problems setting up remote ssh

7

2

I've got an ubuntu desktop at home and a mac laptop. I'm trying to set this up so that I can ssh into my ubuntu machine from outside my local network.

Here is what I have done so far:

(1) I've enabled ssh on port 22 on my ubuntu machine. The file /etc/ssh/sshd_config says it is listening on Port 22.

(2) If I look at my firewall status (ufw status), it says:

Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)

(3) On my Netgear C3700-100NAS router, I reserved the ip address to my ubuntu machine so that it won't change.

(4) I set up port forwarding, with service type TCP/UDP, external and internal ports set to 22, and it points to my internal IP address.

(5) I found my public ip address using http://www.myipaddress.com/

I can successfully ssh into my ubuntu machine from home, on the local network, using the local ip address.

But remote ssh times out. I also tried an online port forwarding tester (https://www.yougetsignal.com/tools/open-ports/), and when I point it to my public ip address and port 22, it tells me the port is closed.

When I attempt to remotely ssh, I get the following:

~ $ ssh -vvv myusername@xx.xxx.xxx.xx
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xx.xxx.xxx.xx" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xxx.xx] port 22.
debug1: connect to address xx.xxx.xxx.xx port 22: Operation timed out
ssh: connect to host xx.xxx.xxx.xx port 22: Operation timed out

UPDATES

Following some advice listed below, I've made a few changes. I changed port forwarding so that it now uses port 8022 as the external port, but still port 22 as the internal port. I've also turned on an option in my router settings that it responds to pings.

Now, if I ping my public IP, it does respond. However, if I test whether or not port 8022 is open via the yougetsignal website listed above, it still says it's closed.

If I attempt to SSH:

> ssh -vvv username@xx.xxx.xxx.xx -p 8022
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "xx.xxx.xxx.xx" port 8022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xxx.xx] port 8022.
debug1: connect to address xx.xxx.xxx.xx port 8022: Operation timed out
ssh: connect to host xx.xxx.xxx.xx port 8022: Operation timed out

I also called my ISP, and although it was a confusing conversation, it didn't seem like they were blocking the ports I was trying to use...

Following a suggestion below, I ran sudo nmap --packet-trace --traceroute --reason xx.xxx.xxx.xx. Here is a subset of the output. Port 8022 is not listed, but I imagine it should be:

Host is up, received reset ttl 253 (0.0028s latency).
Not shown: 996 filtered ports
Reason: 996 no-responses
PORT     STATE  SERVICE      REASON
135/tcp  closed msrpc        reset ttl 253
139/tcp  closed netbios-ssn  reset ttl 253
445/tcp  closed microsoft-ds reset ttl 253
1025/tcp closed NFS-or-IIS   reset ttl 253

I'm not sure where the problem is... the ubuntu machine? the router? Any ideas how to figure this out?

Thanks!

Pascal

Posted 2017-09-20T18:03:44.420

Reputation: 121

Answers

1

I had similar problem few days ago. Your modem or router may not be configured as a bridge. It depends on the ISP. In normal mode it will block all the incoming connections, but switching it into bridge mode gives all access. I had to call my ISP to change that, so I would have public IP address (not exactly fixed for long time but that's enough for me) and my router now works as a bridge for all the connections.

It is all about that ISP are lack of IP addresses and hide users beside few other routing stuff. You need to truly have public IP address.

pbies

Posted 2017-09-20T18:03:44.420

Reputation: 1 633

You just want port-forwarding on port 22. – xenoid – 2017-09-20T18:18:01.197

Behind ISP's modem I have my own router. So static IP and full modem bypass is needed. – pbies – 2018-06-11T08:29:54.197

0

(3) On my Netgear C3700-100NAS router, I reserved the ip address to my ubuntu machine so that it won't change.

(4) I set up port forwarding, with service type TCP/UDP, external and internal ports set to 22, and it points to my internal IP address.

From your description it looks like, your router does not listen to port 22.

I would test a few things

  1. Is it possible to ping to your public IP address? If not, can you activate ping/ICMP listening on the router?
  2. Test if it works, when you listen on your router on port 8022 and forward that to port 22. On Linux non privileged users aren't allowed to use port 1 to 1024, so perhaps something similar.
  3. I further would test, if a it would work with port 80 or 8080 and http. Perhaps the router does not allow SSH for some reason.

chloesoe

Posted 2017-09-20T18:03:44.420

Reputation: 627

I just tried pinging my public ip with ping xx.xxx.xxx.xx and the request timed out. So maybe that's a sign that I need to contact my ISP... – Pascal – 2017-09-20T23:28:37.977

Before anything else, I would Google "<your ISP> port forwarding"; perhaps they are blocking access. Another thing to try is to install nmap on your Mac laptop, connect to any external network (i.e. not your home network), and run something like sudo nmap --packet-trace --traceroute --reason xx.xxx.xxx.xx to debug any routing that may be going on.

– Zombie Feynman – 2017-09-21T07:56:52.993

I ran the nmap line you suggested. The port I have set up for port forwarding is not listed at all. I'm posting an excerpt above of the output. I imagine it should be, right? – Pascal – 2017-09-21T20:44:49.487

0

I would look first if the problem is on some network device of your ISP, then on your router, then on the pc.

Could you try once more and move the port from 8022 to 443?

Sometimes some ISP can have very restrictive port filtering. But 443 is often kept unfiltered. Also ports higher than 10000 might have better chances, but I see from your nmap that you can reach down to 445 or so: did you do the nmap from outside your local network? The best proof would be if you could launch the nmap from outside your home network towards your public ip.

Kr,
Cisco

tent

Posted 2017-09-20T18:03:44.420

Reputation: 51

0

I would suggest checking the NAT tables on your router. The NAT tables should enable your router to listen to any request on that port and forward the request to the designated port on the target machine (they can be the same port if desired). Ports between 1024 and 49151 are available for user use. If using a non-standard port, be use to use the -p flag on your ssh command.

Calvin Wels

Posted 2017-09-20T18:03:44.420

Reputation: 1

Asked: 2017-09-20T18:03:44.420

Viewed: 438 times

Active: 2017-11-22T22:32:52.803