LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-24-2006, 06:51 AM   #1
Siiiiiii
LQ Newbie
 
Registered: May 2006
Location: Sweden
Distribution: Vector Linux
Posts: 28

Rep: Reputation: 15
SSH outside LAN


This is probably a stupid question, but I don't seem to find the answer:

I have a router with a static IP-address (say 123.123.123.123), which is connected to my two computers (192.168.1.60 and 192.168.1.61).

I know how to use SSH from 192.168.1.60 to 192.168.1.61, but not how to use it from a computer outside my LAN.
Also (probably more stupid): I have to open port 22 on my router, right? Are there any more settings that I need to make it work safely?
 
Old 12-24-2006, 07:06 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412Reputation: 412Reputation: 412Reputation: 412Reputation: 412
You need to set your router to forward port 22 traffic to the IP address of your ssh server. You also need to make sure that the firewall on your ssh server won't get in the way.

That should get you basic ssh connections from the outside world, however, you REALLY need to harden ssh with a few steps:

- Turn off root access via ssh. No arguing, just do it.
- Make sure you are using only Protocol 2
- Learn how to use the AllowUsers directive in your sshd_config file. This helps control what users are allowed ssh access.
- Make extremely sure that passwords are strong.
- Seriously consider turning off password access and moving to key authentication.

People ARE going to take a rip at cracking this, make sure your prepared.
 
Old 12-24-2006, 08:08 AM   #3
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
A few more suggestions

Besides Hangdog42's very nice suggestions, there are a few more,

1. limit max authentication tries in the ssh server
2. run ssh server on a different port (not 22) if sftp is not used

These steps can protect your server from most dictionary attacks.
 
Old 12-24-2006, 10:24 AM   #4
Siiiiiii
LQ Newbie
 
Registered: May 2006
Location: Sweden
Distribution: Vector Linux
Posts: 28

Original Poster
Rep: Reputation: 15
Thank you both.

What would the IP address to the SSH server be? 192.168.1.60@123.123.123.123?
 
Old 12-29-2006, 07:49 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412Reputation: 412Reputation: 412Reputation: 412Reputation: 412
Quote:
Originally Posted by Siiiiiii
Thank you both.

What would the IP address to the SSH server be? 192.168.1.60@123.123.123.123?

I think just 192.168.1.60 should do fine. I'm not sure what you're trying to do with the @123.123.123.123 bit but I've never seen a home router need something like that. Is there something else you're trying to do?
 
Old 01-04-2007, 09:30 AM   #6
Siiiiiii
LQ Newbie
 
Registered: May 2006
Location: Sweden
Distribution: Vector Linux
Posts: 28

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Hangdog42
I'm not sure what you're trying to do with the @123.123.123.123 bit but I've never seen a home router need something like that.
I know almost nothing about networking, but isn't there an outer IP (the address for people outside my local area network; my internet provider tells me it is 81.216.131.26) and an inner (that would be 192.168.1.66 for my router). Since all of my computers are connected to the Internet through the router, I reckoned other computers could not see them directly. Sorry if I was unclear.

Quote:
Originally Posted by Hangdog42
Is there something else you're trying to do?
Nope, I was just too lazy to look up my real IP
 
Old 01-05-2007, 06:55 AM   #7
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412Reputation: 412Reputation: 412Reputation: 412Reputation: 412
Quote:
I know almost nothing about networking, but isn't there an outer IP (the address for people outside my local area network; my internet provider tells me it is 81.216.131.26) and an inner (that would be 192.168.1.66 for my router). Since all of my computers are connected to the Internet through the router, I reckoned other computers could not see them directly. Sorry if I was unclear.

Your right about the outer (WAN) and inner (LAN) addresses. To the rest of the world, all of your computers are just your WAN address and it is up to your router to keep straight which packet goes to which LAN computer. Which is where port forwarding comes in. When an SSH packet arrives at your router, it has absolutely no idea what to do with it. Adding the @123... bit is almost certainly meaningless to your router. However, if you have port 22 forwarded to one of your machines, then the router will pass that packet on. If you need to have access to more than one machine, you'll need to set the other SSH servers up on ports other than 22, and forward those ports to the proper linux box.
 
  


Reply

Tags
networking, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH in LAN works, but not from outside max2004 Linux - Networking 4 07-22-2006 11:27 AM
ssh from outside my lan? danimal87 Linux - Newbie 4 09-04-2005 10:35 AM
problems about ssh and LAN franz77 Linux - Networking 3 01-09-2005 03:41 AM
SSH access from outside the LAN? jdp Linux - Newbie 1 05-02-2004 01:12 PM
Problems with SSH/FTP on LAN w0rmh0l3 Linux - Networking 10 03-08-2002 08:32 AM


All times are GMT -5. The time now is 08:41 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration