.org
> > > > > > >> >> > > >
> > > > > > >> >> > > > Hi,
> > > > > > >> >> > > >
> > > > > > >> >> > > >
> > > > > > >> >> > > >
> > > > > > >> >> > > > We are using
> com.springsource.org.apache.mina-1.0.2.jar
> > > in
> > > > > our
> > > > > > >> >> product.
> > > > > > >> >> > > > The requirement is to disable port 22 for all
> incoming
> > > > > traffic
> > > > > > >> over
> > > > > > >> >> SSH
> > > > > > >> >> > > but
> > > > > > >> >> > > > the same port is required to communicate with few
> IP’s
> > > over
> > > > > 22.
> > > > > > >> Is
> > > > > > >> >> there
> > > > > > >> >> > > a
> > > > > > >> >> > > > way to handle selective port blocking?
> > > > > > >> >> > > >
> > > > > > >> >> > > >
> > > > > > >> >> > > > -Garima Jain.
> > > > > > >> >> > >
> > > > > > >> >> > >
> > > > > > >> >>
> > > > > > >>
> > > > > > >>
> > > > > > >>
> > > > > > >> --
> > > > > > >> thanks
> > > > > > >> ashish
> > > > > > >>
> > > > > > >> Blog: http://www.ashishpaliwal.com/blog
> > > > > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > > > > >>
> > > > > > >
> > > > >
> > >
>
>

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
Sorry, mail communication is best I can do for now...

> Date: Wed, 22 Jun 2016 00:04:31 +0530
> Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> From: jain.garima88@gmail.com
> To: dev@mina.apache.org
> 
> Hey, thanks for the detailed info. Is there any way we can have a chat
> other than mail communication in case needed?
> 
> -Garima Jain
> On Jun 21, 2016 11:48 PM, "elijah baley" <e_...@outlook.com> wrote:
> 
> > The topic is too wide to cover in a short mail message - I suggest you
> > look into the code of Apache MINA SSHD (
> > https://github.com/apache/mina-sshd) especially the tests where you will
> > find many examples how to achieve anything you like. However, here are the
> > basics (for client side):
> > - Initialize an SshClient instance- Use that instance to open a session to
> > your server- Provide username/password or private key and authenticate the
> > session- Once you have the session authenticated there are many choices
> > open to you:
> >     * Open a "shell" channel and run interactive commands    * Open an
> > "exec" channel and run a single command    * Obtain an SftpClient instance
> > and access remote files    * Obtain an ScpClient instance and
> > upload/download files    * Create a local/remote tunnel    * Clean up/close
> > the resources you opened once no longer needed (note: the SshClient should
> > be stopped/closed once your application no longer needs to access SSH
> > servers - usually on application exit...).
> > All this and more using the session you just obtained, or (if you
> > like/need) create a new session for each usage - there are advantages and
> > disadvantages to each approach. There are many details to take into
> > account, but if you don't have any special requirements then the defaults
> > you get should be good enough. The vast majority of the APIs have Javadoc
> > that should help make sense of the options - again, I recommend you look at
> > how the tests are coded - there are very good chances you will find a
> > suitable example similar to what you want to achieve.
> > The same applies for the server side, although it is a bit trickier... Hope
> > this gives you a good lead how to proceed.
> >
> > > Date: Tue, 21 Jun 2016 22:45:57 +0530
> > > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > > From: jain.garima88@gmail.com
> > > To: dev@mina.apache.org
> > >
> > > Hey,
> > >
> > > What shell commands can be executed and how? Or how to provide tunnel?
> > > Can you provide sample code for the same?
> > >
> > > Any methods from sftp class?
> > >
> > > -Garima Jain
> > > On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com> wrote:
> > >
> > > > No, SFTP is not a protocol that runs on a specific port it is a
> > > > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > > > multiple channels on the same session. You can run shell commands (what
> > > > many mistakenly call SSH) SFTP and SCP as well as tunnels concurrently
> > on
> > > > the same SSH session. The port is always 22 (SSH) for SFTP and SCP
> > (and any
> > > > other channel - e.g. PROXY, SOCKS, etc...).
> > > >
> > > > > From: jain.garima88@gmail.com
> > > > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > > To: dev@mina.apache.org
> > > > >
> > > > > Can I keep the port open for sftp and close for ssh?
> > > > >
> > > > > -Garima Jain.
> > > > >
> > > > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <
> > jain.garima88@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Thanks. Will use that.
> > > > > >
> > > > > > -Garima Jain
> > > > > > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com>
> > wrote:
> > > > > >
> > > > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <
> > jain.garima88@gmail.com
> > > > >
> > > > > >> wrote:
> > > > > >> > Can we use black list/whitelist feature?
> > > > > >>
> > > > > >> This is what you should use.
> > > > > >>
> > > > > >> >
> > > > > >> > -Garima Jain
> > > > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com>
> > > > wrote:
> > > > > >> >
> > > > > >> >> There are many options - depending on the actual setup:
> > > > > >> >> - You can move SSHD to a non-standard port on all interfaces -
> > > > easy to
> > > > > >> do
> > > > > >> >> when setting up the server - just call "setPort" on the
> > SshServer
> > > > > >> instance-
> > > > > > >> >> You can bind SSHD to a specific interface (e.g., 127.0.0.1) on
> > port
> > > > 22
> > > > > >> and
> > > > > >> >> bind SFTP to the public interface on port 22 - easy to do just
> > call
> > > > > >> >> "setAddress" (or something to that effect)  on the SshServer
> > > > instance
> > > > > >> >> I could think of more exotic options - e.g. similar to sslh,
> > using
> > > > > >> >> HAPROXY, etc., etc.
> > > > > >> >> > From: jain.garima88@gmail.com
> > > > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina
> > SSHD
> > > > > >> >> > To: dev@mina.apache.org
> > > > > >> >> >
> > > > > >> >> > Hi elijah,
> > > > > >> >> >
> > > > > >> >> > The requirement is to block port 22 for SSH and accept SFTP
> > > > > >> connections
> > > > > >> >> on
> > > > > >> >> > Port 22. Is there a class/method that can help us achieve the
> > > > aim?
> > > > > >> >> >
> > > > > >> >> > -Garima Jain.
> > > > > >> >> >
> > > > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <
> > > > e_baley@outlook.com>
> > > > > >> >> wrote:
> > > > > >> >> >
> > > > > >> >> > > Is there some reason your code cannot examine the incoming
> > > > client
> > > > > >> >> address
> > > > > >> >> > > and reject it if it does not match some specified criteria
> > > > (e.g.,
> > > > > >> mask,
> > > > > >> >> > > network, closed group of IPs - whatever...) ?
> > > > > >> >> > >
> > > > > >> >> > > > From: jain.garima88@gmail.com
> > > > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina
> > SSHD
> > > > > >> >> > > > To: dev@mina.apache.org
> > > > > >> >> > > >
> > > > > >> >> > > > Hi,
> > > > > >> >> > > >
> > > > > >> >> > > >
> > > > > >> >> > > >
> > > > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar
> > in
> > > > our
> > > > > >> >> product.
> > > > > >> >> > > > The requirement is to disable port 22 for all incoming
> > > > traffic
> > > > > >> over
> > > > > >> >> SSH
> > > > > >> >> > > but
> > > > > >> >> > > > the same port is required to communicate with few IP’s
> > over
> > > > 22.
> > > > > >> Is
> > > > > >> >> there
> > > > > >> >> > > a
> > > > > >> >> > > > way to handle selective port blocking?
> > > > > >> >> > > >
> > > > > >> >> > > >
> > > > > >> >> > > > -Garima Jain.
> > > > > >> >> > >
> > > > > >> >> > >
> > > > > >> >>
> > > > > >>
> > > > > >>
> > > > > >>
> > > > > >> --
> > > > > >> thanks
> > > > > >> ashish
> > > > > >>
> > > > > >> Blog: http://www.ashishpaliwal.com/blog
> > > > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > > > >>
> > > > > >
> > > >
> >

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hey, thanks for the detailed info. Is there any way we can have a chat
other than mail communication in case needed?

-Garima Jain
On Jun 21, 2016 11:48 PM, "elijah baley" <e_...@outlook.com> wrote:

> The topic is too wide to cover in a short mail message - I suggest you
> look into the code of Apache MINA SSHD (
> https://github.com/apache/mina-sshd) especially the tests where you will
> find many examples how to achieve anything you like. However, here are the
> basics (for client side):
> - Initialize an SshClient instance- Use that instance to open a session to
> your server- Provide username/password or private key and authenticate the
> session- Once you have the session authenticated there are many choices
> open to you:
>     * Open a "shell" channel and run interactive commands    * Open an
> "exec" channel and run a single command    * Obtain an SftpClient instance
> and access remote files    * Obtain an ScpClient instance and
> upload/download files    * Create a local/remote tunnel    * Clean up/close
> the resources you opened once no longer needed (note: the SshClient should
> be stopped/closed once your application no longer needs to access SSH
> servers - usually on application exit...).
> All this and more using the session you just obtained, or (if you
> like/need) create a new session for each usage - there are advantages and
> disadvantages to each approach. There are many details to take into
> account, but if you don't have any special requirements then the defaults
> you get should be good enough. The vast majority of the APIs have Javadoc
> that should help make sense of the options - again, I recommend you look at
> how the tests are coded - there are very good chances you will find a
> suitable example similar to what you want to achieve.
> The same applies for the server side, although it is a bit trickier... Hope
> this gives you a good lead how to proceed.
>
> > Date: Tue, 21 Jun 2016 22:45:57 +0530
> > Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> > From: jain.garima88@gmail.com
> > To: dev@mina.apache.org
> >
> > Hey,
> >
> > What shell commands can be executed and how? Or how to provide tunnel?
> > Can you provide sample code for the same?
> >
> > Any methods from sftp class?
> >
> > -Garima Jain
> > On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com> wrote:
> >
> > > No, SFTP is not a protocol that runs on a specific port it is a
> > > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > > multiple channels on the same session. You can run shell commands (what
> > > many mistakenly call SSH) SFTP and SCP as well as tunnels concurrently
> on
> > > the same SSH session. The port is always 22 (SSH) for SFTP and SCP
> (and any
> > > other channel - e.g. PROXY, SOCKS, etc...).
> > >
> > > > From: jain.garima88@gmail.com
> > > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > > To: dev@mina.apache.org
> > > >
> > > > Can I keep the port open for sftp and close for ssh?
> > > >
> > > > -Garima Jain.
> > > >
> > > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <
> jain.garima88@gmail.com>
> > > > wrote:
> > > >
> > > > > Thanks. Will use that.
> > > > >
> > > > > -Garima Jain
> > > > > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com>
> wrote:
> > > > >
> > > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <
> jain.garima88@gmail.com
> > > >
> > > > >> wrote:
> > > > >> > Can we use black list/whitelist feature?
> > > > >>
> > > > >> This is what you should use.
> > > > >>
> > > > >> >
> > > > >> > -Garima Jain
> > > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com>
> > > wrote:
> > > > >> >
> > > > >> >> There are many options - depending on the actual setup:
> > > > >> >> - You can move SSHD to a non-standard port on all interfaces -
> > > easy to
> > > > >> do
> > > > >> >> when setting up the server - just call "setPort" on the
> SshServer
> > > > >> instance-
> > > > > >> >> You can bind SSHD to a specific interface (e.g., 127.0.0.1) on
> port
> > > 22
> > > > >> and
> > > > >> >> bind SFTP to the public interface on port 22 - easy to do just
> call
> > > > >> >> "setAddress" (or something to that effect)  on the SshServer
> > > instance
> > > > >> >> I could think of more exotic options - e.g. similar to sslh,
> using
> > > > >> >> HAPROXY, etc., etc.
> > > > >> >> > From: jain.garima88@gmail.com
> > > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina
> SSHD
> > > > >> >> > To: dev@mina.apache.org
> > > > >> >> >
> > > > >> >> > Hi elijah,
> > > > >> >> >
> > > > >> >> > The requirement is to block port 22 for SSH and accept SFTP
> > > > >> connections
> > > > >> >> on
> > > > >> >> > Port 22. Is there a class/method that can help us achieve the
> > > aim?
> > > > >> >> >
> > > > >> >> > -Garima Jain.
> > > > >> >> >
> > > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <
> > > e_baley@outlook.com>
> > > > >> >> wrote:
> > > > >> >> >
> > > > >> >> > > Is there some reason your code cannot examine the incoming
> > > client
> > > > >> >> address
> > > > >> >> > > and reject it if it does not match some specified criteria
> > > (e.g.,
> > > > >> mask,
> > > > >> >> > > network, closed group of IPs - whatever...) ?
> > > > >> >> > >
> > > > >> >> > > > From: jain.garima88@gmail.com
> > > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina
> SSHD
> > > > >> >> > > > To: dev@mina.apache.org
> > > > >> >> > > >
> > > > >> >> > > > Hi,
> > > > >> >> > > >
> > > > >> >> > > >
> > > > >> >> > > >
> > > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar
> in
> > > our
> > > > >> >> product.
> > > > >> >> > > > The requirement is to disable port 22 for all incoming
> > > traffic
> > > > >> over
> > > > >> >> SSH
> > > > >> >> > > but
> > > > >> >> > > > the same port is required to communicate with few IP’s
> over
> > > 22.
> > > > >> Is
> > > > >> >> there
> > > > >> >> > > a
> > > > >> >> > > > way to handle selective port blocking?
> > > > >> >> > > >
> > > > >> >> > > >
> > > > >> >> > > > -Garima Jain.
> > > > >> >> > >
> > > > >> >> > >
> > > > >> >>
> > > > >>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> thanks
> > > > >> ashish
> > > > >>
> > > > >> Blog: http://www.ashishpaliwal.com/blog
> > > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > > >>
> > > > >
> > >
>

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
The topic is too wide to cover in a short mail message - I suggest you look into the code of Apache MINA SSHD (https://github.com/apache/mina-sshd) especially the tests where you will find many examples how to achieve anything you like. However, here are the basics (for client side):
- Initialize an SshClient instance
- Use that instance to open a session to your server
- Provide username/password or private key and authenticate the session
- Once you have the session authenticated there are many choices open to you:
    * Open a "shell" channel and run interactive commands
    * Open an "exec" channel and run a single command
    * Obtain an SftpClient instance and access remote files
    * Obtain an ScpClient instance and upload/download files
    * Create a local/remote tunnel
    * Clean up/close the resources you opened once no longer needed (note: the SshClient should be stopped/closed once your application no longer needs to access SSH servers - usually on application exit...).

All this and more using the session you just obtained, or (if you like/need) create a new session for each usage - there are advantages and disadvantages to each approach. There are many details to take into account, but if you don't have any special requirements then the defaults you get should be good enough. The vast majority of the APIs have Javadoc that should help make sense of the options - again, I recommend you look at how the tests are coded - there are very good chances you will find a suitable example similar to what you want to achieve.

The same applies for the server side, although it is a bit trickier... Hope this gives you a good lead how to proceed.

> Date: Tue, 21 Jun 2016 22:45:57 +0530
> Subject: RE: Partial Disabling of port 22 using apache-mina SSHD
> From: jain.garima88@gmail.com
> To: dev@mina.apache.org
> 
> Hey,
> 
> What shell commands can be executed and how? Or how to provide tunnel?
> Can you provide sample code for the same?
> 
> Any methods from sftp class?
> 
> -Garima Jain
> On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com> wrote:
> 
> > No, SFTP is not a protocol that runs on a specific port it is a
> > sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> > multiple channels on the same session. You can run shell commands (what
> > many mistakenly call SSH) SFTP and SCP as well as tunnels concurrently on
> > the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any
> > other channel - e.g. PROXY, SOCKS, etc...).
> >
> > > From: jain.garima88@gmail.com
> > > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > To: dev@mina.apache.org
> > >
> > > Can I keep the port open for sftp and close for ssh?
> > >
> > > -Garima Jain.
> > >
> > > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <ja...@gmail.com>
> > > wrote:
> > >
> > > > Thanks. Will use that.
> > > >
> > > > -Garima Jain
> > > > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:
> > > >
> > > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <jain.garima88@gmail.com
> > >
> > > >> wrote:
> > > >> > Can we use black list/whitelist feature?
> > > >>
> > > >> This is what you should use.
> > > >>
> > > >> >
> > > >> > -Garima Jain
> > > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com>
> > wrote:
> > > >> >
> > > >> >> There are many options - depending on the actual setup:
> > > >> >> - You can move SSHD to a non-standard port on all interfaces -
> > easy to
> > > >> do
> > > >> >> when setting up the server - just call "setPort" on the SshServer
> > > >> instance-
> > > > >> >> You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port
> > 22
> > > >> and
> > > >> >> bind SFTP to the public interface on port 22 - easy to do just call
> > > >> >> "setAddress" (or something to that effect)  on the SshServer
> > instance
> > > >> >> I could think of more exotic options - e.g. similar to sslh, using
> > > >> >> HAPROXY, etc., etc.
> > > >> >> > From: jain.garima88@gmail.com
> > > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > > >> >> > To: dev@mina.apache.org
> > > >> >> >
> > > >> >> > Hi elijah,
> > > >> >> >
> > > >> >> > The requirement is to block port 22 for SSH and accept SFTP
> > > >> connections
> > > >> >> on
> > > >> >> > Port 22. Is there a class/method that can help us achieve the
> > aim?
> > > >> >> >
> > > >> >> > -Garima Jain.
> > > >> >> >
> > > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <
> > e_baley@outlook.com>
> > > >> >> wrote:
> > > >> >> >
> > > >> >> > > Is there some reason your code cannot examine the incoming
> > client
> > > >> >> address
> > > >> >> > > and reject it if it does not match some specified criteria
> > (e.g.,
> > > >> mask,
> > > >> >> > > network, closed group of IPs - whatever...) ?
> > > >> >> > >
> > > >> >> > > > From: jain.garima88@gmail.com
> > > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > >> >> > > > To: dev@mina.apache.org
> > > >> >> > > >
> > > >> >> > > > Hi,
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in
> > our
> > > >> >> product.
> > > >> >> > > > The requirement is to disable port 22 for all incoming
> > traffic
> > > >> over
> > > >> >> SSH
> > > >> >> > > but
> > > >> >> > > > the same port is required to communicate with few IP’s over
> > 22.
> > > >> Is
> > > >> >> there
> > > >> >> > > a
> > > >> >> > > > way to handle selective port blocking?
> > > >> >> > > >
> > > >> >> > > >
> > > >> >> > > > -Garima Jain.
> > > >> >> > >
> > > >> >> > >
> > > >> >>
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> thanks
> > > >> ashish
> > > >>
> > > >> Blog: http://www.ashishpaliwal.com/blog
> > > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > > >>
> > > >
> >
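
The client-side steps listed in the message above, and the point made elsewhere in this thread that exec and SFTP are channels of one SSH session on the same port, as an added example that is not from the thread or from the MINA SSHD project. It assumes MINA SSHD 2.6 or later (sshd-core and sshd-sftp on the classpath; class names differ in the 2016 releases discussed here), and the host, user, environment variable and command are placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.EnumSet;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.channel.ClientChannel;
import org.apache.sshd.client.channel.ClientChannelEvent;
import org.apache.sshd.client.keyverifier.KnownHostsServerKeyVerifier;
import org.apache.sshd.client.keyverifier.RejectAllServerKeyVerifier;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.sftp.client.SftpClient;
import org.apache.sshd.sftp.client.SftpClientFactory;

public class SshClientBasics {
    // Placeholder values (assumptions, not taken from the thread).
    private static final String HOST = "sftp.example.test";
    private static final int PORT = 22;
    private static final String USER = "demo";
    private static final long TIMEOUT_MS = 10_000L;

    /** Opens an "exec" channel on an authenticated session and runs one command. */
    static String runExec(ClientSession session, String command) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ClientChannel exec = session.createExecChannel(command)) {
            exec.setOut(out);
            exec.setErr(out);
            exec.open().verify(TIMEOUT_MS);
            exec.waitFor(EnumSet.of(ClientChannelEvent.CLOSED), TIMEOUT_MS);
            Integer status = exec.getExitStatus();
            if (status == null) {
                // A server without a command factory never runs the command,
                // so the channel closes without reporting an exit status.
                throw new IOException("exec channel closed without an exit status");
            }
            return "exit=" + status + " output=" + out.toString(StandardCharsets.UTF_8.name()).trim();
        }
    }

    /** Lists a remote directory through the SFTP subsystem of the same session. */
    static void listDirectory(ClientSession session, String path) throws IOException {
        try (SftpClient sftp = SftpClientFactory.instance().createSftpClient(session)) {
            for (SftpClient.DirEntry entry : sftp.readDir(path)) {
                System.out.println("sftp: " + entry.getFilename());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("SSH_DEMO_PASSWORD"); // assumed variable name
        if (password == null) {
            throw new IllegalStateException("SSH_DEMO_PASSWORD is not set");
        }

        // Step 1: initialize the client. Host keys are checked against
        // known_hosts and unknown hosts are rejected instead of being trusted.
        SshClient client = SshClient.setUpDefaultClient();
        client.setServerKeyVerifier(new KnownHostsServerKeyVerifier(
                RejectAllServerKeyVerifier.INSTANCE,
                Paths.get(System.getProperty("user.home"), ".ssh", "known_hosts")));
        client.start();
        try {
            // Step 2: open a session to the server (one TCP connection to port 22).
            try (ClientSession session =
                    client.connect(USER, HOST, PORT).verify(TIMEOUT_MS).getSession()) {
                // Step 3: provide credentials and authenticate the session.
                session.addPasswordIdentity(password);
                session.auth().verify(TIMEOUT_MS);

                // Step 4a: remote command execution over an "exec" channel.
                try {
                    System.out.println("exec: " + runExec(session, "id"));
                } catch (IOException e) {
                    System.out.println("exec not available: " + e.getMessage());
                }

                // Step 4b: file access over the SFTP subsystem, same session, same port.
                listDirectory(session, ".");
            }
        } finally {
            // Step 5: stop the client once the application no longer needs SSH.
            client.stop();
        }
    }
}
```

Both operations share one connection to port 22, which is why the choice between them is made in the server's factories and not at the port.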

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hey,

What shell commands can be executed and how? Or how to provide tunnel?
Can you provide sample code for the same?

Any methods from sftp class?

-Garima Jain
On Jun 21, 2016 10:02 PM, "elijah baley" <e_...@outlook.com> wrote:

> No, SFTP is not a protocol that runs on a specific port it is a
> sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening
> multiple channels on the same session. You can run shell commands (what
> many mistakenly call SSH) SFTP and SCP as well as tunnels concurrently on
> the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any
> other channel - e.g. PROXY, SOCKS, etc...).
>
> > From: jain.garima88@gmail.com
> > Date: Tue, 21 Jun 2016 11:42:58 +0530
> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > To: dev@mina.apache.org
> >
> > Can I keep the port open for sftp and close for ssh?
> >
> > -Garima Jain.
> >
> > On Mon, Jun 20, 2016 at 10:33 PM, garima jain <ja...@gmail.com>
> > wrote:
> >
> > > Thanks. Will use that.
> > >
> > > -Garima Jain
> > > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:
> > >
> > >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <jain.garima88@gmail.com
> >
> > >> wrote:
> > >> > Can we use black list/whitelist feature?
> > >>
> > >> This is what you should use.
> > >>
> > >> >
> > >> > -Garima Jain
> > >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com>
> wrote:
> > >> >
> > >> >> There are many options - depending on the actual setup:
> > >> >> - You can move SSHD to a non-standard port on all interfaces -
> easy to
> > >> do
> > >> >> when setting up the server - just call "setPort" on the SshServer
> > >> instance-
> > > >> >> You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port
> 22
> > >> and
> > >> >> bind SFTP to the public interface on port 22 - easy to do just call
> > >> >> "setAddress" (or something to that effect)  on the SshServer
> instance
> > >> >> I could think of more exotic options - e.g. similar to sslh, using
> > >> >> HAPROXY, etc., etc.
> > >> >> > From: jain.garima88@gmail.com
> > >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > >> >> > To: dev@mina.apache.org
> > >> >> >
> > >> >> > Hi elijah,
> > >> >> >
> > >> >> > The requirement is to block port 22 for SSH and accept SFTP
> > >> connections
> > >> >> on
> > >> >> > Port 22. Is there a class/method that can help us achieve the
> aim?
> > >> >> >
> > >> >> > -Garima Jain.
> > >> >> >
> > >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <
> e_baley@outlook.com>
> > >> >> wrote:
> > >> >> >
> > >> >> > > Is there some reason your code cannot examine the incoming
> client
> > >> >> address
> > >> >> > > and reject it if it does not match some specified criteria
> (e.g.,
> > >> mask,
> > >> >> > > network, closed group of IPs - whatever...) ?
> > >> >> > >
> > >> >> > > > From: jain.garima88@gmail.com
> > >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > >> >> > > > To: dev@mina.apache.org
> > >> >> > > >
> > >> >> > > > Hi,
> > >> >> > > >
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in
> our
> > >> >> product.
> > >> >> > > > The requirement is to disable port 22 for all incoming
> traffic
> > >> over
> > >> >> SSH
> > >> >> > > but
> > >> >> > > > the same port is required to communicate with few IP’s over
> 22.
> > >> Is
> > >> >> there
> > >> >> > > a
> > >> >> > > > way to handle selective port blocking?
> > >> >> > > >
> > >> >> > > >
> > >> >> > > > -Garima Jain.
> > >> >> > >
> > >> >> > >
> > >> >>
> > >>
> > >>
> > >>
> > >> --
> > >> thanks
> > >> ashish
> > >>
> > >> Blog: http://www.ashishpaliwal.com/blog
> > >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> > >>
> > >
>

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
No, SFTP is not a protocol that runs on a specific port; it is a sub-protocol (actually a subsystem) of SSH. FYI, SSH enables opening multiple channels on the same session. You can run shell commands (what many mistakenly call SSH), SFTP and SCP as well as tunnels concurrently on the same SSH session. The port is always 22 (SSH) for SFTP and SCP (and any other channel - e.g. PROXY, SOCKS, etc...).

> From: jain.garima88@gmail.com
> Date: Tue, 21 Jun 2016 11:42:58 +0530
> Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> To: dev@mina.apache.org
> 
> Can I keep the port open for sftp and close for ssh?
> 
> -Garima Jain.
> 
> On Mon, Jun 20, 2016 at 10:33 PM, garima jain <ja...@gmail.com>
> wrote:
> 
> > Thanks. Will use that.
> >
> > -Garima Jain
> > On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:
> >
> >> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <ja...@gmail.com>
> >> wrote:
> >> > Can we use black list/whitelist feature?
> >>
> >> This is what you should use.
> >>
> >> >
> >> > -Garima Jain
> >> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:
> >> >
> >> >> There are many options - depending on the actual setup:
> >> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
> >> >> when setting up the server - just call "setPort" on the SshServer instance
> >> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
> >> >> bind SFTP to the public interface on port 22 - easy to do just call
> >> >> "setAddress" (or something to that effect) on the SshServer instance
> >> >> I could think of more exotic options - e.g. similar to sslh, using
> >> >> HAPROXY, etc., etc.
> >> >> > From: jain.garima88@gmail.com
> >> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> >> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> >> >> > To: dev@mina.apache.org
> >> >> >
> >> >> > Hi elijah,
> >> >> >
> >> >> > The requirement is to block port 22 for SSH and accept SFTP
> >> connections
> >> >> on
> >> >> > Port 22. Is there a class/method that can help us achieve the aim?
> >> >> >
> >> >> > -Garima Jain.
> >> >> >
> >> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
> >> >> wrote:
> >> >> >
> >> >> > > Is there some reason your code cannot examine the incoming client
> >> >> address
> >> >> > > and reject it if it does not match some specified criteria (e.g.,
> >> mask,
> >> >> > > network, closed group of IPs - whatever...) ?
> >> >> > >
> >> >> > > > From: jain.garima88@gmail.com
> >> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> >> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> >> >> > > > To: dev@mina.apache.org
> >> >> > > >
> >> >> > > > Hi,
> >> >> > > >
> >> >> > > >
> >> >> > > >
> >> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
> >> >> product.
> >> >> > > > The requirement is to disable port 22 for all incoming traffic
> >> over
> >> >> SSH
> >> >> > > but
> >> >> > > > the same port is required to communicate with few IP’s over 22.
> >> Is
> >> >> there
> >> >> > > a
> >> >> > > > way to handle selective port blocking?
> >> >> > > >
> >> >> > > >
> >> >> > > > -Garima Jain.
> >> >> > >
> >> >> > >
> >> >>
> >>
> >>
> >>
> >> --
> >> thanks
> >> ashish
> >>
> >> Blog: http://www.ashishpaliwal.com/blog
> >> My Photo Galleries: http://www.pbase.com/ashishpaliwal
> >>
> >
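
The point of the reply above, seen at the wire level, as an added example that is not part of the original message or of MINA SSHD: shell, exec (which SCP uses) and SFTP all arrive as SSH_MSG_CHANNEL_REQUEST messages (RFC 4254) on the same port-22 connection and differ only in the request-type string, so an "SFTP only" policy is a decision on that string, not on the port. The class and method names are hypothetical and the payloads are constructed.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical illustration class; not part of MINA SSHD.
public class ChannelRequestPolicy {
    static final int SSH_MSG_CHANNEL_REQUEST = 98; // RFC 4254, section 5.4

    // Reads an SSH "string": a uint32 length followed by that many bytes.
    static String readString(ByteBuffer buf) {
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) {
            throw new IllegalArgumentException("bad string length: " + len);
        }
        byte[] raw = new byte[len];
        buf.get(raw);
        return new String(raw, StandardCharsets.UTF_8);
    }

    // SFTP-only policy: true only for a "subsystem" request naming "sftp".
    // Anything else, including malformed input, is refused (fail closed).
    static boolean allows(byte[] payload) {
        try {
            ByteBuffer buf = ByteBuffer.wrap(payload); // big-endian by default
            if ((buf.get() & 0xff) != SSH_MSG_CHANNEL_REQUEST) {
                return false;
            }
            buf.getInt();                    // recipient channel number
            String type = readString(buf);   // "shell", "exec", "subsystem", ...
            buf.get();                       // want-reply flag
            return "subsystem".equals(type) && "sftp".equals(readString(buf));
        } catch (BufferUnderflowException | IllegalArgumentException e) {
            return false;
        }
    }

    // Builds a constructed request payload; arg is null for "shell".
    static byte[] request(String type, String arg) {
        byte[] t = type.getBytes(StandardCharsets.UTF_8);
        byte[] a = arg == null ? new byte[0] : arg.getBytes(StandardCharsets.UTF_8);
        ByteBuffer buf = ByteBuffer.allocate(10 + t.length + (arg == null ? 0 : 4 + a.length));
        buf.put((byte) SSH_MSG_CHANNEL_REQUEST).putInt(0);
        buf.putInt(t.length).put(t).put((byte) 1);
        if (arg != null) {
            buf.putInt(a.length).put(a);
        }
        return buf.array();
    }

    public static void main(String[] args) {
        byte[] sftp = request("subsystem", "sftp");
        byte[] truncated = java.util.Arrays.copyOf(sftp, sftp.length - 2);
        System.out.println("shell          -> " + allows(request("shell", null)));
        System.out.println("exec scp -t .  -> " + allows(request("exec", "scp -t .")));
        System.out.println("subsystem sftp -> " + allows(sftp));
        System.out.println("subsystem foo  -> " + allows(request("subsystem", "foo")));
        System.out.println("truncated sftp -> " + allows(truncated));
    }
}
```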
 		 	   		  

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Also, the jars used are sshd-core-0.9.0.jar, sshd-sftp-0.9.0.jar.

-Garima Jain.

On Tue, Jun 21, 2016 at 11:42 AM, garima jain <ja...@gmail.com>
wrote:

> Can I keep the port open for sftp and close for ssh?
>
> -Garima Jain.
>
> On Mon, Jun 20, 2016 at 10:33 PM, garima jain <ja...@gmail.com>
> wrote:
>
>> Thanks. Will use that.
>>
>> -Garima Jain
>> On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:
>>
>>> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <ja...@gmail.com>
>>> wrote:
>>> > Can we use black list/whitelist feature?
>>>
>>> This is what you should use.
>>>
>>> >
>>> > -Garima Jain
>>> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:
>>> >
>>> >> There are many options - depending on the actual setup:
>>> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
>>> >> when setting up the server - just call "setPort" on the SshServer instance
>>> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
>>> >> bind SFTP to the public interface on port 22 - easy to do just call
>>> >> "setAddress" (or something to that effect) on the SshServer instance
>>> >> I could think of more exotic options - e.g. similar to sslh, using
>>> >> HAPROXY, etc., etc.
>>> >> > From: jain.garima88@gmail.com
>>> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
>>> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
>>> >> > To: dev@mina.apache.org
>>> >> >
>>> >> > Hi elijah,
>>> >> >
>>> >> > The requirement is to block port 22 for SSH and accept SFTP
>>> connections
>>> >> on
>>> >> > Port 22. Is there a class/method that can help us achieve the aim?
>>> >> >
>>> >> > -Garima Jain.
>>> >> >
>>> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
>>> >> wrote:
>>> >> >
>>> >> > > Is there some reason your code cannot examine the incoming client
>>> >> address
>>> >> > > and reject it if it does not match some specified criteria (e.g.,
>>> mask,
>>> >> > > network, closed group of IPs - whatever...) ?
>>> >> > >
>>> >> > > > From: jain.garima88@gmail.com
>>> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
>>> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
>>> >> > > > To: dev@mina.apache.org
>>> >> > > >
>>> >> > > > Hi,
>>> >> > > >
>>> >> > > >
>>> >> > > >
>>> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
>>> >> product.
>>> >> > > > The requirement is to disable port 22 for all incoming traffic
>>> over
>>> >> SSH
>>> >> > > but
>>> >> > > > the same port is required to communicate with few IP’s over 22.
>>> Is
>>> >> there
>>> >> > > a
>>> >> > > > way to handle selective port blocking?
>>> >> > > >
>>> >> > > >
>>> >> > > > -Garima Jain.
>>> >> > >
>>> >> > >
>>> >>
>>>
>>>
>>>
>>> --
>>> thanks
>>> ashish
>>>
>>> Blog: http://www.ashishpaliwal.com/blog
>>> My Photo Galleries: http://www.pbase.com/ashishpaliwal
>>>
>>
>

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Can I keep the port open for sftp and close for ssh?

-Garima Jain.

On Mon, Jun 20, 2016 at 10:33 PM, garima jain <ja...@gmail.com>
wrote:

> Thanks. Will use that.
>
> -Garima Jain
> On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:
>
>> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <ja...@gmail.com>
>> wrote:
>> > Can we use black list/whitelist feature?
>>
>> This is what you should use.
>>
>> >
>> > -Garima Jain
>> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:
>> >
>> >> There are many options - depending on the actual setup:
>> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
>> >> when setting up the server - just call "setPort" on the SshServer instance
>> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
>> >> bind SFTP to the public interface on port 22 - easy to do just call
>> >> "setAddress" (or something to that effect) on the SshServer instance
>> >> I could think of more exotic options - e.g. similar to sslh, using
>> >> HAPROXY, etc., etc.
>> >> > From: jain.garima88@gmail.com
>> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
>> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
>> >> > To: dev@mina.apache.org
>> >> >
>> >> > Hi elijah,
>> >> >
>> >> > The requirement is to block port 22 for SSH and accept SFTP
>> connections
>> >> on
>> >> > Port 22. Is there a class/method that can help us achieve the aim?
>> >> >
>> >> > -Garima Jain.
>> >> >
>> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
>> >> wrote:
>> >> >
>> >> > > Is there some reason your code cannot examine the incoming client
>> >> address
>> >> > > and reject it if it does not match some specified criteria (e.g.,
>> mask,
>> >> > > network, closed group of IPs - whatever...) ?
>> >> > >
>> >> > > > From: jain.garima88@gmail.com
>> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
>> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
>> >> > > > To: dev@mina.apache.org
>> >> > > >
>> >> > > > Hi,
>> >> > > >
>> >> > > >
>> >> > > >
>> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
>> >> product.
>> >> > > > The requirement is to disable port 22 for all incoming traffic
>> over
>> >> SSH
>> >> > > but
>> >> > > > the same port is required to communicate with few IP’s over 22.
>> Is
>> >> there
>> >> > > a
>> >> > > > way to handle selective port blocking?
>> >> > > >
>> >> > > >
>> >> > > > -Garima Jain.
>> >> > >
>> >> > >
>> >>
>>
>>
>>
>> --
>> thanks
>> ashish
>>
>> Blog: http://www.ashishpaliwal.com/blog
>> My Photo Galleries: http://www.pbase.com/ashishpaliwal
>>
>

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Thanks. Will use that.

-Garima Jain
On Jun 20, 2016 10:31 PM, "Ashish" <pa...@gmail.com> wrote:

> On Mon, Jun 20, 2016 at 9:43 AM, garima jain <ja...@gmail.com>
> wrote:
> > Can we use black list/whitelist feature?
>
> This is what you should use.
>
> >
> > -Garima Jain
> > On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:
> >
> >> There are many options - depending on the actual setup:
> >> - You can move SSHD to a non-standard port on all interfaces - easy to do
> >> when setting up the server - just call "setPort" on the SshServer instance
> >> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
> >> bind SFTP to the public interface on port 22 - easy to do just call
> >> "setAddress" (or something to that effect) on the SshServer instance
> >> I could think of more exotic options - e.g. similar to sslh, using
> >> HAPROXY, etc., etc.
> >> > From: jain.garima88@gmail.com
> >> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> >> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> >> > To: dev@mina.apache.org
> >> >
> >> > Hi elijah,
> >> >
> >> > The requirement is to block port 22 for SSH and accept SFTP
> connections
> >> on
> >> > Port 22. Is there a class/method that can help us achieve the aim?
> >> >
> >> > -Garima Jain.
> >> >
> >> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
> >> wrote:
> >> >
> >> > > Is there some reason your code cannot examine the incoming client
> >> address
> >> > > and reject it if it does not match some specified criteria (e.g.,
> mask,
> >> > > network, closed group of IPs - whatever...) ?
> >> > >
> >> > > > From: jain.garima88@gmail.com
> >> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> >> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> >> > > > To: dev@mina.apache.org
> >> > > >
> >> > > > Hi,
> >> > > >
> >> > > >
> >> > > >
> >> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
> >> product.
> >> > > > The requirement is to disable port 22 for all incoming traffic
> over
> >> SSH
> >> > > but
> >> > > > the same port is required to communicate with few IP’s over 22. Is
> >> there
> >> > > a
> >> > > > way to handle selective port blocking?
> >> > > >
> >> > > >
> >> > > > -Garima Jain.
> >> > >
> >> > >
> >>
>
>
>
> --
> thanks
> ashish
>
> Blog: http://www.ashishpaliwal.com/blog
> My Photo Galleries: http://www.pbase.com/ashishpaliwal
>

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by Ashish <pa...@gmail.com>.
On Mon, Jun 20, 2016 at 9:43 AM, garima jain <ja...@gmail.com> wrote:
> Can we use black list/whitelist feature?

This is what you should use.

>
> -Garima Jain
> On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:
>
>> There are many options - depending on the actual setup:
>> - You can move SSHD to a non-standard port on all interfaces - easy to do
>> when setting up the server - just call "setPort" on the SshServer instance
>> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
>> bind SFTP to the public interface on port 22 - easy to do just call
>> "setAddress" (or something to that effect) on the SshServer instance
>> I could think of more exotic options - e.g. similar to sslh, using
>> HAPROXY, etc., etc.
>> > From: jain.garima88@gmail.com
>> > Date: Mon, 20 Jun 2016 12:10:26 +0530
>> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
>> > To: dev@mina.apache.org
>> >
>> > Hi elijah,
>> >
>> > The requirement is to block port 22 for SSH and accept SFTP connections
>> on
>> > Port 22. Is there a class/method that can help us achieve the aim?
>> >
>> > -Garima Jain.
>> >
>> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
>> wrote:
>> >
>> > > Is there some reason your code cannot examine the incoming client
>> address
>> > > and reject it if it does not match some specified criteria (e.g., mask,
>> > > network, closed group of IPs - whatever...) ?
>> > >
>> > > > From: jain.garima88@gmail.com
>> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
>> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
>> > > > To: dev@mina.apache.org
>> > > >
>> > > > Hi,
>> > > >
>> > > >
>> > > >
>> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
>> product.
>> > > > The requirement is to disable port 22 for all incoming traffic over
>> SSH
>> > > but
>> > > > the same port is required to communicate with few IP’s over 22. Is
>> there
>> > > a
>> > > > way to handle selective port blocking?
>> > > >
>> > > >
>> > > > -Garima Jain.
>> > >
>> > >
>>



-- 
thanks
ashish

Blog: http://www.ashishpaliwal.com/blog
My Photo Galleries: http://www.pbase.com/ashishpaliwal

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Can we use black list/whitelist feature?

-Garima Jain
On Jun 20, 2016 10:12 PM, "elijah baley" <e_...@outlook.com> wrote:

> There are many options - depending on the actual setup:
> - You can move SSHD to a non-standard port on all interfaces - easy to do
> when setting up the server - just call "setPort" on the SshServer instance
> - You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and
> bind SFTP to the public interface on port 22 - easy to do just call
> "setAddress" (or something to that effect) on the SshServer instance
> I could think of more exotic options - e.g. similar to sslh, using
> HAPROXY, etc., etc.
> > From: jain.garima88@gmail.com
> > Date: Mon, 20 Jun 2016 12:10:26 +0530
> > Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> > To: dev@mina.apache.org
> >
> > Hi elijah,
> >
> > The requirement is to block port 22 for SSH and accept SFTP connections
> on
> > Port 22. Is there a class/method that can help us achieve the aim?
> >
> > -Garima Jain.
> >
> > On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com>
> wrote:
> >
> > > Is there some reason your code cannot examine the incoming client
> address
> > > and reject it if it does not match some specified criteria (e.g., mask,
> > > network, closed group of IPs - whatever...) ?
> > >
> > > > From: jain.garima88@gmail.com
> > > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > > To: dev@mina.apache.org
> > > >
> > > > Hi,
> > > >
> > > >
> > > >
> > > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our
> product.
> > > > The requirement is to disable port 22 for all incoming traffic over
> SSH
> > > but
> > > > the same port is required to communicate with few IP’s over 22. Is
> there
> > > a
> > > > way to handle selective port blocking?
> > > >
> > > >
> > > > -Garima Jain.
> > >
> > >
>

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
There are many options - depending on the actual setup:
- You can move SSHD to a non-standard port on all interfaces - easy to do when setting up the server - just call "setPort" on the SshServer instance
- You can bind SSHD to a specific interface (e.g., 127.0.0.1) on port 22 and bind SFTP to the public interface on port 22 - easy to do just call "setAddress" (or something to that effect) on the SshServer instance
I could think of more exotic options - e.g. similar to sslh, using HAPROXY, etc., etc.
> From: jain.garima88@gmail.com
> Date: Mon, 20 Jun 2016 12:10:26 +0530
> Subject: Re: Partial Disabling of port 22 using apache-mina SSHD
> To: dev@mina.apache.org
> 
> Hi elijah,
> 
> The requirement is to block port 22 for SSH and accept SFTP connections on
> Port 22. Is there a class/method that can help us achieve the aim?
> 
> -Garima Jain.
> 
> On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com> wrote:
> 
> > Is there some reason your code cannot examine the incoming client address
> > and reject it if it does not match some specified criteria (e.g., mask,
> > network, closed group of IPs - whatever...) ?
> >
> > > From: jain.garima88@gmail.com
> > > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > > To: dev@mina.apache.org
> > >
> > > Hi,
> > >
> > >
> > >
> > > We are using com.springsource.org.apache.mina-1.0.2.jar  in our product.
> > > The requirement is to disable port 22 for all incoming traffic over SSH
> > but
> > > the same port is required to communicate with few IP’s over 22. Is there
> > a
> > > way to handle selective port blocking?
> > >
> > >
> > > -Garima Jain.
> >
> >

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hi elijah,

The requirement is to block port 22 for SSH and accept SFTP connections on
Port 22. Is there a class/method that can help us achieve the aim?

-Garima Jain.

On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com> wrote:

> Is there some reason your code cannot examine the incoming client address
> and reject it if it does not match some specified criteria (e.g., mask,
> network, closed group of IPs - whatever...) ?
>
> > From: jain.garima88@gmail.com
> > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > To: dev@mina.apache.org
> >
> > Hi,
> >
> >
> >
> > We are using com.springsource.org.apache.mina-1.0.2.jar  in our product.
> > The requirement is to disable port 22 for all incoming traffic over SSH
> but
> > the same port is required to communicate with few IP’s over 22. Is there
> a
> > way to handle selective port blocking?
> >
> >
> > -Garima Jain.
>
>

Re: Partial Disabling of port 22 using apache-mina SSHD

Posted by garima jain <ja...@gmail.com>.
Hi,

The code is accepting the traffic coming on port 9822 and forwarding it to
22. But while connecting over ssh on port 22, the server is accepting a
connection.
Is there a way from the library itself to handle the condition?

-Garima Jain.

On Fri, Jun 17, 2016 at 3:27 PM, elijah baley <e_...@outlook.com> wrote:

> Is there some reason your code cannot examine the incoming client address
> and reject it if it does not match some specified criteria (e.g., mask,
> network, closed group of IPs - whatever...) ?
>
> > From: jain.garima88@gmail.com
> > Date: Fri, 17 Jun 2016 14:50:51 +0530
> > Subject: Partial Disabling of port 22 using apache-mina SSHD
> > To: dev@mina.apache.org
> >
> > Hi,
> >
> >
> >
> > We are using com.springsource.org.apache.mina-1.0.2.jar  in our product.
> > The requirement is to disable port 22 for all incoming traffic over SSH
> but
> > the same port is required to communicate with few IP’s over 22. Is there
> a
> > way to handle selective port blocking?
> >
> >
> > -Garima Jain.
>
>

RE: Partial Disabling of port 22 using apache-mina SSHD

Posted by elijah baley <e_...@outlook.com>.
Is there some reason your code cannot examine the incoming client address and reject it if it does not match some specified criteria (e.g., mask, network, closed group of IPs - whatever...) ?

> From: jain.garima88@gmail.com
> Date: Fri, 17 Jun 2016 14:50:51 +0530
> Subject: Partial Disabling of port 22 using apache-mina SSHD
> To: dev@mina.apache.org
> 
> Hi,
> 
> 
> 
> We are using com.springsource.org.apache.mina-1.0.2.jar  in our product.
> The requirement is to disable port 22 for all incoming traffic over SSH but
> the same port is required to communicate with few IP’s over 22. Is there a
> way to handle selective port blocking?
> 
> 
> -Garima Jain.
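
The check suggested in the reply above (accept a client only if its address matches a mask, network or closed group of IPs), as an added example that is not part of the original message or of MINA: a default-deny allowlist built on the JDK alone. The class name is hypothetical, the addresses are constructed sample data, and where the check is called when a connection is accepted depends on the MINA version in use and is not shown.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper; not part of MINA or MINA SSHD.
public class ClientAllowlist {
    private static final class Network {
        final byte[] base;
        final int prefixBits;
        Network(byte[] base, int prefixBits) { this.base = base; this.prefixBits = prefixBits; }
    }

    private final List<Network> networks = new ArrayList<>();

    // Entries are IP literals with an optional "/prefix", e.g. "192.0.2.0/24".
    // Use literals only: a host name here would trigger a DNS lookup.
    public ClientAllowlist(String... entries) throws UnknownHostException {
        for (String entry : entries) {
            String[] parts = entry.split("/", 2);
            byte[] base = InetAddress.getByName(parts[0]).getAddress();
            int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : base.length * 8;
            if (bits < 0 || bits > base.length * 8) {
                throw new IllegalArgumentException("bad prefix in " + entry);
            }
            networks.add(new Network(base, bits));
        }
    }

    // Default deny: a client is accepted only if some entry covers it.
    public boolean isAllowed(InetAddress client) {
        byte[] addr = client.getAddress();
        for (Network n : networks) {
            if (covers(n, addr)) {
                return true;
            }
        }
        return false;
    }

    private static boolean covers(Network n, byte[] addr) {
        if (addr.length != n.base.length) {
            return false; // never compare IPv4 against IPv6
        }
        int fullBytes = n.prefixBits / 8;
        int restBits = n.prefixBits % 8;
        for (int i = 0; i < fullBytes; i++) {
            if (addr[i] != n.base[i]) {
                return false;
            }
        }
        // Compare only the leading restBits of the next byte, if any.
        int mask = (0xff << (8 - restBits)) & 0xff;
        return restBits == 0 || (addr[fullBytes] & mask) == (n.base[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample data from the documentation address ranges.
        ClientAllowlist list = new ClientAllowlist("192.0.2.0/24", "198.51.100.7", "2001:db8::/32");
        for (String ip : new String[] {"192.0.2.15", "198.51.100.8", "2001:db8::1", "203.0.113.5"}) {
            System.out.println(ip + " -> " + (list.isAllowed(InetAddress.getByName(ip)) ? "accept" : "reject"));
        }
    }
}
```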