Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Need Help with SSH tunnel over internet

134 views
Skip to first unread message

root

unread,
May 19, 2013, 10:44:01 AM5/19/13
to
I am trying to set up an ssh tunnel so that I can ssh into
a machine on my lan from some remote machine on the internet.

I have a DLINK DIR-655 router no, but I am hoping the process will
be easily adapted to some other router.

Suppose when I am at home I go to whatismyip.com and find that my
IP is 96.24.168.44

Further suppose that I go to some distant location with, say,
and IP address of 172.34.55.32

When I am at this remote address I would like to set up
something like this:

ssh -p 2222 96.24.168.44

by which I mean to tell ssh to use port 2222 while attempting
to connect to 96.24.168.44.

In order to set this up I have tried several things on my
home router: port-forwarding, virtual-server, DMZ and access
control without success.

DMZ
The router says that I can put one machine on my lan into
the demilitarized zone and it will be outside the firewall.
I had imagined that would be as if that one machine were
directly connected to the modem. Not so, I cannot ssh
into that machine.

Access Control:
The router suggests that I can filter incoming requests.
I set up "allow" on all IP from 0.0.0.0 to 255.255.255.255
for the target machine, still no success

Virtual Server:
I set a page that has entries like this:
Name public protocol schedule
ssh 2222 TCP always
IP address
192.168.1.22 22 6 allow all

with a little box on the left that I checked.
I saved the settings and tried again. No luck.

Port Forwarding:
This time I set a page that looks like this:
Name TCP Schedule
ssh 22 Always
IP address UDP Inbound Filter
192.168.1.22 22 Allow All

Again with a little box on the left that I checked.

Once again, no success. This time I used:
ssh 96.24.168.44
using the default port 22

I have read wikipedia and googled for examples of ssh tunneling
and I have read articles which lead to these attempts but
nothing has worked.

I don't expect anyone who will answer this has the same router
but if you have set up any router at home to allow remote
login could you tell me the procedure for your router?

Thanks.



J G Miller

unread,
May 19, 2013, 12:07:14 PM5/19/13
to
On Sunday, May 19th, 2013, at 14:44:01h +0000, R Oot explained:

> I am trying to set up an ssh tunnel so that I can ssh into
> a machine on my lan from some remote machine on the internet.

For the best experience, you should follow these steps

1) get a free account on DynDNS.com and register a name
for your home LAN (effectively the outfacing port on
your DSL modem which is part of the DIR-655)

2) On the DIR-655 web interface go to the appropriate
page and enter the details for DynDNS dynamic name
service as per page 53 of the DIR-655 manual

<http://www.scribd.COM/doc/2090673/DIR655-manual-11>

3) On the DIR-655 web interface to to the appropriate page
for services and set SSH port 22 service to be directed towards
the host on your home LAN that has sshd running as per
page 31 of the DIR-655 manaul

<http://www.scribd.COM/doc/2090673/DIR655-manual-11>

4) On the host that has sshd running, if it has a firewall
sofware running, ensure that port 22 is not blocked.

5) For optimal security with sshd ensure that you have
setup your account with a passphrase for ssh.

6) For optimal security, adjust the sshd config file to NOT
allow password authentication and only to allow access to users
in say a new group "ssh-users" and add your userid to the new
group ssh-users for which you create an entry in /etc/group and
/etc/gshadow

7) If as is often the case your sshd implementation has TCP wrappers
capability, you will need to add an entry

sshd: ALL

to /etc/hosts.allow

Once all this is done, you will be able to do

slogin your_userid@your_registered_dyndns_name

(no need to worry about a fluctuating IP address)
from a remote machine on the internet, enter your passphrase,
and get a secure login to your home machine.

It is always a good idea to test your sshd functionality
first by slogin from the same host, then from another host
on the LAN, and then finally from an external host.

Also remember that because the port forwarding rules of
the DIR-655 router to the SSH port 22 service uses a
specified IP address, the host running the SSHD service
must have that fixed specified IP address, and so it must
not use DHCP IP address allocation from a range of IP addresses.

The best way to do this is to ensure DHCP is turned off completely
on the host and that the IP address is specified in the appropriate
config. The less efficient alternative lazy way is to make sure the
router provides the host by DHCP with a specified IP address according
to the MAC address of the host.

For security's sake do not enable DMZ on your router, and do
not start allowing access to all IP ranges and maybe all ports
as your appear to have been doing.

If you are not capable of doing any of the above steps, then maybe you
should pay somebody to set it all up for you.

Also since your question is about networking, the most appropriate
group to which you should have posted your question is

comp.os.linux.networking

So with all of the information above, you should now be good to go
to get your SSH service up and running and working for remote
logins in a secure manner.

J G Miller

unread,
May 19, 2013, 12:11:59 PM5/19/13
to
On Sunday, May 19th, 2013, at 16:07:14h +0000, J G Miller mistryped:

> (effectively the outfacing port on
> your DSL modem which is part of the DIR-655)

OOPS! That is not correct. The DIR-655 is router only.

So your DIR-655 is connected directly to a DSL modem or
cable TV adapter which is running in bridge mode?????

If it is not, and you are in fact connected to an upstream
router, then you will likely be doing double NAT which means no
end of configuration problems ...

J.O. Aho

unread,
May 19, 2013, 12:46:51 PM5/19/13
to
On 19/05/13 16:44, root wrote:
> I am trying to set up an ssh tunnel so that I can ssh into
> a machine on my lan from some remote machine on the internet.

If you are talking about real ssh tunnels, then you do this:

ssh -R 2222:127.0.0.1:22 -f -N 172.34.55.32


This makes the remote machine to have a tunnel back to your machine and
from there you will access your machine by:

ssh -p 2222 localhost



> When I am at this remote address I would like to set up
> something like this:
>
> ssh -p 2222 96.24.168.44
>
> by which I mean to tell ssh to use port 2222 while attempting
> to connect to 96.24.168.44.
>
> In order to set this up I have tried several things on my
> home router: port-forwarding, virtual-server, DMZ and access
> control without success.

Seems like you ain't out for ssh tunnel, you are supposed to use port
forward.

