Bitcoin Forum

I have a computer (miner) behind a home router. I can SSH to the miner from another computer in the same house - connected to the same router - it's simple using default local network IP addressing. However, those localized IP addresses are not directly accessible from the internet side of the router (in a remote location away from the house not behind the router). What detailed steps must be done to use an SSH client to get past the router from an outside computer to the miner that's behind the router?

Also, I'm using Putty.exe as the SSH client for now. Perhaps, there is something better...any helpful feedback would be appreciated.

Open up whatever port your SSH is bound to from the router (usually port forward to 23) to external traffic. Depending on the SSH server you may need to set it to allow remote access as well.

ssh is port 22

and you need dyndns or a similar service in case your ip is not static (it will be dynamic in most cases)

dyndns.org

Or just use

http://www.teamviewer.com/en/index.aspx

Thanks for the different angle. :)

However, that's pretty pricey for what I need it... which is just to monitor activity and maybe launch miners or adjust fan speeds.

Thanks. I am not sure how to modify the SSH server on the machine  I intend to access, but I think it is probably setup correctly. However, I've used the first bit of instructions from this thread to install SSH on the machine I want to access:

http://forum.bitcoin.org/index.php?topic=7514.0

Inaba, that thread author, wrote instructions as follows:


Also, I found this online, but I wasn't siure it was exactly what I need to do. It sounds like what you said.

http://www.wikihow.com/Set-up-Port-Forwarding-on-a-Router

Thanks again.

Good point. I'll look into resolving that if the IP is dynamic.

Thanks. :)

Sounds right. That's what putty.exe defaults to...i.e. port 22.

With dyndns, you will be able to access only one of your computer. If you want to access the others you can do this :

Let's say you have 2 computers behind your router. Computer A and B.
You forward port 22 to computer A and you can SSH to computer A from outside.
When you are on computer A, you can access any computer on your LAN with another SSH.

I would disable passwords in ssh and generate a private/public key pair to login from the outside world.  I run 2 copies of sshd on my box.  One on port 22 that uses passwords but is only available on the internal LAN and 1 that is mapped to a different port that I only know that only allows access through keys.  My router disables port forwarding until I run knockd to enable port forwarding to my hidden sshd port.  Knockd is a program that listens on the Internet interface on your router and will allow you to enable port forwarding on demand when a combination of certain tcp/udp ports are accessed in the correct order that only you will know.  Basically a secret knock that will then allow you to ssh into your systems behind your router.  Also for this level of security you would have to load different firmware onto your router.  Something like DD-WRT, Tomato or OpenWRT.  This is not for the novice but secures your system much tighter.

-Dukejer

LOL. Thanks for not pressuring me. Though, I have donated before a little already (I'm a kinda newbie with mining). The donation was because the person helped me in depth in troubleshooting my new linux system.
The person didn't ask, but it took his/her time and expertise. Otherwise, I kinda feel we would all help each other up as a community with simple things anyway. What are forums for? :D

That said. It's been actually pretty enjoyable learning about linux, mining and this little bit of networking this past couple weeks.

Thanks for your feedback! It's helpful. :)

Thanks for the great info. :) It does seem involvled, but worthwhile to consider. So, the advantage with the option you are suggesting is security? Is that to say the barebones SSH makes things more or particularily unsecure? e.g. Opens up the network to behind the router?

Teamview is free for home "personal" use.

Openssh by itself is fairly secure even with passwords.  I was hacked a little over a decade ago under Openssh with using passwords only but I have not see any easy exploits of Openssh in sometime.  Passwords can be brute forced though and this makes them a security breach unless you have a long random password with a mix of uppercase, lowercase, numbers and symbols.  I like the certificate keys because if you do not have the key you can not login to the box from the outside world.  I run connectbot with a generated certificate key on my android phone to log into my systems.   Locking down port forwarding with Knockd adds another level of security because if a port is open it gives a hacker a reason to try to break into your system.  If they do not know the port is open in the first place they have no reason to try.   Also they will not have an easy way of knowing which type of system is behind the port forward.  Even with a port forwarding a hacker maybe able to fingerprint your Operating System by the way the port and application on the port like sshd responds.  From their they can look for known exploits in the Operating System and try to break in.  It is better if they do not know what OS or how many computer systems are behind the router.

-Dukejer

Arent there any bots yet, that connect to an IRC channel, and wait for shell commands?

FYI: port forwarding 22 from the internet to port 22 on your machine directly exposes that port.  This is not a very safe way to do it as some people will continually try to get in once they find that port is open.  (and it's very easy to find if you stick to the default port) try port forwarding a different port number that they are not likely to guess ssh'ing to.

ie:  port forward 4022 to 22.

then when you are outside your network use port 4022 when using putty or whatever ssh program.  (your router will translate it to 22 so your computer knows to receive it)

another way is to use a VPN.  that is what I use.  in which case you can act as if your are locally connected to your network from anywhere with internet access.  It has it's own security flaws, but whatever, the worst a hacker can to do my miner network is reconfigure them to mine for them, in which case I just reinstall the os and more security.  No coins on my network.

if your router is flashable with DD-WRT you can essentially turn it into a way more functional device.  Mind you the navigation and settings are a little more advanced, but nothing a miner can't figure out! (lots of documentation on their website)

in which case you can setup open-vpn on your router. 

no problem.

I'm now actually using my iphone/ipad to SSH into my miner from everywhere where I have 3G or WiFi ;)

The best thing you can do to secure your SSH server is probably to not run it on port 22. If there is a security hole or somebody wants to try to guess your password there's more than 99.9% chance they're only going to check port 22.

Couldn't you also put SSH onto a different port on Computer B, and forward that port as well in the router? Then you could access both directly from outside?

Hamachi works wonders too. The latest Linux client even supports their LogMeIn accounts, so you can manage all your networks from their web interface.