This is the second part in a four part series covering remote access to Linux machines using SSH.
(Sorry this one was a little late. I just forgot to publish it. I’ll post the last two sooner.)
Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.
Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.
There are some security tweaks you can make to your /etc/ssh/sshd_config file. There are, of course, tons and tons of tweaks you can make. A complete guide to the OpenSSH configuration file is way, way beyond this guide, but I'll cover a few things you can do. (In your real file, keep each comment on its own line: older sshd releases reject a comment placed after a directive on the same line with a "garbage at end of line" error. Restart sshd after editing so the changes take effect.)
Port 4005
# Only listen on port 4005
# 4005 is just an example; this can be anything roughly between 1500 and 5000
This was discussed in part 1, so I suggest you read that. The basic lesson is that you probably shouldn’t use port 22 (the default).
ListenAddress 192.168.1.175
# Only listen on the network interface with the IP 192.168.1.175
This line tells sshd to accept connections only on the network interface whose IP address is, in this case, 192.168.1.175. This is useful for a number of reasons. For example, if you have multiple network connections (such as an ethernet connection and a WiFi connection), you can tell SSH to accept connections on only one of them. Also, if you were at a coffee shop or some other public WiFi, you would probably not have the same IP address that you do on your own network (depending on your network's configuration). Basically, it's just a generally good idea to specify what IP address SSH should listen on. (Note that sshd refuses to start if it cannot bind the address you give it, which is one more reason to make sure your computer always gets the same IP, as described below.) Getting your IP address was also covered in part 1. The quick version is that running ifconfig should tell you.
Protocol 2
# Only allow logins using SSH 2
There are two versions of the SSH protocol. SSH 1 is old and potentially insecure. Make sure you are only allowing protocol 2 with the line above. This should really already be in your default configuration, but if it isn't, add it. (Current OpenSSH releases have removed protocol 1 entirely, so on a recent system the line is harmless but no longer needed.)
Disabling remote root logins (PermitRootLogin no) is, once again, pretty straightforward and is probably already in your configuration. You shouldn't usually log in as root locally, so why would you let remote users log in as root? You can still sudo or whatever.
AllowUsers thomas
# Only allow thomas to log in
This option allows you to specify which user(s) should be allowed to log in via SSH. You may or may not want to add this, but if you're only going to log in with one account, it adds a small extra layer of security.
It is worth noting that a lot of these configurations are purely security through obscurity. Contrary to what some people say, I don’t believe there is anything wrong with that, as long as it’s not your only defense.
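Here is an added example (my own, not from the original post) that audits an sshd_config file for the five settings above and reports which ones are missing or weak. The expected port, address and user are passed as arguments, and the config used by demo_sshd_audit is constructed for the demo rather than taken from a real server.

```shell
# Audit an sshd_config for the directives covered above: Port, ListenAddress,
# Protocol, PermitRootLogin and AllowUsers. Expected values are arguments;
# the config used by demo_sshd_audit is constructed for this example.
# Print the effective value of one keyword. Like sshd, the first uncommented
# occurrence wins and the keyword match is case-insensitive.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Compare one directive with its expected value; "$4" describes the exposure.
expect_directive() {
    actual=$(sshd_directive "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "ok    $2 $actual"
        return 0
    fi
    echo "WEAK  $2 is '${actual:-<unset>}', expected '$3': $4" >&2
    return 1
}

# audit_sshd_config FILE PORT ADDRESS USER; exit status = number of failed checks
audit_sshd_config() {
    f=$1; fails=0
    expect_directive "$f" Port "$2" "unset means the default port 22" || fails=$((fails + 1))
    expect_directive "$f" ListenAddress "$3" "unset listens on every interface" || fails=$((fails + 1))
    # OpenSSH 7.6 and later dropped protocol 1, so this check only matters on older servers.
    expect_directive "$f" Protocol 2 "SSH 1 may be accepted" || fails=$((fails + 1))
    expect_directive "$f" PermitRootLogin no "root may log in over the network" || fails=$((fails + 1))
    expect_directive "$f" AllowUsers "$4" "every local account may log in" || fails=$((fails + 1))
    return $fails
}

# Demo on a constructed file that gets two things wrong (no Protocol line, root allowed).
demo_sshd_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed example, not a real server's config
Port 4005
ListenAddress 192.168.1.175
PermitRootLogin yes
AllowUsers thomas
EOF
    audit_sshd_config "$tmp" 4005 192.168.1.175 thomas
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it against your real file with audit_sshd_config /etc/ssh/sshd_config 4005 192.168.1.175 thomas, substituting your own values; a non-zero exit status is the number of checks that failed.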
Time to access your computer across the internet. I’ll warn you about the risks again:
A properly configured home router should usually pretend not to exist by giving no reply to unsolicited communications from the outside. In other words, if I try to talk to your router without your router having talked to my server first, your router should ignore me as if no one was there. This gives you great security, since if no one knows you are there, it's hard to attack you. (This does not, of course, have any effect on malware spread by email, the web, chat programs, etc.) Allowing your computer to be remotely accessed over the internet cuts a hole in that anonymity. Your router will have to start replying to requests on a particular port. This is dangerous, but not too dangerous as long as you're securing everything correctly. (You can test how your router is configured with GRC's ShieldsUP! tool.)
The first step is to make sure that your computer always gets the same IP address. If you are using DHCP, and you probably are, then your computer may get a different IP address every time you join your network, usually in the range of 192.168.1.100 to 192.168.1.150 or so. You need to set up something called a static lease, in which one computer, identified by a MAC address and a hostname, always gets the same IP address.
This is a completely router specific process, so I can’t help you much. Unfortunately, some routers don’t even support this feature. Usually by installing a custom firmware like DD-WRT, you can get the feature even if your router doesn’t support it. Chadwick Wachs has an excellent tutorial for setting up static leases in DD-WRT, which should help you.
Next, we need to redirect traffic from your router, which is the only place an external computer can connect to, to your computer. This feature (port forwarding) is supported by almost every router, so don't worry. It's fairly simple, too.
Again, this is router specific, but you can find specific instructions for many routers on PortForward.com. Remember to replace port 22 with whatever port you choose in part 1.
Don't worry, you're almost there! The final step is to find a way to track your router's changing public IP address. (Yes, that changes too.)
Without paying your ISP extra, you can’t usually get a static IP for your router. Luckily, services like DynDNS.com (a free account is plenty) will give you a free subdomain that points to your router. For example:
username.dyndns.com would point to your router's IP
In order to get the IP to update, you need to enter your DynDNS account into your router settings. Once again, this is router specific, but look for a DDNS section in your router configuration.
Ok. If you’ve made it this far, congratulations! You should now be able to access your computer from any other computer on the internet (with an SSH client, of course), using this command:
ssh -p port_number username@dyndns_username.dyndns.com
(replace port_number, username and dyndns_username with your own values)