You need to configure the port forward of 2222 to the port 22 at the ip
which your computer has in the local network (you will see it with
/sbin/ifconfig).


> Port Forwarding:
> This time I set a page that looks like this:
> Name TCP Schedule
> ssh 22 Always
> IP address UDP Inbound Filter
> 192.168.1.22 22 Allow All
>
> Again with a little box on the left that I checked.
>
> Once again, no success. This time I used:
> ssh 96.24.168.44
> using the default port 22

Have you tested that your sshd is up and running (if you use ubuntu, it
don't install sshd by default)?

Try first; ssh localhost

if that don't work, install sshd if it's missing and then see to enabled
it at boot up.

Keep in mind, you need to test the port forward from the outside, not
from your machine to the external ip, you need to test it from a machine
which is located somewhere else on the internet.

--

//Aho

root

unread,
May 19, 2013, 12:54:49 PM5/19/13
to
I had tried my efforts first with this connection:

cable-modem<-OomaTelo<-DIR655<-computer with static IP

When this didn't work I moved the OomaTelo out:

cable-modem<-DIR655<-computer with fixed IP address

That didn't work. So again I tried setting the
computer to use dhcp and this connection:

cable-modem<-computer with dhcp

And I couldn't get a valid dhcp response. I seemed to get
an address, but IPV4 validation timed out after 8 seconds.
I tried several times with no success of getting back
online.

root

unread,
May 19, 2013, 1:18:21 PM5/19/13
to
J.O. Aho <us...@example.net> wrote:
Thanks for responding.

> On 19/05/13 16:44, root wrote:
>> I am trying to set up an ssh tunnel so that I can ssh into
>> a machine on my lan from some remote machine on the internet.
>
> If you are talking about real ssh tunnels, then you do this:
>
> ssh -R 2222:127.0.0.1:22 -f -N 172.34.55.32

I guess I'm not talking about a real tunnel then.

I tried your above example, replaceing the 172... with my
show IP address. I added -v to see what:

I get:
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 96.40.167.12 [96.40.167.12] port 22.

and hangs.

>
>
> This makes the remote machine to have a tunnel back to your machine and
> from there you will access your machine by:
>
> ssh -p 2222 localhost

As I said, I don't get that far.

>
>
>
>> When I am at this remote address I would like to set up
>> something like this:
>>
>> ssh -p 2222 96.24.168.44
>>
>> by which I mean to tell ssh to use port 2222 while attempting
>> to connect to 96.24.168.44.
>>
>> In order to set this up I have tried several things on my
>> home router: port-forwarding, virtual-server, DMZ and access
>> control without success.
>
> Seems like you ain't out for ssh tunnel, you are supposed to use port
> forward.

Which I tried.

>
> You need to configure the port forward of 2222 to the port 22 at the ip
> which your computer has in the local network (you will see it with
> /sbin/ifconfig).

All the wired connections on my lan have fixed IP addresses.

>
>
>> Port Forwarding:
>> This time I set a page that looks like this:
>> Name TCP Schedule
>> ssh 22 Always
>> IP address UDP Inbound Filter
>> 192.168.1.22 22 Allow All
>>
>> Again with a little box on the left that I checked.
>>
>> Once again, no success. This time I used:
>> ssh 96.24.168.44
>> using the default port 22
>
> Have you tested that your sshd is up and running (if you use ubuntu, it
> don't install sshd by default)?

I am running slackware. sshd is running and I can ssh into this
machine from any others on the lan.

>
> Try first; ssh localhost
>
> if that don't work, install sshd if it's missing and then see to enabled
> it at boot up.
>
> Keep in mind, you need to test the port forward from the outside, not
> from your machine to the external ip, you need to test it from a machine
> which is located somewhere else on the internet.

My alma-mater gives us shell accounts on the alumni computer. I have
been ssh-ing into my shell account and trying to turn around and
ssh out to my IP address. That may be a source of trouble, I
haven't asked the alumni office if they are so configured.
>

root

unread,
May 19, 2013, 1:31:24 PM5/19/13
to
I want to go back and respond to your detailed instructions.

I really mis-stated my plan. I don't want to be able to
log into my machine when I am away, I want to allow my
friends to log into my machine from time to time. When
I want my friend(s) to do so I can easily find my
IP address from www.whatismyip.com, call them up
and tell them the address at that time. I say this because
it seems DynDNS.com is no longer free.

You cautioned me to ensure that port 22 is not blocked.
Here is a result of nmap scanme:
Starting Nmap 6.01 ( http://nmap.org ) at 2013-05-19 10:22 PDT
NSE: Loaded 93 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 10:22
Scanning scanme.nmap.org (74.207.244.221) [4 ports]
Completed Ping Scan at 10:22, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:22
Scanning scanme.nmap.org (74.207.244.221) [1000 ports]
Discovered open port 80/tcp on 74.207.244.221

Discovered open port 22/tcp on 74.207.244.221 <-----HERE


Discovered open port 9929/tcp on 74.207.244.221
Completed SYN Stealth Scan at 10:22, 1.60s elapsed (1000 total ports)
Initiating Service scan at 10:22
Scanning 3 services on scanme.nmap.org (74.207.244.221)
Completed Service scan at 10:22, 6.05s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against scanme.nmap.org (74.207.244.221)
Retrying OS detection (try #2) against scanme.nmap.org (74.207.244.221)
Initiating Traceroute at 10:23
Completed Traceroute at 10:23, 0.02s elapsed
NSE: Script scanning 74.207.244.221.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.54s elapsed
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.0040s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 8d:60:f1:7c:ca:b7:3d:0a:d6:67:54:9d:69:d9:b9:dd (DSA)
|_2048 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec (RSA)
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: Go ahead and ScanMe!
|_http-methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 156515DA3C0F7DC6B2493BD5CE43F795
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
9929/tcp open nping-echo Nping echo
Device type: general purpose|storage-misc|WAP|media device
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (93%), HP embedded (86%), Linksys Linux 2.6.X|2.4.X (86%), Netgear embedded (85%), Western Digital embedded (85%)
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:linux:kernel:3 cpe:/o:linux:kernel:2.6.18 cpe:/o:linksys:linux:2.4 cpe:/o:linux:kernel:2.4 cpe:/o:linux:kernel:2.6.22
Aggressive OS guesses: Linux 2.6.39 (93%), Linux 2.6.22 - 2.6.36 (89%), Linux 2.6.32 - 2.6.35 (88%), Linux 2.6.32 - 2.6.39 (88%), Linux 2.6.38 - 3.0 (88%), Linux 3.0 (87%), Linux 2.6.32 (87%), HP P2000 G3 NAS device (86%), Linux 2.6.23 - 2.No exact OS matches for host (test conditions non-ideal).
Uptime guess: 34.427 days (since Mon Apr 15 00:07:44 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.16 ms 74.207.244.221

