|
||bit (OP)
|
 |
June 27, 2011, 07:15:02 AM |
|
I have a computer (miner) behind a home router. I can SSH to the miner from another computer in the same house - connected to the same router - it's simple using default local network IP addressing. However, those localized IP addresses are not directly accessible from the internet side of the router (in a remote location away from the house not behind the router). What detailed steps must be done to use an SSH client to get past the router from an outside computer to the miner that's behind the router?
Also, I'm using Putty.exe as the SSH client for now. Perhaps, there is something better...any helpful feedback would be appreciated.
|
|
|
|
|
|
|
|
|
|
Bitcoin addresses contain a checksum, so it is very unlikely that mistyping an address will cause you to lose money.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
bcpokey
|
|
June 27, 2011, 07:19:12 AM |
|
Open up whatever port your SSH is bound to from the router (usually port forward to 23) to external traffic. Depending on the SSH server you may need to set it to allow remote access as well.
|
|
|
|
|
|
grndzero
|
|
June 27, 2011, 07:30:14 AM |
|
Open up whatever port your SSH is bound to from the router (usually port forward to 23) to external traffic. Depending on the SSH server you may need to set it to allow remote access as well.
ssh is port 22 |
Ubuntu Desktop x64 - HD5850 Reference - 400Mh/s w/ cgminer @ 975C/325M/1.175V - 11.6/2.1 SDK
Donate if you find this helpful: 1NimouHg2acbXNfMt5waJ7ohKs2TtYHePy
|
|
|
|
stellan0r
|
|
June 27, 2011, 11:03:30 AM |
|
and you need dyndns or a similar service in case your ip is not static (it will be dynamic in most cases)
dyndns.org
|
Allgemeine Gesundheitsberatung gegen Bitcoin-Zahlung. Bei Fragen einfach eine PM schicken!
If you want to send a thank you: BTC "1PZJvKvarRviQRQWejpvXW2j4e1xbT8MZb"
|
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 01:25:02 PM
Last edit: June 27, 2011, 01:35:33 PM by ||bit |
|
Thanks for the different angle.  However, that's pretty pricey for what I need it... which is just to monitor activity and maybe launch miners or adjust fan speeds. |
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 01:33:17 PM |
|
Open up whatever port your SSH is bound to from the router (usually port forward to 23) to external traffic. Depending on the SSH server you may need to set it to allow remote access as well.
Thanks. I am not sure how to modify the SSH server on the machine I intend to access, but I think it is probably setup correctly. However, I've used the first bit of instructions from this thread to install SSH on the machine I want to access: http://forum.bitcoin.org/index.php?topic=7514.0Inaba, that thread author, wrote instructions as follows: Optional First Step (Skip this if you don't care about SSH):
Optional 1: Press the upper left 'start' button on the desktop and in the search field enter 'terminal'. Click it and open a terminal window.
In the terminal window, type:
sudo apt-get install openssh-server
This will install the SSH server. Once the server is installed, you can connect to your machine via SSH and perform the rest of the steps listed below.
END Optional First Step Also, I found this online, but I wasn't siure it was exactly what I need to do. It sounds like what you said. http://www.wikihow.com/Set-up-Port-Forwarding-on-a-RouterThanks again. |
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 01:34:58 PM |
|
and you need dyndns or a similar service in case your ip is not static (it will be dynamic in most cases)
dyndns.org
Good point. I'll look into resolving that if the IP is dynamic. Thanks. |
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 01:36:23 PM |
|
Open up whatever port your SSH is bound to from the router (usually port forward to 23) to external traffic. Depending on the SSH server you may need to set it to allow remote access as well.
ssh is port 22 Sounds right. That's what putty.exe defaults to...i.e. port 22. |
|
|
|
|
|
dunand
|
|
June 27, 2011, 01:37:34 PM |
|
With dyndns, you will be able to access only one of your computer. If you want to access the others you can do this :
Let's say you have 2 computers behind your router. Computer A and B.
You forward port 22 to computer A and you can SSH to computer A from outside.
When you are on computer A, you can access any computer on your LAN with another SSH.
|
|
|
|
|
dukejer
Jr. Member
 Offline
Activity: 42
Merit: 2
|
|
June 27, 2011, 01:54:45 PM |
|
I would disable passwords in ssh and generate a private/public key pair to login from the outside world. I run 2 copies of sshd on my box. One on port 22 that uses passwords but is only available on the internal LAN and 1 that is mapped to a different port that I only know that only allows access through keys. My router disables port forwarding until I run knockd to enable port forwarding to my hidden sshd port. Knockd is a program that listens on the Internet interface on your router and will allow you to enable port forwarding on demand when a combination of certain tcp/udp ports are accessed in the correct order that only you will know. Basically a secret knock that will then allow you to ssh into your systems behind your router. Also for this level of security you would have to load different firmware onto your router. Something like DD-WRT, Tomato or OpenWRT. This is not for the novice but secures your system much tighter.
