SSH from outside network

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Hello to all Linux Maniacs!!!:p

I'm back home, play with my two daughters & new born son.:D
Yeah , as you understand no time for Linux experimentation.
Good thing, back home internet is more than ok, instead of vessel.

So playing with SSH & SFTP the easy part , within LAN was pretty easy.
The difficult part was to achieved connection form outside world.

Thousand of tutorials in web were not that enough illustrative.
I have a Mac home (yes, I know but is also a Unix machine ;))
& I decided to make it a server.
I'm using my Mint as a client trying to succed a connection with my server.
I follow the below instructions (adapted for a Mac)
https://forums.linuxmint.com/viewtopic.php?f=42&t=13695

Of course I made a static IP for my server and port forwarding in my router.
what ever I tried was unsuccessful. :(

Finally I tried this

Code:

Using router IP instead of machine IP succeed a connection.
Problem is that router IP is not static & ISP probably is charging for a static IP,
moreover I don't know if this way is secured.

That's it folks, I'm waiting your for further investigation.
 


marcs

New Member
Joined
Apr 5, 2018
Messages
3
Reaction score
5
Credits
0
Congratulations.

When it comes to reaching SSH from WAN, via router with dynamic IP [fetched via DHCP], I use dynamic DNS service - changeip. It works like a charm, offers free basic service and never let me down. I simply forward specific SSH ports to given machines in a logical manner [and to avoid any autoscan bots trying to break into SSH 22, which could only be one on a WAN side of the router], thus I create forwarding to - for example:

machine_1 - ssh 22 => WAN port 1111
machine_2 - ssh 22 => WAN port 2222

etc.

Then I simply need to type:

ssh [email protected] -p 1111

to connect to machine_1, or use port 2222 to connect to machine_2.
Simple, efficient, quite secure [although authenticating using keys would be more secure, of course].
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Hello @marcs ,
Would you like to share with us the way you did it?
 

marcs

New Member
Joined
Apr 5, 2018
Messages
3
Reaction score
5
Credits
0
I have two routers [one is TP-Link and the other one is ASUS]. TP-Link is an internet-facing router [ASUS acts as an AP/repeater/extender, to cover the rest of the house with WiFi signal].
Both TP-Link and ASUS have opensource firmware installed, which extends their functionality and adds - for example - dynamic DNS configuration option. This allowed me to first create changeip.com account on the websited, then provide login and password into the router's dynamic DNS configuration fields.
Once I've had my router connected with changeip.com, I could be sure that my router's IP address is reachable via the same, unchangeable DNS name, which - in turn - allowed me to simply pass proper SSH ports from WAN to LAN [as in above example] and connect to my internal machines by connecting to router's DNS name with proper port.

Of course, you can configure changeip.com [or any other DynDNS service] on one of the linux boxes, but in case this box is down, your IP won't be updated to dynamic DNS name, so you won't be able connect. Also, I'm not sure if local IP address [LAN address] is going to be sent to DynDNS service ... plus, router is always UP and running, so it's best to configure DynDNS there.
 

marcs

New Member
Joined
Apr 5, 2018
Messages
3
Reaction score
5
Credits
0
I might add that TP-Link has Gargoyle opensource firmware installed, and ASUS has Padavan opensource firmware installed. Other types of such alternative firmware are: Tomato router, DD-WRT. However, it is highly device-specific, as each device * may * be supported by different alternative firmware. Some devices are not supported by any of the alternative firmwares, unfortunately :/ but ... most modern official firmwares from router vendors do have DynDNS option.
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Hello again everybody!!!!
@marcs thank you for your replay & your time you spent for us.

I need a little help with port forwarding.
I open a port in my router lets say 62615.
I check it throw page canyouseeme.org and shows to be close but same time port 22 shows to be open.
I change with another port lets say 8015 and again is closed but port 22 is open.
In case I will close the above ports, also port 22 shows closed.
Conclusion: Whatever port I open, only port 22 is appear to be open.
I repeat all the process and change also in sshd_config file the port number with same results.
Do anybody knows what I'm doing wrong?

Thanks again.
 

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,296
Reaction score
6,192
Credits
24,869
Do anybody knows what I'm doing wrong?

Not me :p but I am watching this Thread with interest and taking notes. I have a small SSH LAN setup at home for file and folder sharing, but the wider picture would be useful if I have to travel again.

...and a belated welcome @marcs , to linux.org (been away on a road trip for 11 days).

Enjoy your shore leave and your family time, Capta :)

Chris Turner
wizardfromoz
 

DaMeD83

New Member
Joined
Feb 13, 2018
Messages
13
Reaction score
18
Credits
0
@CptCharis Could you drop a screen shot of the IF on your router on the portforward page? might give an insight into what to do
 

DaMeD83

New Member
Joined
Feb 13, 2018
Messages
13
Reaction score
18
Credits
0
Sorry for late reply, been on and off sick and at home.

