Announcement

**vinnywright** · Sep 24, 2013, 03:58 PM

dont you kneed the IP in both boxes in your router pitcher ?
or is it forwarding well like that with somthing elce ?

VINNY

**Feathers McGraw** · Sep 24, 2013, 04:20 PM

Hi Vinny

The other box is source net.

Port forwarding is working well for port 80 and some others, without anything in that box.

Feathers

**Buddlespit** · Sep 24, 2013, 06:38 PM

In your dd-wrt configuration, Security, Firewall, are you limiting WAN?

**Feathers McGraw** · Sep 24, 2013, 09:56 PM

Nope, but your question helped me figure out what it was, so thanks!

Basically, my router was listening on port 22 for ssh connections. So although I was forwarding port 22 to the Pi, port 22 was already in use.

To fix it, I just turned off SSHd on the router admin page (services --> services --> disable Secure Shell). I guess if I wanted to use both I could just choose a different port for one of them.

Code:

feathers-mcgraw@62-West-Wallaby-Street:~$ ssh admin@195.166.151.235
The authenticity of host '195.166.151.235 (195.166.151.235)' can't be established.
ECDSA key fingerprint is ************************************************.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '195.166.151.235' (ECDSA) to the list of known hosts.
***************************************************************************
                            NOTICE TO USERS


This computer system is the private property of its owner, whether
individual, corporate or government.  It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials.  Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
Enter passphrase for key '/home/feathers-mcgraw/.ssh/id_rsa': 
Last login: Tue Sep 24 22:16:18 2013 from 62-west-wallaby-street

Thanks again,

Feathers

**SteveRiley** · Sep 26, 2013, 11:54 PM

The Internet is littered with bots that will hammer any open ports 22/tcp that they can find. I would recommend that you configure an alternate listening port on your router, then forward that to 22/tcp on your server. You would then log in to your server thusly:

Code:

ssh -p [i]new-port[/i] [i]account[/i]@[i]public-ip[/i]

**Feathers McGraw** · Sep 27, 2013, 12:21 AM

Thanks Steve.

Password authentication is disabled and I'm using an RSA key to log in. Is it still a problem? If I move the key somewhere else and try to connect, the connection is instantly refused... so there's nothing to brute force. Or do the repeated connection attempts place a strain on the server?

Feathers

**SteveRiley** · Sep 27, 2013, 12:44 AM

RSA keys are better than passwords. By leaving port 22 exposed, you'll just be drawing nuisance traffic. It may or may not attract the attention of your ISP.

I've taken certain steps to ensure that Comcast pretty much leaves me alone. These include moving SSH to a non-standard port, SMTP to a non-standard port, relaying all outbound mail through Dyn, and using Dyn as my MX provider. These last two are easy since Dyn is the registrar for my domain. I pay about $100/yr for all this, and their control panel allows me to specify the TCP port to which they should direct inbound SMTP connections. These steps also ensure that my domain won't end up on block-lists like Spamhaus and their ilk.

I'm still using standard ports for HTTPS, IMAPS, managesieve, submission, rsync, and OpenVPN. These seem to be less of a concern generally.

**Feathers McGraw** · Sep 27, 2013, 02:31 AM

My ISP is Plusnet. I scanned through their T&Cs for anything hinting that running a server isn't allowed, and couldn't find anything. Will double check later just to be sure.

Anyway, is it really that simple to fool your ISP? Do they monitor certain ports and not others?

I noticed that with a dynamic IP address and dynamic DNS my outgoing mail was rejected by outlook, gmail etc. I paid £5 for a static IP and had no further problems. I think IPs in dynamic pools may be blocked by some email providers.

How exactly do you end up on a block list anyway?

Thanks for the info on this, it's a great way to learn.

Feathers

**oshunluvr** · Sep 27, 2013, 11:53 AM

You can also configure your ssh to use a different port by default on both ends. Thus ending the requirement to use the -p option. I actually use differnet ports on different machine and configure the ssh definitions for each one. Then I need only type

ssh <MACHINE HOST NAME>

and it chooses the correct port and user name for the target machine.

**Feathers McGraw** · Sep 27, 2013, 12:06 PM

That sounds convenient.

If you do this and you want to connect to ssh on the standard port on a new/different machine, you have to specify port 22 for that one?

Personally, I can't think of a time when I'd use ssh on a machine that I don't own, so I might do this.

**oshunluvr** · Sep 27, 2013, 12:53 PM

I'm not at my linux box at the mo', but look in (or create) ~/.ssh/config. In my case, mine looks something like:

Host server
User smith
Port 2345

Host laptop
User stuart
Port 2222

This, coupled with RSA keys (and a correctly configured hosts file) eliminates a lot of keystrokes.

Another cool trick is to setup file access using Dolphin via ssh. Then you can browse the entire machine using Dolphin instead of the terminal.

**oshunluvr** · Sep 27, 2013, 12:54 PM

Sorry, in answer to your question, no the default will always be 22 unless you change that in the system config file. The above is a local config and can be host specific.

**oshunluvr** · Sep 27, 2013, 12:56 PM

BTW another security measure is to disallow password access via ssh. Then only a machine with the proper RSA key will be allowed in.

**Feathers McGraw** · Sep 27, 2013, 01:04 PM

Thanks for the info. That setup looks ideal, I had initially thought you were making a system config change. Your way is the best of both.

Already using RSA keys, read about them here:

https://help.ubuntu.com/community/StricterDefaults

Feathers

Announcement

SSH Connection to Raspberry Pi over WAN

[SOLVED] SSH Connection to Raspberry Pi over WAN

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment