MEPIS Community Forum

Hi All,

If anyone can point me to appropriate guidance on this I'd really appreciate it.
I'm trying to get remote ssh access to my desktop mepis system. I know I have the dns set up correctly because the domain resolves to the right IP Address. I know I have the ssh daemon running on the local machine. I have forwarded port 22 on the router to my desktop system. Yet I cannot get into the machine from the outside.

I've turned off the machine's firewall, and so I'm convinced it has to be the router config. It's a buffalo router running DDWRT, and there's too much going on in there. Does anyone know a good guide to these things?

Best,
Chris

Just a thought - have you configured /etc/hosts.allow & /etc/hosts.deny to allow logins from your other machine's IP address?

Hi Timkb,

I haven't touched those files but I don't think that's the issue as I'm able to ssh from my windows laptop using cygwin just fine.
It's just not working getting through the router. Ugh!

Thanks,
Chris

run traceroute -p 22 fqdn

where fqdn is the fully qualified domain name....

it'll help illuminate any potential networking issues.

you can also ssh to the fqdn and it should go out your router and then back in through the port...

I ran traceroute -p 22 fqdn and it works fine. However, trying to ssh to port 22 does not work.
Could it be that my ISP is blocking ssh on that port?

One annoying thing is that I could not run traceroute at all with the firewall on (guarddog), and I have enabled traceroute within guarddog....

Thanks for your help.
Chris

honestly, i use firestarter for my firewall frontend. guarddog is fine, but with firestarter you can see logged events in real time and take action on them. i seriously doubt the ISP is doing anything to block port 22.

btw, if you don't allow inbound traffic for port 22 on your gateway (your router) then that will result in no ssh connection.

also, allowing inbound ssh traffic can be a HUGE security risk. make sure you have fail2ban installed too. it'll help prevent brute force attacks against ssh - it's automatic and adds a nice layer.

make sure you have the latest firmware for your router installed

Thanks for your pointers. I'll try using Firestarter. Maybe I should back up and state that all I want to do is to be able to tunnel into my machine from outside in order to remotely access it via VNC. Perhaps there is a better way of doing this than using ssh and opening the port in the router.

However, I'm pretty sure that SSH could be set up to use only RSA keys, and it's unlikely that anyone is going to bruteforce a 2048-bit key.

I'm also aware of using other solutions, such as LogMeIn/Hamachi. What's the easiest way to attain what I'm after? I'm certainly interested in security, but if there's a solution that is easy I'd go for that. The reason I haven't tried Hamachi is that there is the third party present and I'm not sure how much of my connection would really be secure from that provider

Thanks,
Chris

you're still going to have to get the port forwarding working. ssh is the better choice for the encryption because you can then use it for a bunch of things and not just vnc.

also, if you are going to use ssh then use fail2ban, too. whether or not someone actually is able to break the encryption key isn't necessarily the real harm. fail2ban will block an offending ip just because it's trying to break the encryption, so it helps prevent ddos type of situations. you'd be surprised how much unwanted traffic you'll notice once you open port 22 - lots of automated attacks that troll the net for sites that have ports open.

fail2ban is a no-brainer tool, thanks for the pointer. I am installing it right now! I am still convinced the only thing that really isn't working is my router, blasted thing. I should probably post over in the DDWRT forums.
Best,
Chris

i use ddwrt and had no problems getting ssh to work with port forwarding... just make sure you have the latest firmware from them.