Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1198
Posted: Sun Jul 25, 2021 4:34 pm Post subject: Impossible to connect remotely via ssh |
Hello, I have a problem: I tried to connect from my phone via ssh to my laptop, but it doesn't work. I have already enabled the sshd service, but nothing. Is it necessary to enable a feature in the config file to allow remote access via ssh?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3872
Posted: Sun Jul 25, 2021 4:49 pm Post subject: |
Yes, in
/etc/ssh/sshd_config
edit
Code:
PasswordAuthentication yes
PermitRootLogin yes
Then make sure port 22/tcp is open in the firewall and restart sshd.
Then please find a way to create ssh keys on your phone.
If successful, copy the keys over to the laptop and
re-edit
/etc/ssh/sshd_config
Code:
PermitRootLogin prohibit-password
PasswordAuthentication no
restart sshd and enjoy passwordless ssh from your phone to your laptop.
Last edited by alamahant on Sun Jul 25, 2021 5:29 pm; edited 3 times in total
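The key-only setup alamahant describes above (allow password login briefly, get the phone's public key onto the laptop, then turn passwords off), as an added shell example that is not code from the thread. It assumes an OpenSSH that honours an Include /etc/ssh/sshd_config.d/*.conf line in sshd_config (8.2 or newer, and the line has to actually be present; otherwise put the same directives into sshd_config itself), a login user named fulgurance (placeholder), and a public key exported by the phone's ssh app. The key line in the block is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a phone's public key and switch sshd to key-only logins.
# Not from the thread; paths, the user name and the key line are assumptions.
set -eu

# 1. Put the public key exported by the phone's ssh app into the user's
#    authorized_keys, idempotently and with the permissions sshd's StrictModes
#    requires (~/.ssh 700, authorized_keys 600, both owned by the user).
install_pubkey() {
    home="$1"      # user's home directory, e.g. /home/fulgurance
    pubkey="$2"    # one line: "ssh-ed25519 AAAA... comment"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # append only if this exact line is not already present
    grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# 2. Write the hardening as a drop-in so the distribution's sshd_config stays
#    untouched. Requires "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config.
#    (On releases older than 8.7 the keyboard-interactive option is also known
#    as ChallengeResponseAuthentication.)
write_keys_only_conf() {
    conf="$1"      # e.g. /etc/ssh/sshd_config.d/10-keys-only.conf
    cat > "$conf" <<'EOF'
# Keys only: no password or keyboard-interactive logins, root only with a key
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# 3. Sanity checks before restarting sshd: the Include line must exist and the
#    merged configuration must parse. Keep the current session open until a
#    fresh key-based login from the phone has succeeded.
sshd_includes_dropins() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+"?/etc/ssh/sshd_config\.d/' "$1"
}

check_sshd_config() {
    # sshd -t exits non-zero on a syntax error; needs root to read host keys
    command -v sshd >/dev/null && sshd -t -f "$1"
}

# Usage on the laptop (run as root: sh this-script.sh apply).
# The key line below is a constructed placeholder.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    install_pubkey /home/fulgurance \
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDERKEY phone"
    chown -R fulgurance:fulgurance /home/fulgurance/.ssh
    sshd_includes_dropins /etc/ssh/sshd_config ||
        { echo "sshd_config has no Include for sshd_config.d; add one first" >&2; exit 1; }
    write_keys_only_conf /etc/ssh/sshd_config.d/10-keys-only.conf
    check_sshd_config /etc/ssh/sshd_config
    rc-service sshd restart   # Gentoo OpenRC; systemctl restart sshd on systemd
fi
```

sshd -t only catches syntax errors, not a key that was pasted wrong, so test a new login from the phone before closing the session you edited from. PermitRootLogin prohibit-password still lets root in with a key; set it to no when the phone logs in as a normal user anyway.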
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54028 Location: 56N 3W
Posted: Sun Jul 25, 2021 4:54 pm Post subject: |
Fulgurance,
Code:
PasswordAuthentication yes
PermitRootLogin yes
If this system is accessible from the outside world, that gives script kiddies 50% of the information required to brute force ssh.
It's OK for a test, with a good pass phrase, but not for long term use.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1198
Posted: Sun Jul 25, 2021 4:59 pm Post subject: |
Oh yeah, I read that, and I was already thinking this could be a way to be attacked. Thank you for your advice.
Are there other, more secure ways to do that?
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3872
Posted: Sun Jul 25, 2021 5:01 pm Post subject: |
Quote:
Oh yeah, I read that, and I was already thinking this could be a way to be attacked. Thank you for your advice.
Are there other, more secure ways to do that?
Yes, please use key authentication. Please look at my updated post above.
I was using this ssh client on my tablet:
https://play.google.com/store/apps/details?id=com.sonelli.juicessh&hl=en&gl=US
Neddy is 100% right.
You will be getting countless attempts to ssh into your laptop.
Best use this scheme only in your LAN.
If you definitely need access to your laptop from the internet, consider some of these:
1. use a different sshd port -- but it will not really protect you.
2. use a vpn
3. use torified ssh, i.e. ssh over tor. It is very safe but very slow.
4. totally prohibit root ssh access
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun Jul 25, 2021 5:38 pm Post subject: |
NeddySeagoon wrote:
Fulgurance,
Code:
PasswordAuthentication yes
PermitRootLogin yes
If this system is accessible from the outside world, that gives script kiddies 50% of the information required to brute force ssh.
What do you mean by 50% information? If a user name is really 50% of the information, you are doing something very wrong with your passwords.
Quote:
It's OK for a test, with a good pass phrase, but not for long term use.
If all your users have a sufficiently long passphrase, there is no risk with it.
That being said, most users and administrators do not have the discipline to use such a long passphrase, so that, in practice, you are right.
BTW, isn't there also a way to use SSL certificates instead of keys? Maybe with Let's Encrypt this might become an option even for "normal" users nowadays?
(I never tried that, but I know that on Android it was hard to find a free open-source app which uses keys.)
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54028 Location: 56N 3W
Posted: Sun Jul 25, 2021 5:53 pm Post subject: |
mv,
The 50% meant that you need both a username and password.
The username root is widely known.
I did not intend to imply that it was 50% of the entropy, for want of a better word, to achieve a successful login.
Connectbot on Android has an option to manage public keys.
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2894 Location: Edge of marsh USA
Posted: Tue Jul 27, 2021 2:53 am Post subject: |
Use Fail2Ban on your host with stringent settings. This will discourage script kiddies.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
Leonardo.b Apprentice
Joined: 10 Oct 2020 Posts: 294
Posted: Sat Jul 31, 2021 12:09 am Post subject: |
The firewall can be configured to notice when someone attempts to connect to ports in a certain range (a sort of minecamp), and add the IPs of matching connections to a banlist.
It helps if you have sshd on a non-default port.
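figueroa's Fail2Ban suggestion and Leonardo.b's trap-port idea, as one added shell example rather than anything posted in the thread: count failed-password lines per source address in sshd's log, emit nft commands that put repeat offenders into a timed set, and an nftables ruleset whose trap range feeds the same set. The log lines are constructed samples; the table and set names, the trap range 20-30 and sshd on port 2222 are assumptions, and the ruleset covers IPv4 sources only.

```shell
#!/bin/sh
# Added example: a fail2ban-style ban list from sshd log lines, plus an nftables
# ruleset with a "trap" port range. Not from the thread; the table/set names,
# the ports and the sample log lines are assumptions.
set -eu

# Constructed sample of what sshd logs (syslog format) during a brute-force run.
SAMPLE_LOG='Jul 27 02:01:11 laptop sshd[2310]: Failed password for root from 203.0.113.7 port 51822 ssh2
Jul 27 02:01:13 laptop sshd[2310]: Failed password for root from 203.0.113.7 port 51822 ssh2
Jul 27 02:01:15 laptop sshd[2315]: Invalid user admin from 203.0.113.7 port 51830
Jul 27 02:01:20 laptop sshd[2318]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Jul 27 02:02:02 laptop sshd[2320]: Accepted publickey for fulgurance from 192.0.2.10 port 40122 ssh2: ED25519 SHA256:q3Vr...
Jul 27 02:03:44 laptop sshd[2325]: Failed password for fulgurance from 198.51.100.4 port 60001 ssh2'

# Print, one per line and sorted, every source address with at least $1 failed
# password attempts in the log read from stdin. Only "Failed password" lines
# count; the "Invalid user" line is the same attempt logged a second time.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip }
    ' | sort
}

# Turn the offender list into nft commands that add them to a timed set.
ban_commands() {
    while IFS= read -r ip; do
        printf 'nft add element inet filter banned { %s timeout 1h }\n' "$ip"
    done
}

# Ruleset the bans plug into: sshd moved to 2222 (assumption), a hit on the
# trap range 20-30 puts the source into the same set, set members are dropped.
# Load with "nft -f" only after checking what else this laptop must accept.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    set banned {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr @banned drop
        tcp dport 20-30 add @banned { ip saddr } drop
        tcp dport 2222 accept
    }
}
EOF
}

# Usage: run over the real log and pipe the commands to sh once they look right.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | ban_commands
```

Fail2Ban does the same job with log following and a time window; this is the core of it stripped down so the logic is visible. With the sample above and a threshold of 3 only 203.0.113.7 is banned, while the single failure from 198.51.100.4 and the successful key login from 192.0.2.10 are left alone.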
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1198
Posted: Sat Jul 31, 2021 10:15 pm Post subject: |
One question again; I'm a noob with networking …
When my phone isn't connected to the same wifi as my laptop, I can't establish a connection via ssh to my laptop.
I think I need to use the public IP maybe. I tried with this address as well, but it's impossible to connect. Why? And how can I connect to my laptop from a distance?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54028 Location: 56N 3W
Posted: Sat Jul 31, 2021 11:15 pm Post subject: |
Fulgurance,
When you are away from home, you will connect over the internet.
This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.
It's likely you have a dynamic public IP, so it will change. To work around that, you need a service like no-ip, which is a dynamic DNS.
You get a name that resolves to your dynamic IP, and when your IP changes your name points to the new IP.
no-ip is not a recommendation. I have a static IP, so it's not a feature I have a use for.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun Aug 01, 2021 4:40 am Post subject: |
NeddySeagoon wrote:
This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.
Since this part might have got lost in the comments about no-ip:
It is the main answer to the question (because Fulgurance noted that they already tried with that IP).
Most routers are by default configured to not forward anything (as a questionable security feature).
Looking at your router is the first thing you should do if the connection does not work as expected; possibly you also find log files or tools that help debugging.
Concerning the other point which NeddySeagoon mentioned: some router vendors also provide their own dynamic DNS service and/or support various such services, so it is not necessarily something you have to do with your Gentoo. But it very much depends on the router (and its vendor); there are also routers without much functionality.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1198
Posted: Sun Aug 01, 2021 8:38 am Post subject: |
Hmmm okay. But it's strange; I remember that in the past I used the juicessh application on Android, and I was able to connect from a distance.
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3872
Posted: Sun Aug 01, 2021 9:16 am Post subject: |
Also, as Neddy pointed out, you will need a dyn dns service.
I like Dynu very much.
You can have up to 4 domains forwarded to your external IP.
And updating is easy, even with a chrome extension.
The only way to avoid dynamic DNS is either to get an immutable external IP or to use ssh over tor after creating an ssh secret tor service on your laptop.
But it is SLOW.
Fulgurance Veteran
Joined: 15 Feb 2017 Posts: 1198
Posted: Sun Aug 01, 2021 9:31 am Post subject: |
One question, because I'm not an expert with networking.
When you say I need DNS: if I use DNS, is DNS able to give my laptop a fixed host?
Can this be done with resolv.conf? https://wiki.gentoo.org/wiki/Resolv.conf
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54028 Location: 56N 3W
Posted: Sun Aug 01, 2021 9:58 am Post subject: |
Fulgurance,
Dynamic DNS tracks a changing public IP and points the name to it ... including the changes.
Say you were away from home for 10 days and your IP address changed every day.
Dynamic DNS would work all the time.
If you made a note of your IP address before you left, it would only work until the first change.
While you are at home testing, you can use your mobile phone and its data plan (not wifi) to test.
As you can see your public IP, dynamic DNS is not required.
What router do you have?
Post the make and model so we can find the user manual.
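The dynamic DNS and port-forward piece that NeddySeagoon, mv and alamahant describe in the posts above, as an added shell example that is not from the thread: look up the public IP as the outside world sees it, push it to the dynamic DNS name only when it has changed, and check that the router's forward actually reaches sshd. Assumptions: dig (net-dns/bind-tools) is installed; the provider accepts an HTTPS update URL like the placeholder below (Dynu, no-ip and the router-vendor services each have their own, so check the provider's docs); sshd is reached through a forward on port 2222; the name laptop.example.net, the update URL and the cache path are placeholders.

```shell
#!/bin/sh
# Added example: keep a dynamic DNS name pointed at a changing public IP and
# check that the router forwards the ssh port. Not from the thread; the host
# name, update URL, port and cache path are assumptions.
set -eu

NAME="laptop.example.net"          # your dynamic DNS name (placeholder)
SSH_PORT=2222                      # port the router forwards to sshd (assumption)
CACHE="${DDNS_CACHE:-/var/tmp/ddns-last-ip}"
UPDATE_URL="https://ddns.example.net/update?hostname=$NAME&myip="   # placeholder

# Accept only a dotted quad with octets 0-255, so that an error page or
# captive-portal HTML returned by the lookup never ends up in the update URL.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
        }
    '
}

# Public IP as seen from outside: OpenDNS answers this special name with the
# address the query came from, which is the router's WAN address.
public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# Exit 0 (and record the new address) only when it differs from the cached one,
# so the provider is not hit on every cron run.
ip_changed() {
    ip="$1"; cache="$2"
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$ip" ]; then
        return 1
    fi
    printf '%s\n' "$ip" > "$cache"
    return 0
}

# Provider-specific; credentials come from ~/.netrc rather than the command line,
# where every user on the box could read them in ps output.
update_ddns() {
    curl -fsS --netrc "$UPDATE_URL$1" >/dev/null
}

# Exit 0 only when the forward works and a key login succeeds. Run it from
# outside your LAN (phone on mobile data, or a remote shell); from inside,
# many routers do not loop a connection to their own public address back in.
ssh_reachable() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 -p "$SSH_PORT" "$1" true 2>/dev/null
}

# Usage from cron every few minutes: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
    ip=$(public_ip)
    is_ipv4 "$ip" || { echo "lookup returned '$ip', not an IPv4 address" >&2; exit 1; }
    if ip_changed "$ip" "$CACHE"; then
        update_ddns "$ip"
        echo "$NAME -> $ip"
    fi
fi
```

The validation step matters more than it looks: a DDNS update URL is a GET with the address pasted in, so whatever the lookup returns on a broken or captive network is sent to the provider unless it is checked first. If ssh_reachable fails while the same login works on the LAN, the problem is the router's forward, not sshd.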