NSE: Script Post-scanning.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.69 seconds
Raw packets sent: 1069 (48.684KB) | Rcvd: 1034 (42.752KB)


You also cautioned me to be careful about security. Right now I just
want to get some hint that a possible solution exists. I've spent
hours screwing with this.

You wanted me to set /etc/hosts.allow. Here is my file:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided by
# the '/usr/sbin/tcpd' server.
#
# Version: @(#)/etc/hosts.allow 1.00 05/28/93
#
# Author: Fred N. van Kempen, <wal...@uwalt.nl.mugnet.org
#
#

ALL:ALL
sshd: all
rshd: all
# End of hosts.allow.


I had been trying ssh. You suggested slogin, which I tried.
Same result, the command hangs when it is trying to
connect.

My DMZ attempt was an act of desperation. I should have known
something was amiss when that didn't work.

Again thanks for responding, but I am still not able to
slogin. I am next going to try connecting from some
site other than my alumni shell account.

root

unread,
May 19, 2013, 2:24:43 PM5/19/13
to
OK, I called a friend who is running Slackware and had her
try to ssh into my machine. Same result, the command
hangs trying to connect.

Martin Gregorie

unread,
May 19, 2013, 2:21:46 PM5/19/13
to
On Sun, 19 May 2013 17:18:21 +0000, root wrote:

> All the wired connections on my lan have fixed IP addresses.
>
In that case its easy. Configure your router so it forwards port 2222
(and/or any other ports you want to use from the outside) to the IP of
the machine on your lan that is running the server you want to connect.

Don't forget that if you want to use an ssh session over the nonstandard
port 2222 you have to configure sshd on the target host to listen on that
port as well as 22. You do that by editing /etc/ssh/sshd_config

If you want to display X11 graphical output from programs on the target
machine you'll need to enable X11 forwarding on the client machine (the
one you're starting the ssh session from. Port forwarding is not involved
in this because ssh/sshd uses the ssh session to transport the X11 data.
Enabling X11 forwarding involves:

1) Edit /etc/ssh/ssh_config on the machine that starts the ssh session
to set:

ForwardX11 yes
ForwardX11Trusted yes

IIRC this is the university's machine, so you'll need to get their
sysadmin to do this if X11 forwarding isn't enabled.

2) Edit /etc/ssh/sshd_config on the machine you're using ssh to connect
to set:

X11Forwarding yes

As you want to ssh onto your own machine from the university, this
is something you do yourself.

Testing: If you make both changes on your own machine, you can use the
command "ssh localhost" to test that its all working. You'll be warned
that the identity of the remote host can't be verified and asked if you
want to continue. Answering 'yes' will add the 'localhost' verification
details to $USER/.ssh/known_hosts and you won't see that dialog again
unless/until you change something that invalidates the ID. Then all you
need to do the fix it is edit $USER/.ssh/known_hosts to remove the
'localhosts' details line and try the ssh command again, which has the
effect of going through the unverified host dialog again and storing the
new host details in $USER/.ssh/known_hosts.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |

Theo Markettos

unread,
May 19, 2013, 2:35:15 PM5/19/13
to
In uk.comp.os.linux Martin Gregorie <mar...@address-in-sig.invalid> wrote:
> On Sun, 19 May 2013 17:18:21 +0000, root wrote:
>
> > All the wired connections on my lan have fixed IP addresses.
> >
> In that case its easy. Configure your router so it forwards port 2222
> (and/or any other ports you want to use from the outside) to the IP of
> the machine on your lan that is running the server you want to connect.
>
> Don't forget that if you want to use an ssh session over the nonstandard
> port 2222 you have to configure sshd on the target host to listen on that
> port as well as 22. You do that by editing /etc/ssh/sshd_config

I think the critical thing here is many routers aren't clever enough to
forwad WAN port X to local IP Y port Z, they insist that you have to forward
the same port (ie WAN port X to local IP Y port X). So in this case you
need to set /etc/ssh/sshd_config to listen on port 2222 (either instead of,
or in addition to, port 22).

Then configure your router to forward port 2222 to the local IP of the
machine running the SSH server (port 2222). Note that if the router talks
about 'SSH' in one of the dropdowns, this is probably a red herring (it's
code for 'port 22', which isn't what you want).

Theo

root

unread,
May 19, 2013, 2:37:05 PM5/19/13
to
root <NoE...@home.org> wrote:
>
>
> I want to go back and respond to your detailed instructions.
>
> I really mis-stated my plan. I don't want to be able to
> log into my machine when I am away, I want to allow my
> friends to log into my machine from time to time. When
> I want my friend(s) to do so I can easily find my
> IP address from www.whatismyip.com, call them up
> and tell them the address at that time. I say this because
> it seems DynDNS.com is no longer free.
>

That was wrong. DLINK provides a single DNS address for
free if I am running a DLINK router. So I created an
account at dlinkddns.com and tried to add a host.

I chose a hostname something like:
myhostname.dlinkddns.com

Then it wants an IP address. There is absolutely no
mention of what IP address it will accept. After
screwing around for a while I hit on the idea of
using the IP address of dlinkddns.com:

204.13.248.130

the addhosts accepted that. Then I went to
my router page, Tools-DynamicDNS and
entered the Server address as
www.DynDNS.com
with hostname as above:
myhostname.dlinkddns.com
and the password/key that I entered at the
addhost page.

