ssh via putty to linux box?

ponder

I'm obviously missing something here, as I cannot get to my own Linux box (10.0.0.11) over the internet using PuTTY.

Netgear DG834GUv5; I've set up port forwarding using one of the existing listed services.
[screenshot attachment: fwr.png]

I'm using Telkom dynamic DNS; I can ping the hostname over the net and it resolves to the correct IP address.
A few online tools indicate that port 22 on the WAN side is open.

I open PuTTY, enter the host name or IP address, and it just sits there until it times out. I'm expecting a screen asking me to accept the certificate.

What am I missing?
 
1. Is SSH running? (service sshd status OR systemctl status sshd)
2. Is it listening on the correct interface? (netstat -nplt)
3. Is your OS firewall blocking connections? (iptables -nvL)
4. Is your routing correct? (route -n) Make sure your default route is the modem.

If you like I can scan/nmap your IP for you, just PM me the IP address

!!! Install Fail2Ban on your Linux server, delete unneeded users, and use strong passwords / SSH public-private keys with a passphrase.
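The four-point checklist in the post above, turned into a script. This is an added example, not code from the thread or from any of the posters; the parsing functions take command output as text so they can be exercised on the constructed samples embedded here, without a live sshd or root access, and the `--live` mode runs the real commands on the host. The modem address 10.0.0.1 and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: the four-point checklist as a
# script. Parsers take command output as text, so the constructed samples
# below exercise them without a live sshd or root access.

# Constructed sample in the shape of `ss -H -nlt` output (netstat -nlt minus
# its header lines has the same column 4: the local address:port).
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample of `ip route` output (route -n lines are handled too).
SAMPLE_ROUTES='default via 10.0.0.2 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.11'

# Constructed sample of `iptables -nvL INPUT` output.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 12 packets, 840 bytes)
 pkts bytes target prot opt in out source destination
  100  6000 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   40  2400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22'

# Print the local address(es) a TCP port is bound on, one per line.
# Usage: bind_addrs_for_port "<listener text>" <port>
bind_addrs_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $4 ~ (":" port "$") { sub(":" port "$", "", $4); print $4 }'
}

# Succeed only if the port is bound on a wildcard or non-loopback address,
# i.e. reachable from the LAN side (check 2 in the post).
port_reachable_from_lan() {
    addrs=$(bind_addrs_for_port "$1" "$2")
    [ -n "$addrs" ] || return 1
    printf '%s\n' "$addrs" | grep -Evq '^(127\.|\[?::1\]?$)'
}

# Print the default gateway from `ip route` or `route -n` text (check 4).
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $3; exit }
                               $1 == "0.0.0.0" { print $2; exit }'
}

# Print the INPUT chain policy and whether an explicit ACCEPT rule for the
# port exists (check 3). Rule order still matters: a DROP rule earlier in
# the chain wins, so read the full listing when this reports "no".
input_chain_summary() {
    policy=$(printf '%s\n' "$1" | awk '/^Chain INPUT/ { print $4; exit }')
    if printf '%s\n' "$1" | grep -Eq "ACCEPT.*dpt:$2( |$)"; then
        rule=yes
    else
        rule=no
    fi
    printf 'policy=%s explicit_accept=%s\n' "$policy" "$rule"
}

# Run the real commands on this host (iptables needs root). MODEM_IP is an
# assumed value for the thread's 10.0.0.x network; override it as needed.
run_live_checks() {
    port=${SSH_PORT:-22}
    modem=${MODEM_IP:-10.0.0.1}
    for svc in sshd ssh; do             # Debian/Ubuntu name the unit "ssh"
        systemctl is-active --quiet "$svc" 2>/dev/null && echo "1. $svc is active"
    done
    listeners=$(ss -H -nlt 2>/dev/null)
    if port_reachable_from_lan "$listeners" "$port"; then
        echo "2. port $port bound on: $(bind_addrs_for_port "$listeners" "$port" | tr '\n' ' ')"
    else
        echo "2. port $port NOT listening on a LAN-reachable address"
    fi
    echo "3. $(input_chain_summary "$(iptables -nvL INPUT 2>/dev/null)" "$port")"
    gw=$(default_gateway "$(ip route 2>/dev/null)")
    echo "4. default gateway is ${gw:-none} (expected $modem)"
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as `sh sshcheck.sh --live` on the Linux box (as root for the iptables step, and with `SSH_PORT`/`MODEM_IP` exported if they differ). If all four come back clean, the box is not the problem and attention moves to the router, which is where this thread ends up.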
 
Not familiar with this router, so I am not sure where you are defining what the external IP port number is.
I make a habit of not using port 22 as the outside-facing port (paranoia). My outside-facing port is always something such as 18222 or some pattern such as that.
 
Not familiar with this router, so I am not sure where you are defining what the external IP port number is.
I make a habit of not using port 22 as the outside-facing port (paranoia). My outside-facing port is always something such as 18222 or some pattern such as that.

The port is defined in the service. I'm aware of port 22; I'll change that once I get it working.
 
PS. Your outbound rules 1 + 2 are not needed, as the default rule allows all new connections out...

Additionally, an inbound rule looks like
ANY (tcp/ANY) -- MODEM (ACCEPT TCP/22) / DNAT (10.0.0.11:22/TCP) --> LINUX (TCP/22)
The outbound section for that rule would be an established connection and not a new connection to the internet. Plus, the reply traffic to the internet client would not be coming from port 22; instead it would be a random port between 1024 - 65535.
 
Was the public key done correctly in PuTTY? Did you select SSH-2 RSA (or something to that effect)?

Probably a dumb question, but I've made that mistake before, because I hardly ever use PuTTY and thought I could edit the funny-looking key to my liking.
 
Thanks people, I'll revisit this in the morning.

Btw Rule 1 is for something else totally unrelated.
 
Thanks people, I'll revisit this in the morning.

Btw Rule 1 is for something else totally unrelated.

1. Enable logging on that SSH incoming rule on the router
2. Check the logs of the SSH daemon on your Linux box
3. Also check that your router doesn't have the DMZ server option enabled

Good luck and keep us posted
 
Not familiar with this router, so I am not sure where you are defining what the external IP port number is.
I make a habit of not using port 22 as the outside-facing port (paranoia). My outside-facing port is always something such as 18222 or some pattern such as that.

Obfuscation isn't security. A port scan will quickly reveal SSH is running on a non-standard port.

Rather look at:

a) Blocking root login
b) Fail2Ban
 
1) Can you get to your Linux box from inside your network?

e.g. PuTTY / other SSH software -> that machine works from the LAN?

That rules out something on the Linux box if that works fine.

2) Testing - externally.

Testing from outside - have you tried from a different location?
Most crappy router firmwares suck.
Most crappy routers won't let you connect to the internal network from the external IP from internally.

If you don't mind giving us your current IP, we can test if we get a prompt or not.
It's not a security issue, as it's already on the internet in theory. We don't need a user/pass; we just need the IP to see if we get prompted.


3) Check the logs for SSH

On Ubuntu / Debian, it's usually /var/log/auth.log, so something like
tail -F /var/log/auth.log

Watch to see if you see any activity on connection from another box.
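The "tail -F /var/log/auth.log" step above, extended into a small parser. This is an added example and not code from the thread: it runs over constructed sshd log lines (RFC 5737 test addresses, a made-up host name "box" and user "ponder") so it works without a live server. Seeing Failed/Accepted lines at all proves the router is delivering the connection to sshd; counting failures per source address is what Fail2Ban, recommended elsewhere in the thread, automates.

```shell
#!/bin/sh
# Added example, not from the thread: parse sshd entries from auth.log.
# Pipe a real file in with: failed_by_ip "$(grep sshd /var/log/auth.log)"

# Constructed sample of sshd entries in /var/log/auth.log.
SAMPLE_AUTH_LOG='Jan 22 10:01:02 box sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 22 10:01:05 box sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 22 10:01:09 box sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 22 10:01:30 box sshd[1237]: Failed password for ponder from 198.51.100.7 port 33000 ssh2
Jan 22 10:02:10 box sshd[1240]: Accepted publickey for ponder from 10.0.0.12 port 40000 ssh2: RSA SHA256:constructedfingerprint
Jan 22 10:03:00 box sshd[1250]: Did not receive identification string from 203.0.113.9 port 44444
Jan 22 10:04:00 box sshd[1260]: Accepted password for ponder from 198.51.100.7 port 33010 ssh2'

# Print "<count> <ip>" for every source address with failed logins,
# most failures first. The "from" keyword is the anchor, so the line works
# regardless of the syslog timestamp format. Usage: failed_by_ip "<log text>"
failed_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Print the addresses with at least <threshold> failures (ban candidates).
# Usage: offenders "<log text>" <threshold>
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Print "<user> <ip> <method>" for each successful login, so a password
# login from an unexpected address stands out next to the key-based ones.
accepted_logins() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print user, ip, method
        }'
}

# Count connections that never sent an SSH banner: typical of port scanners
# probing the box, and harmless noise once sshd is reachable.
scanner_probes() {
    printf '%s\n' "$1" | grep -c 'Did not receive identification string'
}
```

With the sample, `offenders "$SAMPLE_AUTH_LOG" 3` names only 203.0.113.5, while `accepted_logins` shows one key-based login from the LAN and one password login from the internet; the latter is exactly the kind of entry that disappears once password authentication is turned off, as later posts suggest.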
 
1) Can you get to your Linux box from inside your network?

e.g. PuTTY / other SSH software -> that machine works from the LAN?

That rules out something on the Linux box if that works fine.

Yeah, sorry, I forgot to mention that it works fine over the LAN :o

I'll get back to you guys with the router IP tonight.
 
Testing from outside - have you tried from a different location?
Most crappy router firmwares suck.
Most crappy routers won't let you connect to the internal network from the external IP from internally.

Just for schites & giggles I got myself a shell account on freeshells.org and SSH'd from there, and it worked fine!

To think I was pulling my hair out when everything I set up was actually fine :D

I must try my ancient router as I'm pretty sure I did this before on that router...
 
It's basically that the iptables forwarding rules are a bit dof on crappy router firmwares.


I usually run AdvancedTomato or OpenWRT on mine, which is a little less dof.
Have some Ubiquiti gear arriving tomorrow to play with though, haven't used much of that yet.

Glad to have solved it :)

Now, add some fail2ban rules or similar to protect against the script kiddies.
I personally set key-only logins, as no one else has my keys.

I also use Hamachi for a pseudo-VPN setup, as I can do that without fussing with router setups.
I admin a couple of HP MicroServers that way. They have Hamachi installed, I add them to a group, and I can SSH in whenever I want.
Easy way to do remote access.
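The hardening advice in this thread comes down to three settings in sshd_config: no root login and Fail2Ban (the "rather look at" post above) and key-only logins (the post just above). The audit below is an added example, not code from the thread or from any poster; the two configurations it checks are constructed samples. It mirrors one sshd rule worth knowing: for each keyword sshd uses the first value it reads, so a hardened line appended below a weak one changes nothing. Match blocks are skipped, since they only apply conditionally.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for the three
# hardening points raised in the posts. Run on a real file with:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"

# Constructed weak configuration: passwords and root login both allowed.
WEAK_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed hardened configuration. The second PermitRootLogin line is
# deliberately there to show that sshd ignores it: the first value wins.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes'

# Print the effective value of a keyword (case-insensitive, first value
# wins, global section only) or "default" if it is not set.
# Usage: effective "<config text>" Keyword
effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }'
}

# Report each point as OK or WEAK; succeed only when all three pass.
# Only "no" counts as OK for PermitRootLogin, matching the "block root
# login" advice; unset means sshd's own default, prohibit-password, which
# still lets root in with a key. PasswordAuthentication defaults to yes.
audit_sshd_config() {
    ok=0
    root=$(effective "$1" PermitRootLogin)
    pw=$(effective "$1" PasswordAuthentication)
    pk=$(effective "$1" PubkeyAuthentication)
    case "$root" in
        no) echo "PermitRootLogin=$root OK" ;;
        *)  echo "PermitRootLogin=$root WEAK (set it to no)"; ok=1 ;;
    esac
    case "$pw" in
        no) echo "PasswordAuthentication=$pw OK" ;;
        *)  echo "PasswordAuthentication=$pw WEAK (yes is the default; use keys)"; ok=1 ;;
    esac
    case "$pk" in
        yes|default) echo "PubkeyAuthentication=$pk OK" ;;
        *)           echo "PubkeyAuthentication=$pk WEAK (keys are disabled)"; ok=1 ;;
    esac
    return $ok
}
```

Before turning PasswordAuthentication off on a remote box, confirm a key login already works from a second session, and keep Fail2Ban in place anyway: it limits the noise from brute-force attempts that the auth.log will otherwise fill up with.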
 
Just for schites & giggles I got myself a shell account on freeshells.org and SSH'd from there, and it worked fine!

To think I was pulling my hair out when everything I set up was actually fine :D

I must try my ancient router as I'm pretty sure I did this before on that router...

Aaah... a lot of routers have that issue with Dynamic DNS. I remember not being able to connect via domain name locally on wifi (used the IP address), but I used to connect my client via a 3G connection and connect via domain name without a problem.
 