I am trying to ssh into my computer from an external source using my public IP address, but I keep getting the error message ssh: connect to host <public_ip> port 2222: Connection refused.

What fails

  1. If I try to ssh into my local computer from an external IP with ssh -p 2222 <user_name>@<public_ip>, the command hangs.

  2. If I try to ssh into my computer from the computer itself with ssh -p 2222 <user_name>@<public_ip>, I receive the error message ssh: connect to host <public_ip> port 2222: Connection refused.

What works

  1. I can ssh into my own computer from the computer itself with ssh -p 2222 <user_name>@<internal_ip>

  2. I can ssh into my own computer from my Mac on the same network with ssh -p 2222 <user_name>@<internal_ip>

  3. I can ping my public IP address from a computer on a network external to mine.

Here is what I have done:

  1. I have logged into the Netgear Genie at routerlogin.net and set a port forward for port 2222 directed to my computer's internal IP address.

  2. systemctl status sshd returns

● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-10-23 14:44:09 PDT; 19min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 305357 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 305359 (sshd)
      Tasks: 1 (limit: 38023)
     Memory: 1.7M
        CPU: 23ms
     CGroup: /system.slice/ssh.service
             └─305359 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Oct 23 14:44:09 lenovo systemd[1]: Starting OpenBSD Secure Shell server...
Oct 23 14:44:09 lenovo sshd[305359]: Server listening on 0.0.0.0 port 2222.
Oct 23 14:44:09 lenovo sshd[305359]: Server listening on 0.0.0.0 port 22.
Oct 23 14:44:09 lenovo systemd[1]: Started OpenBSD Secure Shell server.

So my computer is listening on port 2222.

  3. systemctl status ufw returns

● ufw.service - Uncomplicated firewall
     Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sun 2023-10-22 20:48:44 PDT; 18h ago
       Docs: man:ufw(8)
    Process: 725 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
   Main PID: 725 (code=exited, status=0/SUCCESS)
        CPU: 36ms

Oct 22 20:48:43 lenovo systemd[1]: Starting Uncomplicated firewall...
Oct 22 20:48:44 lenovo systemd[1]: Finished Uncomplicated firewall.

  4. I have run sudo ufw allow 2222/tcp and ufw status returns

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
2222/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
2222/tcp (v6)              ALLOW       Anywhere (v6)

  5. I have added Port 2222 to /etc/ssh/sshd_config

  6. nmap -O -v <your public_IP> returns the following

PORT     STATE    SERVICE
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   filtered http
111/tcp  filtered rpcbind
443/tcp  filtered https
2222/tcp filtered EtherNetIP-1
8080/tcp filtered http-proxy
8181/tcp filtered intermapper
9000/tcp filtered cslistener

What else am I missing here?

alpastor

2 Answers

From a terminal that receives a connection refused error, run

nmap -O -v <your public_IP>

This will tell you what ports are open and responding. The results should tell you how to proceed to fix your issue. If ports 22 and 2222 answer up, have a look at the ssh configuration files on your openssh server. You should also consider focusing on getting port 22 to work and ditching the forwarding to port 2222 step temporarily.

In the config file /etc/ssh/sshd_config.d/sshd_config.conf, set LogLevel INFO and then tail -f /var/log/syslog in a shell on the server to see if anything about the login attempt is logged. Note (and this could be your problem) that you will need to create a similar entry for port 2222 in this config file. Note that the ListenAddress needs to be reachable from the Internet (for your purposes), via NAT or an assigned public IP address.

For troubleshooting purposes, consider setting ListenAddress 0.0.0.0

The use of AllowUsers and DenyUsers is a great security feature that should be utilized. That and the port forwarding you are doing will really cut down on the chances of being hacked.

Sample:

Port 22
ListenAddress 192.168.1.1
# SSH-1 era host key path; current installs ship ssh_host_ed25519_key and friends
HostKey /etc/ssh/ssh_host_key
# deprecated: current sshd warns about this option and ignores it
ServerKeyBits 1024
LoginGraceTime 600
# deprecated: current sshd warns about this option and ignores it
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
# the next three are SSH-1 era options; current sshd warns about them and ignores them
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers your_username

Based on your symptoms I doubt you are getting this far but check/clear $HOME/.ssh/known_hosts on the client you are using to ssh in to the server and see if keys are being exchanged. Again, I would modify the openssh server and your router to only use port 22 for ssh. Once you get that working you can add the additional security of using a different port. You should also disable telnet/ftp and only allow ssh and sftp for better security.

jones0610
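The answer above points at the sshd config files, the sshd_config.d drop-in where the port 2222 entry may have to go, and ListenAddress. As an added example (not code from the answer or from OpenSSH), this small Python resolver mirrors how sshd combines Port and ListenAddress directives across the main file and its drop-ins, so you can see which sockets a given config would bind before comparing with the "Server listening on" log lines; all config text is constructed for illustration.

```python
"""Added example, not from the thread: resolve the sockets sshd will bind from a
main sshd_config plus Ubuntu-style drop-ins. All config text here is constructed."""
import re

DEFAULT_PORT = 22              # compiled-in default when no Port directive is present
WILDCARDS = ("0.0.0.0", "::")  # what "no ListenAddress at all" amounts to

def parse_listen_address(arg: str) -> tuple:
    """ListenAddress forms: host | ipv4:port | [ipv6]:port (a trailing 'rdomain X' is dropped)."""
    arg = arg.split()[0]
    m = re.fullmatch(r"\[(.+)\]:(\d+)", arg) or re.fullmatch(r"([^:]+):(\d+)", arg)
    return (m.group(1), int(m.group(2))) if m else (arg, None)

def expand_includes(main_conf: str, dropins: dict) -> list:
    # Splice drop-in files (sorted by name, as the glob would be) where Include appears.
    lines = []
    for raw in main_conf.splitlines():
        if re.match(r"\s*include\b", raw, re.I):
            for name in sorted(dropins):
                lines.extend(dropins[name].splitlines())
        else:
            lines.append(raw)
    return lines

def resolve_listen_sockets(main_conf: str, dropins: dict) -> list:
    """(address, port) pairs sshd binds. Port and ListenAddress accumulate; a port-less
    ListenAddress is expanded against every Port once all lines are read (current sshd
    defers these too); with no ListenAddress the wildcards are bound on every Port."""
    ports, listens = [], []
    for raw in expand_includes(main_conf, dropins):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Port 2222' or 'Port=2222'
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "port":
            ports.append(int(val))
        elif key == "listenaddress":
            listens.append(parse_listen_address(val))
    ports = ports or [DEFAULT_PORT]
    if not listens:
        return [(w, p) for p in ports for w in WILDCARDS]
    return [(a, q) for a, p in listens for q in ([p] if p else ports)]

# Constructed: Ubuntu's stock main file includes the drop-in directory before its own lines.
MAIN_CONF = "Include /etc/ssh/sshd_config.d/*.conf\nPort 22\nPort 2222\nPermitRootLogin no\n"
DROPINS = {"50-lan.conf": "ListenAddress 192.168.1.50\n"}

if __name__ == "__main__":
    print(resolve_listen_sockets(MAIN_CONF, DROPINS))
    # [('192.168.1.50', 22), ('192.168.1.50', 2222)]
```

On the real host, `sshd -T` prints the effective configuration after all includes are applied, which is the authoritative version of this resolution.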
So I figured out the problem. My network has a double NAT and I needed to set up port forwarding on both my router and my modem. On my modem, I had to port forward to my router, and on my router I had to port forward to my device. I set this up and restarted the modem, and now I am able to ssh into my device from an external IP address. Another thing that I think messed me up was that I don't have a static internal IP address, so I needed to change the router's port forward to my device, since during some of the modem reboots my internal IP address changed.

alpastor
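As an added example (not from the answer), this Python snippet turns the double-NAT diagnosis above into two checks: classify the NAT layout from the router's WAN address and the address seen from outside, then list the forwards each layout needs, and probe a port naming the outcome the way the question reports it (hang versus Connection refused). All addresses are constructed; 203.0.113.x, a documentation range, stands in for a real public address.

```python
"""Added example, not from the thread: tell one NAT hop from the double NAT the asker
found, list the forwards each layout needs, and probe a port the way the question
describes the outcomes. Addresses are constructed; 203.0.113.x (a documentation
range) stands in for a real public address."""
import ipaddress
import socket

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space used by ISP-side NAT

def nat_layout(router_wan: str, seen_from_outside: str) -> str:
    """Classify the NAT path from the router's WAN address (its admin page shows it) and
    the address an outside host sees this LAN's traffic arrive from. IPv4 only."""
    wan = ipaddress.ip_address(router_wan)
    if wan == ipaddress.ip_address(seen_from_outside):
        return "single-nat"   # the router is the only NAT: one forward suffices
    if wan in CGNAT:
        return "cgnat"        # the outer NAT is the ISP's: nothing the subscriber can forward
    if any(wan in net for net in RFC1918):
        return "double-nat"   # a modem/gateway in front of the router is NATing as well
    return "unexpected"       # public but different: the outside check did not come from this LAN

def forwards_needed(layout: str, router_wan: str, lan_ip: str, port: int) -> list:
    """Forwards to configure, outermost device first, as (device, destination, port). Double
    NAT needs modem -> router WAN address and router -> host, which is the asker's fix.
    lan_ip must stay fixed (DHCP reservation), or the router's forward goes stale."""
    chain = {"single-nat": [("router", lan_ip, port)],
             "double-nat": [("modem", router_wan, port), ("router", lan_ip, port)]}
    return chain.get(layout, [])

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect and name the result as the question reports it: 'open' (handshake
    completed), 'refused' (a RST came back, so something answered), 'filtered' (no reply
    before the timeout, i.e. the 'hang' and nmap's 'filtered'), or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"  # no route, name resolution failure, etc.

if __name__ == "__main__":
    layout = nat_layout("192.168.0.2", "203.0.113.7")
    print(layout, forwards_needed(layout, "192.168.0.2", "192.168.1.50", 2222))
    # double-nat [('modem', '192.168.0.2', 2222), ('router', '192.168.1.50', 2222)]
```

Run the probe from a host outside the LAN: connecting to the public address from inside exercises NAT loopback, which many consumer routers do not implement, so a refused connection from the LAN side is not on its own evidence that the forwards are wrong.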