• SSH from Internet to Pi

    From Vincent Coen@2:250/1 to Geeknix on Sun Apr 23 01:06:14 2023
    Hello Geeknix!

    Saturday April 22 2023 23:00, you wrote to All:

    I'd like to ask for tips. I have a Pi running a number of services.
    One is SSH to allow Telnet access via Putty. I use certificates
    for authentication. While at home on LAN I can Putty into the Pi just
    fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Silly questions, but have you opened SSH (instead of telnet - very low security) and have you set up secure key authority etc.

    Small point - on mine systems I have extra security set to verify all MAC addresses as well as user / passwords and they are only allowed using defined ip addresses in a specific network and no I have no need to get through from outside but do have a box set up as a concentrator if needs must with security set to above B1.


    Vincent

    --- Mageia Linux v8 X64/Mbse v1.0.8.3/GoldED+/LNX 1.1.5-b20180707
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)
  • From Geeknix@3:770/3 to All on Sat Apr 22 23:00:04 2023
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Thanks!

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
    --[ /query geeknix on libera.chat | tilde.chat ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Theo@3:770/3 to Geeknix on Sun Apr 23 04:04:02 2023
    Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Do you have any firewalling on the Pi, router or ISP that might interfere?
    Try a different external port other than 22?

    To see logs:

    On the client, Putty has a logging window that tells you what happened on
    its side of the connection. On the server, /var/log/auth.log often tells
    you if there was a problem with keys or similar.

    Post the logs here if you need help with them.

    Theo

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
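
Added example, not part of any post in this thread: a small triage of sshd lines from /var/log/auth.log that separates LAN clients from outside clients, since the question here is whether forwarded connections reach the Pi at all. The /24 LAN range, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the home LAN is the /24 around the Pi's address given in the thread.
LAN = ipaddress.ip_network("192.168.0.0/24")

SSHD = re.compile(r"\bsshd\[\d+\]: (?P<msg>.*)$")
# OpenSSH message shapes; "Connection from" is only logged at LogLevel VERBOSE.
EVENTS = [
    ("accepted", re.compile(r"Accepted \S+ for \S+ from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(
        r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")),
    ("dropped-preauth", re.compile(
        r"(?:Connection closed by|Disconnected from) "
        r"(?:(?:authenticating|invalid) user \S+ )?(?P<ip>\S+) port \d+ \[preauth\]")),
    ("connect", re.compile(r"Connection from (?P<ip>\S+) port \d+ on \S+ port \d+")),
]

def triage(lines):
    """Count sshd events per origin ('lan' or 'wan'), ignoring other daemons."""
    seen = {"lan": Counter(), "wan": Counter()}
    for line in lines:
        m = SSHD.search(line)
        if not m:
            continue
        for name, rx in EVENTS:
            hit = rx.search(m.group("msg"))
            if not hit:
                continue
            try:
                addr = ipaddress.ip_address(hit.group("ip"))
            except ValueError:
                break                      # not an address, skip the line
            seen["lan" if addr in LAN else "wan"][name] += 1
            break
    return seen

def verdict(seen):
    """Summarise how far outside connections got."""
    wan = seen["wan"]
    if not wan:
        return "no-wan-traffic"        # nothing from outside reached sshd: look at the router
    if wan["accepted"]:
        return "wan-login-ok"
    if wan["failed"] or wan["dropped-preauth"]:
        return "wan-auth-problem"      # reached sshd, key or user rejected (or scanner noise)
    return "wan-connect-only"

# Constructed sample lines (hostname, PIDs, addresses and fingerprint are made up).
LAN_ONLY = [
    "Apr 30 12:40:01 raspberrypi sshd[811]: Connection from 192.168.0.23 port 50112 on 192.168.0.181 port 22",
    "Apr 30 12:40:02 raspberrypi sshd[811]: Accepted publickey for pi from 192.168.0.23 port 50112 ssh2: ED25519 SHA256:CONSTRUCTED",
    "Apr 30 12:41:10 raspberrypi CRON[900]: pam_unix(cron:session): session opened for user root",
]
WITH_WAN = LAN_ONLY + [
    "Apr 30 12:45:30 raspberrypi sshd[840]: Connection from 203.0.113.7 port 40022 on 192.168.0.181 port 22",
    "Apr 30 12:45:31 raspberrypi sshd[840]: Connection closed by authenticating user pi 203.0.113.7 port 40022 [preauth]",
]

if __name__ == "__main__":
    for name, sample in (("LAN_ONLY", LAN_ONLY), ("WITH_WAN", WITH_WAN)):
        print(name, verdict(triage(sample)))
```

Some routers rewrite the source address of forwarded connections to their own LAN address, in which case outside logins show up under "lan"; compare timestamps with the connection attempt when in doubt.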
  • From Geeknix@3:770/3 to Vincent Coen on Sun Apr 23 10:30:04 2023
    On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:
    Hello Geeknix!

    Saturday April 22 2023 23:00, you wrote to All:

    I'd like to ask for tips. I have a Pi running a number of services.
    One is SSH to allow Telnet access via Putty. I use certificates
    for authentication. While at home on LAN I can Putty into the Pi just
    fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this works with other services like web server. So I know DDNS and port forwarding works.

    Silly questions, but have you opened SSH (instead of telnet - very low security) and have you set up secure key authority etc.

    Not sure what you mean, when I open the port on the router I have
    selected All (i.e. TCP and UDP) for port 22.

    Small point - on mine systems I have extra security set to verify all MAC addresses as well as user / passwords and they are only allowed using defined ip addresses in a specific network and no I have no need to get through from outside but do have a box set up as a concentrator if needs must with security
    set to above B1.

    I have disabled username/password and only accept pre-shared keys.

    Thanks Vincent.

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
    --[ /query geeknix on libera.chat | tilde.chat ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Geeknix@3:770/3 to Theo on Sun Apr 23 10:30:04 2023
    On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:
    Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Do you have any firewalling on the Pi, router or ISP that might interfere? Try a different external port other than 22?

    Thanks for your reply. I haven't knowingly setup a firewall on the Pi
    perhaps the router has one but the same steps I use to allow HTTP and
    Minecraft have opened those ports for use.

    On the client, Putty has a logging window that tells you what happened on
    its side of the connection.

    Great, I'll try and figure out how to see that window.

    On the server, /var/log/auth.log often tells you if there was a problem
    with keys or similar.

    I'll check that out also. Thank you.

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
    --[ /query geeknix on libera.chat | tilde.chat ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Geeknix on Sun Apr 23 12:00:16 2023
    On 23/04/2023 00:00, Geeknix wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Thanks!

    Should be no different. I have a similar setup here - Ah!

    I remember. I couldn't forward port 22. The router was using it for
    secure remote login.

    Just try using an arbitrary high port on the router.



    --
    You can get much farther with a kind word and a gun than you can with a
    kind word alone.

    Al Capone

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Martin Gregorie@3:770/3 to Geeknix on Sun Apr 23 11:12:02 2023
    On Sun, 23 Apr 2023 10:30:04 GMT, Geeknix wrote:

    On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:
    Hello Geeknix!

    Saturday April 22 2023 23:00, you wrote to All:

    I'd like to ask for tips. I have a Pi running a number of services.
    One is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just
    fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now
    this works with other services like web server. So I know DDNS and
    port forwarding works.

    Silly questions, but have you opened SSH (instead of telnet - very low
    security) and have you set up secure key authority etc.

    Not sure what you mean, when I open the port on the router I have
    selected All (i.e. TCP and UDP) for port 22.

    Small point - on mine systems I have extra security set to verify all
    MAC addresses as well as user / passwords and they are only allowed
    using defined ip addresses in a specific network and no I have no need
    to get through from outside but do have a box set up as a concentrator
    if needs must with security set to above B1.

    I have disabled username/password and only accept pre-shared keys.

    Thanks Vincent.

    Pedantry, maybe, but Telnet != ssh

    Telnet offers a very basic tty-like service over a plaintext channel,
    while ssh provides a secure, encrypted service. Their connection protocols
    are not compatible.

    Similarly with ftp vs. ssh2 for file transfers: I wouldn't dream of using telnet, ftp or Kermit outside my LAN, which is firewalled off from the
    wider Internet, but I have no problems with using ssh or ssh2 to log in to
    a remote (trusted) system or to transfer files to or from them.


    --

    Martin | martin at
    Gregorie | gregorie dot org

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Geeknix@3:770/3 to Theo on Sun Apr 23 10:30:06 2023
    On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:
    Try a different external port other than 22?

    I have tried port 4444 for external access, that still forwards to port
    22 on the Pi.

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
    --[ /query geeknix on libera.chat | tilde.chat ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Geeknix on Sun Apr 23 12:22:52 2023
    On 23/04/2023 11:30, Geeknix wrote:
    On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:
    Try a different external port other than 22?

    I have tried port 4444 for external access, that still forwards to port
    22 on the Pi.

    Hmm. Let me see how I did it here.
    Ok I used a high port on the router and 22 on the target machine

    Worked for me on *86 platform. Mint. so basically debian with frills

    Have you enabled global access to sshd in /etc/ssh/sshd.config and friends?

    I think that is the default, but check anyway

    Match Address is the line to look at. I think

    Ok a good way to test this is to telnet to the ssh port on your public interface and see whether the daemon is responding or not

    $telnet media.larksrise.com 2345
    Trying 212.69.38.60...
    Connected to media.larksrise.com.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

    ....etc. Oh, I edited the port number, so don't get cute


    --
    All political activity makes complete sense once the proposition that
    all government is basically a self-legalising protection racket, is
    fully understood.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
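
Added example, not part of any post in this thread: the telnet banner test above as a script that classifies what answers on a port and compares the banner seen on the LAN with the one seen through the forwarded port, which exposes the case mentioned earlier where the router's own SSH service holds the port. Function names and result codes are hypothetical; the second banner in the demo is constructed.

```python
import socket

def parse_ident(raw):
    """Return the SSH identification line (RFC 4253 section 4.2) as a dict,
    or None if raw holds no complete 'SSH-...' line yet."""
    for line in raw.split(b"\n")[:-1]:           # last piece is unterminated
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            parts = line.decode("ascii", "replace").split("-", 2)
            if len(parts) == 3:
                software, _, comment = parts[2].partition(" ")
                return {"proto": parts[1], "software": software, "comment": comment}
    return None

def probe(host, port, timeout=5.0):
    """Connect like the telnet test and classify what answered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("no-reply", None)
    except OSError as exc:
        return ("error", str(exc))
    raw = b""
    with sock:
        try:
            while len(raw) < 1024 and parse_ident(raw) is None:
                chunk = sock.recv(1024 - len(raw))
                if not chunk:
                    break
                raw += chunk
        except OSError:                           # read timeout or reset
            pass
    ident = parse_ident(raw)
    return ("ssh", ident) if ident else ("open-not-ssh", None)

# What each result code suggests for the port-forwarding problem in this thread.
HINTS = {
    "refused": "something answered with a reset: nothing listens where the forward points",
    "no-reply": "packets dropped: router firewall, missing forward rule or ISP filtering",
    "open-not-ssh": "a different service owns this port",
    "different-server": "the port ends on another SSH daemon, e.g. the router's own login",
    "error": "local network or name resolution problem",
    "ok": "sshd is reachable; check the PuTTY log and /var/log/auth.log for key problems",
}

def diagnose(lan, wan):
    """Compare a probe of the Pi's LAN address with a probe of the public port."""
    state, ident = wan
    if state != "ssh":
        return state
    if lan[0] == "ssh" and lan[1]["software"] != ident["software"]:
        return "different-server"
    return "ok"

if __name__ == "__main__":
    # Offline demo: first banner is the one quoted in the post, second is constructed.
    lan = ("ssh", parse_ident(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"))
    wan = ("ssh", parse_ident(b"SSH-2.0-dropbear_2020.81\r\n"))
    code = diagnose(lan, wan)
    print(code, "-", HINTS[code])
```

Run the public-side probe from outside the home network (a phone hotspot, for instance), because many routers do not loop connections from the LAN back to their own public address.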
  • From Martin Gregorie@3:770/3 to Geeknix on Sun Apr 23 11:21:28 2023
    On Sun, 23 Apr 2023 10:30:05 GMT, Geeknix wrote:

    On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:
    Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services.
    One is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Do you have any firewalling on the Pi, router or ISP that might
    interfere?
    Try a different external port other than 22?

    Thanks for your reply. I haven't knowingly setup a firewall on the Pi
    perhaps the router has one but the same steps I use to allow HTTP and Minecraft have opened those ports for use.

    On the client, Putty has a logging window that tells you what happened
    on its side of the connection.

    Great, I'll try and figure out how to see that window.

    On the server, /var/log/auth.log often tells you if there was a
    problem with keys or similar.

    I'll check that out also. Thank you.

    Use 'nmap' to see what ports are accessible on your firewall, rpi's etc
    from inside your LAN.

    http://grc.com/ - the Gibson Research Corp - provides "Shields Up", which
    scans your firewall from the outside and reports which ports are
    accessible to an intruder.

    --

    Martin | martin at
    Gregorie | gregorie dot org

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Vincent Coen@2:250/1 to Geeknix on Sun Apr 23 15:57:32 2023
    Hello Geeknix!

    Sunday April 23 2023 10:30, you wrote to me:

    On 2023-04-22, Vincent Coen
    <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:
    Hello Geeknix!

    Saturday April 22 2023 23:00, you wrote to All:

    I'd like to ask for tips. I have a Pi running a number of
    services.
    One is SSH to allow Telnet access via Putty. I use certificates
    for authentication. While at home on LAN I can Putty into the Pi
    just
    fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now
    this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    Silly questions, but have you opened SSH (instead of telnet - very
    low security) and have you set up secure key authority etc.

    Not sure what you mean, when I open the port on the router I have
    selected All (i.e. TCP and UDP) for port 22.


    Should only be TCP - according to my router settings for port trigger but both for port forwarding so look correct.

    Small point - on mine systems I have extra security set to verify
    all MAC addresses as well as user / passwords and they are only
    allowed using defined ip addresses in a specific network and no I
    have no need to get through from outside but do have a box set up as
    a concentrator if needs must with security set to above B1.

    I have disabled username/password and only accept pre-shared keys.

    Yep, for ssh that is best as far as I know but I have extra security that means
    users system must have declared MAC code (I also make use of users CPU
    model and serial numbers - but that was an experiment that seems to work.



    Vincent

    --- Mageia Linux v8 X64/Mbse v1.0.8.3/GoldED+/LNX 1.1.5-b20180707
    * Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)
  • From Chris Green@3:770/3 to Theo on Sun Apr 23 18:27:00 2023
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this works with other services like web server. So I know DDNS and port forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Do you have any firewalling on the Pi, router or ISP that might interfere? Try a different external port other than 22?

    Yes, on many routers you not only have to configure the port
    forwarding you also have to open up the relevant ports on the
    firewall.

    --
    Chris Green

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Chris Green on Mon Apr 24 09:39:18 2023
    On 23/04/2023 18:27, Chris Green wrote:
    Theo <theom+news@chiark.greenend.org.uk> wrote:
    Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Do you have any firewalling on the Pi, router or ISP that might interfere? Try a different external port other than 22?

    Yes, on many routers you not only have to configure the port
    forwarding you also have to open up the relevant ports on the
    firewall.

    I think he said he already tried that.
    --
    Microsoft : the best reason to go to Linux that ever existed.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Geeknix@3:770/3 to Geeknix on Mon Apr 24 20:59:56 2023
    On 23/04/2023 07:00, Geeknix wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    Thanks for all the replies, I'm away from home until Wednesday (SG
    time), I'll try the suggestions then and let you all know the outcome!

    RenMas

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net|https|telnet=2023|ssh=2222 ]--
    --[ Remove the fruit and digits for valid email address ]--
    --[ usenet <at> apple.geeknix135.net ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Nikolaj Lazic@3:770/3 to All on Mon Apr 24 15:35:20 2023
    Dana Sun, 23 Apr 2023 10:30:04 GMT, Geeknix <usenet@apple.geeknix135.net> napis'o:
    On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:
    Hello Geeknix!

    Saturday April 22 2023 23:00, you wrote to All:

    I'd like to ask for tips. I have a Pi running a number of services.
    One is SSH to allow Telnet access via Putty. I use certificates
    for authentication. While at home on LAN I can Putty into the Pi just
    fine using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    Silly questions, but have you opened SSH (instead of telnet - very low
    security) and have you set up secure key authority etc.

    Not sure what you mean, when I open the port on the router I have
    selected All (i.e. TCP and UDP) for port 22.

    Ok, but you have to forward that port to your 102.168.0.181:22


    Small point - on mine systems I have extra security set to verify all MAC
    addresses as well as user / passwords and they are only allowed using defined
    ip addresses in a specific network and no I have no need to get through from outside but do have a box set up as a concentrator if needs must with security
    set to above B1.

    I have disabled username/password and only accept pre-shared keys.

    Thanks Vincent.


    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Nikolaj Lazic@3:770/3 to All on Mon Apr 24 15:38:50 2023
    Dana Mon, 24 Apr 2023 20:59:57 +0800, Geeknix <usenet@apple.geeknix135.net> napis'o:
    On 23/04/2023 07:00, Geeknix wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for
    authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    Thanks for all the replies, I'm away from home until Wednesday (SG
    time), I'll try the suggestions then and let you all know the outcome!

    You can also forward some higher port to your 192.168.0.181:22
    You have to do that on your router provided by your ISP.

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From Geeknix@3:770/3 to Geeknix on Sun Apr 30 13:00:02 2023
    On 2023-04-22, Geeknix <usenet@apple.geeknix135.net> wrote:
    I'd like to ask for tips. I have a Pi running a number of services. One
    is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
    using IP 192.168.0.181:22

    I have dynamic DNS for external access so I can use address
    <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
    works with other services like web server. So I know DDNS and port
    forwarding works.

    What could be blocking SSH? Anyway to check logs on Pi?

    Thank you everyone for your replies. I tried everything you mentioned
    and it all looked good. I turned on logging in Putty and more detailed
    logs in auth.log on sshd.

    When fiddling with the router firewall I noticed I had 2 port forwards
    to 22 on the Pi. Basically I was forwarding 4440 (changed from 4444 as
    it seemed to be used by other protocols) and 22 from external to local
    22. I deleted external 22 and left only 4440. And it started working
    around this time, so I suspect I created some kind of clash on the
    router!?

    Anyway, is really great I can now access my Pi with SSH. Thanks again!

    --
    Don't be afraid of the deep...
    --[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
    --[ /query geeknix on libera.chat | tilde.chat ]--

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
  • From The Natural Philosopher@3:770/3 to Geeknix on Sun Apr 30 14:49:36 2023
    On 30/04/2023 14:00, Geeknix wrote:

    Anyway, is really great I can now access my Pi with SSH. Thanks again!

    👍

    --
    “Some people like to travel by train because it combines the slowness of
    a car with the cramped public exposure of an airplane.”

    Dennis Miller

    --- SoupGate-Win32 v1.05
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)