Can't ssh into raspberry pi from internet unless 0.0.0.0 Listen address is in sshd_config

[Danrancan]

I have sshd fully functional, secured, and working locally on my raspberry pi 4 raspbian web server. In my sshd_config if have two port addresses, and two ListenAddress's. One port address is for sshing locally, and the other is for ssh'ing from a different static ip (not the one my pi is using) across the internet into my Raspberry pi. Similarly, I one ListenAddress is that of a local IP on my network, and the other ListenAddress is that of my static public ip on a completely different internet connection using a proxy with a static ip.

My issue is, when my sshd_config file (partial) looks like this:

Code: Select all

# Port For Local SSH Traffic
Port 40001
# Port For Public SSH Traffic
Port 40002

# IP For All Traffic
ListenAddress 0.0.0.0
# IP For Local SSH Traffic
ListenAddress 192.168.1.2:40001
# IP For Public SSH Traffic
ListenAddress 205.206.207.208:40002

I can successfully ssh into my raspberry pi locally from the ip address 192.168.1.2:40001, as well as from across the internet from the ip address 205.206.207.208:40002.

However, when I comment out the ListenAddress 0.0.0.0, I can only access my raspberry pi locally from 192.168.1.2:40001 and not publicly from 205.206.207.208:40002. Instead I get "connection refused" errors from my public client. This tells me that somehow, (even though I am certain that my static public ip address is correct in my public ListenAddress), my raspberry pi's sshd server is not listening to my instructions and something is overriding the sshd server to listen for ssh access from the specified public ip address. With that being said, I have tried this with zero firewalls up on all devices, and still no luck.

Below is the sshd_config that I want to use, but wont work when trying to listen for a public ip.

Code: Select all

# Port For Local SSH Traffic
Port 40001
# Port For Public SSH Traffic
Port 40002

# IP For All Traffic
# 0.0.0.0
# IP For Local SSH Traffic
ListenAddress 192.168.1.2:40001
# IP For Public SSH Traffic
ListenAddress 205.206.207.208:40002

This only possible things that I did or noticed that I can think of which could be affecting this is:

• 1) In raspi-config settings, I added (or switched?) my hostname recently, but i don't think this should affect sshd
  2)In my /etc/hosts file, I noticed an extra ip address of

  Code: Select all

  127.0.1.1    MyPiServer

  which was not there before to my knowledge. I'm assuming this was added by some program from the LEMP server I am running on my pi, but I can't know which one.

My full hosts file looks like the following:

Code: Select all

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
ff02::1 	ip6-allnodes
ff02::2	ip6-allrouters

127.0.1.1	MyPiServer

This is pretty much all of the information that I can think of. Please, any help would be massively appreciated. Any means to debug and narrow down this problem would be splendid! I have been at this for days now with no success. Much appreciated everyone! Cheers!

[Danrancan]

Sorry, it wont let me edit my OP in regards the the formatting errors i made in my hosts file. Anyway, here is my full hosts file reformatted to fit:

My full hosts file looks like the following:

Code: Select all

127.0.0.1	localhost
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		p6-allrouters

127.0.1.1	MyPiServer

Please help?

[tpyo kingg]

Does your Raspberry Pi actually have two IP addresses?

If you are doing port forwarding from your router, your router sees it only with the LAN address, so you would use your LAN address for both ports.

[pi-anazazi]

I think you misinterpret the parameter ListenAddress, have a look here:

https://www.thegeekstuff.com/2011/05/openssh-options/

[tpyo kingg]

The syntax for ListenAddress looks correct, it is allowed to specify the port names. See "man sshd_config" for that. But sshd can only listen to addresses which are actually on the Raspberry Pi itself. That would be 192.168.1.2. The 205.206.207.208 address might be the router's address, I would guess.

[pi-anazazi]

No, in my opinion these are the REMOTE IPs (one on the same subnet, one public IP) that he wants to be allowed to connect via ssh. I could be wrong, but from readin the OP...

[Danrancan]

No, in my opinion these are the REMOTE IPs (one on the same subnet, one public IP) that he wants to be allowed to connect via ssh. I could be wrong, but from readin the OP...

You are absolutely correct with that. One is a local ip i side my local network, and the other is my public ip.

[tpyo kingg]

So your Raspberry Pi is connected directly to the outside net, not via a router with an external IP address of its own?

[Danrancan]

No, My raspberry pi is connected to my router, which has port forwarding as well as my DNS A records pointing to it. My pi receives a private ip address from the router, but it has direct access to the public ip address on certain ports via port forwarding.

