well that was painful.

Jack Ostroff
Mar 31, 2024, 9:22:15 PM
to HartfordLUG
I will be SO glad to be done with Comcast in the very near future.

As part of preparing to move the jitsi server from xfinity to frontier,
I wanted to be sure I would be able to ssh in to it from my other
desktop boxes, or at least the main one. With the Xfinity setup, it
was easy, as I wanted to go from 192.168.1.x through the router at
192.168.1.1 to 10.0.0.5 where that side of the router is 10.0.0.2.
Don't really need any port forwarding. However, in the new setup, the
jitsi server will be outside the router, and I won't necessarily know
the IP address, or at least it will potentially change. However,
assuming I don't need to explicitly set any port forwarding on the ONT
itself, then that means exposing port 22 to the wild internet. My
intent is to configure sshd on that box to only allow connections from
me on my main PC, using PKI only, no passwords, and never any root ssh.

Anyway - to do further testing before rewiring, I needed to port
forward port 22 coming into the Xfinity Gateway to the jisti server.
Obviously I long ago set up port forwarding for the ports necessary for
the jitsi protocol, so it's theoretically possible. Not so easy, it
turns out.

First attempt - try what worked years ago. Go to the web interface of
the gateway. Get to the port forwarding page, and it says no can do,
you need to go to the web site. However, that link goes to a page
which says that's a dead site, and you have to use the app. (Note that
in order to force you closer to using the app for anything, logging in
to the website requires you to open the app to allow the login. In the
most circularly stupid thing I saw during my travails of the past days,
when I first tried to log onto the app on my new phone, it wanted me to
open the app to approve the login. I'm not actually sure how I did get
logged in.)

Anyway - opening the app, clicking the appropriate buttons to get to
the port forwarding page, and it says "Something unexpected has
happened" so try again later. Over an hour on the chat did nothing but
have them give me the same instructions five times on using the app,
totally ignoring that it didn't work. That also included unplug/replug
of the gateway and uninstall/reinstall the app.

So, I searched on the Xfinity forums, and what do I find - a private
message chain with myself and support from eight months ago for EXACTLY
THE SAME ISSUE. So, I responded to that conversation, and the reply
said how much they would love to help me, but I should never send
unsolicited messages directly to Xfinity Support, and if I did it
again, they would ban me from the forums. No, can't just continue the
same conversation, but I need to post a new thread on the open forum
and then someone would tell me how to get a new private conversation
going.

Went through all that, and another unplug/replug. Then he says he
needs to send some provisioning signal to the gateway. That took over
fifteen minutes before it was truly back on line. And, (drumroll
please) the same error message. So, he then gives me instructions
which basically ask the automated assistant how to do a port forward,
and that leads me to the same port forward page, except now it works.
Sort of. It shows the existing jitsi server at the top, with its IP
address. Below that is a button to "add port forward" where I can
enter the port and protocol, but the only devices available to be
forwarded to are the two phones currently connected to the gateway.
I'm about ready to totally lose it, but just for kicks, I hit the
"edit" button on the existing device, and lo and behold, it shows me
the existing forwards, and at the bottom allows me to add the new one.
So - three days to do one or two minutes of work.

Ah - and during the conversation, he told me my equipment (gateway) is
so old they are less able to support it, so I'm eligible for an
upgrade. If I was nastier, I would have insisted I get it tomorrow,
but even I am not so angry as to cancel my service the same day they
upgrade my equipment.

Now, I need to research the sshd_config format to see how to limit it
to only accepting connection from me on my main PC. Can't be by IP,
since I'll obviously have problems if either IP ever changes. I'm
pretty sure I can use a combination of my own SSH key and the key for
the server itself. I just need to find the right syntax. If either of
you happen to know - please speak up. Otherwise I've got some reading
to do.

I'm exhausted.

Jack

Rudy S
Apr 1, 2024, 8:20:03 AM
to Jack Ostroff, HartfordLUG
Hello Jack,
I can help you with the ssh.
But I have a few different ways of getting the IP address if you want.

On my jump box I have a script that runs once a day that grabs the IP address and puts it in a txt file.
I am sure I can write something that will send you the file using ssh from Jitsi server to your ip or web address.
I never got it to work, where it would send an email. Maybe Bob can help in this way.
Then each day on a 2nd script it will send the ip to you so you know what it is and if it changed.

I would not open the port 22, but I would change it to something like 1022

$ ssh -p 1022 yourname@ipaddress or web address

But what I would do is, when I setup shared key, I would add encryption to it, not like 1024 but maybe 500 or more

Also, I am not sure if you have another server or computer, I always have 2 computers with shared keys that I am able to get in from 2 different places.
This way if your main computer breaks, now you are screwed. But if you have another server with keys that allow you to get in then you always have a back door.
If you do not have another computer, I can set one up with one of my computers. Then if your computer breaks, you just email me to log in with your new key and I can add it so you can get back in.

I have more to add, but I have to run right now.
Another email on its way later.
Rudy

Rudy S
Apr 1, 2024, 9:17:12 AM
to Jack Ostroff, HartfordLUG
Hello Jack,
Part 2 email,

First of all, I kinda got what you were saying about port forwarding on your home network. You got it to work and that is great.

Jitsi server,
As that goes, I do not want to tell you how to do it, but give you ideas of ways to get it to work.
If I had to do it, I would put in 2 ethernet cards.
1 = I would firewall everything but open only port 443
2 = I would firewall everything except for port 22

1 = I could connect directly to the internet.
2 = I would connect a wire to my home network and configure it with a static ip. Then when I am done sshing in, I would disconnect the ethernet cable and then there is no way anyone can hack in.
If I needed to ssh again, then I would connect the cable for that short time. If you do not have 2 cards or 2 ports on your computer, I have an extra one that you can take. I even have 10/100 that would work great because you are only sshing in not transferring files.
Take one of your old 10/100 ports and plug it into it, this way you do not have to disconnect your cable each time. All you would have to do is pull the plug on the 10/100 switch. Even better connect the switch to a surge protector and switch it off when you are not using it.

I will be around this afternoon if you want to Skype and I can help you. ( and yes include Bob if you want )
If I think of anything else,
I will let you know.
Thanks
Rudy
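A concrete form of the two-interface split Rudy describes above, written out as an added example (it is not from anyone in this thread): an nftables ruleset for a box with one interface on the ONT side and one on the home-LAN side. The interface names enp1s0 (internet) and enp2s0 (LAN), and the choice of nftables, are assumptions; the Jitsi ports are the TCP/443 and UDP/10000 that Jack lists later in the thread. The policy is the part that matters: input is dropped by default, the internet-facing interface admits only the Jitsi ports, and port 22 is reachable only through the LAN-facing interface. Pulling the LAN cable, as Rudy suggests, then leaves nothing listening for ssh from outside.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an nftables ruleset for the
# two-NIC layout: one interface faces the ONT, one faces the home LAN.
# Interface names are assumptions; change them to match `ip link`.
WAN_IF="${WAN_IF:-enp1s0}"   # plugged into the switch on the ONT side
LAN_IF="${LAN_IF:-enp2s0}"   # plugged into the LAN-side (or 10/100) switch

# Print the ruleset. Default policy is drop on input; only what is listed
# gets in. Jitsi needs TCP/443 (web and signalling) and UDP/10000 (media)
# on the WAN side; ssh is reachable only through the LAN-side interface.
two_nic_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections this host opened, and related traffic.
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Neighbour discovery / path MTU still need ICMP on a public address.
        meta l4proto { icmp, ipv6-icmp } accept
        # Internet-facing interface: Jitsi only.
        iifname "$WAN_IF" tcp dport 443 accept
        iifname "$WAN_IF" udp dport 10000 accept
        # LAN-facing interface: ssh only.
        iifname "$LAN_IF" tcp dport 22 accept
    }
    chain forward {
        # This box is not a router; never pass traffic between the two NICs.
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Dry-run the ruleset through nft (-c parses and validates without loading).
# nft needs root to do that, so the check skips itself otherwise and
# returns 0; the ruleset is still printed above for inspection.
check_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
        echo "not root or nft not installed; skipping syntax check" >&2
        return 0
    fi
    two_nic_ruleset | nft -c -f -
}

two_nic_ruleset
check_ruleset
```

To load it for real, run the printed ruleset through `nft -f -` as root and then confirm from another machine that only the expected ports answer on each address. The single-interface variant Jack ends up with is the same ruleset with the `iifname` qualifiers removed, which is exactly why the second NIC buys nothing once ssh is meant to be reachable from outside anyway.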


Jack Ostroff
Apr 2, 2024, 7:44:49 PM
to hartf...@googlegroups.com
I'm working on a longer response to Rudy's suggestions, but I've got a
new issue that is perplexing me.

The jitsi server is still connected to the Comcast gateway. The jitsi
server is running ddclient, which updates the dynamic dns entry for
meet.ostroff.xyz.

I have the sshd_config fairly restrictive - only allowing my user to
connect, no root login, no password login. I'll work later on
improving those restrictions.

For now, from any of my boxes on my LAN, all behind the Eero router
connected to the ONT, I can do "ssh meet.ostroff.xyz" and get
connected. The problem is that any such connection, if I leave it
alone for more than a few minutes, freezes, so when I go back to the
terminal it is in, I cannot get it to respond to anything. I can open
a new ssh session in a new terminal. Even after closing the terminal
with the dead session, I can see those sessions in "ps -auxf" but I
have not yet tried an strace to see if they are actually doing anything.

It has not died while I've been doing anything - only when it's been
idle, so it's not actually breaking anything, but I'd love to know
what's going on.

Any thoughts?
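One common cause of exactly this symptom (an idle session freezes while a fresh one works) is a NAT device or stateful firewall in the path dropping its state entry for an idle TCP connection; neither end notices until it next sends data, and the client then waits for an ACK that will never arrive. Nothing in the thread establishes that this is what is happening here, but the standard way to test the hypothesis is to have ssh send its own keepalives and see whether the freezes stop. Below is an added example, not from anyone in the thread, that writes the client-side settings for the meet.ostroff.xyz host and lists the local ssh sockets with their timers so a hung one can be spotted. The 60 s interval and 3-miss limit are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Client-side keepalives for one host,
# plus a way to see what the stuck sessions are doing. Values are assumptions.
KA_HOST="${KA_HOST:-meet.ostroff.xyz}"
KA_INTERVAL="${KA_INTERVAL:-60}"   # seconds between ssh-level keepalives
KA_COUNT="${KA_COUNT:-3}"          # unanswered keepalives before ssh gives up

# Print a ~/.ssh/config stanza. ServerAlive* messages travel inside the
# encrypted channel, so every NAT/firewall hop sees traffic and keeps its
# state, and after KA_COUNT misses ssh exits instead of hanging forever.
client_config() {
    cat <<EOF
Host $KA_HOST
    # Send an encrypted no-op every $KA_INTERVAL s; exit after $KA_COUNT unanswered.
    ServerAliveInterval $KA_INTERVAL
    ServerAliveCountMax $KA_COUNT
    # Kernel-level TCP keepalives as well (the default, stated explicitly).
    TCPKeepAlive yes
EOF
}

# Append the stanza to a config file (default ~/.ssh/config) unless that
# host already has one; ssh uses the first matching Host block, so a
# duplicate would silently be ignored.
install_client_config() {
    cfg="${1:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"
    if [ -f "$cfg" ] && grep -q "^Host $KA_HOST\$" "$cfg"; then
        echo "$cfg already has a stanza for $KA_HOST; not touching it" >&2
        return 0
    fi
    { [ -f "$cfg" ] && echo; client_config; } >> "$cfg"
    chmod 600 "$cfg"
}

# Show established TCP sockets to port 22 with their timers (-o). A frozen
# session shows up with a retransmit timer ("on") and a growing retry count,
# or with no timer at all when both ends still believe the connection is fine
# and only the NAT has forgotten it. Needs iproute2's ss.
list_ssh_sessions() {
    command -v ss >/dev/null 2>&1 || { echo "ss not available" >&2; return 0; }
    ss -tnpo state established '( dport = :22 )'
}

client_config
list_ssh_sessions
```

Two practical notes: the leftover ssh processes seen in `ps -auxf` are the clients still waiting on those dead sockets, and if the terminal still accepts input, pressing Enter and then `~.` tells the ssh client to drop the connection without hunting for the PID. The same effect can be had from the server side with `ClientAliveInterval` in sshd_config, which is useful when the client end cannot be changed.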

Jack Ostroff
Apr 2, 2024, 8:07:49 PM
to HartfordLUG
Keeping it on the list for future reference.

First, my second switch finally arrived today, so I'm close to
switching the jitsi server from Comcast to Frontier, once I'm happy
I've done whatever I'm going to do with all the below, although I'm
sure I'll continue to play with configuration for a while.

The goal here is to get the jitsi server moved over, but also have me
able to ssh into it from my main desktop or my laptop anywhere I am,
but block any other ssh access. Note that if I'm home, I always have
direct, physical access to the box, and it is a convenience, not a
necessity, so losing access if I'm on the road is not going to be a
disaster.

On 2024.04.01 08:19, Rudy S wrote:
> Hello Jack,
> I can help you with the ssh.
> But I have a few different ways of getting the IP address if you want.
I'm not sure any of this is necessary. Up to now, all my boxes are
behind a single public IP, and I've been using ddclient as a dynamic
DNS client to update NameCheap's DNS for meet.ostroff.xyz. I have
migrated ddclient to run on the jitsi box itself. It was not trivial,
as that Ubuntu system is using an older version than I had running on
my Gentoo box, so there was some minor change needed in the config
file, but it's working fine. I'm toying with creating a domain entry
for the IP of the Eero router, but at least for now, I don't need any
incoming connections to anything there. I had briefly thought to
restrict incoming ssh to the jitsi server to that IP, but that won't
help me if I'm on the road, so I don't see any point right now.
>
> On my jump box I have a script that runs once a day that grabs the IP
> address and put’s it in a txt file.
> I am sure I can write something that will send you the file using ssh
> from Jitsi server to your ip or web address.
> I never got it to work, where it would send an email. Maybe Bob can
> help in this way.
> Then each day on a 2nd script it will send the ip to you so you know
> what it is and if it changed.
>
> I would not open the port 22, but I would change it to something like
> 1022
Given I assume "they" will be doing port scans anyway, what extra
security does this actually give me? Just more to remember to type
when I need to get in.
>
> $ ssh -p 1022 yourname@ipaddress or web address
>
> But what I would do is, when I setup shared key, I would add
> encryption to it, not like 1024 but maybe 500 or more
add encryption to what? At the moment, I have my private keys in
~/.ssh on all the relevant boxes - the jitsi server and my main desktop
and laptop. I am not yet using the key of any of the computers themselves
as part of the protection, but it's something I'd like to add, if I can
find the right config file syntax (assuming it is possible.)
>
> Also, I am not sure if you have another server or computer, I always
> have 2 computers with shared keys that I able to get in from 2
> different places.
> This way if your main computer breaks, now you are screwed. But if
> you have another server with keys that allow you to get in then you
> always have a back door.
> If you do not have another computer, I can set one up with one of my
> computer. Then if you computer breaks, you just email me to log in
> with your new key and I can add it so you can get back in.
Yes - my main desktop and laptop. I also have my keys on another
desktop in the house. But, given I have easy physical access to the
server, getting locked out isn't really a problem unless the box gets
so compromised, I'd wipe and reinstall anyway.
>
I just copy/pasted from your second message to get everything together.
>
> First of all, I kinda got what you were saying about port forwarding
> on you home network. You got it to work and that is great.
Just to recap, the jitsi software requires, by default, these ports:
TCP/443 and UDP/10000. I thought there were more, but this is all I
can find right now in the docs. I recently added port TCP/22 for ssh.
>
> Jitsi server,
> As that goes, I do not want to tell you how to do it, but give you
> ideas of ways to get it to work.
> If I had to do it, I would put in 2 ethernet cards.
> 1 = I would firewall everything but open only port 443
> 2 = I would firewall everything except for port 22
Why separate cards? Both would end up connecting to the switch between
the ONT and the Eero.
>
> 1 = I could connect directly to the internet.
Yes, that's the current plan - one switch with the ONT, the Eero
router, and the Jitsi server. The other switch is on the LAN side of
the Eero router with all my other wired devices.

> 2 = I would connect a wire to my home network and configure it with a
> static ip. Then when I am done ssh ing in, I would disconnect the
> either net cable and then there is no way anyone can hack in.
That's an interesting approach, but as I now think I'd like to be able
to ssh in from elsewhere, and not just from within my LAN, this would
be unnecessarily restrictive for me.

> If I needed to ssh again, then I would connect the cable for that
> short time. If you do not have 2 cards or 2 ports on your computer, I
> have an extra one that you can take. I even have 10/100 that would
> work great because you are only ssh ing in not transferring files.
If I were going to do this, I could probably also find a USB/ethernet
device.

> Take one of your old 10/100 ports and plug it into it, this way you
> do not have to disconnect your cable each time. All you would have to
> do is pull the plug on the 10/100 switch. Even better connect the
> switch to a surge protector and switch it off when you are not using
> it.
I do need to digest this approach, but still think it's not worth it if
I'm going to allow myself to ssh in from the interwebs. No final
decision here yet. Lots more thinking and talking. Not quite ready
for another working session with you and/or Bob yet. I'll let you know.