340

I have two computers behind the same router. Let's call them A and B.

A can SSH to B in the following manner: ssh usr@<internal ip of computer>

B can SSH to A by doing the same, but the external IP must be used. I have forwarded port 22 of my router to the IP of computer A, so that all makes sense to me.

However, I want to also forward port 26 to computer B, and SSH from outside the network by using the external IP for both, but specifying either port 22 or 26, to effectively select which computer to use.

I have tried allowing port 26 through OUTPUT of iptables on A and INPUT of B, but that didn't seem to work. I have also forwarded port 26 to the internal IP of B (through the router), as I did with 22 for A.

Here's what I get when I try to SSH from A to B using the external IP and port 26:

ssh: connect to host xx.xx.xxx.xx port 26: Connection refused.

Versions:

  • A = OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
  • B = OpenSSH_6.0p1 Debian-4, OpenSSL 1.0.1c 10 May 2012

A has 12.04 Ubuntu, B is a Raspberry Pi with Raspbian.

EDIT: Something that I forgot to put in: I did try switching the SSH config file (I found it is /etc/ssh/ssh_config): I uncommented (deleted the #) the line with Port and changed 22 to 26. It still gave me the connection refused message. (I rebooted to no avail.)

Gary
  • 4,042

7 Answers

670

If you are on a Linux system and you want to connect to an SSH server on port 26, you can use the following command.

ssh user@192.168.1.1 -p 26

Note:

  1. Replace the server IP with the IP address or DNS name of your server.
  2. Change the port number to the one you have set.
  3. If you are using a custom SSH port, then the same port must be allowed for outbound and inbound connections on the firewall, otherwise the connection will not be established.
Shiv Singh
  • 6,941

91

It seems like you're not running SSH on port 26 on the second machine. You can either change the port number on that machine to 26.

Either edit /etc/ssh/sshd_config and don't forget to restart SSH (service sshd restart), or leave it on 22 but forward port 26 on the router to port 22 on the second machine. Also, don't forget to change any firewall settings on the second machine to allow the connections through.

Mahsa2
  • 353
Nerdfest
  • 4,658

14

As I've explained in a related answer, the ssh client allows specifying a URI format such as ssh://user@host:1234. For example:

ssh ssh://myuser@mydomain.com:2222

where 2222 is the port number. Substitute the port number which you intend to use instead. Of course, remember that in order to connect to the specified port, the ssh server (on the host to which you are trying to connect) has to listen on the specified port in the first place.

13

I use port 22 only for intranet ssh access.

For access via the internet I use a custom (unusual) port. This has the benefit that I reduce the load generated by script kids who are scanning port 22 for "well known usernames".

The external sshd processes are controlled by xinetd and run in parallel to the internal sshd process. In the following example I use port 12345.

You are free to change this to any available free port number on your system. A higher value may also make it a bit less likely that this port is found by a "quick port scan".

The xinetd configuration is:

service ssh-external
{
    socket_type = stream
    wait = no
    protocol = tcp
    type = UNLISTED
    user = root
    server = /usr/sbin/sshd
    server_args = -i -f /etc/ssh/external-sshd.config
    port = 12345
    log_on_failure += USERID
}

The file /etc/ssh/external-sshd.config can be a copy of your usual sshd configuration. Ensure that the following statements are configured:

Port 12345
AddressFamily inet

I also suggest enforcing public key authentication and disabling password authentication for the internet access:

PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Stunner
  • 103

11

Listen ports can also be hard linked to IP addresses. On /etc/ssh/sshd_config:

ListenAddress 10.10.10.10:22
ListenAddress 20.20.20.20:4444
Pablo Bianchi
  • 17,371

6

It is not a good idea to run ssh on the default port (TCP/22), nor to forward port 22 from the WAN IP to whatever port the ssh server is using on the LAN IP.

To make ssh-server listen on any given port you have to

  1. Edit /etc/ssh/sshd_config (note the d), changing #Port 22 to Port 26, i.e. uncomment and change the port. Better than 26 would be a random higher number (below 65535), like 42895.
    Also consider changing to PermitRootLogin no.

  2. Test your configuration with sshd's test mode:

    sudo sshd -t

  3. Restart the ssh-server service:

    sudo systemctl restart sshd.service

Then from the ssh client you will be able to connect:

ssh user@serverNameOrIP -p 42895

Furthermore

mosh

Mosh (mobile shell) is a remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes. Mosh is a replacement for interactive SSH terminals. It's more robust and responsive, especially over Wi-Fi, cellular, and long-distance links.

If the mosh package is installed on the server, you can then use:

mosh --ssh="ssh -p 42895" serverNameOrIP

Proxy jump

OpenSSH v7.3 onward supports one or more -J options, just for jump hosts.

Pablo Bianchi
  • 17,371
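A check that ties the sshd_config answers together (the edit-sshd_config-and-restart steps in the answers above and the ListenAddress answer): an added shell example, not code from any of the answers, that works out which TCP ports a given sshd_config will actually make sshd listen on, following sshd's own Port/ListenAddress rules, and then reports whether anything is bound there yet. The sample sshd_config is constructed here, and the binding check assumes ss from iproute2 is installed.

```shell
# Effective sshd listen ports from an sshd_config, following sshd's own rules: every
# uncommented "Port N" adds N (22 if no Port line); "ListenAddress host:N" or "[v6]:N"
# adds N on that address; a bare "ListenAddress host" reuses the Port list, and if every
# ListenAddress has its own port the Port list is unused. Match blocks cannot hold either.
sshd_listen_ports() {
    awk '
        { gsub(/=/, " ") }                       # accept "Port=26" as well as "Port 26"
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == "match" { in_match = 1 }
        in_match { next }
        tolower($1) == "port" { ports[$2] = 1; nports++ }
        tolower($1) == "listenaddress" {
            have_la = 1; v = $2
            if (v ~ /^\[.*\]:[0-9]+$/ || v ~ /^[^:]+:[0-9]+$/) {
                sub(/^.*:/, "", v); laports[v] = 1   # explicit port after the last colon
            } else {
                bare_la = 1                          # no port given: uses the Port list
            }
        }
        END {
            if (nports == 0) ports[22] = 1
            if (!have_la || bare_la) for (p in ports) print p
            for (p in laports) print p
        }
    ' "$1" | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Is anything bound to TCP port $1? Needs ss from iproute2 (assumed present); returns 2
# without it so the caller can tell "unknown" from "not listening".
port_is_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn | awk -v port="$1" '$4 ~ (":" port "$") { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample config (not a real host): B moved to port 26 plus one address-pinned listener.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 26
ListenAddress 0.0.0.0
ListenAddress [::1]:4444
Match User backup
    PasswordAuthentication no
EOF
}

cfg=$(mktemp); write_sample_config "$cfg"
for p in $(sshd_listen_ports "$cfg"); do       # iterates over 26 and 4444
    port_is_listening "$p" && echo "port $p: bound" || echo "port $p: not bound (sshd not restarted?)"
done; rm -f "$cfg"
```

Run it against the real /etc/ssh/sshd_config after the edit: a configured port that is "not bound" means sshd has not been restarted, or was never reading that file (the question's ssh_config mix-up).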

2

Two approaches.

You don't need to make any changes to your SSH configuration on either machine. If you set up port-forwarding on your router you can forward traffic from any public port on the router to port 22 on the computer. Use a different port forwarded to port 22 on the other machine. Unless you have a good reason to do it you should avoid opening port 22 on your external IP address. It makes you a target.

The other option is simply to SSH into one of the machines then SSH from there to the other.