Gentoo Forums
Impossible to connect remotely via ssh
Fulgurance
Veteran

Joined: 15 Feb 2017
Posts: 1198

Posted: Sun Jul 25, 2021 4:34 pm    Post subject: Impossible to connect remotely via ssh

Hello, I have a problem. I tried to connect with my phone via ssh to my laptop, but this doesn't work. I enabled the sshd service already, but nothing. Is it needed to enable a feature in the config file to allow remote access via ssh?
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3872

Posted: Sun Jul 25, 2021 4:49 pm

Yes, in
/etc/ssh/sshd_config
edit
Code:

PasswordAuthentication yes
PermitRootLogin yes

Then make sure port 22/tcp is open in the firewall and restart sshd.
Then plz find a way to create ssh keys on your phone.
If successful, copy the keys over to the laptop and re-edit
/etc/ssh/sshd_config
Code:

PermitRootLogin prohibit-password
PasswordAuthentication no

Restart sshd and enjoy passwordless ssh from your phone to your laptop.
_________________
:)


Last edited by alamahant on Sun Jul 25, 2021 5:29 pm; edited 3 times in total
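An added example, not part of the thread and not alamahant's code: a small POSIX sh script that reports the effective values of the two sshd_config keywords discussed in the post above. OpenSSH uses the first occurrence of a keyword, so a hardened `PasswordAuthentication no` placed below an earlier `yes` does nothing; the script honours that rule, stops at the first `Match` line (everything after it is conditional), and applies OpenSSH's compiled-in defaults when a keyword is absent (PasswordAuthentication yes, PermitRootLogin prohibit-password). The function names and the sample config it writes to a temporary file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective values of the two
# sshd_config keywords discussed above. OpenSSH uses the FIRST occurrence of a
# keyword, and anything after a "Match" line is conditional, so this reads only
# the global section and stops at the first "Match".

# effective_value FILE KEYWORD
# Prints the first value set for KEYWORD in the global section of FILE.
# Prints nothing if the keyword is not set there (OpenSSH then uses its default).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        tolower($1) == "match" { exit }                 # end of the global section
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints "<keyword> <effective value> <OK|WEAK>" for each keyword, using OpenSSH's
# defaults when the keyword is absent (PasswordAuthentication yes,
# PermitRootLogin prohibit-password). Returns 0 only when both are hardened.
audit_sshd_config() {
    file="$1"
    status=0

    pw=$(effective_value "$file" PasswordAuthentication)
    [ -n "$pw" ] || pw=yes
    case "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" in
        no) echo "PasswordAuthentication $pw OK" ;;
        *)  echo "PasswordAuthentication $pw WEAK"; status=1 ;;
    esac

    root=$(effective_value "$file" PermitRootLogin)
    [ -n "$root" ] || root=prohibit-password
    case "$(printf '%s' "$root" | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password)
            echo "PermitRootLogin $root OK" ;;
        *)  echo "PermitRootLogin $root WEAK"; status=1 ;;
    esac
    return "$status"
}

# Constructed sample config (not a real system file): the test-only settings from
# the first Code block, followed by a hardened line that OpenSSH would ignore
# because an earlier line already set the keyword.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sshd_config for the demonstration
PasswordAuthentication yes
PermitRootLogin yes
# too late: the first PasswordAuthentication line above wins
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE" || echo "sshd_config still allows password logins and/or root logins"
rm -f "$SAMPLE"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`. The authoritative check remains `sshd -T`, which prints the full effective configuration as OpenSSH itself resolves it, Match blocks included; the script above is only a quick way to see why a hardened line appended at the bottom of the file may not take effect.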
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Sun Jul 25, 2021 4:54 pm

Fulgurance,

Code:
PasswordAuthentication yes
PermitRootLogin yes

If this system is accessible from the outside world, that gives script kiddies 50% of the information required to brute force ssh.
It's OK for a test, with a good pass phrase, but not for long term use.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Fulgurance
Veteran

Joined: 15 Feb 2017
Posts: 1198

Posted: Sun Jul 25, 2021 4:59 pm

Oh yeah, I read that, and I was already thinking this could be a way to be attacked... Thank you for your advice.

Are there other, more secure ways to do that?
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3872

Posted: Sun Jul 25, 2021 5:01 pm

Quote:

Oh yeah, I read that, and I was already thinking this could be a way to be attacked... Thank you for your advice.

Are there other, more secure ways to do that?

Yes, plz use key authentication. Plz look at my updated post above.
I was using this ssh client on my tablet:
https://play.google.com/store/apps/details?id=com.sonelli.juicessh&hl=en&gl=US
Neddy is 100% right.
You will be getting countless attempts to ssh into your laptop.
Best use this scheme only in your LAN.
If you definitely need access to your laptop from the internet, consider some of these:

1. use a different sshd port -- but it will not really protect you.
2. use a VPN
3. use torrified ssh, i.e. ssh over Tor. It is very safe but very slow.
4. totally prohibit root ssh access
Code:

PermitRootLogin no

_________________
:)
mv
Watchman

Joined: 20 Apr 2005
Posts: 6747

Posted: Sun Jul 25, 2021 5:38 pm

NeddySeagoon wrote:
Fulgurance,

Code:
PasswordAuthentication yes
PermitRootLogin yes

If this system is accessible from the outside world, that gives script kiddies 50% of the information required to brute force ssh.

What do you mean by 50% information? If a user name is really 50% information, you are doing something very wrong with your passwords.
Quote:
It's OK for a test, with a good pass phrase, but not for long term use.

If all your users have a sufficiently long passphrase, there is no risk with it.
That being said, most users and administrators do not have the discipline to use such a long passphrase so that, in practice, you are right.

BTW, isn't there also a way to use SSL certificates instead of keys? Maybe with Let's Encrypt this might become an option even for "normal" users nowadays?
(I never tried that, but I know that on Android it was hard to find a free open-source app which uses keys.)
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Sun Jul 25, 2021 5:53 pm

mv,

The 50% meant that you need both a username and password.
The username root is widely known.

I did not intend to imply that it was 50% of the entropy, for want of a better word, to achieve a successful login.

Connectbot on Android has an option to manage public keys.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
figueroa
Advocate

Joined: 14 Aug 2005
Posts: 2894
Location: Edge of marsh USA

Posted: Tue Jul 27, 2021 2:53 am

Use Fail2Ban on your host with stringent settings. This will discourage script kiddies.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
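An added example, not from the thread and not Fail2Ban's own filter: the core of what a Fail2Ban sshd jail does, written as a POSIX sh function around awk. It reads sshd log lines, counts failed attempts per source address (the word after "from") and prints the addresses that reached the jail's maxretry threshold, i.e. the ones a jail would ban. The function name, the threshold and the sample log lines are constructed for this demonstration (the addresses come from the RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example (not from the thread, not Fail2Ban code): count failed sshd
# authentication attempts per source address and list the addresses that
# crossed a maxretry threshold, which is the set a Fail2Ban jail would ban.

# failed_logins_by_ip [MAXRETRY]
# Reads sshd log lines on stdin and prints "<ip> <count>" for every address
# with at least MAXRETRY (default 3) failures, most failures first.
failed_logins_by_ip() {
    maxretry="${1:-3}"
    awk -v max="$maxretry" '
        # Two message shapes sshd writes for a failed password attempt:
        #   "Failed password for [invalid user] NAME from IP port N ssh2"
        #   "Invalid user NAME from IP port N"
        # Successful logins ("Accepted publickey ...") are not matched.
        /Failed password for/ || /Invalid user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print ip, fails[ip]
        }
    ' | sort -k2,2nr
}

# Constructed sample log lines in syslog format (not captured from a real host).
SAMPLE_LOG='Jul 25 17:02:11 laptop sshd[1201]: Failed password for root from 203.0.113.7 port 51010 ssh2
Jul 25 17:02:13 laptop sshd[1201]: Failed password for root from 203.0.113.7 port 51010 ssh2
Jul 25 17:02:15 laptop sshd[1201]: Failed password for root from 203.0.113.7 port 51010 ssh2
Jul 25 17:02:20 laptop sshd[1204]: Invalid user admin from 198.51.100.23 port 40122
Jul 25 17:02:21 laptop sshd[1204]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Jul 25 17:03:01 laptop sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
Jul 25 17:03:40 laptop sshd[1215]: Failed password for alice from 192.0.2.10 port 50002 ssh2'

# With maxretry 3 only 203.0.113.7 is listed; 198.51.100.23 has two failures
# and alice's single typo from 192.0.2.10 is well below the threshold.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3
```

Piping a real log (`/var/log/auth.log`, `/var/log/messages` or `journalctl -u sshd` output, depending on the logger in use) through the function shows which addresses a jail with the same maxretry would catch. Two things the real Fail2Ban filter adds that this sketch deliberately leaves out: it only counts failures inside a findtime window instead of over the whole log, and it matches many more message shapes. That second point matters once `PasswordAuthentication no` is set, because sshd then stops writing "Failed password" lines entirely and a detection rule has to match the messages it does log for rejected connections.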
Leonardo.b
Apprentice

Joined: 10 Oct 2020
Posts: 294

Posted: Sat Jul 31, 2021 12:09 am

The firewall can be configured to notice when someone attempts to connect to ports in a certain range (a sort of minecamp), and add the IPs of matching connections to a banlist.
It helps if you have sshd on a non-default port.
Fulgurance
Veteran

Joined: 15 Feb 2017
Posts: 1198

Posted: Sat Jul 31, 2021 10:15 pm

One question again, I'm a noob with networking...

When my phone isn't connected to the same wifi as my laptop, I can't establish a connection via ssh to my laptop.

I think I need to use the public IP maybe. I tried with this address as well, but it is impossible to connect. Why? And how can I connect to my laptop remotely?
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Sat Jul 31, 2021 11:15 pm

Fulgurance,

When you are away from home, you will connect over the internet.
This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.

It's likely you have a dynamic public IP, so it will change. To work around that, you need a service like no-ip, which is a dynamic DNS.
You get a name that resolves to your dynamic IP and when your IP changes your name points to the new IP.

no-ip is not a recommendation. I have a static IP, so it's not a feature I have a use for.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
mv
Watchman

Joined: 20 Apr 2005
Posts: 6747

Posted: Sun Aug 01, 2021 4:40 am

NeddySeagoon wrote:
This means that you need to use your public IP and forward the ssh port in your router to the system you want to connect to.

Since this part might have got lost in the comments about no-ip:
It is the main answer to the question (because Fulgurance noted that they already tried with that IP).
Most routers are by default configured to not forward anything (as a questionable security feature).

Looking at your router is the first thing you should do if connection does not work as expected; possibly you also find log files or tools that help debugging.
Concerning the other point which NeddySeagoon mentioned: Some router vendors also provide their own dynamic DNS service and/or support various such services, so it is not necessarily something you have to do with your Gentoo. But it very much depends on the router (and its vendor) - there are also routers without much functionality.
Fulgurance
Veteran

Joined: 15 Feb 2017
Posts: 1198

Posted: Sun Aug 01, 2021 8:38 am

Hmmm okay. But it's strange, I remember in the past I used the juicessh application on Android, and I was able to connect remotely.
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3872

Posted: Sun Aug 01, 2021 9:16 am

Also, as Neddy pointed out, you will need a dyn DNS service.
I like Dynu very much.
You can have up to 4 domains forwarded to your external IP.
And updating is easy, even with a Chrome extension.
The only way to avoid a dynamic DNS is either you get an immutable external IP or use ssh over Tor after creating an ssh secret Tor service on your laptop.
But it is SLOW.
_________________
:)
Fulgurance
Veteran

Joined: 15 Feb 2017
Posts: 1198

Posted: Sun Aug 01, 2021 9:31 am

One question, because I'm not an expert with networks.

When you say I need DNS: if I use DNS, is DNS able to give my laptop a fixed host?

Can this be done with resolv.conf? https://wiki.gentoo.org/wiki/Resolv.conf
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54028
Location: 56N 3W

Posted: Sun Aug 01, 2021 9:58 am

Fulgurance,

Dynamic DNS tracks a changing public IP and points the name to it ... including the changes.

Say you were away from home for 10 days and your IP address changed every day.
Dynamic DNS would work all the time.
If you made a note of your IP address before you left, it would only work until the first change.

While you are at home testing, you can use your mobile phone and its data plan (not wifi) to test.
As you can see your public IP, Dynamic DNS is not required.

What router do you have?
Post the make and model so we can find the user manual.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
All times are GMT