
So let's say hypothetically I am going to be away from my desktop but I'd like to be able to SSH into it when I am out and about.

Is it as simple as adding a NAT / port forwarding rule to my router page at 192.168.1.1 for port 22?

Let's say my public IP is 1.2.3.4. Then I would add the rule to my router and then I could SSH into my box from ssh [email protected]?

AJJ
  • I'm voting to close this question as off-topic because this is a router configuration question and should be asked on [su] or elsewhere. – muru Oct 17 '17 at 02:42

1 Answer


The proposal in your question is completely correct.

You need to install the OpenSSH server (sudo apt install openssh-server) and then set up port-forwarding on your router. You will, of course, also need to add an exception in your local computer's firewall configuration for SSH.

It's also usually advised that you force public-key authentication instead of using a password, for added security.

Also note that you should set up a static IP address, just so your port-forwarding config doesn't break at an inopportune time because of DHCP. While most routers will tend to let your computer keep your IP address, this is not always a valid solution and does not account for temporary connection drops. It's typically better to build in a static NAT IP to just have the guarantee that it will work.

When you're out and about, you will just be able to SSH to your public IP, and you'll be able to get to your computer. You may also look into using a Dynamic DNS provider to assign a domain name to your router, so any IP changes pushed by your ISP will also not affect your connection.

Note that there are (very minor) security implications of opening a server to worldwide SSH. Mostly, this will cause your server to be pinged a few times by automated bots attempting to find poorly-secured servers. Not using a standard username (like admin), together with key-based authentication, will almost always keep them out. If you're really concerned, you can use a port other than 22 (though smart bots or humans will try an nmap if port 22 is closed), use Fail2Ban, or both. Assuming proper security protocols are in place, the absolute worst attack that a malicious bot can pull off is to write a decent number of log entries to your hard drive.

If you're one of those unlucky individuals between multiple layers of NAT (some ISPs will do something called Carrier-Grade NAT), this becomes much more involved. You will either need a VPN or some other means of proxying your SSH tunnel. Of course, you may also be able to request a port from your ISP, though success may vary.

Kaz Wolfe
  • Why is `openssh-server` needed exactly? Why can't I just have `sshd` running and then use the port forward on port 22? – AJJ Oct 17 '17 at 02:47
  • Why would my IP change because of DHCP? I thought that if the network device was active then any time the lease expires (or is about to expire) it simply re-requests the same IP. As long as the computer is kept online wouldn't it keep extending the same IP? – AJJ Oct 17 '17 at 02:48
  • 1
    @ArukaJ `sshd` is provided by the `openssh-server` package, and is a background service (`ssh.service`) controlled through systemd. Also, *usually* your IP stays the same. This is not always the case -- router implementations differ or a temporary loss in connection may cause your IP to change. – Kaz Wolfe Oct 17 '17 at 02:48
  • I don't quite follow, are you saying if I am using `sshd` then I already have `openssh-server` installed? – AJJ Oct 17 '17 at 02:49
  • @ArukaJ Exactly. If you do `dpkg -S $(which sshd)`, you'll see that you have the package installed. – Kaz Wolfe Oct 17 '17 at 02:50
  • Is there any security risk to exposing my SSH port to the public in terms of botnet bruteforcing? Or not a big deal since they don't know my username anyway, and even if they did and I had a sufficiently strong password, etc. (assuming I don't go the key auth route -- which I would -- but I am asking in theory) – AJJ Oct 17 '17 at 02:54
  • @ArukaJ Not really. At worst, you'll get a bunch of stray auth failure log entries, but those can be deleted easily enough. Most bots will just try a "common" user list, and will give up pretty fast if a key is needed. Sophisticated (read: well-designed) bots may try an `nmap` on your IP first to try to find an open port. If you're really worried, you can change to a different port, use [Fail2Ban](https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04), or both. – Kaz Wolfe Oct 17 '17 at 02:57
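The answer says to force public-key authentication before the port-forward goes live. Here is an added example (not from the answer or the comments) of a small audit script that reads an `sshd_config`, checks the keywords that actually control that, and reports which port the router rule must forward. It assumes only top-level keywords (no `Match` blocks) and the two config snippets are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config for "key-only auth" before exposing sshd
# through a router port-forward. Top-level keywords only; Match blocks ignored.
set -eu

# Effective value of a keyword: sshd honours the FIRST uncommented occurrence,
# so we do the same; the third argument is the OpenSSH default used if absent.
sshd_opt() {  # usage: sshd_opt <config-file> <Keyword> <default>
  local val
  val=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
  printf '%s\n' "${val:-$3}"
}

# Report the settings that matter for an Internet-facing sshd.
# Returns 0 when every check passes, 1 otherwise.
audit_sshd_config() {  # usage: audit_sshd_config <config-file>
  local cfg=$1 rc=0 kbd_default
  [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ] ||
    { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
  [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] ||
    { echo "FAIL: PasswordAuthentication should be no (force key auth)"; rc=1; }
  # Password prompts can still arrive via keyboard-interactive (PAM), so that
  # must be off too; older releases spell it ChallengeResponseAuthentication.
  kbd_default=$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)
  [ "$(sshd_opt "$cfg" KbdInteractiveAuthentication "$kbd_default")" = no ] ||
    { echo "FAIL: KbdInteractiveAuthentication should be no"; rc=1; }
  echo "INFO: sshd port $(sshd_opt "$cfg" Port 22) is what the router must forward"
  return "$rc"
}

# Constructed sample configs: a stock-style one (defaults apply) and a hardened one.
WEAK_CFG=$(mktemp)
STRONG_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$STRONG_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
# everything commented out, so OpenSSH defaults (password auth on) apply
#PasswordAuthentication yes
Port 22
EOF
cat >"$STRONG_CFG" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

audit_sshd_config "$WEAK_CFG"   || echo "weak config: not ready to expose"
audit_sshd_config "$STRONG_CFG" && echo "hardened config: OK to expose"
```

On a real host, `sudo sshd -T` prints the fully resolved configuration and is the safer input for this kind of check than the raw file.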