ssh problem

Joseph Sinclair plug-discussion at stcaz.net
Sat Mar 17 14:12:12 MST 2007


der.hans wrote:
> On 17 Mar 2007, Joey Prestia chattered:
> 
>> I have a linksys router a desktop computer connected that stays on at
>> all times and sometimes a laptop connected wireless to my home network
>> I have static IP set for my desktop which I can ssh into any time but if I
>> get off my network I cannot ssh into my desktop by using the external IP
>> I have my firewall settings off on my router and ssh -v says :
>> [joey@localhost ~]$ ssh -v 68.3.73.132
>> OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
>> debug1: Reading configuration data /etc/ssh/ssh_config
>> debug1: Applying options for *
>> debug1: Connecting to 68.3.73.132 [68.3.73.132] port 22.
>> debug1: connect to address 68.3.73.132 port 22: Connection timed out
>> ssh: connect to host 68.3.73.132 port 22: Connection timed out
>> [joey@localhost ~]$
> 
> Presuming the Linksys is connected to your Internet pipe and the desktop
> is connected behind it...
> 
> Log in to the Linksys config interface[0].
> 
> Under "Applications & Gaming" add a port forward. You want to forward TCP
> port 22 to your internal IP.
> 
> [0] If you don't know where that is, try the following. On your desktop in
> a terminal window type 'netstat -rn'. That'll list an IP address under
> Router. The destination for that router should be 0.0.0.0. That's your
> gateway, which is the internal interface for your Linksys.
> 
> Let's say the IP is 192.168.1.1[1].
> 
> Point a browser at that IP, http://192.168.1.1/[2]. Linksys doesn't use the
> username. Enter whatever password you've set or the default if you haven't
> set one[3].
> 
> [1] I'd suggest changing the internal network to something other than the
> default. For instance, 192.168.204 would be better than 192.168.1. That'll
> require changing the static IP of your desktop to also be on the new
> network.
> 
> [2] Linksys allows being only available via an SSL connection. Under
> Administration enable HTTPS under Web Access -> Access Server. Make sure
> you can connect via https, then disable the http connection. I think the
> Wireless Access Web there is to allow connecting to the admin interface
> via a wireless client, so suggest making sure that's off.
> 
> [3] If you haven't changed the password please do :).
> 
> ciao,
> 
> der.hans
> 
> 
---
To Hans' excellent instructions I would add that it's generally a good idea to run
SSH on a non-standard external port (say 43722).  Port 22 is a well-known port, so it's
often the target of port scanning attacks, while high-range ports (above 33000) are
expensive enough to randomly scan that they're rarely examined by attackers.

To wit:
The port forward would look something like: forward port (48522) on WAN to port (22) host (192.168.204.149) on LAN.
If your particular Linksys won't allow the port translation, just run the SSH daemon on port 48522 on the LAN box;
either way it takes your external connection off of port 22 and into a slightly safer region.
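
An added example, not part of the original posts: a small Python check for verifying the forward from outside the LAN, which separates the "Connection timed out" in the `ssh -v` output above (packets dropped, usually no forward) from a refused connection (forward works, nothing listening) and confirms an SSH daemon answers. The names `probe_ssh`, `fake_sshd` and `HINTS` are hypothetical, and the demo listener and its banner are constructed so the block runs offline.

```python
import socket
import threading

# Interpretation of each outcome for this setup (general TCP behaviour, added here).
HINTS = {
    "timeout": "packets dropped: no port forward on the router, or a filter in the path",
    "refused": "reached a host, but nothing listens on that port (sshd down or wrong port)",
    "ssh": "forward works and an SSH daemon answered",
    "open-not-ssh": "port is open but another service answered; check the forward target",
    "error": "local network error (routing, DNS, interface down)",
}

def probe_ssh(host, port, timeout=5.0):
    """Make one TCP connection and classify the result as (state, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            raw = sock.recv(255)  # an SSH server sends its identification first
        except OSError:           # includes a read timeout
            raw = b""
    # RFC 4253 allows other lines before the "SSH-" identification string.
    for line in raw.splitlines():
        if line.startswith(b"SSH-"):
            return ("ssh", line.decode("ascii", "replace").strip())
    return ("open-not-ssh", raw[:40].decode("ascii", "replace").strip())

def fake_sshd(banner=b"SSH-2.0-ConstructedDemo\r\n"):
    """Constructed stand-in listener on 127.0.0.1 so the demo runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    state, detail = probe_ssh("127.0.0.1", fake_sshd(), timeout=2.0)
    print(state, detail, "->", HINTS[state])
```

To check a real forward, call `probe_ssh` with your own external address and forwarded port from a machine outside the LAN.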