Then I ssh over to my remote shell account, and
try:
slogin -v us...@myhostname.ddlinkddns.com
debug1: Connecting to myhostname.dlinkddns.com [96.40.167.12] port 22

and the connection just hangs there.

As far as I know I followed everything.

J G Miller

unread,
May 19, 2013, 2:34:59 PM5/19/13
to
On Sunday, May 19th, 2013, at 17:31:24h +0000, R Oot wrote:

>> I had tried my efforts first with this connection:
>>
>> cable-modem<-OomaTelo<-DIR655<-computer with static IP

Okay so now we can see your setup

PC ----> DIR-655 ---> OomaTelo --> cable-modem

An Ooma Telo is a VOIP telephone box.

Surely your arrangement should be this --


PC[-----------+
| +---------+
+----] | +-------------+
| DIR 655 [-------]cable adaptor[------> cable company
+----] | +-------------+
| +---------+
OOma Telo[-----+


If the ethernet cable from the PC is going to the OOmaTelo and so
is subject to double NATting from the OOmaTelo and the DIR655 then
as I previously stated you will have problems.


>> When this didn't work I moved the OomaTelo out:
>>
>> cable-modem<-DIR655<-computer with fixed IP address

Well I do not see why you would have the PC connected to
the OOmaTelo because it will make life very awkward if
the OOmaTelo is doing routing. If it is just acting as
a switch then of course it does not matter.

>> cable-modem<-computer with dhcp

I told you that having a DHCP pool address on your
computer is not going to work. Also without knowing whether
or not your cable adapter has any routing capabilities
I cannot offer any advice on this setup.

>> And I couldn't get a valid dhcp response.

Why should you expect one if your cable adapter is just
a cable adapter and not a router with dhcp service?

> I really mis-stated my plan. I don't want to be able to
> log into my machine when I am away, I want to allow my
> friends to log into my machine from time to time.

It does not matter who is logging into your machine
so long as you authorized them to and are happy with
them making use of your machine.

> I say this because it seems DynDNS.com is no longer free.

Your conclusion is wrong because the basic DynDNS service
is still free, you just have to get past the "buy our
standard or enhanced service" teasers.

However since last month, you do have to login to your
free account at the web site once a month to avoid
automatic deletion as the auto-update from the router
is no longer accepted as account validation for obvious
reasons (they want people to buy their service by making
the free one less convenient).

> Discovered open port 22/tcp on 74.207.244.221 <-----HERE

So if I understand correctly, that was done from an external
site, and thus shews that the port on your router is open.

So the problem is not one of an open port on the router,
but one of the router forwarding packets from port 22
to the machine with specified fixed IP, not a floating
one from DHCP, and of course that sshd is actually up
and running on that machine.

> You also cautioned me to be careful about security. Right now I just
> want to get some hint that a possible solution exists.

If you did not get a sufficient *hint* from my previous posting
that *a solution does exist*, then clearly I cannot be of
any further help to you.


> You wanted me to set /etc/hosts.allow. Here is my file:
> #
> # hosts.allow This file describes the names of the hosts which are
> # allowed to use the local INET services, as decided by
> # the '/usr/sbin/tcpd' server.
> #
> # Version: @(#)/etc/hosts.allow 1.00 05/28/93
> #
> # Author: Fred N. van Kempen, <wal...@uwalt.nl.mugnet.org
> #
> #
>
> ALL:ALL
> sshd: all
> rshd: all
> # End of hosts.allow.

NEVER USE RSHD!!!!! So that line should never be there.

And putting in ALL:ALL is the equivalent of not bothering
with TCP wrapper security at all.

When you leave your car in the road, do you turn off the
car alarm and leave all the doors unlocked and the windows open?

> I had been trying ssh. You suggested slogin, which I tried.

ssh and slogin are basically the same thing.

The purpose of ssh is to say ssh user@host command

If you do not specify the command, then it is the equivalent of slogin

If you do man slogin, you will see that it just display the manual page for ssh

> Again thanks for responding, but I am still not able to
> slogin. I am next going to try connecting from some
> site other than my alumni shell account.

You see there you go again not following the advice that was
given and trying something which will be a waste of time.

The first test you should be doing, as I explained in the previous
message, is to check if sshd is running on the machine and if on that
machine you can get a connection with slogin

Have you even bothered to check the configuration for ssh and sshd
in /etc/ssh on your machine?

Have you configured your PC to have a fixed IP address?

And have you generated a key for use with ssh as I strongly advised?

If you do not wish to follow advice offered, then my attemtps to
help you are futile.

Martin Gregorie

unread,
May 19, 2013, 2:43:09 PM5/19/13
to
On Sun, 19 May 2013 18:24:43 +0000, root wrote:

> OK, I called a friend who is running Slackware and had her try to ssh
> into my machine. Same result, the command hangs trying to connect.

Can you connect using the localhost loopback?
Can she ping your sshd host?
What does traceroute say if she uses it with the same hostname she used
for ssh?

J G Miller

unread,
May 19, 2013, 2:51:14 PM5/19/13
to
On Sunday, May 19th, 2013, at 17:31:24h +0000, Root wrote:

> Discovered open port 22/tcp on 74.207.244.221 <-----HERE

It is open:

City: Galloway
StateProv: NJ

slogin 74.207.244.221
The authenticity of host '74.207.244.221 (74.207.244.221)' can't be established.
RSA key fingerprint is 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '74.207.244.221' (RSA) to the list of known hosts.
ro...@74.207.244.221's password:


Assuming that is your machine, you are now going to get lots
of crackers (mostly from the People's Republic of China)
continually trying brute force password attacks on that port.

Now if you had disabled password logins like I suggested,
external users without a RSA or DSA passphrase key file,
would just get automatically disconnected.

So do not say that you were not warned ..

