homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Struggling with SSH

Fri Aug 24, 2012 1:54 am

I am running Raspbian and I have SSH all set up. I can SSH into my Pi locally fine.

I am trying to get my RPi accessible globally, so I went ahead and did a port forward on the local IP to port 2222. Now if I want to SSH into my Pi, I would use PuTTY or any other tool to SSH into my router's IP using port 2222, no?

It seems to be not working. Any tips or suggestions? Maybe I am doing something wrong...

SirLagz
Posts: 1705
Joined: Mon Feb 20, 2012 8:53 am
Location: Perth, Australia
Contact: Website

Re: Struggling with SSH

Fri Aug 24, 2012 2:02 am

Is your SSH server set up to listen on port 2222?
And you can only ssh into your pi from your router's EXTERNAL ip address from OUTSIDE your network.
My Blog - http://www.sirlagz.net
Visit my blog for Tips, Tricks, Guides and More !
WiFi Issues ? Have a look at this post ! http://www.raspberrypi.org/phpBB3/viewtopic.php?f=28&t=44044
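An added example (not from the thread) for SirLagz's question about which port sshd is listening on. On a live Pi the quick checks are `ss -tlnp` (or `netstat -tlnp` on older images) for the listening sockets and `sudo sshd -T | grep -i '^port'` for the ports sshd was actually configured with. The Python below answers the same question from /proc/net/tcp and /proc/net/tcp6 directly, which works on a minimal image with neither tool installed; the two /proc rows it parses are constructed here, not taken from anyone's Pi.

```python
# Added example, not from the thread: find which TCP ports are in LISTEN
# state by reading /proc/net/tcp and /proc/net/tcp6 directly, which works on
# a minimal Raspbian image even without ss/netstat. The sample rows below
# are constructed to show an sshd on port 2222 and no listener on port 22.
import socket
import struct

LISTEN = "0A"   # the st column value for a listening socket

def _ipv4_from_hex(hexaddr):
    # IPv4 addresses are stored as one little-endian 32-bit word in hex
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))

def _ipv6_from_hex(hexaddr):
    # IPv6 addresses are stored as four little-endian 32-bit words in hex
    raw = b"".join(struct.pack("<I", int(hexaddr[i:i + 8], 16)) for i in range(0, 32, 8))
    return socket.inet_ntop(socket.AF_INET6, raw)

def listening_ports(proc_net_tcp_text):
    """Return sorted (address, port) pairs for sockets in LISTEN state."""
    listeners = set()
    for line in proc_net_tcp_text.splitlines()[1:]:    # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        addr = _ipv4_from_hex(addr_hex) if len(addr_hex) == 8 else _ipv6_from_hex(addr_hex)
        listeners.add((addr, int(port_hex, 16)))
    return sorted(listeners, key=lambda ap: (ap[1], ap[0]))

def is_listening(proc_net_tcp_text, port):
    return any(p == port for _, p in listening_ports(proc_net_tcp_text))

def live_listeners():
    """Read the real /proc files (Linux only); returns [] elsewhere."""
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found.extend(listening_ports(fh.read()))
        except OSError:
            pass
    return found

# Constructed sample: an sshd bound to 0.0.0.0:2222 (0x08AE), plus one
# ESTABLISHED (st 01) connection on port 22 that is not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:E3A2 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
"""
# Constructed sample for tcp6: the same sshd also listening on [::]:2222.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:08AE 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print(listening_ports(SAMPLE_TCP) + listening_ports(SAMPLE_TCP6))
    print("port 22 listening:", is_listening(SAMPLE_TCP, 22))      # False
    print("port 2222 listening:", is_listening(SAMPLE_TCP, 2222))  # True
```

Run `live_listeners()` on the Pi itself to see what is really bound; if 2222 is not in the list, the port forward on the router has nothing to reach, whatever the router says.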

homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Re: Struggling with SSH

Fri Aug 24, 2012 2:04 am

SirLagz wrote:Is your SSH server set up to listen on port 2222?
And you can only ssh into your pi from your router's EXTERNAL ip address from OUTSIDE your network.
How do I check what port it is listening on? Also I am an idiot lol, I should try this outside my network -_-

homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Re: Struggling with SSH

Fri Aug 24, 2012 2:28 am

Ah figured it all out :).

Thanks for the tip.

Future reference for people who face this:

SSH outside of your network (fail on my part)
To change the listen port, edit /etc/ssh/sshd_config

SirLagz
Posts: 1705
Joined: Mon Feb 20, 2012 8:53 am
Location: Perth, Australia
Contact: Website

Re: Struggling with SSH

Fri Aug 24, 2012 2:31 am

No problems :)

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Fri Aug 24, 2012 7:14 am

Your homework assignment for this week is to set up ssh login using keys and then disable password login. Massive security enhancement. :)

Also, just to note that you can have it listen on more than one port if you want to keep port 22 open for traffic within your local network. All it needs is a second line in sshd_config


Port 2222
Port 22
Alex Eames RasPi.TV, RasP.iO
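An added example, not part of the thread, for alexeames's homework and for the PermitRootLogin change asked about further down: a small parser that resolves an sshd_config the way sshd does. For almost every keyword the first value sshd sees wins, so a second PasswordAuthentication line lower in the file is silently ignored and a commented-out line changes nothing; Port (and ListenAddress) are the exception and accumulate, which is why the two Port lines above work. Both configs it runs over are constructed here. ChallengeResponseAuthentication is called KbdInteractiveAuthentication from OpenSSH 8.7 on; the check matters because with UsePAM on it is a second way to be asked for a password.

```python
# Added example, not from the thread: parse the global section of an
# sshd_config as sshd does (first value wins, except Port/ListenAddress,
# which accumulate) and report settings that leave password or root login
# open. The two sample configs are constructed for the demonstration.
import re

# OpenSSH defaults relevant here. A keyword that never appears in the file
# (including one present only commented out) takes its default. PermitRootLogin
# defaulted to "yes" in the 2012-era releases this thread is about; releases
# from 7.0 on default to "prohibit-password".
DEFAULTS = {
    "port": ["22"],
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "usepam": "yes",
}
ACCUMULATING = {"port", "listenaddress"}   # may be given more than once

def parse_global(text):
    """Effective settings of the global section, resolved as sshd resolves them."""
    seen = {}
    has_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            has_match = True         # everything after a Match line is conditional
            break
        if len(parts) != 2:
            continue
        value = parts[1].strip()
        if key in ACCUMULATING:
            seen.setdefault(key, []).append(value)
        else:
            seen.setdefault(key, value)              # keeps the first value only
    cfg = dict(DEFAULTS)
    cfg.update(seen)
    cfg["_has_match"] = has_match
    return cfg

def audit(text):
    """Return the effective ports plus a list of findings (empty means hardened)."""
    cfg = parse_global(text)
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is effectively yes: passwords can be guessed")
    if cfg["usepam"].lower() == "yes" and cfg["challengeresponseauthentication"].lower() != "no":
        findings.append("ChallengeResponseAuthentication is yes with UsePAM: PAM can still prompt for a password")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is %s: set it to no" % cfg["permitrootlogin"])
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: key login will fail")
    if cfg["_has_match"]:
        findings.append("Match blocks present: their overrides are not evaluated here")
    return {"ports": [int(p) for p in cfg["port"]], "findings": findings}

# Constructed sample 1: a stock-style config with the usual mistakes.
STOCK = """\
Port 22
PermitRootLogin yes
UsePAM yes
# commented out, so the default (yes) still applies:
#PasswordAuthentication no
PasswordAuthentication yes
# ignored: sshd keeps the first value it saw for a keyword
PasswordAuthentication no
"""

# Constructed sample 2: the hardened version, listening on both ports.
HARDENED = """\
Port 2222
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
AllowUsers pi
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        result = audit(text)
        print(name, "ports:", result["ports"])
        for finding in result["findings"]:
            print("  -", finding)
```

Order of operations matters: generate a key with `ssh-keygen`, install it with `ssh-copy-id pi@<pi address>`, confirm a key login works from a second terminal, and only then set PasswordAuthentication no. After editing, `sudo sshd -t` checks the syntax and `sudo sshd -T` prints the values sshd will actually use; restart sshd from a session you keep open and test a fresh login before closing it.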

Wendo
Posts: 142
Joined: Sun Jun 10, 2012 8:27 pm

Re: Struggling with SSH

Fri Aug 24, 2012 8:26 am

You could also have port forwarded port 2222 on your router to the Pi's IP address and port 22, thereby not needing to change any config but still having it accessible externally on port 2222.

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Struggling with SSH

Fri Aug 24, 2012 1:54 pm

Just to add:
You can always connect to your Pi by its external address. Port forwarding has to be allowed, but you can still access the Pi by the EXTERNAL address from INSIDE your network. Useless, but I have successfully done so.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Re: Struggling with SSH

Fri Aug 24, 2012 2:02 pm

alexeames wrote:Your homework assignment for this week is to set up ssh login using keys and then disable password login. Massive security enhancement. :)

Also, just to note that you can have it listen on more than one port if you want to keep port 22 open for traffic within your local network. All it needs is a second line in sshd_config


Port 2222
Port 22
Sweet, I will configure SSH keys tonight :) Thanks!

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Struggling with SSH

Fri Aug 24, 2012 2:17 pm

For added security, disable root logins and use fail2ban.

ghans

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Fri Aug 24, 2012 2:58 pm

homerguy wrote:
alexeames wrote:Your homework assignment for this week is to set up ssh login using keys and then disable password login. Massive security enhancement. :)

Also, just to note that you can have it listen on more than one port if you want to keep port 22 open for traffic within your local network. All it needs is a second line in sshd_config


Port 2222
Port 22
Sweet, I will configure SSH keys tonight :) Thanks!
One catch, depending on how you create and copy your keys, which I discovered the hard way, was that it won't work unless the user you are trying to log in as is the OWNER of the key file. Obvious when you know.

Mine refused to work as I had copied it over from windows and it was assigned to root. Wouldn't work for pi until I chowned the file to pi. ;)
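An added example, not from the thread, for the ownership problem alexeames hit: with StrictModes on (the default) sshd runs checks like these itself and quietly ignores an authorized_keys file that fails them, which is why a file copied in as root does nothing until it is chowned. The function below reports each problem together with the chown or chmod that fixes it; the demo builds a throwaway home directory and reproduces the mistake, so nothing under a real ~/.ssh is touched. Installing the key with `ssh-copy-id` avoids the problem in the first place, since it writes the file as the target user.

```python
# Added example, not from the thread: the checks sshd's StrictModes applies
# before it trusts ~/.ssh/authorized_keys, with the fix for each failure.
# Paths follow the OpenSSH defaults; demo() works in a temporary directory.
import os
import stat
import tempfile

def _check_path(path, uid, is_dir):
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: missing" % path]
    if is_dir != stat.S_ISDIR(st.st_mode):
        problems.append("%s: wrong type" % path)
    # sshd accepts the user or root as owner of the directories, but the key
    # file must be readable by the user, so require the user as owner there.
    owner_ok = st.st_uid == uid or (is_dir and st.st_uid == 0)
    if not owner_ok:
        problems.append("%s: owned by uid %d (fix: chown %d %s)" % (path, st.st_uid, uid, path))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s: group/world writable (fix: chmod %s %s)"
                        % (path, "700" if is_dir else "600", path))
    return problems

def check_authorized_keys(home, uid):
    """Return a list of problems; an empty list means sshd will accept the file."""
    ssh_dir = os.path.join(home, ".ssh")
    return (_check_path(home, uid, True)
            + _check_path(ssh_dir, uid, True)
            + _check_path(os.path.join(ssh_dir, "authorized_keys"), uid, False))

def demo():
    """Recreate the mistake in a throwaway home, check it, fix it, check again."""
    home = os.path.join(tempfile.mkdtemp(), "pi")
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir)
    with open(keys, "w") as fh:
        fh.write("ssh-rsa PLACEHOLDER-NOT-A-REAL-KEY pi@laptop\n")   # placeholder text
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o777)      # the mistake: anyone can add keys
    os.chmod(keys, 0o666)         # the mistake: anyone can edit the key list
    me = os.getuid()
    before = check_authorized_keys(home, me)
    wrong_owner = check_authorized_keys(home, me + 1)   # the file as seen for another user
    os.chmod(ssh_dir, 0o700)      # the fix
    os.chmod(keys, 0o600)
    after = check_authorized_keys(home, me)
    return {"before": before, "wrong_owner": wrong_owner, "after": after}

if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "ok")
```

On a real Pi the fix alexeames describes is `sudo chown -R pi:pi /home/pi/.ssh`, followed by `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys`; sshd logs the reason it rejected the file in auth.log, which is the first place to look when a key is "ignored".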

homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Re: Struggling with SSH

Fri Aug 24, 2012 3:02 pm

ghans wrote:For added security, disable root logins and use fail2ban.

ghans
To disable it, do I just edit /etc/ssh/sshd_config and change PermitRootLogin to no?

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Fri Aug 24, 2012 3:07 pm

homerguy wrote:
ghans wrote:For added security, disable root logins and use fail2ban.

ghans
To disable it, do I just edit /etc/ssh/sshd_config and change PermitRootLogin to no?
Yes, but I fail to see how this helps anything if you are using keys - perhaps somebody can enlighten us? :lol: All you have to do to prevent root login, surely is not create a key for root? Or is there (quite likely :lol: ) something I've missed?

homerguy
Posts: 22
Joined: Mon Aug 13, 2012 8:39 pm

Re: Struggling with SSH

Fri Aug 24, 2012 3:15 pm

alexeames wrote:
homerguy wrote:
ghans wrote:For added security, disable root logins and use fail2ban.

ghans
To disable it, do I just edit /etc/ssh/sshd_config and change PermitRootLogin to no?
Yes, but I fail to see how this helps anything if you are using keys - perhaps somebody can enlighten us? :lol: All you have to do to prevent root login, surely is not create a key for root? Or is there (quite likely :lol: ) something I've missed?
Yeah I guess with keys it doesn't matter, but hey why not lulz

jojopi
Posts: 3150
Joined: Tue Oct 11, 2011 8:38 pm

Re: Struggling with SSH

Fri Aug 24, 2012 11:06 pm

ghans wrote:For added security, disable root logins and use fail2ban.
fail2ban and similar do not add any security; they just pretend to. An attacker who has a valid credential can still log in. And an attacker with a big enough botnet can still mount a brute-force attack.

If you can predict the netblocks that you might want to log in from, then it is worth restricting to those. Otherwise just disable passwords and root.

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Sat Aug 25, 2012 6:55 am

jojopi wrote:
ghans wrote:For added security, disable root logins and use fail2ban.
fail2ban and similar do not add any security; they just pretend to. An attacker who has a valid credential can still log in. And an attacker with a big enough botnet can still mount a brute-force attack.

If you can predict the netblocks that you might want to log in from, then it is worth restricting to those. Otherwise just disable passwords and root.
jojopi, can you explain the benefit of disabling root login on ssh if you're using keys? I can't figure it out myself. Thanks. :D

ghans
Posts: 7882
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: Struggling with SSH

Sat Aug 25, 2012 9:23 am

LOL, I must have missed that part. Cheers alexeames :D


ghans

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Sat Aug 25, 2012 11:13 am

ghans wrote:LOL, I must have missed that part. Cheers alexeames :D


ghans
I'm not completely convinced that there isn't a good reason for doing it, but I wonder if someone can tell us what it is? For example, you still need an id name to log in with a key, so disabling root login and using a different name might be even more secure - provided that root login is permitted already. But if there isn't a root password or root key, disabling root surely adds nothing?

alexeames
Forum Moderator
Posts: 2869
Joined: Sat Mar 03, 2012 11:57 am
Location: UK
Contact: Website

Re: Struggling with SSH

Sat Aug 25, 2012 12:52 pm

Just in case anyone's wondering why disabling root login by ssh is a good idea in general, here's an extract from my web server's log from before I implemented keys (not had a failed login attempt since)...


Aug 25 02:38:35 ns1 sshd[32500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:37 ns1 sshd[32500]: Failed password for root from 41.191.231.118 port 38291 ssh2
Aug 25 02:38:38 ns1 sshd[32503]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:41 ns1 sshd[32503]: Failed password for root from 41.191.231.118 port 38760 ssh2
Aug 25 02:38:42 ns1 sshd[32505]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:45 ns1 sshd[32505]: Failed password for root from 41.191.231.118 port 39113 ssh2
Aug 25 02:38:46 ns1 sshd[32507]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:48 ns1 sshd[32507]: Failed password for root from 41.191.231.118 port 39427 ssh2
Aug 25 02:38:50 ns1 sshd[32509]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:52 ns1 sshd[32509]: Failed password for root from 41.191.231.118 port 39750 ssh2
Aug 25 02:38:54 ns1 sshd[32513]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:56 ns1 sshd[32513]: Failed password for root from 41.191.231.118 port 40126 ssh2
Aug 25 02:38:57 ns1 sshd[32515]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:59 ns1 sshd[32515]: Failed password for root from 41.191.231.118 port 40447 ssh2
Aug 25 02:39:01 ns1 sshd[32517]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:03 ns1 sshd[32517]: Failed password for root from 41.191.231.118 port 40764 ssh2
Aug 25 02:39:05 ns1 sshd[32529]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:07 ns1 sshd[32529]: Failed password for root from 41.191.231.118 port 41117 ssh2
Aug 25 02:39:08 ns1 sshd[32531]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:11 ns1 sshd[32531]: Failed password for root from 41.191.231.118 port 41455 ssh2
Aug 25 02:39:12 ns1 sshd[32533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:14 ns1 sshd[32533]: Failed password for root from 41.191.231.118 port 41817 ssh2
Aug 25 02:39:15 ns1 sshd[32535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:17 ns1 sshd[32535]: Failed password for root from 41.191.231.118 port 42118 ssh2
Aug 25 02:39:25 ns1 sshd[32537]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:39:27 ns1 sshd[32537]: Failed password for root from 41.191.231.118 port 42396 ssh2
Looks like someone's been trying to get in.
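An added example, not part of the thread, run over an excerpt of the log above: the detection logic behind a fail2ban-style sshd filter. It counts "Failed password" events per source host and reports the host once it crosses a threshold inside a sliding time window, which is the point at which fail2ban would insert its firewall rule. The year is assumed to be 2012 because syslog timestamps carry none.

```python
# Added example, not from the thread: brute-force detection over auth.log
# lines of the kind quoted above. Counts failed password attempts per host
# and flags a host that exceeds `threshold` failures inside `window`.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)

def parse_failures(lines, year=2012):
    """Yield (timestamp, user, host) for every failed password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # syslog omits the year, so one is assumed; see the lead-in
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")

def failures_by_host(lines):
    """Total failed logins per source host."""
    counts = defaultdict(int)
    for _, _, host in parse_failures(lines):
        counts[host] += 1
    return dict(counts)

def offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Hosts with at least `threshold` failures inside any `window`, mapped to
    the time of the failure that crossed the line (when a ban would start)."""
    recent = defaultdict(list)
    hit = {}
    for ts, _, host in parse_failures(lines):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold and host not in hit:
            hit[host] = ts
    return hit

# Excerpt of the log quoted above. The pam_unix line is kept to show that
# only the "Failed password" records are counted.
SAMPLE = """\
Aug 25 02:38:35 ns1 sshd[32500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=41.191.231.118  user=root
Aug 25 02:38:37 ns1 sshd[32500]: Failed password for root from 41.191.231.118 port 38291 ssh2
Aug 25 02:38:41 ns1 sshd[32503]: Failed password for root from 41.191.231.118 port 38760 ssh2
Aug 25 02:38:45 ns1 sshd[32505]: Failed password for root from 41.191.231.118 port 39113 ssh2
Aug 25 02:38:48 ns1 sshd[32507]: Failed password for root from 41.191.231.118 port 39427 ssh2
Aug 25 02:38:52 ns1 sshd[32509]: Failed password for root from 41.191.231.118 port 39750 ssh2
Aug 25 02:38:56 ns1 sshd[32513]: Failed password for root from 41.191.231.118 port 40126 ssh2
""".splitlines()

if __name__ == "__main__":
    print(failures_by_host(SAMPLE))                 # {'41.191.231.118': 6}
    for host, when in offenders(SAMPLE).items():
        print("ban candidate %s from %s" % (host, when))
```

As jojopi points out in this thread, this buys cleaner logs rather than security: a distributed attacker never trips a per-host threshold, and a stolen key or password never fails. With passwords disabled the threshold is mostly a noise filter; the "Invalid user" lines are still worth watching, because they show which usernames are being guessed.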

jojopi
Posts: 3150
Joined: Tue Oct 11, 2011 8:38 pm

Re: Struggling with SSH

Sat Aug 25, 2012 3:03 pm

alexeames wrote:jojopi, can you explain the benefit of disabling root login on ssh if you're using keys?
It is not practical to "guess" a valid key, like it is with a password. So disabling passwords is sufficient to prevent successful brute-force attacks, even if root is still allowed. But one risk that does exist with keys is that an attacker might first compromise one machine, and then use the keys found on that machine to attack other machines named in its history and known hosts files. This is more dangerous if any of the keys give root access.

As a general principle of security you should allow only the level of access that is necessary. Since it is never strictly necessary to be able to log in remotely as root there is no reason to allow this. Disallowing it by configuration, instead of just not installing a key, makes it considerably less easy to accidentally install a key in future. If you are using no-passphrase keys for automated jobs you should go further and create a separate user account and authorize the keys only to run the specific commands required.

(Obviously, the security advantage in disallowing root login does not really exist unless sudo is configured at least to ask for a password.)

The vast majority of unsophisticated brute-force attackers, who try IP addresses at random and seemingly do not even notice if password authentication is disabled, are quite effectively defeated by moving SSH to a non-standard port number.
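An added example, not from the thread, for jojopi's advice on no-passphrase automation keys: a forced-command wrapper. The authorized_keys line below is an assumption written for a hypothetical dedicated "backup" account; with it, sshd runs this script regardless of what the client asked for, and the client's request is visible only through SSH_ORIGINAL_COMMAND, which is matched against a fixed allowlist. The tar invocation and data path are placeholders.

```python
# Added example, not from the thread: a forced-command wrapper for a
# restricted automation key. Assumed authorized_keys line for a hypothetical
# "backup" account (the public key and paths are placeholders):
#
#   command="/usr/local/bin/restricted.py",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <public key> backup@laptop
#
# sshd then ignores the client's command line and runs this script, exposing
# the request only as the SSH_ORIGINAL_COMMAND environment variable.
import os
import shlex
import subprocess
import sys

# The only requests honoured, each mapped to a fixed argv. The client's text
# is never handed to a shell, so there is nothing for it to inject into.
ALLOWED = {
    "backup": ["/bin/tar", "-czf", "-", "/home/backup/data"],
    "uptime": ["/usr/bin/uptime"],
}

def resolve(original_command):
    """Return the argv for an allowed request, or None to refuse it."""
    if not original_command:
        return None                     # bare interactive login: refused
    try:
        words = shlex.split(original_command)
    except ValueError:
        return None                     # unbalanced quotes and the like
    if len(words) != 1:
        return None                     # no arguments are accepted at all
    return ALLOWED.get(words[0])

def main():
    argv = resolve(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("request refused\n")
        return 126
    return subprocess.call(argv)

if __name__ == "__main__":
    sys.exit(main())
```

The client side is then `ssh backup@<pi address> backup > data.tgz`. OpenSSH 7.2 and later accept the single option `restrict` in place of the list of no-* options. Keep the wrapper argument-free as here; the moment it forwards client-supplied arguments into a shell string it becomes the injection point the key options were meant to remove.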

Dweeber
Posts: 606
Joined: Fri Aug 17, 2012 3:35 am
Location: Mesa, AZ
Contact: Website

Re: Struggling with SSH

Sun Aug 26, 2012 3:48 am

My RPi is behind a router and I have the router configured to only allow connections to the RPi at the house from specific IPs. In other environments where I have no router access I would do the same with iptables, which is loaded on the RPi (at least on Raspbian it is). You can do the same type of restriction. Even then, I use SSH keys for access, not a password.

If your device is on the Internet and you are using standard port 22, you will get a lot of script hits which will hammer your device if you let them. Sometimes simply moving to a non-standard port eliminates the script hits and reduces the number of attempts on your device dramatically. You should still be using other security measures with that.

As for having the pi user basically as a root account (can sudo to anything without further authentication), it is more of a learning tool than security prevention. New users to Linux are not used to the commands and having them do an extra step is a learning process to know that they are doing something "special". It has little security advantage since most will use the same default user (pi) and the default password, even though the ability to change the password is provided on the main config screen when you first run it.

I suspect most won't make their RPi's available for login from the Internet and will only be using them while home. So no big deal, but not a good security lesson.

If you decide to open up a web server port or something like that to your RPi from the Internet, it might be worth setting up Fail2ban to watch the logs for mischief. Not an end-all to save all, but it will give you a clue when someone is messing around. Using a filter that looks for common attempts with an early cut-off will do well.
Dweeber A.K.A. Kevin...
My RPI Info Pages including Current Setup - http://rpi.tnet.com