-Dukejer
|
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 01:55:55 PM |
|
It's simple Let's say you have 2 computers behind your router. Computer A and B. You forward port 22 to computer A and you can SSH to computer A from outside. When you are on computer A, you can access any computer on your LAN with another SSH. I will not ask donation for this one, too simple LOL. Thanks for not pressuring me. Though, I have donated before a little already (I'm a kinda newbie with mining). The donation was because the person helped me in depth in troubleshooting my new linux system. The person didn't ask, but it took his/her time and expertise. Otherwise, I kinda feel we would all help each other up as a community with simple things anyway. What are forums for?  That said. It's been actually pretty enjoyable learning about linux, mining and this little bit of networking this past couple weeks. Thanks for your feedback! It's helpful. |
|
|
|
|
|
||bit (OP)
|
|
June 27, 2011, 02:01:18 PM |
|
I would disable passwords in ssh and generate a private/public key pair to login from the outside world. I run 2 copies of sshd on my box. One on port 22 that uses passwords but is only available on the internal LAN and 1 that is mapped to a different port that I only know that only allows access through keys. My router disables port forwarding until I run knockd to enable port forwarding to my hidden sshd port. Knockd is a program that listens on the Internet interface on your router and will allow you to enable port forwarding on demand when a combination of certain tcp/udp ports are accessed in the correct order that only you will know. Basically a secret knock that will then allow you to ssh into your systems behind your router. Also for this level of security you would have to load different firmware onto your router. Something like DD-WRT, Tomato or OpenWRT. This is not for the novice but secures your system much tighter.
-Dukejer
Thanks for the great info. It does seem involvled, but worthwhile to consider. So, the advantage with the option you are suggesting is security? Is that to say the barebones SSH makes things more or particularily unsecure? e.g. Opens up the network to behind the router? |
|
|
|
|
|
Yanz
|
|
June 27, 2011, 02:15:28 PM |
|
Teamview is free for home "personal" use.
|
With great video cards comes great power consumption.
|
|
|
dukejer
Jr. Member
Offline
Activity: 42
Merit: 2
|
|
June 27, 2011, 02:18:17 PM |
|
Thanks for the great info. It does seem involvled, but worthwhile to consider. So, the advantage with the option you are suggesting is security? Is that to say the barebones SSH makes things more or particularily unsecure? e.g. Opens up the network to behind the router? Openssh by itself is fairly secure even with passwords. I was hacked a little over a decade ago under Openssh with using passwords only but I have not see any easy exploits of Openssh in sometime. Passwords can be brute forced though and this makes them a security breach unless you have a long random password with a mix of uppercase, lowercase, numbers and symbols. I like the certificate keys because if you do not have the key you can not login to the box from the outside world. I run connectbot with a generated certificate key on my android phone to log into my systems. Locking down port forwarding with Knockd adds another level of security because if a port is open it gives a hacker a reason to try to break into your system. If they do not know the port is open in the first place they have no reason to try. Also they will not have an easy way of knowing which type of system is behind the port forward. Even with a port forwarding a hacker maybe able to fingerprint your Operating System by the way the port and application on the port like sshd responds. From their they can look for known exploits in the Operating System and try to break in. It is better if they do not know what OS or how many computer systems are behind the router. -Dukejer |
|
|
|
|
|
Xer0
|
|
June 27, 2011, 03:07:01 PM |
|
Arent there any bots yet, that connect to an IRC channel, and wait for shell commands?
|
|
|
|
|
|
evlew
|
|
June 27, 2011, 04:18:26 PM |
|
FYI: port forwarding 22 from the internet to port 22 on your machine directly exposes that port. This is not a very safe way to do it as some people will continually try to get in once they find that port is open. (and it's very easy to find if you stick to the default port) try port forwarding a different port number that they are not likely to guess ssh'ing to.
ie: port forward 4022 to 22.
then when you are outside your network use port 4022 when using putty or whatever ssh program. (your router will translate it to 22 so your computer knows to receive it)
another way is to use a VPN. that is what I use. in which case you can act as if your are locally connected to your network from anywhere with internet access. It has it's own security flaws, but whatever, the worst a hacker can to do my miner network is reconfigure them to mine for them, in which case I just reinstall the os and more security. No coins on my network.
if your router is flashable with DD-WRT you can essentially turn it into a way more functional device. Mind you the navigation and settings are a little more advanced, but nothing a miner can't figure out! (lots of documentation on their website)
in which case you can setup open-vpn on your router.
|
|
|
|
|
|
stellan0r
|
|
June 27, 2011, 09:37:28 PM |
|
and you need dyndns or a similar service in case your ip is not static (it will be dynamic in most cases)
dyndns.org
Good point. I'll look into resolving that if the IP is dynamic. Thanks. no problem. I'm now actually using my iphone/ipad to SSH into my miner from everywhere where I have 3G or WiFi  |
Allgemeine Gesundheitsberatung gegen Bitcoin-Zahlung. Bei Fragen einfach eine PM schicken!
If you want to send a thank you: BTC "1PZJvKvarRviQRQWejpvXW2j4e1xbT8MZb"
|
|
|
Grinder
Legendary
Offline
Activity: 1284
Merit: 1001
|
|
June 28, 2011, 08:26:27 AM |
|
The best thing you can do to secure your SSH server is probably to not run it on port 22. If there is a security hole or somebody wants to try to guess your password there's more than 99.9% chance they're only going to check port 22.
|
|
|
|
|
Capitan
Member
Offline
Activity: 112
Merit: 10
|
|
June 28, 2011, 08:40:07 AM |
|
With dyndns, you will be able to access only one of your computer. If you want to access the others you can do this :
Let's say you have 2 computers behind your router. Computer A and B.
You forward port 22 to computer A and you can SSH to computer A from outside.
When you are on computer A, you can access any computer on your LAN with another SSH.
Couldn't you also put SSH onto a different port on Computer B, and forward that port as well in the router? Then you could access both directly from outside? |
|
|
|
|
|