Tony Houghton

unread,
May 19, 2013, 3:54:11 PM5/19/13
to
On 19 May 2013 19:35:15 +0100 (BST)
Theo Markettos <theom...@chiark.greenend.org.uk> wrote:

> In uk.comp.os.linux Martin Gregorie <mar...@address-in-sig.invalid> wrote:
> >
> > Don't forget that if you want to use an ssh session over the nonstandard
> > port 2222 you have to configure sshd on the target host to listen on that
> > port as well as 22. You do that by editing /etc/ssh/sshd_config
>
> I think the critical thing here is many routers aren't clever enough to
> forwad WAN port X to local IP Y port Z, they insist that you have to forward
> the same port (ie WAN port X to local IP Y port X). So in this case you
> need to set /etc/ssh/sshd_config to listen on port 2222 (either instead of,
> or in addition to, port 22).

IME Netgear routers can't change the port, most others can. One of the
tables of settings the OP posted suggested his can, but I found it
difficult to follow the format of those tables. I was also puzzled that
there was a "Virtual Server" section and a "Port Forwarding" section,
both looking as if they do the same thing.

J G Miller

unread,
May 19, 2013, 4:45:59 PM5/19/13
to
On Sunday, May 19th, 2013, at 20:54:11h +0100, Tony Houghton wrote:

> I was also puzzled that there was a "Virtual Server" section and a
> "Port Forwarding" section, both looking as if they do the same thing.

Many people are puzzled at first by this, including meself.

Careful examination reveals the subtle difference

<http://www.dlink.cc/tag/port-forwarding>

On the Dlink routers, port-forwarding is a 1 to 1 mapping for
either a single port or a range of ports. So the incoming
public port(s) is sent to the same number private port(s) on
the designated IP address.

On the Dlink routers, virtual server is a 1 to many mapping
for a single port. So the incoming public port is sent to
the same or a different number private port on the designated
IP address.

In Mr R Oot of New Jersey's case, he should use the Port Forwarding
screen (on page 32 *NOT 31* as I incorrectly advised)

<http://www.dlink.cc/wp-content/uploads/2011/09/dlink-dir-825-Port-Forwarding.jpg>

One possible use of the Virtual Server would be say your remote host is on
a network which does not permit outgoing port 22 but only port 80.

One could then use the Virtual Server setup to forward port 80 to port 22
as the SSH service. Thanks to the feature of inbound filters, this
redirection for port 80 to 22 can be done for just the IP address or
range of IP addresses for the remote network which is blocking the
outgoing port 22. Same technique could be used for ISPs which block
outgoing port 25 to force all mail through their mail monitoring as
part of surveillance on users and cutting down on spam.

What would people think if the Royal Mail was legally obliged to keep
a record of the sender and recipient of every letter sent via them for
up to 6 months?

Would not people think that it was Big Brother Nanny State Surveillance
gone out of control?

root

unread,
May 19, 2013, 4:55:56 PM5/19/13
to
Martin Gregorie <mar...@address-in-sig.invalid> wrote:
> On Sun, 19 May 2013 18:24:43 +0000, root wrote:
>
>> OK, I called a friend who is running Slackware and had her try to ssh
>> into my machine. Same result, the command hangs trying to connect.
>
> Can you connect using the localhost loopback?
> Can she ping your sshd host?
> What does traceroute say if she uses it with the same hostname she used
> for ssh?
>
>

I reset the router to factory defaults. Then configured the wireless
stuff and, once again, set port-forwarding as I described.

Now when I go to a remote site I am *able* to ssh back to
my machine. The only explanation I have is that I must
have screwed something else in the router in the course
of experimenting.

Thanks to every one.

root

unread,
May 19, 2013, 4:58:29 PM5/19/13
to
I settled for just using port 22 to access the machine. Sometime when
I recover I may try the 2222 thing. I know I can't set that up
with port-forwarding on the DLINK655. I have to use virtual server.

root

unread,
May 19, 2013, 5:03:49 PM5/19/13
to
On the DLINK 655 router the virtual-server is more powerful than
simple port forwarding. You can set several ports to all map
into, say, port 22.

A few days ago I had some experience with a Netgear router,
and more recently I played with a WesternDigital HD router.
Both of these offered a USB port for small-scale NAS.

They don't work with linux.

My interest in routers was stimulated when I played with
putting OpenWRT on a linksys WRT54G router and then
DD-WRT on a Belkin. My current router is the DLINK655 which
seems to be the fastest connection of all the routers
I tested including the WD N900.

J G Miller

unread,
May 19, 2013, 5:01:34 PM5/19/13
to
On Sunday, May 19th, 2013, at 20:55:56h +0000, R Oot wrote:

> I reset the router to factory defaults. Then configured the wireless
> stuff and, once again, set port-forwarding as I described.

So before you change anything else, go straight to the DIR 655 web
interface page for system administration and download your configuration
settings and keep them in a safe place.

Thus if you make more changes which go badly wrong, you can just
upload the working settings again without having to do a factory
reset and go through the painful procedure of putting in all your
custom settings.

Also very *occasionally* doing a firmware upgrade resets boxes
to their factory defaults, so it is always best to keep a copy
of the custom configuration just in case.

And if this is your machine, it is still open for root account
cracking and you must not care about some criminals breaking or doing a
DOS attack via your sshd service.

\slogin 74.207.244.221

root

unread,
May 19, 2013, 5:10:16 PM5/19/13
to
J G Miller <mil...@yoyo.ORG> wrote:
Again, thanks for all your help. As I posted a few lines ago,
I can now ssh into my machine from a remote site. In brief,
I just reset the router to factory default and started over
anew. This time I just concentrated on port-forwarding and
I was successful.

I did follow your advice.

root

unread,
May 19, 2013, 5:13:57 PM5/19/13
to
J G Miller <mil...@yoyo.ORG> wrote:
> On Sunday, May 19th, 2013, at 17:31:24h +0000, Root wrote:
>
>> Discovered open port 22/tcp on 74.207.244.221 <-----HERE
>
> It is open:
>
> City: Galloway
> StateProv: NJ
>
> slogin 74.207.244.221
> The authenticity of host '74.207.244.221 (74.207.244.221)' can't be established.
> RSA key fingerprint is 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '74.207.244.221' (RSA) to the list of known hosts.
> ro...@74.207.244.221's password:


That is *not* my IP. That is an artefact of using
nmap -v -A scanme.nmap.org
the 74.207.244.221 is part of their network.

Try the command yourself and see.

