remote ssh


nardinc
18th November 2006, 10:31 PM
I am trying to ssh into my home computer remotely. It is connected to the internet with a DSL modem/router. I know the ip address that the modem is getting, and I know the network ip address that the modem gives to the local machine, but I don't know how to put it all together. As an example, let's say that:
* the local user name is user
* the local machine is host1
* the internet ip address is 10.20.30.40
* the network ip address is 192.168.0.10

What I tried was
ssh user@host1.10.20.30.40
and it didn't work.

Please help, or point me to a reference.

giulix
18th November 2006, 11:05 PM
Dig into port forwarding, if your router supports it.

Brian1
18th November 2006, 11:14 PM

As giulix says you need to port forward the external ip, port 22 to the internal machine ip, port 22 from the router's configuration. Review router manuals and faqs on the manufacturer's website. Also make sure if a firewall is up on the linux box that it has port 22 open.

Brian

jhetrick62
19th November 2006, 04:34 AM
That also may not be the proper ssh statement for after you get port-forwarding set up. You must do the following:

1) Make sure that your ssh.conf is set up to allow the connections
2) Port forward your ssh port (22 by default if you have not changed it) in your router to your machine 192.168.0.10
3) Make sure that you have ssh opened in iptables and selinux if you are running either one.
4) Use putty if logging in from a windows machine and if a linux machine I would use this statement:
ssh -l user 10.20.30.40

Jeff

nardinc
19th November 2006, 05:11 AM
Thanks for all of your input. I am looking into port forwarding, and I am getting hung up on setting up a static route with my DSL router. I am thinking of trying to bypass the DSL router and use another router that I have. I think that I can do that by turning on DMZ routing on the DSL router (which should send everything to the second router?) and then set up a static route with the second router to my local machine.

Zigzagcom
19th November 2006, 06:49 AM
Go here....they list numerous gateways/routers with instructions on how to do it.

http://www.portforward.com/

jhetrick62
19th November 2006, 05:19 PM
What type of a router do you have? Most routers really do not have to have the static route defined.

If you have dhcp set up for say addresses 10-50, then just pick an address with your server that is above 50. Usually this works and the router will allow it, then you won't have the complexity of setting up a dual-routing system. Those work, although they require a little more skill than a single routing system.

Jeff

nardinc
20th November 2006, 02:13 PM
I think that I figured out my problem. I was trying to specify which computer got the static route on my router, when it is the computer that needs to be set up as a static route. Thanks for the help.

Brian1
20th November 2006, 10:16 PM
Yes that is correct. With store bought routers the machine you are forwarding to must also have the same IP. So static IP is what it needs to be set as.

Glad to see you have it going or getting close.
Brian

nardinc
5th December 2006, 03:51 AM
I have been working on other things lately, but now I am back. I think that I have the router configured now. I have port forwarding set up and DMZ set up to go to 192.168.0.100 and my linux box is set to a static route of 192.168.0.100, and I think that everything is cool with that. I can ssh into it if I go through the network:

ssh -l user 192.168.0.100

But if I go out to the internet it gives me an error: "ssh_exchange_identification: Connection closed by remote host".

Right now the firewall is turned off, and SELinux is disabled. So what do I need to do to configure ssh and iptables?

As always, any pointers are appreciated.

jhetrick62
5th December 2006, 04:24 AM
I don't think that I've ever had that error. Why did you set the server up on the DMZ? I would just use a port-forward statement that instructs the router to send all port 22 requests to 192.168.0.100.

That should solve the problem by itself. What ssh are you using when attempting to gain remote access?

ssh -l user yourname.com should work if you are using a service like dyndns.

Jeff

stanjam
5th December 2006, 05:06 AM
Just a couple thoughts here. Make sure your computer is actually running the ssh server. I believe it is service sshd start (as root) from the command line. To make it start automatically when the computer starts try chkconfig sshd on (as root).

Also you should run something like denyhosts to help prevent others from gaining access to your computer and disable root ssh log ins. The message you received is similar to one you get if denyhosts has added the IP to the firewall. So make sure that your firewall iptables is allowing ssh connections. There is a gui interface that will allow you to set this up easily in fedora core 5 and 6 if you are using gnome.

JaTeK
5th December 2006, 02:58 PM
Some routers like D-Link have an option named "Virtual Server". You can put there the source and destination port ("22" both), and the host address (your linux host's local address). It is better than using DMZ.

nardinc
5th December 2006, 03:02 PM
Submitted to wrong post. Sorry.

nardinc
5th December 2006, 03:13 PM
Originally I had another router behind the DSL router, and I was trying to send all of the ports to the next router. I have removed that router and didn't think that it would hurt to have DMZ set up (temporarily). I will try turning that off. I do have port 22 forwarded to 192.168.0.100, so shouldn't it still be getting it?

Also the sshd is running because if I am within my network I can ssh into it, but if I go outside it I can not.

How do I set up/manage/check this business with denyhosts and iptables? I am not too familiar with them.

For now, my goal is just to get things to work, then the next step is to make things work "correctly". By correctly, I mean secure.

nardinc
7th December 2006, 04:09 AM
I tried looking at setting up iptables, and it is way beyond me. All I want to know is what is blocking me from sshing remotely. I haven't looked at denyhost just yet.

Is there something that I have to do to setup the sshd to allow remote logins?

jhetrick62
7th December 2006, 05:34 AM
First, check to see if denyhosts is running.
/sbin/chkconfig --list denyhosts

It will tell you what the status is for each runlevel. If it's on, it should be set to on for runlevels 3 & 5.

Secondly, if it is on and you are being blocked (unless you set it up it probably will not be on) you will get messages in /var/log/denyhosts so turn it off temporarily.

Next, open your /etc/ssh/sshd_config file and check to see what port you are actually listening on. It is probably set correctly if you are getting the system on local attempts. Make sure that you are forwarding the proper ports.

Then if all of that is working, you should not have any problems getting to your box unless the location that you are attempting to port forward from is blocking your out-bound request, or if by chance (and I think this is not very probable) your ISP has port 22 closed for your use. If you want to test that theory, switch the port in sshd_config to something like port 12022 and see if you can hit it that way.

If you are attempting to ssh through putty, post a screenshot of your set-up. If from a *nix machine, post the ssh line that you are using.

Jeff
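Added example, not part of the original posts: a small probe that separates the failure modes discussed in this thread. A refused or timed-out connection points at the port forward or firewall, while a connection that opens and is closed before any `SSH-` banner arrives is the condition the ssh client reports as "ssh_exchange_identification: Connection closed by remote host". The names `probe_ssh` and `fake_listener` are hypothetical, and the listener is a constructed local test peer.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=5.0):
    """Classify how far a TCP connection to an SSH port gets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                 # nothing listens where the packet landed
    except (socket.timeout, TimeoutError):
        return "timeout"                 # dropped on the way: firewall or no forward
    except OSError as exc:
        return "unreachable: %s" % exc
    with sock:
        try:
            data = sock.recv(256)        # a server speaks first with its banner
        except (socket.timeout, TimeoutError):
            return "connected-no-banner"
        except ConnectionResetError:
            return "closed-before-banner"
    if not data:
        # TCP was accepted, then closed: the endpoint itself rejected the client
        return "closed-before-banner"
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    # The banner also shows which device answered (router or the Linux box)
    return ("banner: " if line.startswith("SSH-") else "not-ssh: ") + line

def fake_listener(reply):
    """Constructed test peer: accept one connection, send `reply`, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if reply:
            conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe_ssh("127.0.0.1", fake_listener(b"SSH-2.0-Example_1.0\r\n")))
    print(probe_ssh("127.0.0.1", fake_listener(b"")))
```

Run it once from inside the LAN against the private address and once from outside against the public address, then compare the two results.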

bodhi.zazen
5th July 2007, 12:32 AM
I have been working on other things lately, but now I am back. I think that I have the router configured now. I have port forwarding set up and DMZ set up to go to 192.168.0.100 and my linux box is set to a static route of 192.168.0.100, and I think that everything is cool with that. I can ssh into it if I go through the network:

ssh -l user 192.168.0.100

But if I go out to the internet it gives me an error: "ssh_exchange_identification: Connection closed by remote host".

Right now the firewall is turned off, and SELinux is disabled. So what do I need to do to configure ssh and iptables?

As always, any pointers are appreciated.

I see this is an old thread, all the same, I had the same error message :

ssh_exchange_identification: Connection closed by remote host

the "problem" was with hosts.allow. ssh does not like /24 or /255

So : sshd : <ip> : ALLOW

As far as I can tell it is IP by IP ...

The only other option is to allow all ssh connections in hosts.deny

jhetrick62
5th July 2007, 02:25 PM
You may be correct as I have not attempted to DENY ALL and allow only select addresses (I do block ALL and open only select ones with ftp though as that is not encrypted) . I allow ssh open on my box and keep a very strong password and I also have my box setup to blacklist into the deny section any offending IP address that enters a wrong password 3 times within 10 minutes. It is then blocked for the next 30 days, so that is how I deal with hack attempts. It has worked for me.

Jeff

muhtaroglu
9th October 2008, 01:18 PM
hi,

it looks like this problem occurred long long time ago...

But I faced it again and I followed the posts here but I couldn't come to a solution since no solution is exactly stated. "Nardinc" also didn't post back as problem is solved...

I tried all those stated above, I am trying to ssh from my local machine to my internet ip. And through the router (adsl modem) I configured the NAT to point to another local machine.

But I get the "ssh_exchange_identification: Connection closed by remote host" !

This has probably nothing to do with the remote local machine that I want to access, since I plug its network cable off and I still get that error. I think the ssh command tries to ssh into the modem itself :) instead of forwarding the request to the other local machine's port...

my /etc/hosts.deny file is as below :

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

http-rman : ALL EXCEPT LOCAL

according to this nothing should be denied or ?

I just ssh from my home lan network to my internet ip with "ssh username@staticip" and i get "ssh_exchange_identification: Connection closed by remote host"

can anyone help ?

I tried DMZ (Demilitarized Zone) through Firewall, but no help as well.

Will be great if we can solve this ...


--------------
linux newbee
ilke

jhetrick62
9th October 2008, 02:56 PM
Mutaroglu,

Your hosts.deny file is blocking all connections except the local machine and possibly the local network as I have not used the command so I'm unsure if it will block all outside connections or not.

For testing purposes, put a # in front of the line so that your file reads like this and save it, then try again to see if that works. If it does, then you can configure a proper hosts.deny file afterwards.

Your file should read:

# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

#http-rman : ALL EXCEPT LOCAL

Save it and try again. This may or may not work depending on how advanced your router is. I run a sonicwall which is much more rule oriented than a standard home use router such as a linksys or netgear, and I don't have the rules set up to allow that so I can't ssh from within my local network, back through my WAN address at all! But if I'm outside of the network, it works just fine. But then I don't get that error message either, so you are probably hitting your machine and it is blocked by hosts.deny.

Jeff
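Added example, not part of the original posts: a simplified evaluator for the `daemon_list : client_list [: option]` rules in hosts.allow and hosts.deny discussed above, showing which daemon and which client addresses a rule applies to. It is a sketch of a subset of hosts_access(5), IPv4 only, that assumes rules end in an optional ALLOW/DENY option and treats hostname-based wildcards such as LOCAL as never matching; the function names and the `ALLOW`/`DENY` sample rules are constructed, and `POSTED_DENY` is the line posted in the thread.

```python
import re

def client_matches(pattern, ip):
    """One client pattern vs. a client IPv4 address (subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # "192.168.0." is an address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                         # n.n.n.n/m.m.m.m net/mask pair
        net, mask = pattern.split("/", 1)
        if mask.count(".") != 3:               # other mask notations: not handled here
            return False
        as_int = lambda a: int.from_bytes(bytes(map(int, a.split("."))), "big")
        return as_int(ip) & as_int(mask) == as_int(net)
    return pattern == ip                       # exact address; LOCAL etc. never match

def list_matches(tokens, value, match):
    """Evaluate 'a b EXCEPT c': the left side must match, the right side must not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], value, match)
                and not list_matches(tokens[i + 1:], value, match))
    return any(match(t, value) for t in tokens)

def rules(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" in line:
            f = [part.strip() for part in line.split(":")]
            yield re.split(r"[\s,]+", f[0]), re.split(r"[\s,]+", f[1]), f[2:]

def check(daemon, ip, allow_text, deny_text):
    """hosts.allow is searched first, then hosts.deny; the first matching rule wins."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, opts in rules(text):
            if (list_matches(daemons, daemon, lambda p, d: p in ("ALL", d))
                    and list_matches(clients, ip, client_matches)):
                if opts and opts[-1].upper() in ("ALLOW", "DENY"):
                    return opts[-1].lower()
                return verdict
    return "allow"                             # no rule in either file matched

POSTED_DENY = "http-rman : ALL EXCEPT LOCAL\n"   # hosts.deny as posted in the thread
# Constructed pair: two networks allowed for sshd, everything else denied
ALLOW = "sshd : 192.168.0. 198.51.100.0/255.255.255.0 : ALLOW\n"
DENY = "sshd : ALL\n"

if __name__ == "__main__":
    print(check("sshd", "203.0.113.7", ALLOW, DENY))
```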