16

I have this server (44.44.44.44, for instance) running a webserver. I have routed pollnote.com to the server to access my webserver. Everything works fine.

To access the server, I added my Public Key to .ssh/authorized_keys so I can do ssh root@44.44.44.44 to log in without problems.

The issue comes when I try it like this: ssh root@pollnote.com. The terminal just displays nothing, and it waits for me until I decide to abort the command.

What do I need to do to access the server using the domain name as reference?

UPDATE

I should have mentioned, I am accessing the server through CloudFlare. Maybe it is relevant?

data

➜  ~  dig pollnote.com

; <<>> DiG 9.9.5-9ubuntu0.1-Ubuntu <<>> mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56675
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pollnote.com.          IN  A

;; ANSWER SECTION:
pollnote.com.       299 IN  A   104.27.165.70
pollnote.com.       299 IN  A   104.27.164.70

;; Query time: 54 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Jul 30 19:12:38 CEST 2015
;; MSG SIZE  rcvd: 73

➜  ~  ssh -vvv root@pollnote.com
OpenSSH_6.7p1 Ubuntu-5ubuntu1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to pollnote.com [104.27.165.70] port 22.
Enrique Moreno Tent
  • Please paste the output of `dig mydomain.com` and `ssh -vvv root@mydomain.com`. – EEAA Jul 30 '15 at 17:09
  • Is `104.27.165.70` your `44.44.44.44`? It looks like it's a CloudFlare IP. Not sure if you can connect through CloudFlare. – jornane Jul 30 '15 at 17:23
  • That is the IP of Cloudflare. From there, I re-route it to `44.44.44.44` – Enrique Moreno Tent Jul 30 '15 at 17:23
  • Full disclosure: I have zero experience with CloudFlare (although I have done my part debugging end-user issues caused by them). On https://www.cloudflare.com/features-security it says something about blocking SSH on your root domain? – jornane Jul 30 '15 at 17:26
  • Again, no experience with them. They might provide you with an option to enable/disable SSH blocking. Check the control panel and their documentation. – jornane Jul 30 '15 at 17:29
  • Isn't creating a "SRV Record" a good solution for this issue? – Behzad May 27 '20 at 14:48
  • Are you sure `ssh` uses DNS `SRV` records? There is at least an extension to do that ( https://github.com/Crosse/sshsrv) but it is not in core ssh. – Patrick Mevzek May 27 '20 at 16:08

5 Answers

27

When you connect by IP address the SSH connection goes directly to your server, but if you use the domain name it goes through Cloudflare defenses. My suggestion would be to either use direct.pollnote.com (I think CloudFlare creates it automatically but people often remove it) or add your own alias like ssh.pollnote.com and disable CloudFlare protection on it.

dtoubelis
    Yep. OP is, as a result, trying to SSH into one of CloudFlare's servers rather than his own. – ceejayoz Jul 30 '15 at 17:53
  • I like the idea of adding an alias like `ssh.domain.com`. Worked for me and is way easier than remembering the origin IP. – skolind Apr 25 '18 at 09:46
  • Don't forget the port forward on, e.g., your router. I came here already expecting the answer as provided here, but still had problems; it turned out that the head-scratcher was because of this simple oversight. – Sam96 Nov 18 '20 at 18:51
  • IIRC, You can use Argo Tunnel while still having the connection proxy through Cloudflare. – Neeraj Mar 13 '21 at 13:40
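An added example (not from this thread or from Cloudflare) that turns dtoubelis's advice into a pre-flight check: before calling ssh, resolve the name you typed and refuse to continue if every A record belongs to the proxy, since the session would otherwise hang exactly as in the question. The function names are made up, `dig` is assumed to be installed, and the prefix list is a partial copy of Cloudflare's published IPv4 ranges that you should refresh from https://www.cloudflare.com/ips-v4 before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a hostname resolves to a
# Cloudflare proxy address rather than your own origin host before running ssh.
# CF_PREFIXES is a partial copy of Cloudflare's published IPv4 ranges; refresh it
# from https://www.cloudflare.com/ips-v4 before relying on it.
CF_PREFIXES="104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 162.158.0.0/15 198.41.128.0/17"

ip2int() {
    # Dotted-quad IPv4 -> 32-bit integer.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

in_cidr() {
    # Return 0 when IPv4 $1 lies inside CIDR block $2 (e.g. 104.24.0.0/14).
    ip=$(ip2int "$1"); net=$(ip2int "${2%/*}"); bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

is_cloudflare_ip() {
    for p in $CF_PREFIXES; do
        in_cidr "$1" "$p" && return 0
    done
    return 1
}

all_proxied() {
    # Return 0 when every address given is a proxy address (so ssh would hang).
    [ $# -gt 0 ] || return 1
    for a in "$@"; do
        is_cloudflare_ip "$a" || return 1
    done
    return 0
}

ssh_guard() {
    # Usage: ssh_guard [ssh options] user@host -- refuses to connect via the proxy.
    for last; do :; done
    host=${last#*@}
    if all_proxied $(dig +short A "$host"); then
        echo "$host resolves only to Cloudflare proxy addresses; ssh would hang." >&2
        echo "Use an unproxied alias (e.g. ssh.$host or direct.$host) instead." >&2
        return 2
    fi
    ssh "$@"
}
```

With the question's own dig answer (104.27.165.70 and 104.27.164.70), `ssh_guard root@pollnote.com` stops with the alias hint instead of hanging.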
3

dtoubelis's answer definitely solves this problem.

Friendly amendment: consider using something other than ssh.yourserver.com so that potential attackers have a harder time identifying your host's IP address.

For example, secret-circus-monkey.yourserver.com.

See, e.g., A Proper Server Naming Scheme; notably the author's comment regarding attack vectors:

In the article, we mentioned that our naming scheme also allows you to prevent inadvertent information disclosure by publicly exposing only the short random hostname while resolving the functional names solely on the internal network.

Jeremy
2

You can use something like what is outlined here.

If I try to SSH to the domain, our IPs will show, and that will cause issues (the same would go for something like ftp).

damoncloudflare
1

I wanted to add this as a comment to @dtoubelis's answer but the text formatting was too restrictive so I'm adding it as an answer instead.

In my case I added the following DNS Record to the "DNS" screen in Cloudflare:

Type     Name    Value                            TTL           Status
CNAME    ssh     is an alias of mywebsite.com     Automatic     Grey

I still couldn't get it to work until I realised you then have to change your ssh login command from:

ssh user@mywebsite.com

to

ssh user@ssh.mywebsite.com.

I then added similar CNAME records for ftp and sftp, so for example the ftp hostname in your ftp client changes from:

mywebsite.com

to

ftp.mywebsite.com.

I'm not sure if instead of a CNAME you can create an A record but it seems so according to Cloudflare.

Many thanks to @dtoubelis for the answer.

0

I found a tricky way. I created a script using the Cloudflare API to get the real IP of my server; then I can use the IP to connect to my server. This way, all addresses on Cloudflare remain proxied.

#!/bin/bash
set -euo pipefail

# Connect via the Cloudflare API to get the real (origin) IP of the home server.
# zoneID, admin@example.com and "API TOKEN" are placeholders for your own values.
# Note: X-Auth-Email/X-Auth-Key expect the account's Global API Key; a scoped API
# token is sent as "Authorization: Bearer <token>" instead.
IP=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/zoneID/dns_records?type=A&name=example.com&match=all" \
     -H "X-Auth-Email: admin@example.com" \
     -H "X-Auth-Key: API TOKEN" \
     -H "Content-Type: application/json" | jq -r '.result[0].content')

# Bail out if the lookup returned nothing rather than running ssh with an empty host.
if [ -z "$IP" ] || [ "$IP" = "null" ]; then
    echo "could not recover the origin IP from the Cloudflare API" >&2
    exit 1
fi

# Use the recovered IP address to connect to the server from remote.
ssh -i ~/.ssh/myCustomIdRsa user@"$IP" -p portNumber

Enjoy!

Toli