J G Miller

unread,
May 19, 2013, 5:56:35 PM5/19/13
to
On Sunday, May 19th, 2013, at 21:10:16h +0000, R Oot wrote:

> This time I just concentrated on port-forwarding and
> I was successful.

I am most pleased to hear that you have been successful,
but, please, please, please, take note and act to ensure
that your SSHD service is set up securely.

Do *not* allow password authentication, only keys with passphrases,
and restrict sshd access to an ssh-users group.

If you know the IP address or maybe IP address range of
the systems that you want to allow to connect to your
SSHD service, then make use of the INBOUND FILTER rules
that the DIR-655 facility makes possible.

For an even more secure setup you should really be thinking
of IPSEC with certificates, and then your friends can ssh
over the IPSEC tunnel, or if you are feeling generous, doing
VNC as well.

The DIR-655 does permit IPSEC pass through, but one deficiency
may be that it does not allow internal static routes, but that
in fact ties down external access to just the target IPSEC
host within the LAN.

For more on IPSEC take a look at

<http://www.strongswan.ORG>


BTW if you are interested in how the DIR-655 rates at total
simultaneous throughput speed compared to other routers,
take a look at

<http://www.smallnetbuilder.COM/lanwan/router-charts/bar/76-total-simul>

Tony Houghton

unread,
May 19, 2013, 6:43:44 PM5/19/13
to
On Sun, 19 May 2013 21:01:34 +0000 (UTC)
J G Miller <mil...@yoyo.ORG> wrote:

> And if this is your machine, it is still open for root account
> cracking and you must not care about some criminals breaking or doing a
> DOS attack via your sshd service.
>
> \slogin 74.207.244.221
> The authenticity of host '74.207.244.221 (74.207.244.221)' can't be established.
> RSA key fingerprint is 79:f8:09:ac:d4:e2:32:42:10:49:d3:bd:20:82:85:ec.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '74.207.244.221' (RSA) to the list of known hosts.
> ro...@74.207.244.221's password:

It's also safer to disable password authentication and use keys. If you
want to be able to log in from any PC, password protect the private key
and save it on a USB stick, along with putty in case you have to use
Windows.

J G Miller

unread,
May 19, 2013, 7:47:28 PM5/19/13
to
On Sunday, May 19th, 2013, at 23:43:44h +0100, Tony Houghton wrote:

> It's also safer to disable password authentication and use keys.

Absolutely. Exactly. Indeed so. This cannot be stressed enough.

Particularly if the account is given to "a friend" who may write the
password down and lose the piece or even pass it on, perhaps inadvertently,
to some other third party, who may then pass it on ...

As I keep stressing if the port is open and accepts password authorization,
there will be repeated attempts by port scanners to brute force password
guessing breakin attempts. With password authentication disabled, the
opportunity to try is just not possible.

With a passphrase/key combination, if the passphrase is compromised, there
is still a need for access to the key, and vice versa.

And the authorized key on the accepting host can easily be revoked by
removal.

> If you want to be able to log in from any PC, password protect the
> private key and save it on a USB stick, along with putty in case you
> have to use Windows.

Excellent advice!

Jasen Betts

unread,
May 20, 2013, 4:06:01 AM5/20/13
to
On 2013-05-19, root <NoE...@home.org> wrote:
> I am trying to set up an ssh tunnel so that I can ssh into
> a machine on my lan from some remote machine on the internet.
>
> I have a DLINK DIR-655 router no, but I am hoping the process will
> be easily adapted to some other router.
>
> Suppose when I am at home I go to whatismyip.com and find that my
> IP is 96.24.168.44
>
> Further suppose that I go to some distant location with, say,
> and IP address of 172.34.55.32
>
> When I am at this remote address I would like to set up
> something like this:
>
> ssh -p 2222 96.24.168.44

Everything that you say you've tried should have worked, except for a
possible confusion between 2222 and 22.

Could it be that you have a firewall rule on your PC that's blocking
external access? an iptables rule or something in /etc/hosts.deny or
/etc/hosts.allow* or /etc/ssh/sshd.conf

(*) yes, it's possible to deny in hosts.allow

Some routers don't reflect connections from inside to the external
address back to the inside so to test it you may need to test from
outside your LAN.

--
⚂⚃ 100% natural

--- news://freenews.netfront.net/ - complaints: ne...@netfront.net ---

Jasen Betts

unread,
May 20, 2013, 4:34:44 AM5/20/13
to
On 2013-05-19, J G Miller <mil...@yoyo.ORG> wrote:
> On Sunday, May 19th, 2013, at 14:44:01h +0000, R Oot explained:
>
>> I am trying to set up an ssh tunnel so that I can ssh into
>> a machine on my lan from some remote machine on the internet.
>
> For the best experience, you should follow these steps
>
> 1) get a free account on DynDNS.com and register a name
> for your home LAN (effectively the outfacing port on
> your DSL modem which is part of the DIR-655)

No, get an a accout with no-ip.org, DYN now requires a monthly
manual login to keep your free account.

noip provides an update tool, or you can use ddclient

Jasen Betts

unread,
May 20, 2013, 4:37:36 AM5/20/13
to
On 2013-05-19, J G Miller <mil...@yoyo.ORG> wrote:
If double NAT specify the router as DMZ on the upstream device.

Jim Diamond

unread,
May 20, 2013, 9:01:30 AM5/20/13
to
On 2013-05-20 at 05:34 ADT, Jasen Betts <ja...@xnet.co.nz> wrote:
> On 2013-05-19, J G Miller <mil...@yoyo.ORG> wrote:

>> 1) get a free account on DynDNS.com and register a name
>> for your home LAN (effectively the outfacing port on
>> your DSL modem which is part of the DIR-655)

> No, get an a accout with no-ip.org, DYN now requires a monthly
> manual login to keep your free account.

So they say. But I haven't logged in for over a year, and still my
account happily maintains itself. (I did receive some e-mails warning
me a long time ago, and I did manually log in once or twice, but since
then they stopped bugging me.)

Jim

root

unread,
May 20, 2013, 9:59:11 AM5/20/13
to
J G Miller <mil...@yoyo.ORG> wrote:
Thanks for the links, I have downloaded the strongswan package.

