I have a custom WOL script on my pi. Have always been able to log in over internet via ssh (port forwarded in router) to run script, but just recently am able to log in fine when on own WiFi, but trying to do this via the internet has stopped working. Checked router and correct port/ rule is still set up
Any ideas where to start with troubleshooting this?
You should check the system journal for details of any SSH logon attempts:
sudo journalctl
If you can log on from the internet while still being able to monitor the system journal, eg by going out via a VPN, you can see in real time what’s happening with
DHCP lease expire and your ISP changed your external IP address?
I do this regularly myself and I run a cron job where my OSMC box checks it’s external IP address and pushes it to a place I can access. I have a script that reads that and kicks off ssh to the appropriate IP and port.
Strange thing - reckon phone proivder has blocked the traffic - if I fire up a VPN on my phone and then try to log in, everything fine, turn it off, no connection whatsoever to the pi (used journalctl -f to check).
So you think that this might be an outbound issue, with your mobile phone company, rather than an inbound one? They do have a habit of doing hinky things with traffic. I guess you should be thankful the VPN is still getting through.
They tend to have a downer on UDP traffic but TCP usually gets through. I’d be inclined to try different incoming ports on your router. You can forward them to port 22 (or wherever) in the router. In fact, I’d always recommend you use a different Internet-facing port than 22 for SSH.
This is literally a worst practice and I’d say you are lucky it’s blocked. You would have certainly been being probed by script kiddies and botnet operators if traffic were allowed to pass on 22. Even if they didn’t get access, it’s still costing CPU cycles to refuse their attempts.
You should always forward some non-standard port from outside your firewall to 22 on the lan side, or change the ssh all together to some non-standard port.
@ActionA, yes. It’s easy to scan all ports and even easier to tell the port is running SSH. telnet to an ssh port; it announces itself. But also, as in my case, sometimes all ports are locked down except specific ones. No one can lock down 443 without a rather large whitelist of exceptions though. It’s possible, but unlikely. So I run SSH on 443.
Changed ssh to use some random port and tried again, same result, could connect on 4g via vpn, but not without the vpn.
Just as a test, installed a different ssh app, and everything works over 4g! App must have have an update that broke it, although why it would only not work over 4g is beyond me!
Thanks for everyone’s time on this - not an osmc issue at all
Securing ssh isn’t hard, but it does take a few steps.
Always, always, use ssh-keys, NEVER passwords.
NEVER allow remote root access.
Block all IPs that don’t have any business getting ssh access, if you can. That means allowing your work public IPs when you want to ssh home, or your home IPs when you want to ssh into work. Don’t allow the entire USA, Europe, Russia, China, Japan, Mexico, if you live in Chile. Only allow Chilean IPs to even make an attempt. Realize that Geo-IP lists are flawed, not 100% correct, and change constantly.
Don’t allow constant attack attempts. Block an IP/subnet after 3 failed attempts for a day (or a week).
It used to be that moving the sshd to a non-standard port (router port translation) was sufficient to avoid 99.99999% of the issues. In the last month, I’ve seen 1000+ attempts against my high-port SSHd listeners. That makes the firewall blocks critical.
Use either fail2ban or denyhosts to dynamically block failed attackers. I cannot think of any reason NOT to install fail2ban at the same time I install openssh-server.
Stay patched with any internet-facing devices. Weekly is a good idea. Monthly is a little lacking. Quarterly is unacceptable.
Of course, there are exceptions to these items. Thankfully, ssh and iptables allow highly locked down situations, but they aren’t for noobs.
For remote access into your LAN from anywhere, really only 443/tcp will work almost always. Some corporate/nation-state level firewalls DO know the difference between ssh traffic and HTTPS traffic, but most do not.
If you want remote access into an OSMC/Kodi/Plex setup, you can use SOCKS over ssh and a web browser. I use this all the time from different continents. Of course, the internet connection much support the required bandwidth. Internet in the middle of nowhere in Patagonia just doesn’t support video streaming … but it did work fine for audio. Tested 2 weeks ago. YMMV. I’ve done video from Europe, SE-Asia, Central America and South Africa sourced from the USA. Just had to turn down the 1080p to 480p video.
If you need more details, ask. I don’t use ssh much from phones or android devices. Still ssh is pretty amazing.
openvpn is more hassle. ssh is trivial in comparison. I know people who spend weeks trying to get openvpn working, some never do, but 10 minutes for ssh.
True, openvpn is capable of many things, but for many common uses, ssh is just as capable. ssh and sftp and rsync are extremely powerful. Between those 3 options, which you get by setting up openssh-server, the only real limitation is using protocols that have ZERO security and expecting them to be secure from devices which cannot be secured anyway (Windows, Android, iOS).
How to block attempts - I listed 3 methods. fail2ban, denyhosts and iptables. Block most of the internet with iptables. Actually, I’d use ipset (it is more efficient loading large rules). Fail2ban watches all remaining connections for failures. It is highly configurable, but still fairly easy to use. The defaults secure sshd on port 22 by default. There are multiple manpages which explain more.