SSH refused from external network, works on internal network


10 posts
by jamesspader » Fri Oct 18, 2013 5:24 pm
Hi all,

I've run into a bit of a problem when setting my raspberry pi up to be a small webserver.

I've installed raspbian and nginx without problem. I have also been able to access the raspberry pi from my local network over ssh without issue. My nginx start page (i.e. the nginx hello world) is accessible from outside my local network and ports 80 and 22 have been forwarded in my router (80 is passed through to 80 and 22 to 22222) so I don't think it's an issue with my network setup.

When I attempt to access my raspberry pi over the internet using ssh
ssh -v -p 22222 user@myaddress.com

I get a connection refused message. I've cleared my iptables rules and commented out the AllowUsers option in my, amateur at best, attempts at figuring out what's the issue.

Any ideas? Anything I can try to diagnose what's going on?

Thanks!
Posts: 5
Joined: Fri Oct 18, 2013 5:15 pm
by DeeJay » Fri Oct 18, 2013 5:31 pm
jamesspader wrote: ports 80 and 22 have been forwarded in my router (80 is passed through to 80 and 22 to 22222)

[... ]

When I attempt to access my raspberry pi over the internet using ssh
ssh -v -p 22222 user@myaddress.com

I get a connection refused message.


The port on your router that is visible to the Internet is 22. That's what you need to specify in the connection. (For ssh that's probably the default and might be omitted?)

ssh -v -p 22 user@myaddress.com
How To Ask Questions The Smart Way: http://www.catb.org/~esr/faqs/smart-questions.html
How to Report Bugs Effectively: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Posts: 2033
Joined: Tue Jan 01, 2013 9:33 pm
Location: East Midlands, UK
by jamesspader » Fri Oct 18, 2013 5:41 pm
Sorry, perhaps I was unclear, 22222 is the internet facing port from my router I am using for ssh connections (i.e. the router passes ssh connections from port 22222 (external) to 22 (internal)). Port 22 constantly timed out from outside my network and nmap suggested 22 was being filtered, so I changed it to ensure it wasn't an ISP issue... Is this not something I should do? I thought port forwarding was rather common.

Thanks!
by DeeJay » Fri Oct 18, 2013 5:47 pm
jamesspader wrote: Sorry, perhaps I was unclear, 22222 is the internet facing port from my router I am using for ssh connections (i.e. the router passes ssh connections from port 22222 (external) to 22 (internal)).


Clearly that wasn't the way I interpreted what you wrote. What you describe should work if you implemented it correctly on your router.

Port 22 constantly timed out from outside my network and nmap suggested 22 was being filtered, so I changed it to ensure it wasn't an ISP issue... Is this not something I should do? I thought port forwarding was rather common.

Thanks!


Have you re-checked that your new service port is not being blocked?

Port forwarding is very common. There's even a website about it.
by jamesspader » Fri Oct 18, 2013 5:49 pm
Just to show what I was saying, attached is the port forwarding section of my router
[attachment: ports.png, the router's port forwarding table]
by DougieLawson » Fri Oct 18, 2013 5:52 pm
I don't expose my RPi to the public internet (because my Ubuntu server is doing that and I can use it as a gateway to my RPi).

On Ubuntu I got UFW installed as part of the basic software. It's definitely the easiest way to fiddle with the kernel ip tables.

sudo apt-get update
sudo apt-get install ufw

sudo ufw allow ssh
sudo ufw enable

https://help.ubuntu.com/community/UFW has lots of docs for it.

But beware, as soon as an SSH port is open your machine will be attacked from thousands of addresses all the time (changing to port 22222 doesn't work, security by obscurity isn't security). You'll also get a lot of unwelcome visitors hitting port 80 (search engines that don't read robots.txt are the worst, they suck bandwidth and cpu when they hit your webserver).

Here's my most recent unwelcome SSH visitor
Oct 18 14:52:47 the-doctor sshd[30011]: Failed password for root from 207.7.92.99 port 52850 ssh2


So you a) need to check for security fixes for sshd every single day, and b) need to ensure that the root user has a password that isn't simple ("1234" or "password" or "root") or a dictionary word. http://xkcd.com/936/

Here's the latest website hacker
error.log:[Fri Oct 18 01:03:01 2013] [error] [client 58.211.18.184] Invalid URI in request GET <title>phpMyAdmin HTTP/1.1
error.log:[Fri Oct 18 01:03:02 2013] [error] [client 58.211.18.184] File does not exist: /srv/www/homelinux/public-internet/phpmyadmin


They get blocked with a tool called fail2ban (which should work on an RPi since it's written in python).

To test what's open from your machine to the Public Internet head over to http://www.yougetsignal.com/tools/open-ports/
Hacker on ZX80, Microtan65, Raspberry Pis and Arduinos
Unemployed mainframe database troubleshooter
RPi owner since 2012.
Twitter: @DougieLawson

Gaffer tape is "The Force", it has a dark side and a light side and it holds the Universe together.
Posts: 7211
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
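The "Failed password" line quoted above is exactly what fail2ban keys on: it counts failures per source address inside a time window and acts once a threshold is crossed. The following is an added example (not code from the thread or from fail2ban) that applies the same rule to a few constructed auth.log lines, so you can see which address would be flagged and when. The log lines, the hostname, the year and the threshold values are assumptions; the first line is modelled on the one DougieLawson posted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (syslog timestamps carry no year).
# 207.7.92.99 is the address quoted in the thread; the other lines are made up.
SAMPLE_LOG = """\
Oct 18 14:52:47 the-doctor sshd[30011]: Failed password for root from 207.7.92.99 port 52850 ssh2
Oct 18 14:52:49 the-doctor sshd[30011]: Failed password for root from 207.7.92.99 port 52850 ssh2
Oct 18 14:52:52 the-doctor sshd[30013]: Failed password for invalid user admin from 207.7.92.99 port 52851 ssh2
Oct 18 14:53:01 the-doctor sshd[30015]: Failed password for root from 207.7.92.99 port 52860 ssh2
Oct 18 14:53:04 the-doctor sshd[30015]: Failed password for root from 207.7.92.99 port 52860 ssh2
Oct 18 15:10:00 the-doctor sshd[30100]: Failed password for pi from 198.51.100.7 port 40000 ssh2
Oct 18 15:10:30 the-doctor sshd[30101]: Accepted publickey for pi from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (sshd emits both forms).
FAILED_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_failures(text, year=2013):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['ip'], m['user']))
    return events


def offenders(events, maxretry=5, findtime=600):
    """Apply a fail2ban-style rule: an IP is flagged once it has produced
    `maxretry` failures within any `findtime`-second window.
    Returns {ip: timestamp of the failure that tripped the threshold}."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = t
                break
    return flagged


if __name__ == "__main__":
    for ip, when in offenders(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip} crossed the threshold at {when:%b %d %H:%M:%S}")
```

With the defaults (5 failures in 10 minutes, the same numbers fail2ban's stock sshd jail used for years) only 207.7.92.99 is flagged; the single failure from 198.51.100.7 followed by an accepted key login is the normal signature of a legitimate user mistyping once.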
by DougieLawson » Fri Oct 18, 2013 5:54 pm
jamesspader wrote: Just to show what I was saying, attached is the port forwarding section of my router


Have you given your RPi a fixed IP address and used that in the router? You can't rely on DHCP always handing out the same address when the lease expires.

Have you used dyndns or no-ip or http://freedns.org to give your public IP address a nice name that moves when your ISP assigns a new address for you?
by jamesspader » Fri Oct 18, 2013 6:02 pm
Yes, 22222 doesn't appear to be blocked, but it is reading as filtered [attachment: nmap.png, nmap output]. Perhaps due to SPI filtering in my router settings? I was under the impression that SPI is rather necessary though...

I do have some iptables rules, but for now they are removed while I figure out what's going wrong.

I am aware of a lot of the issues I'll be facing with "bad people", I've been looking at a bunch of home hosted webserver resources so I'm trying to mitigate my risk.

I am currently set up through no-ip as a dynamic dns service. I'm trying to get around their restriction on domain name service by forwarding requests from my owned domain name through their no-ip address via CNAME. Seems to work for others so I'm sticking with it for now.
by jamesspader » Fri Oct 18, 2013 6:08 pm
OK, after some other online reading, I tried sshing to my domain's ip address...and it worked! So do you think it's an issue with my domain's cname not forwarding the ssh connection properly to the no-ip.com address?

To reiterate
ssh -p 22222 user@ipaddress
works completely
ssh -p 22222 user@domain.com
connection refused

Thanks for all your help everyone
by jojopi » Fri Oct 18, 2013 6:58 pm
jamesspader wrote: ssh -p 22222 user@ipaddress
ssh -p 22222 user@domain.com
These are identical, providing that domain.com resolves to ipaddress and only ipaddress, and assuming that you do not have host-specific rules in ~/.ssh/config. "ssh -v" will confirm which IP and port it is attempting to connect to.

If you have put a CNAME on the top-level node of a DNS zone (such as example.com, rather than host.example.com), then that is invalid. CNAME must be the only record on its node, so it clashes with the essential SOA and NS records if used at the top of a delegated zone.
Posts: 2122
Joined: Tue Oct 11, 2011 8:38 pm
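jojopi's two points, that the hostname and the raw IP behave identically only if the name resolves to that one address, and that a CNAME cannot share a node with the SOA and NS records a zone apex must carry, can both be checked against a zone's record set without touching the network. The following is an added example, not code from the thread or from any DNS software: it takes a constructed set of records (documentation addresses and a made-up dynamic-DNS target, not the poster's real zone), reports every owner name where a CNAME coexists with other record types, and resolves a name by following its CNAME chain to the final A records.

```python
from collections import defaultdict

# Constructed zone records as (owner, type, rdata). The apex CNAME on
# "example.com." reproduces the invalid setup jojopi describes; the
# addresses are RFC 5737 documentation addresses, not real hosts.
RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "CNAME", "myhost.dyndns.example."),      # invalid: apex already has SOA+NS
    ("www.example.com.", "CNAME", "myhost.dyndns.example."),  # valid: only record on its node
    ("myhost.dyndns.example.", "A", "203.0.113.10"),
    ("ns1.example.com.", "A", "203.0.113.53"),
]


def by_owner(records):
    """Group records by owner name (case-insensitive, as DNS names are)."""
    table = defaultdict(list)
    for owner, rtype, rdata in records:
        table[owner.lower()].append((rtype.upper(), rdata))
    return table


def cname_conflicts(records):
    """Owner names where a CNAME shares its node with other record types.
    RFC 1034 requires CNAME to be the only record on its node, which is why a
    CNAME at a zone apex (which must carry SOA and NS) is invalid.
    Returns {owner: sorted list of the conflicting non-CNAME types}."""
    conflicts = {}
    for owner, rrs in by_owner(records).items():
        types = {rtype for rtype, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            conflicts[owner] = sorted(types - {"CNAME"})
    return conflicts


def resolve_a(name, records, max_hops=8):
    """Follow CNAMEs from `name` and return the A records it ends at.
    Returns [] when the chain ends with no A record; raises on a CNAME loop
    or a chain longer than `max_hops` (resolvers also give up in both cases)."""
    table = by_owner(records)
    visited = set()
    name = name.lower()
    for _ in range(max_hops):
        rrs = table.get(name, [])
        addresses = [rdata for rtype, rdata in rrs if rtype == "A"]
        if addresses:
            return addresses
        cnames = [rdata for rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            return []
        if name in visited:
            raise ValueError(f"CNAME loop at {name}")
        visited.add(name)
        name = cnames[0].lower()
    raise ValueError("CNAME chain exceeds max_hops")


if __name__ == "__main__":
    for owner, types in cname_conflicts(RECORDS).items():
        print(f"{owner}: CNAME conflicts with {', '.join(types)}")
    print("www.example.com. ->", resolve_a("www.example.com.", RECORDS))
```

The check reports the apex as conflicting with NS and SOA, while www.example.com. resolves cleanly through its CNAME to 203.0.113.10. For the thread's situation the practical test is the one jojopi gives: `ssh -v` prints the address it is connecting to, and if that address is not the one that works directly, the name is the problem, not sshd or the router.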