Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: SSH and external IP address.

  1. #1
    Join Date
    Dec 2011
    Beans
    10

    SSH and external IP address.

    Hi all

I'd like to pick your brains a bit regarding the sshd_config file and the external IP address. My apologies if I'm posting this in the wrong forum or the topic has been covered in detail elsewhere - I could not find a satisfying answer; maybe I didn't search long enough in the right places.

Anyways... My issue:

We had an internal SSH server running for a while; this has now been upgraded with an additional NIC.
    The server will have one NIC that connects to our internal network, the other one connects directly to the internet.
    The server is also acting as a router/firewall.

The server works fine, but there is one thing that has come to my attention. It's the ListenAddress keyword. As I gathered, one should always tell the server which address(es) it should listen on, but we have a dynamic IP address...

My question here is: what would be the easiest way to keep the external IP up to date in the sshd_config? I guess the most likely approach here is scripting the update of the sshd_config.

I'm no expert on SSH, so I'd like to hear what other solutions are out there.

    Our sshd_config looks like this:

    Port 22
    AddressFamily inet
    ListenAddress 192.168.1.11
    ListenAddress ???????????? <---------- External IP
    Protocol 2

    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 1024

    SyslogFacility AUTH
    LogLevel DEBUG

    LoginGraceTime 60
    PermitRootLogin no
    StrictModes yes
    MaxAuthTries 5
    MaxSessions 5
    ClientAliveInterval 1200
    ClientAliveCountMax 0
    AllowGroups manager biz

    RhostsRSAAuthentication no
    RSAAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords no

    Subsystem sftp /usr/libexec/sftp-server
    Match group secftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

    All suggestions on updating the external IP and improvements of the sshd_config are greatly appreciated.
    Last edited by blackseptember; December 9th, 2011 at 05:05 PM.
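The scripted approach the question asks about, as an added example (not code from the thread): a small POSIX sh script that reads the address currently on the Internet-facing NIC, rewrites the external ListenAddress in sshd_config, checks the result with sshd -t and only then reloads the daemon. The interface name eth1 and the `ip`-based lookup are assumptions; 192.168.1.11 is the LAN address from the post. The file-editing part is a function so it can be exercised on a copy of the config before being pointed at the real one.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the external ListenAddress in
# sshd_config in step with a dynamic address. The external NIC name (eth1) and
# the dynamic-IP lookup are assumptions; 192.168.1.11 comes from the thread.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
EXT_IFACE="${EXT_IFACE:-eth1}"          # assumed name of the Internet-facing NIC
INT_ADDR="${INT_ADDR:-192.168.1.11}"    # the LAN address from the thread

# First IPv4 address currently configured on an interface, e.g. 203.0.113.7
current_ip_for_iface() {
    ip -4 -o addr show dev "$1" | awk '{ split($4, a, "/"); print a[1]; exit }'
}

# Rewrite $1 so it carries exactly two ListenAddress lines, the fixed internal
# one and the external address $2, placed where the first ListenAddress was
# (ListenAddress must precede any Match block). Exit status: 0 if the file was
# changed, 1 if it already had the right address, 2 if $2 is not an IPv4 address.
update_listen_address() {
    cfg="$1"; ext_ip="$2"
    # Never let a malformed value (empty output, an error message) reach sshd_config.
    printf '%s\n' "$ext_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "refusing to write '$ext_ip' as ListenAddress" >&2; return 2; }
    grep -Eq "^ListenAddress[[:space:]]+$ext_ip[[:space:]]*\$" "$cfg" && return 1
    tmp="$cfg.tmp.$$"
    awk -v int_addr="$INT_ADDR" -v ext_ip="$ext_ip" '
        function emit() {
            if (!done) { print "ListenAddress " int_addr; print "ListenAddress " ext_ip; done = 1 }
        }
        /^ListenAddress[[:space:]]/ { emit(); next }   # replace the first, drop the rest
        /^Match[[:space:]]/         { emit() }         # still before the first Match
        { print }
        END { emit() }                                  # file had neither: append
    ' "$cfg" > "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Cron-friendly entry point: only runs when invoked with --apply, so sourcing
# the file for its functions has no side effects. Validate with sshd -t before
# reloading so a bad write can never take the daemon down.
if [ "${1:-}" = "--apply" ]; then
    ext_ip=$(current_ip_for_iface "$EXT_IFACE")
    if update_listen_address "$SSHD_CONFIG" "$ext_ip"; then
        sshd -t && service ssh reload
    fi
fi
```

Run it as `sh update-listen.sh --apply` from cron every few minutes, or from the DHCP client's hook directory so it fires exactly when the external lease changes. Because the script refuses non-IPv4 input and validates the config before reloading, a failed lookup leaves the previous working sshd_config in place.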

  2. #2
    Join Date
    Feb 2009
    Beans
    Hidden!

    Re: SSH and external IP address.

I'm just a home user, but the way I do it is I set up a forwarding service using no-ip.biz and I just set up a name like blah.no-ip.biz. The no-ip script that checks your IP is in the repo. This will dynamically update your IP in the event it changes. I then just use ssh with the no-ip name I made, so I just use ssh name@blah.no-ip.biz

  3. #3
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: SSH and external IP address.

If you comment out all "ListenAddress" directives, the default is to listen on all addresses on all interfaces. Unless there's an interface you *don't* want to run ssh on, this is probably the simplest solution.

  4. #4
    Join Date
    Dec 2011
    Beans
    10

    Re: SSH and external IP address.

Thanks for your reply, azmyth

I know of the no-ip setup, which is pretty good. It's similar to what I will eventually be using, but the no-ip setup doesn't update the sshd_config's ListenAddress [ external IP ].

  5. #5
    Join Date
    Dec 2011
    Beans
    10

    Re: SSH and external IP address.

    I agree with you, lykwydchykyn, that commenting out the ListenAddress, or using ListenAddress 0.0.0.0, is one way to solve this - but from a security point of view this is usually discouraged.

Does anyone know if sshd_config takes an FQDN in ListenAddress?

  6. #6
    Join Date
    Aug 2008
    Location
    Arizona State
    Beans
    418
    Distro
    Ubuntu

    Re: SSH and external IP address.

I've just done this myself. You're going to need a DNS because virtually all ISPs do not supply static IP addresses anymore. Mine charges a good deal of money to lease a static IP. Just set yourself up with a DNS at no-ip and then install the noip2 package on your system to periodically update your DNS with your current external IP. Beyond that, assuming you are behind a router, you need to assign static local IP addresses in your router's DHCP reservation menu and then forward the port you plan on using. Also worth noting is that many ISPs will block traffic on lower ports like 22. Set your port to something much higher like 5000.
Works like a charm for me using FTP, SSH and VNC. Nothing beats being able to grab the homework I forgot to print off my desktop from my Android phone while I'm at school and then email it to my instructor.

  7. #7
    Join Date
    Dec 2011
    Beans
    10

    Re: SSH and external IP address.

Oops, I totally forgot to add this to my explanation - the SSH server is also used as a router/firewall - so no, I can't really put another router in front of it (lack of hardware).

    ...Adding information to original post now
    Last edited by blackseptember; December 9th, 2011 at 05:06 PM.

  8. #8
    Join Date
    Mar 2007
    Location
    Outer Milky Way
    Beans
    Hidden!
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: SSH and external IP address.

    You don't specify the external IP as a ListenAddress for SSH.

    You specify the port that SSH listens on, and then it is your (hardware or software) router's job to forward that port to the computer on the LAN on which your SSH server is running.

    For example, my SSH server is at 192.168.0.133.

    My router is then set to forward all port 22 SSH traffic to 192.168.0.133.

    The SSH server on 192.168.0.133 listens for port 22 traffic.

    End of story.

    If you have multiple computers on a LAN each running a SSH server, each should listen on a different port.

    For example, one SSH server could listen on port 22133, and another could listen on port 22134.

The router would direct those ports to the appropriate LAN IP address of each SSH-serving computer on the LAN, and you would select which computer to SSH into by specifying the correct port.

Then you could SSH using your (dynamically maintained) URL address:

to computer 1: ssh -p 22 mydynamicurl.dyndns.org
to computer 2: ssh -p 22133 mydynamicurl.dyndns.org
to computer 3: ssh -p 22134 mydynamicurl.dyndns.org

    BTW, there's a good deal of advice on Dynamic DNS at

    http://ubuntuguide.org/wiki/Ubuntu:A...or_a_webserver

    or

    http://ubuntuguide.org/wiki/Dynamic_IP_servers

    Also, regarding SSH:

    http://ubuntuguide.org/wiki/Ubuntu:All#SSH
    Last edited by perspectoff; December 9th, 2011 at 05:16 PM.

    UbuntuGuide/KubuntuGuide

    Right now the killer is being surrounded by a web of deduction, forensic science,
    and the latest in technology such as two-way radios and e-mail.

  9. #9
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: SSH and external IP address.

    Quote Originally Posted by blackseptember View Post
    I agree with you, lykwydchykyn, that commenting out the ListenAddress, or using ListenAddress 0.0.0.0, is one way to solve this - but from a security point of view this is usually discouraged.
    By whom and why?
Does anyone know if sshd_config takes an FQDN in ListenAddress?
    I just tried it. It appears the answer is no.

  10. #10
    Join Date
    Dec 2011
    Beans
    10

    Re: SSH and external IP address.

Thank you for a good reply, perspectoff

    Our set up looks like this:
    [ Internet ] <-----> [ NIC 1 ]| Firewall/router/ssh |[ NIC 2 ] <-----> [ LAN ]

The SSH server is in fact the router/firewall here.

From the explanation you gave me, I'm guessing I could use the firewall to forward the traffic from NIC 1 to its internal address/port on NIC 2 and specify the internal address in ListenAddress.
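The port-forwarding idea from post #8, applied to the setup in post #10 where the SSH host is itself the router, as an added example (not code from the thread): sshd keeps a single static `ListenAddress 192.168.1.11`, and an iptables DNAT rule rewrites SSH connections arriving on the Internet-facing NIC to that LAN address before routing. Because the target is a local address the kernel delivers the packet to the local sshd rather than forwarding it, so the external IP can change as often as it likes without touching sshd_config. The interface name eth1 and the use of iptables are assumptions; 192.168.1.11 and port 22 come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: forward inbound SSH on the
# Internet-facing NIC to sshd bound on the LAN address. eth1 is an assumed
# interface name; 192.168.1.11 and port 22 are from the thread.
set -eu

EXT_IFACE="${EXT_IFACE:-eth1}"
INT_ADDR="${INT_ADDR:-192.168.1.11}"
SSH_PORT="${SSH_PORT:-22}"

# Print the rules, one per line, as iptables argument lists (table flag first).
ssh_forward_rules() {
    ext="$1"; addr="$2"; port="$3"
    # Rewrite the destination before the routing decision; since $addr is local,
    # the packet goes to the INPUT chain and the local sshd, not FORWARD.
    printf '%s\n' "-t nat -A PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $addr:$port"
    # Replies and already-accepted sessions, then only NEW SSH connections that
    # were rewritten above. Anything else arriving on $ext is left to the
    # chain's default policy, which this script assumes is DROP.
    printf '%s\n' "-A INPUT -i $ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -i $ext -p tcp -d $addr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Apply each rule once: probe with -C (check) first so re-running is idempotent.
apply_rules() {
    ssh_forward_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        # Word-splitting the rule string into iptables arguments is intended.
        iptables $check 2>/dev/null || iptables $rule
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "$EXT_IFACE" "$INT_ADDR" "$SSH_PORT"
fi
```

Run `sh ssh-forward.sh` with no arguments to only list the rules, or with `--apply` as root to install them. The INPUT rule matches on the rewritten destination `192.168.1.11`, so no rule ever names the external address; combined with a dynamic-DNS client, that is the whole of what the thread's router/firewall host needs.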
