# trying to ssh to a machine at home



## Hybrid_theory (Feb 12, 2010)

For an assignment I need to set up a VPN at home and reach it from my school. Now VPN seems to be impossible, as there is no passthrough setting on the router from Bell (2WIRE 2701HG-G), and I've read it's near impossible to get it to work. So I thought I'd do SSH instead.

I've got a Fedora virtual machine in bridged mode, which I can SSH to just fine from the LAN. I have the SSH server application forwarded to Fedora's IP. I checked, and the application setting is TCP port 22.

So I SSH to my WAN IP and it times out. Not sure where to go from here.


----------



## Easy Rhino (Feb 12, 2010)

Hrm... well, on your router at home you should forward port 22 to your Fedora VM. Make sure you edit your Fedora firewall to allow traffic through to port 22. It should be that easy.


----------



## Hybrid_theory (Feb 12, 2010)

Easy Rhino said:


> Hrm... well, on your router at home you should forward port 22 to your Fedora VM. Make sure you edit your Fedora firewall to allow traffic through to port 22. It should be that easy.



Well, I can SSH from the laptop and desktop, and the port is forwarded.


----------



## Easy Rhino (Feb 12, 2010)

Hybrid_theory said:


> Well, I can SSH from the laptop and desktop, and the port is forwarded.



True, but your Fedora firewall may have separate settings for WAN access. If it isn't the firewall and the router is set up properly to forward traffic, then either the network bridge isn't configured properly or your ISP blocks all traffic from outside.


----------



## Hybrid_theory (Feb 12, 2010)

Easy Rhino said:


> True, but your Fedora firewall may have separate settings for WAN access. If it isn't the firewall and the router is set up properly to forward traffic, then either the network bridge isn't configured properly or your ISP blocks all traffic from outside.



Firewall's disabled; thought it was. Gonna get on chat with Bell, see what they say.


----------



## Easy Rhino (Feb 12, 2010)

Hybrid_theory said:


> Firewall's disabled; thought it was. Gonna get on chat with Bell, see what they say.



Don't forget Fedora has SELinux, so you may have to edit some of those settings as well. Also, are you sure your VM is getting its IP from the router and not from the host machine?


----------



## Hybrid_theory (Feb 12, 2010)

Easy Rhino said:


> Don't forget Fedora has SELinux, so you may have to edit some of those settings as well. Also, are you sure your VM is getting its IP from the router and not from the host machine?



Yeah, SELinux is disabled.

The router lists all of its connected clients, and can see the IP address of the server.


----------



## Easy Rhino (Feb 12, 2010)

Hybrid_theory said:


> Yeah, SELinux is disabled.
> 
> The router lists all of its connected clients, and can see the IP address of the server.



Hrm, then unless I missed something it has to be your ISP.


----------



## Hybrid_theory (Feb 12, 2010)

Easy Rhino said:


> Hrm, then unless I missed something it has to be your ISP.



Bell says they don't block it. Could it be because I'm connecting to my WAN IP from my own LAN??


----------



## Hybrid_theory (Feb 12, 2010)

Hybrid_theory said:


> Bell says they don't block it. Could it be because I'm connecting to my WAN IP from my own LAN??



Well, when I threw it in DMZ mode, it got the same WAN IP as my router, and it worked then. So it's having trouble NATing maybe, or getting through the router.


----------



## AlienIsGOD (Feb 12, 2010)

Bell is teh Suxx0r. I switched from them to Cogeco as they allow cable internet.


----------



## Hybrid_theory (Feb 12, 2010)

AlienIsGOD said:


> Bell is teh Suxx0r. I switched from them to Cogeco as they allow cable internet.



Eh, it's probably the router they gave me.


----------



## Hybrid_theory (Feb 13, 2010)

K, works now. My buddy can do it from his place. But when I try, I think the router tries something funky.


----------



## Easy Rhino (Feb 13, 2010)

Hybrid_theory said:


> K, works now. My buddy can do it from his place. But when I try, I think the router tries something funky.



Must be a shit router or your DNS settings. Change the DNS server on your host machine, or whatever machine you are connecting to, and see if that helps.


----------



## slyfox2151 (Feb 13, 2010)

You can't connect via WAN through your own LAN (that I know of).


----------



## Hybrid_theory (Feb 13, 2010)

Easy Rhino said:


> Must be a shit router or your DNS settings. Change the DNS server on your host machine, or whatever machine you are connecting to, and see if that helps.



Well, I ran Wireshark and what happened was the SSH responses came from 2.21, which is the VM, and went directly to my laptop. So it didn't route back out then in, which could be the issue.

Then a couple of minutes later the router IP sent responses.

I'll admit I thought this could be the problem from the start.

When it didn't work for my friend initially, it was probably because I had just switched it to DMZ and hadn't rebooted the VM yet.


----------
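
The Wireshark observation above (replies arriving directly from the VM's private address instead of the WAN address the laptop connected to) is the classic hairpin-NAT failure. The following is an added example, not code from any poster in this thread: it runs that same check over a constructed packet list. The laptop, router and VM addresses (the ".2.21" prefix included) and the documentation-range WAN address are assumptions.

```python
# Added example (not from the thread). Reproduces, on a constructed packet
# list, the diagnosis done in Wireshark: an SSH client on the LAN sends a
# SYN to the router's WAN address, but the SYN-ACK comes back from the VM's
# private address. The client has no connection state for that address, so
# the reply is dropped and the attempt appears to time out.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport flags")

# Constructed addresses (assumptions): laptop, router WAN side, Fedora VM.
LAPTOP = "192.168.2.10"
WAN_IP = "203.0.113.5"      # documentation range, stands in for the real WAN IP
VM = "192.168.2.21"         # the ".2.21" host mentioned in the thread

def hairpin_check(packets):
    """For every client SYN to WAN_IP:22, find the matching SYN-ACK and
    report whether it came back from the address the client connected to.

    Returns a list of (client_port, verdict, reply_source)."""
    findings = []
    syns = [p for p in packets
            if p.dst == WAN_IP and p.dport == 22 and p.flags == "S"]
    for syn in syns:
        reply = next((p for p in packets
                      if p.dst == syn.src and p.dport == syn.sport
                      and p.flags == "SA"), None)
        if reply is None:
            findings.append((syn.sport, "no reply", None))
        elif reply.src == syn.dst:
            findings.append((syn.sport, "ok", reply.src))
        else:
            # Reply source was never rewritten back to WAN_IP: the client's
            # TCP stack discards it, which looks like a timeout to the user.
            findings.append((syn.sport, "asymmetric reply", reply.src))
    return findings

# Constructed capture: the first attempt is answered directly by the VM
# (fails), the second is answered from the WAN address after the router's
# NAT catches up (works), matching the sequence described in the post.
CAPTURE = [
    Packet(LAPTOP, WAN_IP, 50001, 22, "S"),
    Packet(VM, LAPTOP, 22, 50001, "SA"),
    Packet(LAPTOP, WAN_IP, 50002, 22, "S"),
    Packet(WAN_IP, LAPTOP, 22, 50002, "SA"),
]

if __name__ == "__main__":
    for sport, verdict, src in hairpin_check(CAPTURE):
        extra = f" (reply from {src})" if src else ""
        print(f"client port {sport}: {verdict}{extra}")
```

Testing from a host outside the LAN, as the friend did, avoids the hairpin path entirely, which is why it worked for him and not from the laptop.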



## Clement (Feb 15, 2010)

Hybrid_theory said:


> Well, I ran Wireshark and what happened was the SSH responses came from 2.21, which is the VM, and went directly to my laptop. So it didn't route back out then in, which could be the issue.
> 
> Then a couple of minutes later the router IP sent responses.
> 
> ...



You do not need to use DMZ mode on that router (if you do, make sure the DMZ'd machine is also configured to route). "That course of action is inadvisable."

Instead, set up a custom profile for the firewall from the drop-down menu (it will be the radio button in between Off and DMZ) for your server machine.

There is nothing fancy on those routers, I know, but it will work. All you can do is leave the ports open, and as long as you know your external IP and the port, it will work from the cloud. This is assuming you have your network settings inside your network sorted correctly.

Please be aware that this configuration is *very insecure*, especially with these routers.

Consider getting a router either with Linux, or one you can flash Linux to, e.g. DD-WRT. At the very least, put a real router between your server and your gateway. You will never look back.


----------



## Hybrid_theory (Feb 15, 2010)

Clement said:


> You do not need to use DMZ mode on that router (if you do, make sure the DMZ'd machine is also configured to route). "That course of action is inadvisable."
> 
> Instead, set up a custom profile for the firewall from the drop-down menu (it will be the radio button in between Off and DMZ) for your server machine.
> 
> ...



I used to have a WRT54G behind it, but I took it out as the Bell one does everything, and it decreases ping times by a margin.

I think I read that you can set the Bell to be modem only; then I could put my WRT54GS behind it and use that.

On your insecure note: even if the port is open on a DD-WRT router, the service is still open for attack, whether it's SSH or VPN. The VPN is PPTP, so I put a good password on the user I made for it.

SSH I set up to use a public/private key, so no one can get into it but me.


----------
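
The key-only SSH setup described above only holds if sshd really refuses password logins on the forwarded port. The following is an added example, not code from any poster in this thread: a small audit of an sshd_config's global section against that goal. The two sample configs are constructed; the audit ignores Match blocks (an assumption of the example) and uses the defaults documented in sshd_config(5) for directives that are absent.

```python
# Added example (not from the thread). Audits the global section of an
# sshd_config for a key-only server, flagging directives that would still
# let a password guesser in through a forwarded port 22.
import re

# Directives that matter for key-only login: (hardened value, OpenSSH's
# default when the directive is absent, per current sshd_config(5)).
WANTED = {
    "pubkeyauthentication": ("yes", "yes"),
    "passwordauthentication": ("no", "yes"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "permitemptypasswords": ("no", "no"),
    "permitrootlogin": ("no", "prohibit-password"),
}

def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    sshd uses the FIRST value given for a keyword, so later duplicates are
    ignored here as well. Parsing stops at the first Match block
    (assumption of this example: per-user overrides are not audited)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)           # first value wins
    return settings

def audit_sshd_config(text):
    """Return sorted (keyword, effective_value, wanted_value) tuples for
    every directive whose effective value is not the hardened one."""
    cfg = parse_sshd_config(text)
    return sorted((k, cfg.get(k, default), wanted)
                  for k, (wanted, default) in WANTED.items()
                  if cfg.get(k, default) != wanted)

# Constructed sample configs (not from the thread).
WEAK = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is not set, so sshd's default (yes) applies
"""
HARDENED = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored by sshd: the first value wins
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_sshd_config(text) or "OK: key-only login")
```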



## Clement (Feb 15, 2010)

Hybrid_theory said:


> I used to have a WRT54G behind it, but I took it out as the Bell one does everything, and it decreases ping times by a margin.
> 
> I think I read that you can set the Bell to be modem only; then I could put my WRT54GS behind it and use that.
> 
> ...



The only way to be completely secure is to disconnect from the cloud, indeed. Your gateway in particular is *very* easy to get by, considering the mechanism your ISP uses to diagnose your connection.

Call me paranoid, but you may not need to worry about such things.

A few things to try that will lower the transfer latencies on your WRT:
1. Disable unneeded services
2. Disable logging/caching of information
3. Disable filtering the data (under the SPI firewall section)
4. If you trust your gateway's firewall, you can disable the SPI firewall, but I would advise against it.

You may or may not need these settings depending on your situation/operating system/browser usage.

EDIT: Your Bell modem can be a router, as well as the WRT. The WRT must be set as a DHCP forwarder if you want full network access between clients (shared folders, for example). You must also configure the Bell router as the gateway in your WRT.

There are two common home configurations:
1. WRT as a separate sub-network; WRT creates its own DHCP client pool; Bell must still be the gateway, but you can use DNS caching on your WRT if you wish.
2. WRT as a router, Bell as the gateway; Bell rules as DHCP, DNS, and gateway.
The features of your Bell router may limit the possibilities. If you need help configuring these two, don't be afraid to ask.

If you choose configuration 1, your 2Wire modem will complain about a separate router on the network; you can safely disable this warning in that dialog or here:
http://192.168.1.254/mdc (whichever IP is your Bell gateway)

Have fun!


----------



## Deleted member 3 (Feb 15, 2010)

Why don't you cheat? Use hamachi or something similar.


----------



## Steevo (Feb 15, 2010)

Dan FTW!!!


Go away, ol' man, he's trying to learn to do it the hard way.


But other than that, I have to say MITM. Anything requiring a password that responds to a query on the net is open to all sorts of script kiddies, vulnerabilities, and backdoor hacks. No sir, not I.


I frequently change a 256-bit AES encrypted shared key that is on a firewall VPN, which only routes inside the ISP network to unique IP addresses, and then has a secondary handshake protocol that includes a username, password, and unique identifier that is sent in encrypted form. The initial packets are sent and the hops mapped; the VPN self-terminates if the hop count and node address change.


Nothing is secure.


----------



## Clement (Feb 15, 2010)

Steevo said:


> Dan FTW!!!
> 
> 
> Go away, ol' man, he's trying to learn to do it the hard way.
> ...



Very true. Not everything is mission critical either.

Thru-rate latencies were mentioned as being an issue, so I didn't mention any sort of extra encryption.

Learning to do it the way I suggested is a good foundation to start from.

I am under the impression that VPN tunneling is being used. With a few tweaks this will suffice for the majority of 'kiddies' out there.


----------



## Hybrid_theory (Feb 15, 2010)

DanTheBanjoman said:


> Why don't you cheat? Use hamachi or something similar.



Haha, don't think I'd get marks for that.



> Dan FTW!!!
> 
> 
> Go away, ol' man, he's trying to learn to do it the hard way.
> ...



Yeah, someone can scan my router, see 1723 is open, and try to brute-force my username/password. I gave it a decent-sized password with a few different characters. The user is a restricted user, and not an admin. And he's the only one who can get in. The AES way sounds nice, but also like a lot of work; I would need to install something to get that up and going.



> If you choose configuration 1, your 2Wire modem will complain about a separate router on the network; you can safely disable this warning in that dialog or here:
> http://192.168.1.254/mdc (whichever IP is your Bell gateway)



The mdc page is password protected. I've read you can flash the firmware, but I'm renting the modem.


----------



## Clement (Feb 15, 2010)

Hybrid_theory said:


> Haha, don't think I'd get marks for that.
> 
> 
> 
> Yeah, someone can scan my router, see 1723 is open, and try to brute-force my username/password. I gave it a decent-sized password with a few different characters. The user is a restricted user, and not an admin. And he's the only one who can get in. The AES way sounds nice, but also like a lot of work; I would need to install something to get that up and going.



If your gateway supports these features, go for it. The 2Wire surely doesn't though, AFAIK. You could, however, set up the Linux router to do this and much more directly after your gateway, if you really need that kind of security.


----------



## Hybrid_theory (Feb 15, 2010)

So for, say, the gateway setup: I'd need to port forward everything to the WRT that I want open, so SSH, VPN (PPTP), and anything else I use?

Keep the Bell as DNS, DHCP, and gateway, so the Bell is the WRT's gateway. Wireless should be off the WRT. Set up the WRT as a DHCP relay. Anything I'm missing?

Should I use Tomato or DD-WRT? I've heard good things on both.


----------



## Clement (Feb 15, 2010)

Hybrid_theory said:


> So for, say, the gateway setup: I'd need to port forward everything to the WRT that I want open, so SSH, VPN (PPTP), and anything else I use?
> 
> Keep the Bell as DNS, DHCP, and gateway, so the Bell is the WRT's gateway. Wireless should be off the WRT. Set up the WRT as a DHCP relay. Anything I'm missing?
> 
> Should I use Tomato or DD-WRT? I've heard good things on both.



You can run wireless on the WRT if you wish, though it may not make sense if they are beside each other.

If you can on the Bell, restrict access as much as you can, if you wish.

I've only had many years of experience with DD-WRT. It's always worked, so I've never switched.

Here:
http://blog.fourfridays.com/2009/03/01/ddwrt-vs-tomato/
is an account of a real-world reason why a person wanted Tomato over DD-WRT.

There are other features, on which you will have to make the choice yourself. Just make sure you do the proper research, make sure your router is supported, and learn how to correctly flash it.

http://www.dd-wrt.com/wiki/index.php/Supported_Devices

http://www.polarcloud.com/tomatofaq#what_will_this_run_on


----------



## Hybrid_theory (Feb 15, 2010)

Clement said:


> You can run wireless on the WRT if you wish, though it may not make sense if they are beside each other.
> 
> If you can on the Bell, restrict access as much as you can, if you wish.
> 
> ...



Well, my thought to run wireless on the WRT and turn it off on the Bell is for the reason of just keeping the Bell as the gateway, and it makes less complication for sharing between desktop and laptop.


----------



## Clement (Feb 15, 2010)

Hybrid_theory said:


> Well, my thought to run wireless on the WRT and turn it off on the Bell is for the reason of just keeping the Bell as the gateway, and it makes less complication for sharing between desktop and laptop.



Less complication is good!


----------



## Hybrid_theory (Feb 15, 2010)

Alright, just wondering how to deal with the Bell router now. For setting port forwards on it, you specify an application to a machine from a drop-down list (IP). Should I just leave them on there?

Just not sure, basically, where to make this more secure.

I've wired everything to the WRT, and the WRT to the Bell.


----------



## Clement (Feb 16, 2010)

Hybrid_theory said:


> Alright, just wondering how to deal with the Bell router now. For setting port forwards on it, you specify an application to a machine from a drop-down list (IP). Should I just leave them on there?
> 
> Just not sure, basically, where to make this more secure.
> 
> I've wired everything to the WRT, and the WRT to the Bell.



Only leave the applications/ports that you are using, nothing else. (The WRT router should auto-configure the port forwards for you so long as everything else is kosher; check the configuration after you start your server application.)

AFAIK you may have to configure your own application/ports, then that's about it for the Bell, and that is it for security on them, aside from keeping the firewall enabled (some settings in Firewall->Advanced will help). *Make sure* you don't have any applications/ports open that aren't necessary.

You can check the advanced settings tab, but AFAIK the 2Wire routers do not even support something as simple as VPN tunnelling (you may have to check this yourself, not 100% on this).

If you need a more secure setup, you will have to have the Bell replaced with either a better router with the features that you want, or a router that you can flash yourself (you may* have to check your ISP's policies to make sure you can if you are renting the router).

Let me just remind you this is all just to get you up and running.

AFAIK you are severely limited by that Bell 2Wire router.

This setup will work until you get your current gateway replaced with a 'real' one. You may or may not choose to do so (it's really up to you and your needs).

_You may also want to look into the suggestions by other users in this thread._


----------



## Hybrid_theory (Feb 19, 2010)

Well, I realized my Tomato was wired to the Bell just on a switch port, so it wasn't blocking anything. But after connecting it to the WAN port I could not get it sending packets over it. DHCP leases from the Bell couldn't reach my computers, and my computers couldn't ping the .1 address of the Bell. Even setting a static IP and a gateway of .2 didn't work.

So I decided to go back to just the Bell. In terms of security, an open port is an open port. It would be open between both devices, so I don't see the reason to go through a large headache to get this to work... unless it's something simple I missed.


----------



## Clement (Feb 19, 2010)

Hybrid_theory said:


> Well, I realized my Tomato was wired to the Bell just on a switch port, so it wasn't blocking anything. But after connecting it to the WAN port I could not get it sending packets over it. DHCP leases from the Bell couldn't reach my computers, and my computers couldn't ping the .1 address of the Bell. Even setting a static IP and a gateway of .2 didn't work.
> 
> So I decided to go back to just the Bell. In terms of security, an open port is an open port. It would be open between both devices, so I don't see the reason to go through a large headache to get this to work... unless it's something simple I missed.



On a DD-WRT router, you would enable DHCP forwarding on the first setup page.

I do not know if you can, or how to, enable DHCP forwarding on Tomato.


----------