[tpyo kingg]

Sorry I am obtuse in understanding your topology. How many network interfaces is your Raspberry Pi using and which addresses are on them? The port forwarding is usually from an external IP address to a private LAN address. Can you verify that there is an address other than the LAN address(es) assigned on your Raspberry Pi:

Code: Select all

ip addr show

ip addr show | awk '/^[0-9]/{i=$1 $2;next}; /inet /{print i,$1,$2}'

The addresses, aside from the lo interface, are likely only in the range of 10/8, or 172.16/12, or 192.168/16 .

The ListenAddress directives for sshd have to match what is actually on the Raspberry Pi, not what is on the router.

[DougieLawson]

If you're in Milwaukee, WI why is 205.206.207.208 showing as a Burnaby, BC, Canada address when I look it up on https://www.ultratools.com/tools/geoIp?

Take a visit to http://ip4.me to find your public IP address.

[Danrancan]

If you're in Milwaukee, WI why is 205.206.207.208 showing as a Burnaby, BC, Canada address when I look it up on https://www.ultratools.com/tools/geoIp?

Take a visit to http://ip4.me to find your public IP address.

Haha! Because I use a VPN half of the time that I'm browsing or on the internet, unless of course, I'm connecting to my server or router. Good research though, my vpn tells me I'm in Chicago. What a piece of garbage. lol.

[DougieLawson]

That VPN will also be the explanation why your SSH stuff isn't working. VPNs tend to be outbound traffic only.

[Danrancan]

That VPN will also be the explanation why your SSH stuff isn't working. VPNs tend to be outbound traffic only.

Unfortunately thats doubtful. I have a dual router setup. One router using a vpn via ddwrt, and the other router not using a vpn. All I do is switch access points if i want to connect to my pi or otherwise connect to my ddwrt vpn. The pi and the computer are both never connected to the vpn when I am accessing my pi.

[DougieLawson]

Wow! I really couldn't see that in my crystal ball. It's not been right since the Great Crystal Ball Disaster of 1987.

[Omoeba]

Please post the output of the command

Code: Select all

ip a

on your pi

[knute]

Two NICs? /etc/hosts has no 205. address?

You don't need the two Port ### lines if you have the ListenAddress lines with the same ports. I want to see ip a too.

[Danrancan]

Wow! I really couldn't see that in my crystal ball. It's not been right since the Great Crystal Ball Disaster of 1987.

sudo apt-get update crystal-ball

[Danrancan]

Please post the output of the command

Code: Select all

ip a

on your pi

Code: Select all

-bash: ip: command not found

[tpyo kingg]

Code: Select all

-bash: ip: command not found

What about the output of these when run on the Raspberry Pi?

Code: Select all

/bin/grep -i pretty /etc/os-release
/sbin/ifconfig
/sbin/ip addr

[Danrancan]

I think you misinterpret the parameter ListenAddress, have a look here:

https://www.thegeekstuff.com/2011/05/openssh-options/

I finally figured out that you are correct on this. Here I thought that ListenAddress 0.0.0.0 was incorrect because (i thought) it allowed all external ip's to connect via ssh. In actuality, my understanding of ListenAddress was incorrect. Turns out, that the ListenAddress has nothing to do with what IP's are allowed to connect to my server, but it instead specifies which interfaces (LAN, WIFI, etc.) to listen to for inbound connections. This entire thread is a mistake on my part from lacking understanding in how the ListenAddress directive works. I assumed it worked more like a firewall or blacklist/whitelist in which the only addresses listed are allowed to connect to my server. That is totally and completely false. Sorry for such a complicated and confusing thread. Thanks everyone for all of the answers and help. At least I understand now and have learned something! (I think? Please correct me if I am wrong).

[tpyo kingg]

No worries.

By the way a Match directive can be used to limit access as per the way you had originally imagined.

Code: Select all

MaxAuthTries 0
Match Address 192.0.2.0/24
        MaxAuthTries 6

Where 192.0.2.0/24 is the CIDR address of the network of computers you wish to connect from to the Raspberry Pi. A single IP address can be specified as well not just a CIDR range.

See "man sshd_config"

[Danrancan]

No worries.

By the way a Match directive can be used to limit access as per the way you had originally imagined.

Code: Select all

MaxAuthTries 0
Match Address 192.0.2.0/24
        MaxAuthTries 6

Where 192.0.2.0/24 is the CIDR address of the network of computers you wish to connect from to the Raspberry Pi. A single IP address can be specified as well not just a CIDR range.

See "man sshd_config"

Now this is exactly what I needed! Thank you so much for your patience, understanding and help man! It's really appreciated! You da man!