Hello folks.
I'm wary about leaving ports permanently open on my router to allow SSH connections to my Pis from outside the LAN.
Is it possible to open ports on demand using UPnP, initiated by the Pi and perhaps following receipt of an email?
I know how to get the Pi to respond to emailed commands. I'm unsure however how to punch a hole through the router from the Pi itself using UPnP. Note that I will never have the same IP on the WAN device and it only has an SSH client and no SSH server to receive an SSH connection from the Pi: it's an Android device running JuiceSSH.
- Posts: 126
- Joined: Sun Dec 23, 2012 9:44 pm
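For anyone wondering what "punching a hole from the Pi itself" actually involves on the wire: an Internet Gateway Device router exposes a WANIPConnection:1 SOAP service, and the host asks for a mapping with an AddPortMapping call and tears it down with DeletePortMapping. The Python below is an added example, not code from this thread or from any project; it builds those two requests and refuses to create a permanent (lease 0) mapping, so a mapping the Pi opens on demand expires on its own even if the close step never runs. It assumes the router's control URL has already been discovered (SSDP and the device description are not done here), and the addresses and ports are constructed placeholders.

```python
"""Build the UPnP IGD (WANIPConnection:1) SOAP requests a host sends to its
router to add a short-lived port mapping and to remove it again.
Added example; the control URL, addresses and ports are placeholders."""
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS_S = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_LEASE = 86400  # one day: the longest lease this example will ask for


def _envelope(action, args):
    """Wrap an action and its ordered (name, value) arguments in a SOAP 1.1 envelope."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args)
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{NS_S}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{body}</u:{action}>'
        "</s:Body></s:Envelope>"
    )


def lease_is_acceptable(lease_seconds):
    """A lease of 0 means 'until reboot', which defeats an on-demand opening."""
    return 1 <= lease_seconds <= MAX_LEASE


def add_mapping_request(ext_port, int_host, int_port, lease_seconds,
                        desc="pi-ssh", proto="TCP"):
    """AddPortMapping with a mandatory finite lease so the hole closes by itself."""
    if not lease_is_acceptable(lease_seconds):
        raise ValueError(f"lease must be 1..{MAX_LEASE} s; 0 is permanent")
    args = [
        ("NewRemoteHost", ""),  # empty = any source; the port is open to the world while mapped
        ("NewExternalPort", ext_port),
        ("NewProtocol", proto),
        ("NewInternalPort", int_port),
        ("NewInternalClient", int_host),
        ("NewEnabled", 1),
        ("NewPortMappingDescription", desc),
        ("NewLeaseDuration", lease_seconds),
    ]
    return "AddPortMapping", _envelope("AddPortMapping", args)


def delete_mapping_request(ext_port, proto="TCP"):
    """DeletePortMapping: remove the mapping as soon as the session is over."""
    args = [("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto)]
    return "DeletePortMapping", _envelope("DeletePortMapping", args)


def soap_headers(action):
    """Headers an IGD expects; SOAPAction must be the quoted service#action string."""
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#{action}"'}


def parse_arguments(xml_text):
    """Read the argument elements back out of a request (used to check what was built)."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{NS_S}}}Body")
    action_el = list(body)[0]
    return {child.tag: child.text or "" for child in action_el}


def send(control_url, action, xml_text, timeout=3):
    """POST a request to the IGD control URL; returns (status, response body)."""
    req = urllib.request.Request(control_url, data=xml_text.encode("utf-8"),
                                 headers=soap_headers(action), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder control URL; a real one comes from the router's device description.
    CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"
    action, xml_text = add_mapping_request(2222, "192.168.1.10", 22, lease_seconds=600)
    print(soap_headers(action)["SOAPAction"])
    print(parse_arguments(xml_text))
    # send(CONTROL_URL, action, xml_text)  # only on a LAN whose router you administer
```

Two things worth noticing in the request itself: NewRemoteHost is empty, so for the life of the lease the mapped port accepts connections from any address, not just the phone, and the lease is what bounds that exposure when the emailed "close" command never arrives.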
Re: SSH with UPnP
Sounds like your fix is worse than your problem...
- Posts: 126
- Joined: Sun Dec 23, 2012 9:44 pm
Re: SSH with UPnP
Which fix? Please elaborate
Re: SSH with UPnP
He probably means that keeping a permanently open port is much easier... and you can use a different port than 22 for better security.
You can forward the router's 2222 to the Pi's 22 if you want.
- Posts: 126
- Joined: Sun Dec 23, 2012 9:44 pm
Re: SSH with UPnP
I don't use port 22, still wouldn't want to leave it open unnecessarily.
How could processing an email from a known sender, then opening a port, be a security problem, given that leaving the port open all the time appears to be advocated by the above responses?
Re: SSH with UPnP
UPnP isn't exactly renowned for security.
If you expose a port it's obvious the port is the attack surface and needs to be watched by fail2ban, for instance.
If you open up the port by mail, you need to watch the mail agent and still need to watch the port when it's opened up. And your local network is open for a number of UPnP reconnaissance methods. Your total attack surface just became bigger. If you have Windows machines on that local network, you might start seeing some bluescreens.
Also, do you know exactly how your router reacts to UPnP?
Alternatively, you could use port knocking (knockd is available for the Pi) instead of mail, to open up a port.
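To make the port-knocking suggestion concrete, here is an added example (not knockd's code, and not from this thread) that models in Python how knockd decides to run its open command: a per-source state machine over SYN events to closed ports, where the whole sequence must arrive in order within seq_timeout, a wrong port resets that source, and an opened rule is taken down again after a fixed lifetime. The firewall actions are returned as iptables command strings rather than executed, and the events replayed are constructed. The rule values (sequence 7000,8000,9000, 5 s sequence timeout, 10 s open time) are assumptions chosen for the demo.

```python
"""Port-knock tracker modelled on knockd's decision logic.
Added example; events, ports and timeouts are constructed for the demo."""
from dataclasses import dataclass, field


@dataclass
class KnockRule:
    name: str
    sequence: tuple      # ports that must be hit in this order
    seq_timeout: float   # seconds allowed from first to last knock
    open_seconds: float  # how long the opened firewall rule lives
    dport: int = 22      # the service the knock unlocks


@dataclass
class Tracker:
    rule: KnockRule
    progress: dict = field(default_factory=dict)  # src ip -> (next index, first knock time)
    opened: dict = field(default_factory=dict)    # src ip -> time to close

    def knock(self, src_ip, dst_port, now):
        """Feed one SYN to a closed port; return an open action string or None."""
        idx, started = self.progress.get(src_ip, (0, now))
        # The complete sequence must land within seq_timeout; otherwise start over.
        if idx and now - started > self.rule.seq_timeout:
            idx, started = 0, now
        if dst_port != self.rule.sequence[idx]:
            # Any knock on the wrong port discards that source's progress
            # (assumption: a wrong port does not count as a fresh first knock).
            self.progress.pop(src_ip, None)
            return None
        idx += 1
        if idx < len(self.rule.sequence):
            self.progress[src_ip] = (idx, started)
            return None
        # Sequence complete: open the service for this one source only.
        self.progress.pop(src_ip, None)
        self.opened[src_ip] = now + self.rule.open_seconds
        return f"iptables -I INPUT -s {src_ip} -p tcp --dport {self.rule.dport} -j ACCEPT"

    def expire(self, now):
        """Return close actions for every open whose lifetime has elapsed."""
        actions = []
        for ip, close_at in list(self.opened.items()):
            if now >= close_at:
                del self.opened[ip]
                actions.append(
                    f"iptables -D INPUT -s {ip} -p tcp --dport {self.rule.dport} -j ACCEPT")
        return actions


RULE = KnockRule("openSSH", (7000, 8000, 9000), seq_timeout=5.0, open_seconds=10.0)

# Constructed SYN events: (source ip, destination port, seconds since start).
CONSTRUCTED_EVENTS = [
    ("203.0.113.5", 7000, 0.0),
    ("203.0.113.5", 8000, 1.0),
    ("203.0.113.5", 9000, 2.0),    # full sequence in 2 s -> open for this source
    ("198.51.100.9", 7000, 0.5),
    ("198.51.100.9", 9000, 1.0),   # out of order -> progress discarded
    ("198.51.100.9", 8000, 1.5),   # not the first port -> nothing
    ("192.0.2.77", 7000, 10.0),
    ("192.0.2.77", 8000, 18.0),    # 8 s after the first knock > seq_timeout -> reset
]


def replay(events, rule):
    """Replay events in time order; return [(time, action)] and the final tracker."""
    tracker = Tracker(rule)
    actions = []
    for ip, port, ts in sorted(events, key=lambda e: e[2]):
        action = tracker.knock(ip, port, ts)
        if action:
            actions.append((ts, action))
        for closing in tracker.expire(ts):
            actions.append((ts, closing))
    return actions, tracker


if __name__ == "__main__":
    for ts, action in replay(CONSTRUCTED_EVENTS, RULE)[0]:
        print(f"t={ts:5.1f}  {action}")
```

The point the model makes visible: even after a correct knock, the rule that opens is scoped to the knocking source address and to a short lifetime, which is a narrower exposure than an always-open forward or a UPnP mapping that any address can reach while it exists.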