Subject: Re: Why are high ports used by SFTP server implementation?
Date: Tue, 23 Feb 2016 18:52:21 -0700
Mailing-List: users@mina.apache.org
Reply-To: users@mina.apache.org
From: David Hoffer
To: users@mina.apache.org

Hum, that's not entirely clear to me. The first link says...

'A TCP/IPv4 connection consists of two endpoints, and each endpoint consists of an IP address and a port number. Therefore, when a client user connects to a server computer, an established connection can be thought of as the 4-tuple of (server IP, server port, client IP, client port). Usually three of the four are readily known -- client machine uses its own IP address and when connecting to a remote service, the server machine's IP address and service port number are required. What is not immediately evident is that when a connection is established that the client side of the connection uses a port number. Unless a client program explicitly requests a specific port number, the port number used is an *ephemeral* port number. Ephemeral ports are temporary ports assigned by a machine's IP stack, and are assigned from a designated range of ports for this purpose.'

In our case the server is configured to listen on port 22 and the client connects to port 22, so isn't that fixing the port on both sides at port 22? Are you saying that although port 22 is the logical port used on both systems, in reality a different port is used on the client to connect to the server? We are using SSH only here, which I understand only uses port 22.

Regarding the second link, is that for FTP or also for SFTP? I know FTP uses passive ports and so does FTPS, but we are only using SFTP, e.g. file transfer as part of SSH.

Do those links really describe my situation? Or are those high ports created on the server so it can hand off work so it can listen on 22 again? E.g. is it using separate ports to communicate with clients instead of multiple threads on the same port? It's not clear to me yet, trying to understand.
-Dave

On Tue, Feb 23, 2016 at 4:32 PM, Chad Beaulac wrote:
> Hey Dave,
>
> Listener servers hand off to ephemeral ports.
> http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html
> You need ephemeral ports so a server can start listening on port 22 again
> while something else is happening.
>
> Look here for some configuration options.
> https://mina.apache.org/ftpserver-project/configuration_passive_ports.html
>
> -Chad
>
>
> On Tue, Feb 23, 2016 at 3:09 PM, David Hoffer wrote:
>
> > We are using SSHD in an application to create an embedded SFTP server
> > which works fine. Our clients connect on port 22 and we don't have any
> > issue with that.
> >
> > The problem/question is that our IA folks are complaining that our app
> > also listens on what appear to be random high ports. E.g. I see this in
> > our logs.
> >
> > Session username@/127.0.0.1:58118 authenticated
> > Server session created from /127.0.0.1:58132
> > Server session created from /127.0.0.1:58139
> > Server session created from /127.0.0.1:58157
> >
> > I see these later log statements are coming from IoSession in
> > ServerSessionImpl but I don't call this in my code so must be part of
> > the SSHD/MINA framework.
> >
> > Why are these high ports being used and do we need them? If not needed
> > for SFTP server how can I disable? If they are needed, why and can I
> > control the exact ports that are used?
> >
> > -Dave
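To check which side of the 4-tuple the logged high ports belong to, here is an added Python example (not code from this thread or from Apache MINA SSHD): it parses the log lines quoted in the thread and then opens a loopback listener plus one client connection, showing that the server keeps a single listening port while the peer port it logs is the client's ephemeral port. The sample log text, the OS-assigned listener port standing in for 22, and the ephemeral range constant are constructed/assumed here.

```python
import re
import socket

# Sample log lines as quoted in the thread (constructed here from the
# message text, not captured from a live server).
SAMPLE_LOG = """\
Session username@/127.0.0.1:58118 authenticated
Server session created from /127.0.0.1:58132
Server session created from /127.0.0.1:58139
Server session created from /127.0.0.1:58157
"""

# Assumed range for the check: IANA dynamic ports start at 49152, Linux
# defaults to 32768-60999; the ports in the log fall inside both.
EPHEMERAL_RANGE = (32768, 65535)

ADDR_RE = re.compile(r"/(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def peer_ports(log_text):
    """Return the (ip, port) pairs the SSHD log reports per session.

    These are the *remote* end of each accepted connection, i.e. the
    client's ephemeral port, not a port the server listens on.
    """
    return [(ip, int(port)) for ip, port in ADDR_RE.findall(log_text)]


def all_ephemeral(pairs, rng=EPHEMERAL_RANGE):
    """True if every logged peer port lies in the ephemeral range."""
    lo, hi = rng
    return all(lo <= port <= hi for _, port in pairs)


def demo_four_tuple():
    """Open a loopback listener and one client connection; return the
    listener port, the server-side view of the accepted connection, and
    the client's own local port, to show which side owns the high port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: OS picks one; stands in for 22
    srv.listen(1)
    listen_port = srv.getsockname()[1]
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", listen_port))
    conn, _ = srv.accept()
    result = {
        "listen_port": listen_port,
        "server_local_port": conn.getsockname()[1],  # == listen_port
        "server_peer_port": conn.getpeername()[1],   # client's ephemeral
        "client_local_port": cli.getsockname()[1],
    }
    for s in (conn, cli, srv):
        s.close()
    return result
```

On a host running the real server, the equivalent audit is to compare the LISTEN entries (which should show only port 22) against the ESTABLISHED entries, whose remote side carries the high ports.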