
SSH over WAN

bobpullen
Community Gaffer
Posts: 16,869
Thanks: 4,950
Fixes: 315
Registered: ‎04-04-2007

Re: SSH over WAN

Quote from: kmilburn
I have SSH forwarded from a non-standard port on the router to the default port on the server (also a raspberry pi), and (so far) don't get any unwanted traffic.
As a secondary security measure, tools like Fail2Ban or DenyHosts can monitor the logs and block IPs with too many failures.

This is what I've done. Forwarded a non-default port on the WAN interface to the default port on the LAN interface, poked a hole through the iptables and installed fail2ban.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Anonymous
Not applicable

Re: SSH over WAN

Quote from: chenks76
Quote from: dvorak
same way as you do it on any platform... but here's a link https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md

that's all very well, but the device i am connecting from is a windows 7 system, and that document only refers to connecting from linux/unix systems.

You can get OpenSSL for Windows and it comes with all the tools you need. Certificates, keys etc created on one OS can easily be used on another.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: SSH over WAN

OpenSSH doesn't actually use SSL, nor certificates. It uses ssh keys. You could create the keys on the pi, then copy the private key to the Windows system.
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

not sure if that can be done on a sky router (SR102)...or can it?
kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: SSH over WAN

On the Windows client front, I use PuTTY for shell access, and WinSCP for transferring files over ssh.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: SSH over WAN

I wouldn't use ssh over the external internet - you will get dozens of attacks on port 22 each day.
The default user name is usually 'pi' on a pi device - not actually really secure.
It's worth setting up ssh though, as this also gives you an ftp connection (using sftp with the ssh user & passphrase).
Additionally, I use a VNC server on the Pi so that I can control a GUI interface via a PC VNC client.

"In The Beginning Was The Word, And The Word Was Aardvark."

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

Quote from: vilefoxdemonofdoom
I wouldn't use ssh over the external internet - you will get dozens of attacks on port 22 each day.
The default user name is usually 'pi' on a pi device - not actually really secure.

providing they don't guess the non-dictionary password then it doesn't matter how many attacks.
changing to a different port won't stop the possibility of attacks.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: SSH over WAN

Given a choice of attacking a single port or many thousands, your average spammer just aims at 22.
There is nothing stopping you running a honeypot on port 22 and the real ssh port on some other number.

"In The Beginning Was The Word, And The Word Was Aardvark."

ashgeo
Grafter
Posts: 96
Registered: ‎24-07-2008

Re: SSH over WAN

Thanks everyone.... Interesting! I've installed Fail2Ban and eventually got it configured. I've forwarded a random port on from WAN to the ssh port on the Pi (via my two routers!) and have successfully tried to hack into it, and have been banned! It will be interesting to keep an eye on the logs over time.....
ashgeo
Grafter
Posts: 96
Registered: ‎24-07-2008

Re: SSH over WAN

I've had it up and running now for almost a month and no-one has yet tried to hack into it.... Logs on rPi are clean! Thanks everyone. Touch wood it continues....
SteveA
Pro
Posts: 1,847
Thanks: 106
Fixes: 3
Registered: ‎17-06-2007

Re: SSH over WAN

you can also set up hosts.allow and hosts.deny to control access.
Also denyhosts is worth looking at.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: SSH over WAN

Not using port 22 is what gives you the most protection (by obscurity) - although obviously a half-serious attack would easily find your chosen port.

"In The Beginning Was The Word, And The Word Was Aardvark."

kabads
Grafter
Posts: 73
Thanks: 2
Registered: ‎07-09-2013

Re: SSH over WAN

You can install something like fail2ban or denyhosts which will pick up on failed logins and add them automatically to /etc/deny.