
Re: newbie question on port forwarding (and ssh, netcat)



On Wed, 10 Oct 2012 08:35:13 -0700 (PDT)
houkensjtu <houkensjtu@gmail.com> wrote:

> Hi debianer!
> I am a newbie to both Debian and networking...
> Recently I have been trying to connect to my home laptop (I have a
> router at home) from the office. I read several articles on port
> forwarding, and I succeeded in opening port 22 on my router; I also
> started an ssh server on my home laptop.
> 
> (suppose my username at home is USER, and my laptop is called DEBIAN)
> 
> I did several experiments and I got confused by some of their results.
> 
> 1. ssh USER@DEBIAN
> 
> works well!!
> 
> 2. nc -vz my_home_external_ip 22
> [my_home_external_ip] 22 (ssh) : Connection refused
> 
> I can't understand why this is, because I actually succeeded in
> test 1!
> 
> 3. ssh -l USER my_home_external_ip
> ssh: connect to host my_home_external_ip port 22: Connection refused
> This also doesn't work! I thought it should be equivalent to test 1,
> but things just don't work.
> 
> Can anyone explain this?
> 
> 

Not yet. Many commercial networks operate firewalls affecting the
connections leaving the network so as yet you don't know which end of
the connection has an issue.

Divide the problem into two parts: the simplest way to check port
forwarding is to use an external website from home, that way you can
change things without travelling from your office, and you know the
other end will have no firewall problems.

A simple and slightly alarming but fairly reliable site is
http://grc.com. Click on Shields Up!!, scroll down over halfway and
click the heading Shields Up!, then Proceed, and Continue, then Common
Ports (you can enter 22 manually, but the Common Ports is a quick test
and just one click is needed).

You're looking for 22 shown as Open, and probably all others as
Stealth. Ignore all the dire warnings, this is a site for Windows users
and they need to be scared.

If 22 is not shown as Open, then you either haven't got the forwarding
right, or sshd isn't running as you expect. If the router looks right,
from your laptop try ssh <IP address of laptop>. This isn't the same as
ssh localhost, as the ssh server treats different interfaces separately.

If all is well at this end, but there is still a problem from your
office, then you need to ask about outgoing firewalling there.

However you resolve the initial problem, the ssh server is very heavily
targeted by the bad guys, using password-checking bots. A quick and
dirty security measure is to forward a non-standard, high-numbered
external TCP port to <laptop>:22 (nearly all routers should be able to
do that), or to forward it to the same port on the laptop and
reconfigure the ssh server to listen on that port (the Port xxx line(s)
in /etc/sshd_config). Remember to restart the ssh server if you need to
do this.

Six people will now leap in and say that's not going to improve
security, all the bad guys have to do is run a portscan to find your
server. However, scanning 65,000 ports of the same IP address across
the Internet is no small undertaking, and will certainly attract
attention, and I've never yet seen a bot attempt it. I don't get *any*
connection attempts to my ssh port, while 22 gets 10-100 a day.

The long-term solution is to disable passwords and use public-private
key pairs for authentication, which is not really difficult, but is
not for a complete beginner, and can certainly not be tried until you
have the system working reliably on passwords. A quick Google for ssh
public key tutorial turns up a vast number of sites to help with this.

If you need to work from Windows, by the way, the PuTTY program is
pretty much the industry standard. There is also a Portable Apps
version of it, which does not write anything to the Windows machine.

-- 
Joe
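Joe's advice about the Port line and about disabling passwords depends on which line sshd actually honours: sshd_config takes the first occurrence of a keyword, and anything after a Match line is conditional rather than global. The following added example (not from the thread; function names and sample configs are my own, constructed for illustration) is a small POSIX sh check that reports the effective Port, PasswordAuthentication and PubkeyAuthentication values so you can see whether an edit took effect before restarting sshd.

```shell
#!/bin/sh
# Added example, not from the thread. Reports the settings the reply
# touches on (Port, PasswordAuthentication, PubkeyAuthentication) as
# sshd will actually apply them: the FIRST occurrence of a keyword
# wins, and lines after a "Match" line are conditional, not global,
# so a "Port 2222" appended at the end of the file changes nothing.
# The config path is a parameter; the samples below are constructed.

sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive). Prints the
    # first global value, or nothing if the keyword is not set.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/  { next }            # comments, blank lines
        tolower($1) == "match" { exit }           # end of global section
        tolower($1) == key    { print $2; exit }  # first match wins
    ' "$1"
}

sshd_report() {
    # sshd defaults (port 22, both auth methods on) apply when unset.
    port=$(sshd_effective "$1" Port);                 [ -n "$port" ] || port=22
    pw=$(sshd_effective "$1" PasswordAuthentication); [ -n "$pw" ] || pw=yes
    pk=$(sshd_effective "$1" PubkeyAuthentication);   [ -n "$pk" ] || pk=yes
    printf 'port=%s password=%s pubkey=%s\n' "$port" "$pw" "$pk"
}

# Constructed sample 1: the "fix" was appended at the bottom of a file
# that already sets Port and PasswordAuthentication near the top.
APPENDED_CFG=$(mktemp)
cat > "$APPENDED_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
# appended later; ignored because the earlier lines win
Port 2222
PasswordAuthentication no
EOF

# Constructed sample 2: the edit was made at the first occurrence.
FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
EOF
trap 'rm -f "$APPENDED_CFG" "$FIXED_CFG"' EXIT

sshd_report "$APPENDED_CFG"   # port=22 password=yes pubkey=yes
sshd_report "$FIXED_CFG"      # port=2222 password=no pubkey=yes
```

Run it against your real file (/etc/ssh/sshd_config on Debian) by calling `sshd_report` with that path; `sshd -T` from the server side gives the authoritative answer once the daemon is restarted.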
