Ssh – How to debug SSH port forwarding

freebsdport-forwardingsshsshd

This is an extension to ssh port forward to access my home machine from anywhere

I tried things mentioned there but I am not able to ssh to my machine.

Netgear router settings for port forwarding:

Start Port: 22
End Port: 22
Server IP Address: IP address of by FreeBSD box

/etc/ssh/sshd_conf of my FreeBSD box:

PasswordAuthentication yes
AllowUsers root
X11Forwarding yes
AllowTcpForwarding yes

How I am trying to connect:

I've signed up for dyndns.com and got a URL that maps to my external IP address.

From another machine in my home network, I do:
ssh -l root my_dyndns_ip
Which is just timing out.

On the other hand, I can ping my_dyndns_url successfully.

Debugging:

How can I fix this so that I can ssh from anywhere to my_dnydns_url ?

I tried to look into logs of my Netgear router but on failed ssh attempt, no log in generated on the router.

I also looked into /var/log/messages but could not finding anything.

Edit:0
Running ssh in verbose mode (as per @jasonwryan suggested):

I am noticing a weird thing: When I do ssh to the dyndns.com provided url, its trying to connect to other IP address than what I get from whatismyip.com. Isn't that wrong?

Edit:1
Problem with dyndns is now solved.

Now when I try to ssh, it times out and I get error: Connection timed out

Edit:2
Does iptables or NAT has anything to do with it?

Edit:3
I started ssh with -d option to capture debug messages.

When I ssh to the freebsd box from any other machine in wlan, It works fine and I can see logs.

But when I ssh to external ip (which should forward that to my freebsd box), I do not even see any logs – that means, request is not even reaching freebsd box. And it times out.

Best Answer

I am thinking you problem is not in the port forwarding, but another option in the NAT config in the router.

First, ensure if you use your LAN IP, you can successfully SSH from another machine on the network. This ensures SSH works at all.

Second, test from another machine outside the network using the public IP. This ensures that port forwarding works.

Third, test from that same machine outside the network and use the DynDNS URL. This ensures that DynDNS is working properly.

If all of those succeed, then nothing is wrong with your configuration (which I'll assume is correct) and you problem is only accessng the public IP (either directly or through DynDNS) from inside the network. This means that your router needs to have NAT reflection enabled (if possible) to route internal requests as if they were external requests for the public IP.

I'll start with the raw facts :

You have: A - your FreeBSD box, B - your router and C - some machine with Internet access. This is how it looks like:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
\_________ ________/
          v
           `- this is your LAN

Notice how your router normally works: it allows connections from machines on your LAN to the Internet (simply speaking). So if the A (or any other machine on LAN) wants to access the Internet, it will be allowed (again, just talking about basic understanding and configuration) :

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `-->----'  `--->--->---^

And the following is not allowed by default:

.-----.      .-----.                        .-----.
|  A  |  ==  |  B  |  - - ( Internet ) - -  |  C  |
'-----'      '-----'                        '-----'
      `--<----'  `---<--- - - - - --<---<-----'

(That is, the router protects the machines on your LAN from being accessed from the Internet.) Notice that the router is the only part of your LAN that is seen from the Internet¹⁾.

Port forwarding is what allows the third schema to take place. This consists in telling the router what connection from C²⁾ should go to which machine on the LAN. This is done based on port numbers - that is why it is called port forwarding. You configure that by instructing the router that all the connections coming on a given port from the Internet should go to a certain machine on LAN. Here's an example for port 22 forwarded to machine A:
```
.------.     .-------.                        .-----.
|  A   | ==  |   B   |  - - ( Internet ) - -  |  C  |
|      |     |       |                        '-----'
'-|22|-'     ',--|22|'                          |
    `--<-22---'    `---<---- - - - - - --<-22---'
```
Such connections through the Internet occur based on IP addresses. So a bit more precise representation of the above example would be:
```
.------.      .-------.                                .-----.
|  A   |  ==  |   B   | - - - - - ( Internet ) - - - - |  C  |
|      |      |       |                                '-----'
'-|22|-'      ',--|22|'                                   |
    `--<-A:22--'    `--<-YourIP:22 - - - - --<-YourIP:22--'
```
If you do not have an Internet connection with a static IP, then you'd have to somehow learn what IP is currently assigned to your router by the ISP. Otherwise, C will not know what IP it has to connect to in order to get to your router (and further, to A). To solve this in an easy way, you can use a service called dynamic DNS. This would make your router periodically send information to a special DNS server that will keep track of your IP and provide you with a domain name. There are quite a few free dynamic DNS providers. Many routers come with configuration options to easily contact with those.

_{¹⁾ This is, again, a simplification - the actual device that is seen to the Internet is the modem - which can often be integrated with the router, but might also be a separate box.

²⁾ or any other machine with Internet connection.}

Now for what you want:

Simply allowing ssh access to your machine from the Internet is a bad idea. There are thousands of bots set up by crackers that search the Internet for machines with open SSH port. They typically "knock" on the default SSH port of as many IPs as they can and once they find an SSH daemon running somewhere, the try to gain bruteforce access to the machine. This is not only a risk of potential break-in, but also of network slow-downs while the machine is being bruteforced.
If you really need such access, you should at least
- assure that you have strong passwords for all the user accounts,
- disallow root access over SSH (you can always log in as normal user and su or sudo then),
- change the default port on which your SSH server would run,
- introduce a mechanism of disallowing numerous SSH login attempts (with icreasing time-to-wait for subsequent attempts - I don't remember how exactly this is called - I had it enabled some time ago on FreeBSD and I recall it was quite easy - try searching some FreeBSD forums etc. about securing SSH an you'll find it.)
- If possible, try to run ssh daemon only when you know you will be accessing the machine in near future an turn it off afterwards
Get used to going through your system logs. If you begin noticing anything suspicious, introduce additional security mechanisms like IP tables or port knocking.

Best Answer

Related Solutions

SSH Port Forwarding – How to Access Home Machine from Anywhere

I'll start with the raw facts :

Now for what you want:

Related Question