I have read, and understood, all your concerns about security.
Once again, I haven't been completely straightforward about
my intentions. The real story is that I have to administer
or at least help people with their linux machines and several
of them are quite a distance away. None of these people are
very computer savvy. Rather than tell them keystroke-by-keystroke
what to do, I would like to be able to gain root access to their
machines and do it myself. Next time I go there I will bring
my pub keys and install them.

When my friends need help I plan to ask them to, temporarily,
open the port 22 forwarding, and then to use whatsmyip.com
to give me their current IP address. I will then access
their machine, do what is needed, and log out. I will then
tell them to close the port-forwarding.

One of these people required configuration of a new kernel
can you imagine how difficult that was to do over the
phone?

Really, I do appreciate your efforts to help.

root

unread,
May 20, 2013, 10:00:59 AM5/20/13
to
As I said in a previous post, I have the setup working now. It "should"
have worked except that I must have screwed something up and not
known about it. Resetting the router to factory defaults and starting
over did the trick.

root

unread,
May 20, 2013, 10:04:54 AM5/20/13
to
My wife tells me that google offers a free service.

It isn't obvious to me how the dynamic part works. I can
see how DynDNS can see what IP address I am using at
the time since I go through their site. However, I
don't see how they have been able to recall what my
original address was and how it might have changed.

J G Miller

unread,
May 20, 2013, 11:58:57 AM5/20/13
to
On Monday, May 20th, 2013, at 13:59:11h +0000, Root wrote:

> I have read, and understood, all your concerns about security.

You see the issue with security is that for most of the time
everything is just fine even with a carefree approach, but it
only take one successful attempt at logging into your system
to bring it all crashing down.

And just take note that in Germany a precendent has been set
from a case of unsecured WiFi where somebody accessed the system
and used it for criminal actions, the owner was found to be negligent
and therefore, from what I recall, fined.

In England at the very least, you will probably be detained
without being charged for up to what is it now, six months,
until you sign a confession.

This is why one has to be methodical and the way to provide
external services is to gradually open things up in a controlled
but limited as possible manner/

> Once again, I haven't been completely straightforward about
> my intentions.

Well so long as your intentions are not criminal or deceptive ...

> Rather than tell them keystroke-by-keystroke what to do, I would
> like to be able to gain root access to their machines and do it myself.

If you are administering their machines for them, then you will
need to be able to ssh in, but for assisting them on the desktop,
VNC will probably be needed -- my recommendation is for tightvnc
server with sshvnc as client. This combination means least bandwidth
is used and is the most conveniet for ad hoc starting of the server,
no need to separately ssh in to start the server, the sshvnc does it
all for you.

And remember, just as it is important for you to ensure that sshd
on your machine is secure, you have an even greater responsiblity
to ensure that sshd on their machines is secure.

My advice to do this all most effectively with the least probability
of somebody else being to break in to their machines, is to create
IPSEC tunnels with certificates between your host and their host,
and then you can do ssh and VNC over the IPSEC tunnel.

If you trust your friends and your friends trust you, you can
even share other resources over the IPSEC tunnel, eg NFS or SAMBA shares
or with xorp or other multicast routers, even UpnP devices, and because
it is all encrypted it is quite safe from prying eyes.

> One of these people required configuration of a new kernel
> can you imagine how difficult that was to do over the
> phone?

Well it is tedious enough to do it (going through every single
option that is) on one's own machine ;)

And when you say phone I hope you mean VOIP, maybe with linphone
or equivalent.

J G Miller

unread,
May 20, 2013, 12:03:03 PM5/20/13
to
On Monday, May 20th, 2013, at 10:01:30h -0300, Jim Diamond wrote:

> But I haven't logged in for over a year, and still my
> account happily maintains itself.

But starting this month, the terms and conditions have changed
so that autoupdates from your router or software client are
not longer adequate and you must login via the web interface
to your account.

It is a minor inconvenience for the better free options than
those offered by NoIP, and DynDNS treats their workers so
much better.

<http://www.redorbit.COM/news/technology/1112821983/dyn-once-again-named-worldblu-most-democratic-workplace/>

Richard Kettlewell

unread,
May 20, 2013, 12:24:03 PM5/20/13
to
J G Miller <mil...@yoyo.ORG> writes:
> In England at the very least, you will probably be detained
> without being charged for up to what is it now, six months,
> until you sign a confession.

14 days is the maximum pre-charge detention, and AFAIK even that only
applies to terrorism suspects. It’s gone up and down over the last
decade or so but I don’t believe it ever exceeded 28 days.

--
http://www.greenend.org.uk/rjk/

J G Miller

unread,
May 20, 2013, 4:32:31 PM5/20/13
to
On Monday, May 20th, 2013, at 17:24:03h +0100, Richard Kettlewell wrote:

> but I donâ't believe it ever exceeded 28 days.

Ah yes, my recollection was in error --

<http://www.guardian.co.UK/politics/2008/oct/13/terrorism-uksecurity1>

Brown abandons 42-day detention after Lords defeat

> 14 days is the maximum pre-charge detention, and AFAIK even that only
> applies to terrorism suspects.

How odd then that Babar Ahmad, a subject of her Britannic Majesty, born
and lived his life in England was detained in one of her Britannic Majesty's
security institutions for over eight years without being charged or
brought to trial.

<http://www.guardian.co.UK/law/2012/oct/01/babar-ahmad-appeal-us-extradition>

Monday 1 October 2012 14.27 BST

"Ahmad, 38, has been held in detention without trial since 2004."


Is The Grauniad making this story up and/or not reporting the true facts
of detention for eight years without trial?

Even Wonkeypedia at <http://en.wikipedia.ORG/wiki/Babar_Ahmad> says

QUOTE

Babar Ahmad was arrested in London on 5 August 2004 ...

Having been refused bail, Ahmad was detained in prison until
his extradition on 5 October 2012.

UNQUOTE

So that is detained without trial for over eight years not just 28 days.

The reality of the situation is that in England the authorities can and
do detain subjects of Her Britannic Majesty without trial for as long as
they find convenient.

