Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00


Episode: 1924
Title: HPR1924: Port Forwarding
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1924/hpr1924.mp3
Transcribed: 2025-10-18 11:13:08
---
This is HPR episode 1924 entitled Port Forwarding and is part of the series Privacy and Security.
It is hosted by 5150 and is about 23 minutes long.
The summary is: in HPR 1900, Ahuka suggested changing the default SSH port; I ask why not employ port forwarding?
This episode of HPR is brought to you by AnHonestHost.com.
Get a 15% discount on all shared hosting with the offer code HPR15, that's HPR15.
Better web hosting that's Honest and Fair at AnHonestHost.com.
Howdy folks, this is 5150 for Hacker Public Radio.
I want to talk to you a little bit today about port forwarding. What inspired me to record this podcast was episode 1900, where Ahuka talked about setting up an SSH server, and he advised the users to change the default port on the server.
I thought about why I was going to respond to that and ask him why he didn't just change the port via port forwarding on the router, and it struck me that if there was anybody in the audience who didn't understand why I'm asking that question, then they probably would benefit from explaining a little bit about port forwarding.
So for over 90% of the HPR listeners, what I'm going to be imparting today is stuff that you already know, so I'm not trying to insult anybody's experience or intelligence or something like that. But if there are any listeners out there who followed Ahuka's episode on SSH and didn't question why he didn't use port forwarding,
then probably you need to learn a little bit more about port forwarding, so that's what I'm going to do today.
Now, Ahuka rightly said he shouldn't expose an SSH service to the internet on the default port. In fact, any service exposed to the internet should not be on the default port, with possibly the exception of a web server that's meant for public access.
Now, if the only people going to be accessing the web server are you and your family members, then yes, certainly move it; move it to anything but port 80, or to port 8080.
That's the alternate port for HTTP, but unfortunately, if you're trying to set up a web server that the general public is supposed to be coming into, then most of them are not sophisticated enough
to add a colon and the port number at the end of the address, and if you set up your website like that for the public, nobody's going to come.
That's one of the few protocols where I would recommend you stick with the default port, but if it's just going to be you and maybe some friends or family members coming in, I would always suggest putting services on a port other than the default port.
I'm just questioning the way Ahuka went about it. I don't recall if he explained exactly how you would do it on the server side, but I've got an article from Cyberciti which is cited in the show notes.
So I've sort of paraphrased it, but if you wanted to change the default port for SSH then you would want to edit /etc/ssh/sshd...
I'm sorry, let me start over again, because invariably somebody is going to put in too many S's.
/etc/ssh/sshd_config. So you want to open that in nano or whatever you're comfortable with, and look for the line that says Port 22 and change it to port...
The article says port 2222. Don't make it port 2222; make it some other, different port, because if you see something cited in an article like that, then a lot of people are just going to think, oh yeah, it has to be that, or that's a good place to put it.
So yeah, I guarantee you people trying to get into your network are scanning 2222 for SSH because they've read the same article. It's like with passwords: I guarantee you there are a thousand people out there whose password is "correct horse battery staple" from the XKCD cartoon, because they literally typed in the example from the XKCD,
and of course anybody trying to crack into your network has got that in their list of common passwords.
So if you ever see something in an example that says, okay, we're going to redirect from the standard port to this port, pick anything but whatever port they say to change it to.
Now it says restart the SSHD server, and where the D comes from, I believe that's SSHD for daemon. So I'm pretty sure under systemd that would be systemctl restart sshd.
So that's what you do to restart the SSH server service without having to reboot the computer, and of course you have to do that as root.
So assuming you've done su to elevate to root, or you're prefacing that command with sudo, then it tells you how to connect.
Exactly: if you're using a non-standard port then you have to use the -p switch, so it's ssh -p 2222 (where you're using their example; don't use the same port) user@your-ip, or ssh -p 2222
user@your-domain. Now switching the SSH port internally might make sense if you manage a business or school network where you've got various levels of trust with the people who you let on your network internally.
But I think anybody who's capable of brute forcing your SSH credentials or your shared keys, I don't think they'd be slowed down any by changing the port. But when we mention home networks, I think if you trust the people in your family it's best to keep things simple locally.
So I'm suggesting we leave SSH running on port 22 internal to the network, and then we change it using IP forwarding in the router for the external network. In other words, if you're trying to get into
a machine on your network via SSH over the internet, unless you only have the one PC connected directly to your ISP with no router or firewall, you'll still need to set up port forwarding to tell the router which machine on your network the incoming data is intended for.
In other words, let's say you've enabled SSH on port 40001 on a machine with the internal address of 192.168.1.5; in other words, if you're on your network you can ping that machine at 192.168.1.5.
Okay, let's say you try to log in remotely; I mean you're not on your network, you're in a hotel on vacation or you're at your office, whatever.
So you're outside your network and you want to log in to a machine on your home system.
So instead of looking for an address like 192.168.X.Y, you're going to be looking for an address that'll be either a class A or class B address that was assigned to your ISP by the IANA.
So let's say, for the sake of argument, your external address is 73.149.124. To find the external address of your network, you'll find it in your router status page, or you just go to Google and type in "what's my IP" and you'll find several pages that will reflect that back to you.
So to reiterate, let's say you have an SSH server running on port 40001 on a machine with the IP address 192.168.1.5 on your home network, your external address is 73.149.122.124,
and you're trying to SSH into that server from a remote location out on the internet.
So you issue ssh -p 40001 (I'm sorry, 40001, not 4001) your-user-name@73.149.121.124.
Well, unless the router you're using actually supports an SSH server, which very well could be the case if you're using external firmware like OpenWrt or DD-WRT, in which case I don't know why you're still listening to this episode...
But if you haven't set up port forwarding, the router won't have any idea what to do with an incoming request on port 40001. You need to set up a port forwarding table in your router. Don't worry, it's all point and click; you may find it under Advanced in the menus, or Security, or Firewall, or a combination of the above.
But when you set up port forwarding you're going to be asked to first enter the external port number, in our example 40001, and whether it uses the TCP or UDP IP protocol or both, and unless you've got a drop-down selection for both you may have to set it up on separate lines for TCP and UDP, in which case you have two entries in your table.
You'll have the internal IP address, again in our example it was 192.168.1.5, and then the internal port number, and if you changed it internally as Ahuka recommended, from our example it's 40001. But, and this is the whole point of this entire podcast, if you're going to have to set up port forwarding anyway, why change the port number locally in the first place?
So in other words, you might as well leave the internal port number alone, in which case the internal port number is still going to be 22, the default.
Now I want to go over the terms TCP and UDP, because if you've followed me this far, like I said, I'm not trying to insult anybody's experience out there, but if you've followed me this far it's possible those terms are not familiar to you.
So TCP stands for transport control protocol and UDP stands for user data protocol, and really the difference is, with TCP, the machine that's transmitting information stops every so many packets, and don't hold me to this, I believe the default is three.
It stops and listens for a reply from the receiver; it's looking for a reply from the receiver: yes, I got those last three packets, go ahead.
UDP by contrast, the transmitting computer just blasts out the whole message all at once, doesn't care whether the receiving computer got any of it or not.
Doesn't check on it, so UDP is faster certainly, but TCP has fewer errors.
Now when picking whatever port number you're going to use externally, I skipped over that: changing port numbers comes under the heading of security by obscurity.
In other words, if somebody's scanning different ports... if you're using 40001, and again, for the same reason I said don't use 2222, don't use 40001, because the bad guys are going to find this article, and there are going to be some people who take the article way too literally and use 40001.
So for SSH that port number is forever burned; use something else. But if you enter the term "TCP port" into Google you're going to come up with this excellent article
that documents all the official and unofficial port assignments, because in about three digits most of those are taken for port assignments.
You get to four digits, a little more scarce; five digits, that's pretty rare, but you still need to look, because take the example I gave, 40001.
Oh, nobody's got assigned ports there? Well actually, 40000 is used by SafetyNET, a real-time industrial Ethernet protocol.
Now, I'm not saying don't run on the same port that is already used by something that obscure, because above the number 500 I think most of the ports are not officially assigned.
Just somebody's come up with the technology and the product and they're sort of squatting on the port.
At least it's documented, but there's nothing official that says that port has to be assigned to that product.
It's just, they pulled, just like you will, a random port out of the air and used it.
So if you look at whatever protocol or product is associated with that port, and you're sure that's something you're never going to use on your network, that even adds to the obscurity, for you to run a service like SSH over a port
that is linked to a technology you're sure you're never going to use.
Okay, another advantage of port redirection: let's say there's more than one machine on your network that you want to remotely log into. So in other words,
40001 redirects to your server, 40002 redirects to your desktop, and 40003 redirects to that old laptop that you gave to your kids.
So you could pick which machine on your network you SSH into by changing the port number, and you would set up separate redirections for each of those ports.
But for most people I would suggest only having SSH redirect to one machine, and then you remotely log into that machine, and then from there you use SSH locally like you were on your local network, and then
once you're on one client on your local network you SSH from there further into other machines locally, so we're talking about at least three nested shells here.
It's even possible to run graphical programs over SSH using the -X argument, but I'm going to leave that; it's kind of complicated, gives me a headache, I'm leaving that one for another podcast. Unfortunately we're going to lose that functionality when you move from X server to Wayland. So really, if you need to get into your network via a graphical program, let's say
your router has a graphical interface, you really don't want to configure the router so that you can directly log into it from the WAN side.
If you have the router set up to accept WAN side external connections and then you put in that external address that the ISP gave you, yeah, you're going to be logged in to the router just like you typed in 192.168.1.1 or whatever, but that means anybody else could get into it too.
Of course you've still got a password or whatever, but it's best not to do it that way. So you could SSH into a host on your system, and that host would probably have to be a host other than your server; you might get into your server, then get into a desktop or laptop running on your system, and then from the server again get into the desktop or laptop on your system using the -X option to start an X server.
And from there you could get into a browser and then get into your router setup, or get into your ownCloud setup, something like that. So that's a better way to go, but we're going to lose that functionality when we move from X server to Wayland.
So if that's something you need, you're probably going to have to look into something like VNC or virtual private networking. Of course, for everything I've talked about tonight you're going to have to have a static IP locally for anything running an SSH server, or any protocol that you're using for port forwarding, because your router is going to be expecting
your server, with our example of course, to be on 192.168.1.5, and if every time you reboot everything on your network that IP floats around, that isn't going to work out for you. So either you're going to have to go on that server and manually assign it a static IP, or go into your router; most of your modern routers...
well, the cheap one I have won't do it, but the good one, the Buffalo, will; that's running DD-WRT anyway, but by default you go in and set static IPs and associate them with a MAC address. Those are two ways to go to make sure it's a static IP. Now on the other end, for this to work you're going to have to have a static IP or a pseudo-static IP on the external address of your network. Now I'm...
I'm lucky; my particular provider, unless they switch out the hardware, my external IP never changes. But you may find out from day to day, at least if you cycle the power and get a new connection, your external IP is going to change to something in that range that the IANA has assigned your ISP. So if you've got that, you're going to have to set up some sort
of virtual domain service, and there are a few out there I think are still no cost, and more that do cost a nominal amount per month, because if you're logging in remotely you've got to know that the IP of your network that you're trying to hit isn't changing.
Yeah, I really hope I haven't made this too complicated for folks, but like I said, in pretty much every situation, if you're trying to log in to a machine on your network remotely then you're going to have to set up port forwarding across your router, because otherwise the router is not going to know which machine on your network it's supposed to be moving that information over to. I've been 5150.
You can contact me directly at 5150 at linuxbasement dot com, or reply in the comments, or record your own show. If you think I've been in error here, record your show and explain to me what I said wrong. I think I already said that, but in case I didn't...
And once we get IPv6 on our local networks all this goes out the window, so when that happens you can forget everything I said tonight. Okay, well, thanks for listening to HPR.
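As an added example (not from the episode or its show notes): a small Python model of the router forwarding table the host describes, rendered as nftables DNAT rules for a Linux-based router such as OpenWrt, with the host's caveats built in (internal port stays 22, don't reuse published example ports, LAN address must be a static private one). The addresses, ports, the `eth0` interface name and the nftables `ip nat`/`prerouting` names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Ports the episode warns against reusing because published examples get
# scanned first (constructed deny-list from the episode's own examples).
PUBLISHED_EXAMPLE_PORTS = {2222, 40001}


@dataclass(frozen=True)
class Forward:
    """One row of the router's port-forwarding table."""
    ext_port: int          # port exposed on the WAN side
    int_ip: str            # LAN host; must be a static private address
    int_port: int = 22     # leave the service on its default port internally
    proto: str = "tcp"     # SSH is TCP only; no UDP row is needed

    def __post_init__(self):
        if not ip_address(self.int_ip).is_private:
            raise ValueError(f"{self.int_ip} is not a LAN address")

def check_ext_port(port):
    """Advisory warnings about an external port choice, per the episode."""
    warnings = []
    if port in PUBLISHED_EXAMPLE_PORTS:
        warnings.append(f"{port} appears in published examples; pick another")
    if port < 1024:
        warnings.append(f"{port} is a well-known port")
    elif port <= 49151:
        warnings.append(f"{port} is in the IANA registered range; check the list")
    return warnings

def nft_rules(forwards, wan_if="eth0"):
    """Render each row as an nftables DNAT rule (assumes a table 'ip nat'
    with a 'prerouting' chain of type nat already exists on the router)."""
    seen, rules = set(), []
    for f in forwards:
        if (f.ext_port, f.proto) in seen:
            raise ValueError(f"duplicate external port {f.ext_port}/{f.proto}")
        seen.add((f.ext_port, f.proto))
        rules.append(f'add rule ip nat prerouting iifname "{wan_if}" '
                     f"{f.proto} dport {f.ext_port} dnat to {f.int_ip}:{f.int_port}")
    return rules

def resolve(forwards, ext_port, proto="tcp"):
    """LAN (ip, port) an inbound connection reaches, or None (router drops it)."""
    for f in forwards:
        if (f.ext_port, f.proto) == (ext_port, proto):
            return (f.int_ip, f.int_port)
    return None

def ssh_command(user, ext_ip, ext_port):
    """Client command from outside the LAN: -p selects the external port."""
    return f"ssh -p {ext_port} {user}@{ext_ip}"
```

With three rows (40001 server, 40002 desktop, 40003 laptop) the rules each DNAT to port 22 on the LAN host, and an inbound hit on an unlisted port resolves to nothing, which is the router "not knowing what to do" with it.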
You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contributing page to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 license.