chorlton2080
Posts: 126
Joined: Sun Dec 23, 2012 9:44 pm

SSH with UPnP

Sat Aug 09, 2014 9:54 pm

Hello folks.

I'm wary about leaving ports permanently open on my router to allow SSH connection to my Pi's from outside the LAN.

Is it possible to open ports on demand using UPnP, initiated by the Pi and perhaps following receipt of an email?

I know how to get the Pi to respond to emailed commands. I'm unsure however how to punch a hole through the router from the Pi itself using UPnP. Note that I will never have the same IP on the WAN device and it only has an SSH client and no SSH server to receive an SSH connection from the Pi: it's an Android device running JuiceSSH.


cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: SSH with UPnP

Sun Aug 10, 2014 9:10 am

Sounds like your fix is worse than your problem...

chorlton2080
Posts: 126
Joined: Sun Dec 23, 2012 9:44 pm

Re: SSH with UPnP

Sun Aug 10, 2014 11:05 am

Which fix? Please elaborate.

topguy
Posts: 6895
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: SSH with UPnP

Sun Aug 10, 2014 3:58 pm

He probably means that keeping a permanently open port is much easier... and you can use a different port than 22 for better security.

You can forward the router's 2222 to the Pi's 22 if you want.

chorlton2080
Posts: 126
Joined: Sun Dec 23, 2012 9:44 pm

Re: SSH with UPnP

Sun Aug 10, 2014 6:29 pm

I don't use port 22, still wouldn't want to leave it open unnecessarily.

How could processing an email from a known sender, then opening a port, be a security problem, given that leaving the port open all the time appears to be advocated by the above responses?

cyrano
Posts: 714
Joined: Wed Dec 05, 2012 11:48 pm
Location: Belgium

Re: SSH with UPnP

Sun Aug 10, 2014 8:13 pm

UPnP isn't exactly renowned for security.

If you expose a port it's obvious the port is the attack surface and needs to be watched by fail2ban, for instance.

If you open up the port by mail, you need to watch the mail agent and still need to watch the port when it's opened up. And your local network is open for a number of UPnP reconnaissance methods. Your total attack surface just became bigger. If you have Windows machines on that local network, you might start seeing some bluescreens ;)

Also, do you know exactly how your router reacts to UPnP?

Alternatively, you could use port knocking (knockd is available for the Pi) instead of mail, to open up a port.
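As an added illustration of the knockd alternative mentioned above (this is a constructed example, not a configuration posted in the thread), here is a `/etc/knockd.conf` that keeps the Pi's SSH port closed until the client sends the knock sequence, then opens it only for the address that knocked. It assumes knockd and iptables on the Pi, sshd listening on port 22 locally, and `eth0` as the interface the knocks arrive on; the port numbers and timeouts are arbitrary choices.

```ini
# /etc/knockd.conf  (constructed example, not from the thread)
[options]
    UseSyslog
    # interface the knocks arrive on; adjust for the Pi in question
    Interface = eth0

[opencloseSSH]
    # the client sends TCP SYNs to these ports, in order, within 15 s
    sequence      = 7000,8000,9000
    seq_timeout   = 15
    tcpflags      = syn
    # open SSH only for the knocking address (%IP%), so a client whose
    # WAN address changes each day still works and nobody else is admitted
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    # remove the rule again after 30 s; a session already established
    # survives because the baseline rules accept ESTABLISHED,RELATED traffic
    cmd_timeout   = 30
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

This only helps if the baseline firewall on the Pi actually drops port 22 and accepts return traffic, e.g. `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 22 -j DROP`; otherwise the knock opens nothing that was not already open. For the use case in this thread (reaching the Pi from outside the LAN) the router still has to forward the three knock ports and the SSH port to the Pi, so this replaces the email trigger, not the static port forwards. With `UseSyslog` set, every recognised sequence and every open/close is written to syslog, which gives you something to watch alongside fail2ban on the SSH port itself.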