Richard Kettlewell

unread,
May 20, 2013, 5:37:47 PM5/20/13
to
J G Miller <mil...@yoyo.ORG> writes:
> Richard Kettlewell wrote:
>> but I don’t believe it ever exceeded 28 days.
>
> Ah yes, my recollection was in error --
>
> <http://www.guardian.co.UK/politics/2008/oct/13/terrorism-uksecurity1>
>
> Brown abandons 42-day detention after Lords defeat
>
>> 14 days is the maximum pre-charge detention, and AFAIK even that only
>> applies to terrorism suspects.
>
> How odd then that Babar Ahmad, a subject of her Britannic Majesty,
> born and lived his life in England was detained in one of her
> Britannic Majesty's security institutions for over eight years without
> being charged or brought to trial.

Even sites supporting him indicate that within a day of his 2004 arrest
a court had remanded him in custody. The subsequent delay in reaching a
decision to extradite or release seems to be largely due to the appeals
process. The total time is excessive, indeed, but not really the
arbitrary application of state power you’re trying to paint it as, and
it’s certainly nothing to do with the time limits on the police
detaining someone prior to charging them.

--
http://www.greenend.org.uk/rjk/

J G Miller

unread,
May 20, 2013, 5:47:19 PM5/20/13
to
On Monday, May 20th, 2013, at 22:37:47h +0100, Richard Kettlewell opined:

> The subsequent delay in reaching a decision to extradite or release seems
> to be largely due to the appeals process.

So you appear to be suggesting that if one does not want to be detained
for excessive lengths of time, one should not appeal one's detention.

Richard Kettlewell

unread,
May 21, 2013, 3:52:18 AM5/21/13
to
J G Miller <mil...@yoyo.ORG> writes:
> Richard Kettlewell opined:

>> The subsequent delay in reaching a decision to extradite or release
>> seems to be largely due to the appeals process.
>
> So you appear to be suggesting that if one does not want to be
> detained for excessive lengths of time, one should not appeal one's
> detention.

You’re reading between the lines when I’m not writing there, and
consequently finding nothing but your own prejudices.

--
http://www.greenend.org.uk/rjk/

J G Miller

unread,
May 21, 2013, 6:38:58 AM5/21/13
to
On Tuesday, May 21st, 2013, at 08:52:18h +0100, R J Kettlewell wrote:

> You’re reading between the lines when I’m not writing there, and
> consequently finding nothing but your own prejudices.

You do not answer the point but resort to a unsubstantiated petty jibe.

How disappointing.

Obviously you are trying to avoid being reminded of detention without
trial in the Province of Northern Ireland, known as "internment".

<http://www.cageprisoners.COM/media/k2/items/cache/0b8cb179d05be7afdade5496eab553e2_M.jpg>

From

<http://www.belfasttelegraph.co.UK/news/local-national/northern-ireland/papers-spark-internment-test-case-28645538.html>

QUOTE

09 August 2011

Former internees detained without trial are set to serve papers
on the Government as they bid to sue the authorities over
their treatment

One man recounted having barbed wire wrapped around his wrists
before he was hooded and beaten by troops, while a woman jailed
without trial recalled the trauma of having to sign her two
children into care.

UNQUOTE

Jim Diamond

unread,
May 21, 2013, 11:13:45 AM5/21/13
to
On 2013-05-20 at 13:03 ADT, J G Miller <mil...@yoyo.ORG> wrote:
> On Monday, May 20th, 2013, at 10:01:30h -0300, Jim Diamond wrote:
>
>> But I haven't logged in for over a year, and still my
>> account happily maintains itself.
>
> But starting this month, the terms and conditions have changed
> so that autoupdates from your router or software client are
> not longer adequate and you must login via the web interface
> to your account.
I got an e-mail from them to that effect a long time ago (over a year).
I subsequently got some "warning" messages saying I need to manually
log in or else. I did a couple of times, and the reminder messages
stopped coming, and my account has continued to work. YMMV.

Cheers.
Jim

7

unread,
May 23, 2013, 3:59:08 PM5/23/13
to
root wrote:

> I am trying to set up an ssh tunnel so that I can ssh into
> a machine on my lan from some remote machine on the internet.
>
> I have a DLINK DIR-655 router no, but I am hoping the process will
> be easily adapted to some other router.
>
> Suppose when I am at home I go to whatismyip.com and find that my
> IP is 96.24.168.44
>
> Further suppose that I go to some distant location with, say,
> and IP address of 172.34.55.32
>
> When I am at this remote address I would like to set up
> something like this:
>
> ssh -p 2222 96.24.168.44
>
> by which I mean to tell ssh to use port 2222 while attempting
> to connect to 96.24.168.44.
>
> In order to set this up I have tried several things on my
> home router: port-forwarding, virtual-server, DMZ and access
> control without success.
>
> DMZ
> The router says that I can put one machine on my lan into
> the demilitarized zone and it will be outside the firewall.
> I had imagined that would be as if that one machine were
> directly connected to the modem. Not so, I cannot ssh
> into that machine.
>
> Access Control:
> The router suggests that I can filter incoming requests.
> I set up "allow" on all IP from 0.0.0.0 to 255.255.255.255
> for the target machine, still no success
>
> Virtual Server:
> I set a page that has entries like this:
> Name public protocol schedule
> ssh 2222 TCP always
> IP address
> 192.168.1.22 22 6 allow all
>
> with a little box on the left that I checked.
> I saved the settings and tried again. No luck.
>
> Port Forwarding:
> This time I set a page that looks like this:
> Name TCP Schedule
> ssh 22 Always
> IP address UDP Inbound Filter
> 192.168.1.22 22 Allow All
>
> Again with a little box on the left that I checked.
>
> Once again, no success. This time I used:
> ssh 96.24.168.44
> using the default port 22
>
> I have read wikipedia and googled for examples of ssh tunneling
> and I have read articles which lead to these attempts but
> nothing has worked.
>
> I don't expect anyone who will answer this has the same router
> but if you have set up any router at home to allow remote
> login could you tell me the procedure for your router?
>
> Thanks.

Remove the router and connect PC direct to internet
and set it up and see if it work.

0 new messages