SSH via Internet

rjs1943 · 04-02-2020, 07:47 PM

I can connect to my ssh server via my local wifi in my house. Now say I go to town away from my home, can I still connect to my ssh server from there thru the internet, and is entering the login info different than connecting at my home? I probably will connect from my Android phone using Andftp app. In other words, can I still connect using the same login info I use when I'm home, or do I have to login different when I'm away from home?

Thanks.

michaelk · 04-02-2020, 08:35 PM

The username/password is the same just not the IP address...

You can connect to your ssh server assuming your router/MODEM internet connection is using a public IP address.

You forward the ssh IP port to your servers LAN IP address. It helps if you configure the router to use a DHCP IP address reservation assignment for your ssh server.

Use a free dynamic IP DNS server like noip.com so that you can use a URL instead of trying to keep track of your public IP address although these days they tend not to change much if you leave your router powered on.

Use keys and disable password authentication to help protect the sever.

lleb · 04-03-2020, 11:01 AM

michaelk hit the nail on the head, take a look at my sig for some howto guides for setting up ssh keys.

their is an ongoing debate with port forwarding of known ports for specific services like ssh (port 22) to be moved to a different port external facing. ie: instead of port 22, use port 222 or something like that.

I ran an IPCop firewall for years and looking over the log files, port 22 was constantly hammered by script kiddies and real attackers from China, Iran, Russia, etc... Thankfully iptables has rules to drop full blocks of IP ranges so dropping China and other bad actors was not hard. I do use an alternate port and looking over the logs that port was only tapped, scanned when in use by myself or others how know and have access to my network.

noip.com has a good CLI tools that can run as a service on your system if you trust it, i have done this from time to time, but also as mentioned I no longer need it as my IP has not rolled in over 3 years.