appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

SSH & Port forwarding?

Tue Mar 31, 2015 11:14 pm

I can SSH into my RPi well on my local network without any problems.
I can also SSH into my RPi from outside my local network if I open port 22 on my Apple Airport Extreme.

From what I have been reading I may not want to use port 22 so I have been trying to open other ports without any success.

First off, when I go into my Airport Extreme port settings there is a drop-down menu that lets me select "Remote Login - SSH". When I select that it automatically adds 22 for "Public TCP Ports" and "Private TCP Ports". With that setting I can SSH into my RPi from outside my network. I can also run my Network Utility to scan for open ports and see that 22 is open.

The problem I have is if I manually change that 22 setting that is auto filled in to anything else. I have tried changing it to 2202, 2022 and some others. I have tried with my firewall turned off too. I once again use the Network Utility to scan for open ports and it can't find that 2202 or 2022 is open and I can no longer SSH into my RPi.

Any suggestion as to why I can't get anything but port 22 to work? Any problem just using port 22?

Thanks,

MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: SSH & Port forwarding?

Wed Apr 01, 2015 12:42 am

If your RPi is going to be on the 'outside' you really should set the ssh port to something other than 22. I'm confused about what you've tried so far. Do things in two steps. First make sure the new port works 'inside' your network. Then worry about forwarding it to the outside. Some setups do not allow forwarding certain ranges of ports, so you need to understand your firewall, and forward a port that is permitted.

First you need to set up your ssh daemon on your RPi so that it is expecting connections on a new port. Which config file are you modifying to do this?

Then you need to modify your firewall, so that the new port is forwarded (the ssh service needs to be forwarded as well the port range or number).


Make sure your new port will work 'inside' your network first... then move on to the firewall (airport)
marcus
:ugeek:

klricks
Posts: 7211
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA
Contact: Website

Re: SSH & Port forwarding?

Wed Apr 01, 2015 1:09 am

If your router allows it you can link the internal port 22 to an external port xxxx.
If you can't do that in the router then you will have to edit the SSH config file to match the external port.


sudo nano /etc/ssh/sshd_config
Unless specified otherwise my response is based on the latest and fully updated RPiOS Buster w/ Desktop OS.

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 4:07 am

Maybe this is more of an Apple Airport Extreme router question than an RPi question.

I will try and explain my problem a little better.

I can SSH into my RPi well on the same wifi without any problem.

I can also SSH into my RPi well not on the same network just as long as I have port 22 open on my router.

The problem I run into is getting anything but port 22 to open up on my router.

As shown in the attachment. If I select "Remote Login - SSH" the 22 is automatically filled in for me.
[Attachment: apu.jpg]
I can then use my "Network Utility" to scan for open ports and it will show port 22 is open for SSH.

If I leave this setting on 22 everything works great. If I change it to what ever, 555 for example, and then scan for open ports 555 is not open.
Probably more of an Apple Airport Extreme question than anything, as I can SSH to the RPi just fine. I just can't seem to open any ports other than 22 on my router for SSH.
Last edited by appliancejunk on Thu Apr 02, 2015 2:16 am, edited 2 times in total.

DougieLawson
Posts: 39626
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH & Port forwarding?

Wed Apr 01, 2015 8:43 am

MarkHaysHarris777 wrote:If your RPi is going to be on the 'outside' you really should set the ssh port to something other than 22.
Security by obscurity is no security at all.

Setting it up with something other than 22 doesn't stop the port scanners, it just delays them for a few seconds.

It's better to leave it at 22 and actively block every attempt to circumvent the security. Also disallow any access from outside your local LAN subnet with a userid/password. Force everyone coming in from outside to use a userid and key pair.

Fail2ban gives you a simple tool to add a blocking iptables rule for every failed access attempt.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.
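As an added example (not from this thread, and not fail2ban's own code) of the check that fail2ban automates: the script below reads constructed auth.log lines of the form OpenSSH logs through syslog, counts failed password attempts per source address inside a sliding window, and renders a blocking iptables rule for any address that crosses the threshold. The threshold and window (5 attempts within 10 minutes) are assumptions that mirror fail2ban's usual defaults, the exact rule form is illustrative, the log lines, hostnames and addresses are constructed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the thread). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges; 192.168.1.20 stands in for
# a host on the local LAN.
SAMPLE_AUTH_LOG = """\
Apr  1 08:40:01 raspberrypi sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr  1 08:40:03 raspberrypi sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
Apr  1 08:40:05 raspberrypi sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Apr  1 08:40:08 raspberrypi sshd[2106]: Failed password for root from 203.0.113.7 port 50125 ssh2
Apr  1 08:40:10 raspberrypi sshd[2108]: Failed password for pi from 203.0.113.7 port 50126 ssh2
Apr  1 08:41:00 raspberrypi sshd[2110]: Accepted publickey for pi from 192.168.1.20 port 51000 ssh2: RSA SHA256:constructed
Apr  1 08:42:15 raspberrypi sshd[2112]: Failed password for pi from 198.51.100.9 port 40001 ssh2
Apr  1 09:05:00 raspberrypi sshd[2120]: Failed password for pi from 198.51.100.9 port 40002 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_timestamp(ts, year=2015):
    """Syslog timestamps have no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10), year=2015):
    """Return {ip: time_of_ban} for every source that produced at least
    `maxretry` failed password attempts inside a `findtime` sliding window.
    This is the maxretry/findtime logic of a fail2ban jail, reduced to its core."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in bans:
            continue
        ip, t = m.group("ip"), parse_timestamp(m.group("ts"), year)
        window = recent[ip]
        window.append(t)
        while window and t - window[0] > findtime:   # drop attempts older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = t
    return bans


def iptables_rules(bans):
    """Render a blocking rule per banned address (illustrative form; fail2ban
    uses its own chain, but the effect is the same: drop that source on port 22)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    bans = find_bans(SAMPLE_AUTH_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} at {when}")
    for rule in iptables_rules(bans):
        print(rule)
```

Run against the sample, 203.0.113.7 (five failures in nine seconds) is banned at 08:40:10, while 198.51.100.9 (two failures 23 minutes apart) never fills the window. Reading only Failed password lines is deliberate: the Accepted publickey entry from the LAN address is the traffic you want to keep.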

gkreidl
Posts: 6351
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: SSH & Port forwarding?

Wed Apr 01, 2015 10:09 am

DougieLawson wrote:
MarkHaysHarris777 wrote:If your RPi is going to be on the 'outside' you really should set the ssh port to something other than 22.
Security by obscurity is no security at all.

Setting it up with something other than 22 doesn't stop the port scanners, it just delays them for a few seconds.

It's better to leave it at 22 and actively block every attempt to circumvent the security. Also disallow any access from outside your local LAN subnet with a userid/password. Force everyone coming in from outside to use a userid and key pair.

Fail2ban gives you a simple tool to add a blocking iptables rule for every failed access attempt.
It's no better security, but it keeps the script kiddies away ...
Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

Can-Toi
Posts: 68
Joined: Sat Mar 28, 2015 12:41 pm
Contact: Website

Re: SSH & Port forwarding?

Wed Apr 01, 2015 11:10 am

DougieLawson wrote:
MarkHaysHarris777 wrote:If your RPi is going to be on the 'outside' you really should set the ssh port to something other than 22.
Security by obscurity is no security at all.
Agreed, one should take additional measures.

However, I've got an experiment for you, an empirical one as well:
- Monitor public port 22 for SSH-requests
- Monitor another, unusual public port for SSH-requests

You'll see that by changing the port to anything other than the default, the number of SSH login attempts will drop by a percentage up to 90%.

However, those 10% that do "discover" the unusual port are probably the 10% to worry about anyway, so changing does not really add any real protection.
"The mind is the effect, not the cause"
- Daniel Dennett

DougieLawson
Posts: 39626
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: SSH & Port forwarding?

Wed Apr 01, 2015 11:17 am

I prefer to monitor and block all traffic on port 22. They may be less frequent when they're scanning on another port but those attacks are arriving with a more malicious purpose.

ddevejian
Posts: 14
Joined: Tue Mar 31, 2015 11:18 pm

Re: SSH & Port forwarding?

Wed Apr 01, 2015 1:00 pm

You're not clear which "22" you are changing. You want to change ONLY the first.

From the labels (and I am not familiar with the Airport) changing the first will forward port X to port 22 on your pi. Changing both will simply allow port X through to your pi, but your pi is still listening on 22. (Unless you modify the sshd.config to have it listen on X.) Changing only the second would forward port 22 to port X on your pi, which is almost certainly not what you want.

As others have pointed out, changing your ssh port from 22 is not much in the way of security. It will cut down on the number of attempts, but many attackers will still find your open port, and the ones that do will almost certainly be the ones you need to worry about.

If you are going to allow access from the internet, some minimal suggestions: deny root --"PermitRootLogin no" in your sshd.config and use a certificate for authentication rather than password -- see http://www.raspberrypi.org/documentatio ... ordless.md and then disable password authentication (ie, allow only certificate authentication) -- "PasswordAuthentication no" in your sshd.config.

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 5:41 pm

ddevejian wrote:Youre not clear which "22" you are changing. You want to change ONLY the first.
This was a big help and was the solution to my problem, thanks!

I was changing them both instead of just the first one. Since my router auto-filled both with 22, I just assumed I had to change them both. But after reading your reply the light went off in my head and a lot of what I read earlier about port forwarding started to make a lot more sense.

I can now change my "Public TCP Ports" to 2022 and leave the "Private TCP Port" set to 22, and then when I scan for open ports with my Network Utility app I see "Open TCP Port: 2022 down" displayed, showing me it's open.
As others have pointed out, changing your ssh port from 22 is not much in the way of security.
Yes, I understand that now and was more or less just trying to figure out port forwarding.
I have a much better understanding about port forwarding now, thanks.
If you are going to allow access from the internet, some minimal suggestions: deny root --"PermitRootLogin no" in your sshd.config and use a certificate for authentication rather than password -- see http://www.raspberrypi.org/documentatio ... ordless.md and then disable password authentication (ie, allow only certificate authentication) -- "PasswordAuthentication no" in your sshd.config.
Sounds like good information and I will definitely give it a try.

One more question about an open port.

If I don't have my RPi turned on, yet I still have my router set up to "Remote Login - SSH" port 22, my "Network Utility" app doesn't show port 22 open when I scan for open ports. The scanner only shows port 22 open once my RPi is turned on.

I can't really wrap my head around why it works that way. Even though I left port 22 open on my router it's not really open until something like my RPi is using the port?

Thanks

ddevejian
Posts: 14
Joined: Tue Mar 31, 2015 11:18 pm

Re: SSH & Port forwarding?

Wed Apr 01, 2015 6:39 pm

appliancejunk wrote:
This was a big help and was the solution to my problem, thanks!
I'm glad it worked out.
One more question about an open port.

If I don't have my RPi turned on, yet I still have my router set up to "Remote Login - SSH" port 22, my "Network Utility" app doesn't show port 22 open when I scan for open ports. The scanner only shows port 22 open once my RPi is turned on.

I can't really wrap my head around why it works that way. Even though I left port 22 open on my router it's not really open until something like my RPi is using the port?

Thanks
The router is only forwarding the packets to the pi, and then forwarding the pi's response back. The router is not responding to them as well. (Some routers can be configured to do so, but those are usually commercial not residential models and you need to know what you're doing to configure it.)

In somewhat more detail, assuming a syn scan (default on nmap and lots of others are built on nmap under the covers) what is happening is your port scanner sends a SYN packet to port 22 and expects an ACK packet in return. If it gets a RST or nothing, it assumes the port is closed, and ACK means the port is open. The firewall doesn't reply to the SYN, but passes it to the pi and then passes whatever the pi replies with on to the scanner. (With suitable changes to the source and destination fields in the ip header.) Now, if the pi is off, it does nothing, there is nothing for the router to forward, and after a timeout the scanner decides the port is closed. If the pi is on, but not running ssh (or running it on a different port), then the os will reply with a RST, which the scanner interprets as the port is closed. Only if ssh (or some other app) is running on port 22 will the pi respond with an ACK and the scanner registers the port is open (assuming the firewall then passes the ACK on to it.)
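An added example (not ddevejian's code) that shows the three outcomes described above from the scanner's side, using a plain connect() probe against localhost rather than a raw SYN scan: a listening socket completes the handshake (the SYN/ACK case, reported open), the same port once the listener is gone draws a RST (closed), and an address that never answers runs into the timeout (filtered, the "RPi is off" case). The listener and port are set up by the script itself; the standalone run's use of 192.0.2.1 (a documentation address that nothing should answer) is an assumption, and on a host with no route to it the probe reports unreachable instead of filtered.

```python
import socket


def probe_tcp(host, port, timeout=1.0):
    """Classify a TCP port the way a scanner's connect() probe sees it.

    open        handshake completed: something answered the SYN with SYN/ACK
    closed      the host answered with RST: nothing is listening there
    filtered    no answer before the timeout: host off, probe dropped, or
                a forward with nothing behind it
    unreachable the probe never left this host (no route to the address)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:        # RST came back
        return "closed"
    except socket.timeout:                # nothing came back at all
        return "filtered"
    except OSError:                       # e.g. ENETUNREACH / EHOSTUNREACH
        return "unreachable"
    finally:
        s.close()


def demonstrate():
    """Probe one loopback port with and without a listener on it.

    The listener never calls accept(): the kernel completes the handshake for
    anything in the listen backlog, which is all a scanner needs to see 'open'.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_service = probe_tcp("127.0.0.1", port)
    srv.close()                            # the 'service' goes away
    without_service = probe_tcp("127.0.0.1", port)
    return port, with_service, without_service


if __name__ == "__main__":
    port, with_service, without_service = demonstrate()
    print(f"127.0.0.1:{port} with a listener:   {with_service}")
    print(f"127.0.0.1:{port} listener closed:   {without_service}")
    # Constructed 'RPi is off' case: nothing answers at the documentation
    # address, so the probe should end in filtered (or unreachable if this
    # host has no route to it).
    print(f"192.0.2.1:22 (no host answers):     {probe_tcp('192.0.2.1', 22, timeout=1.0)}")
```

The same classification applies behind a forward: the router passes the probe to the private port, so what the scanner reports is whatever the machine on that port does with it, which is why the Network Utility scan only shows 22 open once the RPi is up and sshd is listening.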

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 7:33 pm

Awesome, thanks!

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 9:54 pm

ddevejian wrote: If you are going to allow access from the internet, some minimal suggestions: deny root --"PermitRootLogin no" in your sshd.config and use a certificate for authentication rather than password -- see http://www.raspberrypi.org/documentatio ... ordless.md and then disable password authentication (ie, allow only certificate authentication) -- "PasswordAuthentication no" in your sshd.config.
Looking at my sshd.config file I don't see -- "PermitRootLogin no".
Do I simply need to add it? I was thinking it would be there and I would just make sure it said no, and if it didn't, change yes to no, but I don't see it at all.

I also don't see -- "PasswordAuthentication no".
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: SSH & Port forwarding?

Wed Apr 01, 2015 10:12 pm

Yes. If they are not there, just add them.

That should be understood in most of these sort of situations...
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 11:08 pm

Sounds good, thanks.

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Wed Apr 01, 2015 11:19 pm

Well strange, seems "PermitRootLogin no" and "PasswordAuthentication no" are in my sshd_config file.

Just did not see them before as my terminal window was too small, and I thought I had tried scrolling down to see if there was more to the file and I could not scroll, so I thought what I was seeing was the complete file.

Well when I went back to add "PermitRootLogin no" and "PasswordAuthentication no" I had a larger terminal window already open and could see "PermitRootLogin no" and "PasswordAuthentication no" this time. :D

ddevejian
Posts: 14
Joined: Tue Mar 31, 2015 11:18 pm

Re: SSH & Port forwarding?

Wed Apr 01, 2015 11:52 pm

Are you sure? I just checked the sshd_config on my pi (I haven't changed anything there, so it still has the defaults) and both parameters are in there with a yes value.

Unless you had changed them earlier, I would double check the values.

Also, unless you are using a keyboard and screen, do not change PasswordAuthentication until you have generated yourself a key pair and tested that you can use them to ssh in.
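An added example (not from this thread) that serves two passages above: ddevejian's PermitRootLogin / PasswordAuthentication suggestion, and the "if they are not there, just add them" exchange. It is a small sshd_config reader that applies the rule from sshd_config(5) that the first value obtained for a keyword is the one used, so a line appended below an existing "PermitRootLogin yes" changes nothing, while editing the existing line does. The sample configs are constructed, modelled on the excerpt posted earlier in the thread; the defaults assumed for keywords a file does not set (yes for both, port 22) match OpenSSH releases of that era and are assumptions.

```python
import re

# Defaults assumed for keywords the file does not set. These match the OpenSSH
# releases of the thread's era; newer ones default PermitRootLogin to
# prohibit-password, so treat them as assumptions, not a reference.
ASSUMED_DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}


def effective_settings(config_text):
    """Return the global keyword values sshd would use for this text.

    sshd_config(5): for each keyword the FIRST value obtained is used, so a
    duplicate further down is ignored. Parsing stops at the first Match block,
    because lines under Match apply only when the match conditions hold.
    """
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)                # first value wins
    return effective


def hardening_findings(config_text):
    """List the two settings from the thread that are still at their permissive value."""
    eff = effective_settings(config_text)

    def current(key):
        return eff.get(key, ASSUMED_DEFAULTS[key]).lower()

    findings = []
    if current("permitrootlogin") == "yes":
        findings.append("PermitRootLogin is yes: edit the existing line to no")
    if current("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication is yes: set it to no only after key login is tested")
    return findings


# Constructed sample modelled on the stock file excerpt posted in the thread.
DEFAULT_LIKE = """\
# What ports, IPs and protocols we listen for
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PasswordAuthentication yes
"""

# "Just add them" at the end: the earlier 'yes' lines still win.
APPENDED = DEFAULT_LIKE + "\nPermitRootLogin no\nPasswordAuthentication no\n"

# Editing the existing lines is what actually changes the effective value.
EDITED = (DEFAULT_LIKE
          .replace("PermitRootLogin yes", "PermitRootLogin no")
          .replace("PasswordAuthentication yes", "PasswordAuthentication no"))


if __name__ == "__main__":
    for name, text in (("stock", DEFAULT_LIKE), ("appended", APPENDED), ("edited", EDITED)):
        print(f"{name:9s} port={effective_settings(text)['port']} findings={hardening_findings(text)}")
```

On a real system, `sudo sshd -T` prints the configuration sshd actually applies and is the quickest way to confirm an edit took effect; the Port value the script reports is also the one the router's "Private TCP Port" has to point at.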

appliancejunk
Posts: 19
Joined: Mon Nov 24, 2014 12:51 am
Location: South Dakota - U.S.A

Re: SSH & Port forwarding?

Thu Apr 02, 2015 12:32 am

I was wrong, both parameters are in there with a yes value for me too.

I just had a small terminal window open when I was looking for them and for some reason could not seem to figure out how to scroll down to view the rest of it, haha...

Thanks again everyone, you have all been so helpful.
