On Wed, 10 Oct 2012 08:35:13 -0700 (PDT) houkensjtu <houkens...@gmail.com> wrote:
> Hi debianer!
> I am a newbie both of debian and networking...
> Recently I am trying to connect my home laptop(I have a router in my
> home) from office. I read several articles on port forwarding. And I
> succeeded in opening port 22 on my router, also I started ssh
> server on my home laptop.
>
> (suppose my username at home is USER, and my laptop is called DEBIAN)
>
> I did several experiments and I got confused by some of the results.
>
> 1. ssh USER@DEBIAN
>
> works well!!
>
> 2. nc -vz my_home_external_ip 22
> [my_home_external_ip] 22 (ssh) : Connection refused
>
> I can't understand why it is. Because I have actually succeeded in
> test 1!
>
> 3. ssh -l USER my_home_external_ip
> ssh: connect to host my_home_external_ip port 22: Connection refused
> This also doesn't work! I thought it should be equivalent to test 1,
> but things just don't work.
>
> Anyone can explain this?
>

Not yet. Many commercial networks operate firewalls affecting the
connections leaving the network, so as yet you don't know which end of
the connection has an issue.

Divide the problem into two parts: the simplest way to check port
forwarding is to use an external website from home, that way you can
change things without travelling from your office, and you know the
other end will have no firewall problems.

A simple and slightly alarming but fairly reliable site is
http://grc.com. Click on Shields Up!!, scroll down over halfway and
click the heading Shields Up!, then Proceed, and Continue, then Common
Ports (you can enter 22 manually, but the Common Ports is a quick test
and just one click is needed). You're looking for 22 shown as Open, and
probably all others as Stealth. Ignore all the dire warnings, this is a
site for Windows users and they need to be scared.

If 22 is not shown as Open, then you either haven't got the forwarding
right, or sshd isn't running as you expect. If the router looks right,
from your laptop try ssh <IP address of laptop>. This isn't the same as
ssh localhost, as the ssh server treats different interfaces
separately.

If all is well at this end, but there is still a problem from your
office, then you need to ask about outgoing firewalling there.

However you resolve the initial problem, the ssh server is very heavily
targeted by the bad guys, using password checking bots. A quick and
dirty security measure is to forward a non-standard high numbered
external TCP port to <laptop>:22 (nearly all routers should be able to
do that) or to forward it to the same port of the laptop, and
reconfigure the ssh server to listen on that port (the Port xxx line(s)
in /etc/sshd_config). Remember to restart the ssh server if you need to
do this.

Six people will now leap in and say that's not going to improve
security, all the bad guys have to do is run a portscan to find your
server. However, scanning 65,000 ports of the same IP address across
the Internet is no small undertaking, and will certainly attract
attention, and I've never yet seen a bot attempt it. I don't get *any*
connection attempts to my ssh port, while 22 gets 10-100 a day.

The long-term solution is to disable passwords and use public-private
key pairs for authentication, which is not really difficult, but is not
for a complete beginner, and can certainly not be tried until you have
the system working reliably on passwords. A quick Google for ssh public
key tutorial turns up a vast number of sites to help with this.

If you need to work from Windows, by the way, the PuTTY program is
pretty much the industry standard. There is also a Portable Apps
version of it, which does not write anything to the Windows machine.

-- 
Joe
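
The "which end has the issue" check from the reply above, as an added example that is not part of the original message: a single-port probe that separates open, refused and filtered (GRC's "Stealth") and confirms that what answers is really an SSH server by reading its banner. The function names `probe_ssh` and `diagnose` and the hint wording are assumptions made for this sketch.

```python
import errno
import socket
import sys


def probe_ssh(host, port=22, timeout=3.0):
    """Return (state, banner); state is 'open', 'refused' or 'filtered'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # A reset came back: the path works, but nothing accepts on this port.
        return "refused", None
    except (socket.timeout, TimeoutError):
        # No reply at all: packets are being dropped somewhere on the path.
        return "filtered", None
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered", None
        raise
    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server sends its identification line first (RFC 4253).
            line = sock.recv(255).split(b"\n", 1)[0].strip()
        except OSError:
            line = b""
    return "open", line.decode("ascii", "replace") or None


def diagnose(state, banner):
    """Map a probe result to the next thing to check (wording is illustrative)."""
    if state == "refused":
        return ("refused: check the router's port forward and that sshd is "
                "running and listening on this interface and port")
    if state == "filtered":
        return ("filtered: no reply; a firewall is dropping packets, possibly "
                "outgoing filtering on the network you are probing from")
    if banner and banner.startswith("SSH-"):
        return "open: ssh server answered with " + banner
    return "open: something accepts connections, but it sent no SSH banner"


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]
    target = sys.argv[1]
    tcp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(diagnose(*probe_ssh(target, tcp_port)))
```

Run it from the laptop against the laptop's own LAN address first, then from outside against the external address, so each half of the path is tested separately.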