Hi guys,
I’d like to change the SSH port on WAN to reduce likelihood of intrusion attempts.
Which section of the firewall should I be using to achieve this?
Thanks!
Better use /ip firewall filter to block access to SSH from outside. Changing it via /ip services will change the SSH server port binding on all the interfaces.
Is there any firewall chain I can use (pre/postrouting) to redirect the port?
E.g. if I have already a device on the NAT serving SFTP on port 22 WAN, but I would like an alternate port for RouterBOARD’s SSH.
While maintaining the service port as 22.
If it’s not possible then I will change the service port. Thanks for your help!
You could do a redirect in NAT.
/ip firewall nat
# redirect TCP 2222 arriving at the router to its own SSH service, which stays bound to 22
add action=redirect chain=dstnat dst-port=2222 protocol=tcp to-ports=22
Hello friend, I use these very rules that you’ll find in the MikroTik Wiki. Take a look, hopefully it helps you.
SFTP and SSH can use, and do use, the same port, as the same service responds to both of them.
Oops, I meant to say I have a NAS with SFTP on external port 22, that is using a NAT forward rule.
But I would also like to offer SSH into my RouterOS using an alternate WAN port, but from LAN still port 22. I think the redirect rule from @cbrown does what I am trying to achieve. Thanks!
Yes, that does the trick, as SSH can be easily NATed.
Hello!
Trying to achieve the same as topic starter (enable ssh from WAN only from some fantasy port like 60022).
I’ve added the proposed rule to the NAT, but still can’t connect from the external network until port 22 is opened in the filter.
But that is not what I expect - I don’t want to open port 22 from WAN.
Please, help!
The Port Knocking idea is good, but in my case (connecting to the MikroTik from an iPad) it requires actions from 3 different applications (first ping the router from the RDP client, then touch it in the browser and then SSH to it from the “Prompt” application, which is a terminal client). But it is working (even though I used a slightly different third rule - not “drop all except the list”, but “accept only those from the list”).
Default ports for all services (SSH, web, Telnet, FTP, etc.) can be changed from IP → Services, unless you want different ports to access the same service from different interfaces on the device. In that case you have to use a redirect to point to the correct port.
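As an added example (not from any post in this thread), here is the combination of NAT and filter rules a defender would use so that the router's own SSH is reachable from WAN only on the alternate port while port 22 stays closed on WAN, which is exactly what the earlier question runs into. It assumes ether1 is the WAN interface, 192.168.88.10 is the NAS from the earlier post, and 60022 is the chosen alternate port; the input-chain accept relies on the connection-nat-state=dstnat matcher, because dstnat runs before the input chain and the redirected packet already carries dst-port=22 by the time the filter sees it.

```routeros
# Assumptions (not from the thread): ether1 = WAN, 192.168.88.10 = NAS, 60022 = alternate SSH port.
/ip firewall nat
# NAS keeps the public port 22 (the forward the earlier post describes)
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=22 comment="NAS SFTP on WAN:22"
# Router's own SSH on WAN:60022; the service stays bound to 22, so LAN clients still use 22
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=60022 \
    action=redirect to-ports=22 comment="RouterOS SSH on WAN:60022"

/ip firewall filter
# Established/related first, as in the default configuration
add chain=input connection-state=established,related action=accept
# The redirected packet arrives here with dst-port=22, but only it has been dstnat'ed
# towards the router itself; a direct probe of WAN:22 never matches this rule.
add chain=input in-interface=ether1 protocol=tcp dst-port=22 \
    connection-nat-state=dstnat action=accept comment="SSH via WAN:60022 only"
# Anything else aimed at the router's SSH from WAN is logged (useful for detection) and dropped
add chain=input in-interface=ether1 protocol=tcp dst-port=22 \
    action=log log-prefix="ssh-wan-drop" comment="log direct SSH attempts on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=drop
# Forwarded traffic to the NAS is allowed only because it was dstnat'ed
add chain=forward connection-nat-state=dstnat connection-state=new action=accept
add chain=forward in-interface=ether1 connection-state=new action=drop
```

Verify with /ip firewall connection print (the SSH session should show dstnat in its nat-state) and with /log print where ssh-wan-drop lines reveal scanners hitting port 22 directly.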