As far as I can see, it looks okay, depending that you are using port 8016 on both host and from the outside.

But, what i can read out of it, aswell is the Wan Host IP range seems abit odd, try setting it to 255.255.255.255 on the end maybe?

Tried reading up on the router,
https://www.cosmote.gr/fixed/docume..._2_1.pdf/e5aa9ed9-8e66-4d3b-8283-b79d67e0ded9

But I can't find anything else there might be.
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Don’t worry @DaMeD83 & thank you for your interest.
Unfortunately I haven’t find a solution yet.
I asked the IT department of my company also and they couldn’t help me too.
Most probably is ISP problem. They should leave specific ports for specific jobs, thus for ssh and/or sftp only door 22 could be open.
 

DaMeD83

New Member
Joined
Feb 13, 2018
Messages
13
Reaction score
18
Credits
0
Here's another good question are you using a bridged modem an modem/router in one or?

My question being that it might be dubble NAT and that will cause trouble
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Is modem / router supplied by IPS & unfortunately is run it'sown software only.
 

DaMeD83

New Member
Joined
Feb 13, 2018
Messages
13
Reaction score
18
Credits
0
This might be abit overkill but, thought of putting the Modem in bridged mode? kill the wlan on it and set up a funktional router behind it? might take some work but in the end it might be worth it.
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
I had not think about it, I will try and let you know.

Thanks.
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Question guys.

When I open a new port , should I add it also in /etc/service file?
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Gentlemen good day,

I finally managed it and now I can ssh my MAC server from outside at any port I like.
I would return with a complete guide.
 

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,296
Reaction score
6,192
Credits
24,869
Sounds legend, Capta :) - I'll take notes.

Hope you weren't working on it while you were steering the effin' ship?

b_Zo_Rud6_-_Imgur.gif


... and yes, I know you are back home, currently :D

Goodonyer, Mate

Wiz
 
OP
CptCharis

CptCharis

Well-Known Member
Joined
Feb 27, 2018
Messages
562
Reaction score
463
Credits
970
Ok guys here we are!

Just to remind you that my problem it was not that I failed to SSH my server but I couldn't do it with different port, other than 22.
I tried to config the sshd.conf with out results. At this point I have to refer that my modem settings was as per manufacturer manual directions.
I made a new port forwarding with a number let's say 123456 but once I check "canyouseeme.org" only port 22 was open.
Again I closed port 123456 and port 22 was closed. Anyway trying to be soon, the problem it's stupid Apple.

After many hours of youtube and google I found accidentally an article stayed that if you are using a Mac as server and you want to change ssh port, configuring sshd.conf is not enough, actually is doesn't matter at all.

Apple is using another file for configuring SSH. This file is named ssh.plist.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<true/>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>Program</key>
<string>/usr/libexec/sshd-keygen-wrapper</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>ssh</string>
<key>Bonjour</key>
<array>
<string>ssh</string>
<string>sftp-ssh</string>
</array>
</dict>
</dict>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
<key>Instances</key>
<integer>42</integer>
</dict>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>SHAuthorizationRight</key>
<string>system.preferences</string>
<key>POSIXSpawnType</key>
<string>Interactive</string>
</dict>
</plist>


Bolt letters ssh should be replaced by the new port e.x 123456

<key>SockServiceName</key>
<string>123456</string>
<key>Bonjour</key>
<array>
<string>123456</string>
<string>sftp-ssh</string>


System Integrity Protection

But this is not that easy, because this is Apple and Mac's root files are locked even for root user!!!
Can u imagine it? Yes it is because Apple's products refer to stupid people like me, not to geeks.
Anyway they use a protocol named "System Integrity Protection" (SIP) or "rootless".
If you want to check a file is protected under SIP you can use ls command:
Code:
ls -lO
. This is a capital "O", not a "zero".


How to disable SIP

1. Reboot your Mac into recovery mode by restarting it and holding down "Command + R".
2. Open a Terminal
3. In Terminal type
Code:
csrutil disable
and press "Enter".
4. Restart Mac.

Enable ssh daemon

Once you did all this and configure your ssh.plist file do the following:
1. Go to system preferences
2. Open sharing
3. Click on padlock to unlock (using your passwd)
4. Check on Remote login (this will start ssh server in background)
5. Lock back padlock

Security measures
Even changing port is a good security measure, another good security measure is to limit the access to your Server using "Only these users" instead of "All user", in the appropriate window.

ssh your Mac
Finally you can ssh your Mac server using
Code:
ssh -p123456 [email protected]


Make your Alias
In order to avoid all this locomotive command you can make an alias in your ~/.bashrc.
I made an alias named home.

Enable back SIP

In case you want to enable back your SIP, (I don't know why but let's assume).
Follow disable instructions and in Terminal type
Code:
csrutil enable
and press "Enter".
 
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation

Members online


Top