
Possible Duplicate:
How to connect two computers via internet with ssh?

I'm in a LAN running an SSH daemon on one of the Linux machines. I use it to connect from my PC. Now the problem is I can connect to SSH in the LAN using the internal IP address. How do I connect to that SSH in the LAN from outside the LAN?

  • Do you have control over the router between your LAN and your WAN? – BatchyX Dec 04 '12 at 18:16
  • Be extremely careful exposing your ssh server to the wild and wonderful internet. Consider using a different port other than 22 on your firewall/router. – midnightsteel Dec 04 '12 at 18:57
  • @midnightsteel Using a different port doesn't give you any security worth the trouble. It mostly means you get fewer log entries. – Gilles 'SO- stop being evil' Dec 04 '12 at 23:51
  • @Gilles The point is not to have any well known ports advertised. If I was a hacker I would go after the well known ports first. (80, 443, 25, 23, 22....etc). Most security devices prevent port scans, so putting the service on a port like 50031 would help to at least slow down an attacker. Pinpointing 50031 on the first try would almost be like hitting the lotto. – midnightsteel Dec 05 '12 at 12:08

4 Answers


If your router has an external IP address, and your machines on the LAN have local addresses (e.g. 192.168.x.x), you need to set up port forwarding from the WAN to the LAN (port 22 is for SSH). Alternatively, you can set your machine as a DMZ (de-militarized zone), but this is not recommended since it exposes your machine entirely.


It depends on who has control of the systems and if you are allowed to install software on them. If so, one option is to use LogMeIn Hamachi.

LogMeIn Hamachi is a virtual networking service that can be set up in minutes and enables secure remote access to your business network anywhere there is an Internet connection.

Basically, you install the hamachi client on each system that you want to be connected. The client will allow you to create your own private VPN which will exist outside of your LAN. You then connect each of your systems to the VPN you just created. Each system will get its own hamachi IP address which you can then use to connect to it, like so:

$ ssh <hamachi_ip>

LogMeIn Hamachi is a paid service, however, it is free for up to 5 clients. There is a link to a PDF "Getting Started Guide" at the bottom of this page. I have been using hamachi for years and it works very well for my basic needs.


If you have control over the router(s) in the network (I assume you do), then you can set up simple port forwarding + translation. Choose a port number on the outside and map it to the internal network IP with port 22. You should then reach that internal port by accessing the external IP+port from outside. Please refer to the documentation of your router on how to do that.

Alternatively, if you don't have access to the router, but you do have access to some other remote machine, you could set up an SSH reverse tunnel to connect via that 'other remote machine'. The prerequisite here is that you can reach that machine from both internal networks. If you can, then see this article on how to set up a reverse tunnel (just one example out of many): "Howtoforge: Reverse SSH Tunneling".

– gertvdijk

If you must must must go with exposing your host via either DMZ or port forwarding, then make sure you tighten up your sshd config:

  • do not allow root login over ssh (you can sudo / su after login)
  • do not allow password-based login - use certificates (to prevent brute force attacks)
  • only allow users who absolutely need to login via ssh ... see the sshd_config manpage (relevant section: AllowGroups and AllowUsers)
  • while my last suggestion is somewhat in the realm of sec-by-obscurity, I will suggest it anyway since it would protect against port scans and the casual script kiddiez: use port knocking ... you can read up on install for client and server here.
– gertvdijk
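As an added example (not part of any of the answers above), here is a small POSIX shell script that checks an sshd_config file against the first three points of that checklist: root login disabled, password login disabled with key login left on, and an AllowUsers/AllowGroups list present. The two sample config files and the user name "alice" are constructed for the example; port knocking is a separate service and is not checked here.

```shell
#!/bin/sh
# Added example, not from the original answers: audit an sshd_config file
# against the checklist above (root login, password login, user allow-list).
# Sample configs are constructed here and written to a temp dir so the
# script runs offline; the user name "alice" is hypothetical.

# Print the effective value of one sshd_config keyword.
# Keyword matching is case-insensitive, comment lines are skipped, and the
# FIRST occurrence wins, which is how sshd itself resolves duplicates.
# Scanning stops at the first "Match" block because settings inside it are
# conditional and do not describe the global policy.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print $2; exit }
    ' "$1"
}

# Check one file. Prints a finding per violated item and returns 1 if any
# item fails, 0 if the file passes every check.
audit_sshd_config() {
    f="$1"
    rc=0
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-unset}: root may log in over ssh"; rc=1; }
    v=$(sshd_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication=${v:-unset}: passwords can be brute-forced"; rc=1; }
    v=$(sshd_value "$f" PubkeyAuthentication)
    [ "$v" != "no" ] || { echo "PubkeyAuthentication=no: key-based login is disabled"; rc=1; }
    if [ -z "$(sshd_value "$f" AllowUsers)" ] && [ -z "$(sshd_value "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account may log in"
        rc=1
    fi
    return $rc
}

tmp=$(mktemp -d)

# Constructed sample: the kind of defaults a stock install shipped with.
cat > "$tmp/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the same file after applying the checklist.
cat > "$tmp/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
EOF

for name in weak hardened; do
    if audit_sshd_config "$tmp/$name.conf"; then
        echo "$name.conf: passes"
    else
        echo "$name.conf: FAILS"
    fi
done
```

The script reads the file as text, so on a live host the authoritative check is `sshd -T`, which prints the configuration sshd actually resolved (including defaults and Match blocks); run the same audit against that output if in doubt.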