    [SOLVED] SSH Connection to Raspberry Pi over WAN

    I can SSH into my Raspberry Pi (running raspbian) over LAN, but not WAN.

    Port forwarding is enabled on my router.

    Code:
    feathers-mcgraw@62-West-Wallaby-Street:~$ ssh admin@192.168.1.103
    ***************************************************************************
                                NOTICE TO USERS
    
    
    This computer system is the private property of its owner, whether
    individual, corporate or government.  It is for authorized use only.
    Users (authorized or unauthorized) have no explicit or implicit
    expectation of privacy.
    
    Any or all uses of this system and all files on this system may be
    intercepted, monitored, recorded, copied, audited, inspected, and
    disclosed to your employer, to authorized site, government, and law
    enforcement personnel, as well as authorized officials of government
    agencies, both domestic and foreign.
    
    By using this system, the user consents to such interception, monitoring,
    recording, copying, auditing, inspection, and disclosure at the
    discretion of such personnel or officials.  Unauthorized or improper use
    of this system may result in civil and criminal penalties and
    administrative or disciplinary action, as appropriate. By continuing to
    use this system you indicate your awareness of and consent to these terms
    and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
    conditions stated in this warning.
    
    ****************************************************************************
    Enter passphrase for key '/home/feathers-mcgraw/.ssh/id_rsa': 
    Last login: Tue Sep 24 22:13:09 2013 from 62-west-wallaby-street
    admin@samhobbs ~ $ exit
    logout
    Connection to 192.168.1.103 closed.
    feathers-mcgraw@62-West-Wallaby-Street:~$ ssh admin@samhobbs.co.uk
    Connection closed by 195.166.151.235
    feathers-mcgraw@62-West-Wallaby-Street:~$ ssh admin@195.166.151.235
    Connection closed by 195.166.151.235

    As far as I know, this should be working.

    Any ideas?

    Feathers
    samhobbs.co.uk

    #2
    Don't you need the IP in both boxes in your router picture?
    Or is it forwarding well like that with something else?

    VINNY


      #3
      Hi Vinny

      The other box is source net.

      Port forwarding is working well for port 80 and some others, without anything in that box.

      Feathers
      samhobbs.co.uk



        #4
        In your dd-wrt configuration, Security, Firewall, are you limiting WAN?
        I do not personally use Kubuntu, but I'm the tech support for my daughter who does.



          #5
          Nope, but your question helped me figure out what it was, so thanks!

          Basically, my router was listening on port 22 for ssh connections. So although I was forwarding port 22 to the Pi, port 22 was already in use.

          To fix it, I just turned off SSHd on the router admin page (services --> services --> disable Secure Shell). I guess if I wanted to use both I could just choose a different port for one of them.

          Code:
          feathers-mcgraw@62-West-Wallaby-Street:~$ ssh admin@195.166.151.235
          The authenticity of host '195.166.151.235 (195.166.151.235)' can't be established.
          ECDSA key fingerprint is ************************************************.
          Are you sure you want to continue connecting (yes/no)? yes
          Warning: Permanently added '195.166.151.235' (ECDSA) to the list of known hosts.
          ***************************************************************************
                                      NOTICE TO USERS
          
          
          This computer system is the private property of its owner, whether
          individual, corporate or government.  It is for authorized use only.
          Users (authorized or unauthorized) have no explicit or implicit
          expectation of privacy.
          
          Any or all uses of this system and all files on this system may be
          intercepted, monitored, recorded, copied, audited, inspected, and
          disclosed to your employer, to authorized site, government, and law
          enforcement personnel, as well as authorized officials of government
          agencies, both domestic and foreign.
          
          By using this system, the user consents to such interception, monitoring,
          recording, copying, auditing, inspection, and disclosure at the
          discretion of such personnel or officials.  Unauthorized or improper use
          of this system may result in civil and criminal penalties and
          administrative or disciplinary action, as appropriate. By continuing to
          use this system you indicate your awareness of and consent to these terms
          and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
          conditions stated in this warning.
          
          ****************************************************************************
          Enter passphrase for key '/home/feathers-mcgraw/.ssh/id_rsa': 
          Last login: Tue Sep 24 22:16:18 2013 from 62-west-wallaby-street

          Thanks again,

          Feathers
          samhobbs.co.uk
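Added example, not part of the original thread: one way to tell which device answers on a forwarded port is to compare the SSH host keys offered at the LAN address and at the public address. The function names, the placeholder key blobs and the documentation address 203.0.113.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare SSH host keys seen at two addresses to tell whether
# the same sshd answers both. Input is ssh-keyscan output, one key per line:
#   <host> <keytype> <base64-key>

# Print the unique "keytype key" pairs from a scan file (comment lines skipped).
host_keys() {
    awk '!/^#/ && NF >= 3 { print $2, $3 }' "$1" | sort -u
}

# same_sshd LAN_SCAN WAN_SCAN: 0 = a host key is shared, 1 = none shared,
# 2 = one scan is empty (port filtered, or no NAT loopback from inside the LAN).
same_sshd() {
    a=$(host_keys "$1"); b=$(host_keys "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ -n "$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)" ]
}

# Turn the comparison into a one-line verdict.
diagnose() {
    rc=0; same_sshd "$1" "$2" || rc=$?
    case $rc in
        0) echo "same sshd: the forward reaches the intended host" ;;
        1) echo "different sshd: another device answers on the WAN port" ;;
        *) echo "inconclusive: a scan returned no host keys" ;;
    esac
}

# Constructed scans: key blobs are placeholders, 203.0.113.10 is a
# documentation address standing in for the public IP.
demo() {
    d=$(mktemp -d)
    echo '192.168.1.103 ssh-rsa AAAAB3PLACEHOLDERPIKEY' > "$d/lan"
    echo '203.0.113.10 ssh-rsa AAAAB3PLACEHOLDERROUTERKEY' > "$d/wan_before"
    echo '203.0.113.10 ssh-rsa AAAAB3PLACEHOLDERPIKEY' > "$d/wan_after"
    diagnose "$d/lan" "$d/wan_before"   # router's own sshd holds WAN port 22
    diagnose "$d/lan" "$d/wan_after"    # router sshd disabled, forward works
    rm -rf "$d"
}

# Live use, with your own addresses:
#   ssh-keyscan -p 22 192.168.1.103 > lan; ssh-keyscan -p 22 <public-ip> > wan
#   diagnose lan wan
```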



            #6
            The Internet is littered with bots that will hammer any open ports 22/tcp that they can find. I would recommend that you configure an alternate listening port on your router, then forward that to 22/tcp on your server. You would then log in to your server thusly:
            Code:
            ssh -p new-port account@public-ip



              #7
              Thanks Steve.

              Password authentication is disabled and I'm using an RSA key to log in. Is it still a problem? If I move the key somewhere else and try to connect, the connection is instantly refused... so there's nothing to brute force. Or do the repeated connection attempts place a strain on the server?

              Feathers
              samhobbs.co.uk



                #8
                RSA keys are better than passwords. By leaving port 22 exposed, you'll just be drawing nuisance traffic. It may or may not attract the attention of your ISP.

                I've taken certain steps to ensure that Comcast pretty much leaves me alone. These include moving SSH to a non-standard port, SMTP to a non-standard port, relaying all outbound mail through Dyn, and using Dyn as my MX provider. These last two are easy since Dyn is the registrar for my domain. I pay about $100/yr for all this, and their control panel allows me to specify the TCP port to which they should direct inbound SMTP connections. These steps also ensure that my domain won't end up on block-lists like Spamhaus and their ilk.

                I'm still using standard ports for HTTPS, IMAPS, managesieve, submission, rsync, and OpenVPN. These seem to be less of a concern generally.



                  #9
                  My ISP is Plusnet. I scanned through their T&Cs for anything hinting that running a server isn't allowed, and couldn't find anything. Will double check later just to be sure.

                  Anyway, is it really that simple to fool your ISP? Do they monitor certain ports and not others?

                  I noticed that with a dynamic IP address and dynamic DNS my outgoing mail was rejected by outlook, gmail etc. I paid £5 for a static IP and had no further problems. I think IPs in dynamic pools may be blocked by some email providers.

                  How exactly do you end up on a block list anyway?

                  Thanks for the info on this, it's a great way to learn.

                  Feathers
                  samhobbs.co.uk



                    #10
                    You can also configure your ssh to use a different port by default on both ends, thus ending the requirement to use the -p option. I actually use different ports on different machines and configure the ssh definitions for each one. Then I need only type

                    ssh <MACHINE HOST NAME>

                    and it chooses the correct port and user name for the target machine.

                    Please Read Me



                      #11
                      That sounds convenient.

                      If you do this and you want to connect to ssh on the standard port on a new/different machine, you have to specify port 22 for that one?

                      Personally, I can't think of a time when I'd use ssh on a machine that I don't own, so I might do this.
                      samhobbs.co.uk



                        #12
                        I'm not at my linux box at the mo', but look in (or create) ~/.ssh/config. In my case, mine looks something like:

                        Host server
                        User smith
                        Port 2345

                        Host laptop
                        User stuart
                        Port 2222

                        This, coupled with RSA keys (and a correctly configured hosts file) eliminates a lot of keystrokes.

                        Another cool trick is to set up file access using Dolphin via ssh. Then you can browse the entire machine using Dolphin instead of the terminal.

                        Please Read Me



                          #13
                          Sorry, in answer to your question: no, the default will always be 22 unless you change that in the system config file. The above is a local config and can be host specific.

                          Please Read Me



                            #14
                            BTW another security measure is to disallow password access via ssh. Then only a machine with the proper RSA key will be allowed in.

                            Please Read Me
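Added example, not part of the original thread: a check that password login is really off, run against the effective settings that `sshd -T` prints, covering the key-only setup discussed in posts #7 and #14. The function names and the sample settings are constructed for illustration; the keyboard-interactive check is an addition, since that method can still prompt for a password through PAM.

```shell
#!/bin/sh
# Added example: audit effective sshd settings, as printed by `sshd -T`
# (lowercase "keyword value" lines), for key-only login.

# setting KEY FILE: print the value(s) of KEY.
setting() {
    awk -v k="$1" '$1 == k { print $2 }' "$2"
}

# audit_sshd FILE: one finding per line; returns 1 if a password can still be used.
audit_sshd() {
    f=$1; bad=0
    if [ "$(setting passwordauthentication "$f")" != "no" ]; then
        echo "FAIL passwordauthentication is not 'no'"; bad=1
    fi
    # Keyboard-interactive (PAM) can still prompt for a password. The keyword is
    # kbdinteractiveauthentication on newer OpenSSH and
    # challengeresponseauthentication on older releases.
    for k in kbdinteractiveauthentication challengeresponseauthentication; do
        if [ "$(setting "$k" "$f")" = "yes" ]; then
            echo "FAIL $k is 'yes'"; bad=1
        fi
    done
    if [ "$(setting pubkeyauthentication "$f")" != "yes" ]; then
        echo "FAIL pubkeyauthentication is not 'yes'"; bad=1
    fi
    for p in $(setting port "$f"); do
        if [ "$p" = "22" ]; then echo "NOTE sshd listens on 22/tcp"; fi
    done
    if [ "$bad" -eq 0 ]; then echo "OK key-only login"; fi
    return "$bad"
}

# Constructed sample settings (not taken from the thread's machines).
demo() {
    s=$(mktemp)
    printf '%s\n' 'port 22' 'passwordauthentication no' \
        'challengeresponseauthentication yes' 'pubkeyauthentication yes' > "$s"
    audit_sshd "$s" || true
    rm -f "$s"
}

# Live use on the server (needs root):
#   sshd -T > effective.conf; audit_sshd effective.conf
```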



                              #15
                              Thanks for the info. That setup looks ideal, I had initially thought you were making a system config change. Your way is the best of both.

                              Already using RSA keys, read about them here:

                              https://help.ubuntu.com/community/StricterDefaults

                              Feathers
                              samhobbs.co.uk
