Secure Connection Series: Port Forwarding and SSH

From our general outline, this article will revolve around the first three items:

  1. Open a Port on your home networks router/modem
  2. Install OpenSSH on your home machine
  3. Configuring the SSH server: sshd_config

Port Forwarding
Most networks today are set up with a router or firewall between you and the internet at large. Because of this fact, we need to make you (or your home computer) accessible to the Internet. We do this through “Port Forwarding” where we assign a port on your router (or firewall) to forward any traffic to a specific port on your home machine. [More information on ports]

For our purposes I will start referring to your home computer as the Server (since it is serving your data), and your remote computer as the Client (since you want to connect home to the Server).

So our network looks like this:

Server <–> Router <–> Internet <–> Client

As a best practice, it is recommended that you use a port other than the default port for your application. Its a very basic means of security, but by making it something different than the default makes it harder for someone to find it on a casual scan.

For our example I will choose port 30000 on the router and forward that to port 22 on the Server.

Now the tricky part: How do you configure this on your router? Unfortunately, I can’t tell you because there are too many choices out there. However, here is a whole list of guides for many routers can be found at portforward.com

Personally, I would recommend loading the DD-WRT firmware on your router if your router is on their supported devices list, and follow their instructions for port forwarding.

Once this is done, the Internet can get to port 22 on your Server machine, which is where SSH will reside.

SSH – Secure SHell
You can find all the info you would ever want to know about SSH at OpenSSH.org. However, the basics of it is that it is a server and client application that will allow you to establish a connection between computers securely.

A brief analogy I will use is that of the postal system. When you connect to a website (with http://) this is just like a postcard in the mail. Anyone can read what is going on between you (the client) and the website (the server). With a Secure SHell connection (or when you view a webpage with https://) an encrypted tunnel is created. This is like sending a letter in a priority envelope, however its really more like sending a letter inside a locked safe since letters can be easily opened by a third party, which is illegal.

In order to build this secure connection or tunnel, you will need to have the SSH server program running on your Server machine.

  • Linux: this is typically included by default, but if its not just use whatever Package Manager your system uses and install OpenSSH-server or sometimes packaged SSH.
  • Mac OSX: ssh is built into the latest versions. To enable it, all you need to do is open up System Preferences, go to Sharing, and then enable Remote Login
  • Windows: You will need to download and install the ssh server from SSH for Windows (Note: I have no experience with the ssh server on Windows)

Once the ssh server (known as SSHD) is installed and running, it is ready for connections, and is listening on Port 22 of the Server, and Port 30000 of the router is forwarding to it.

A word of warning: At this point your Server is exposed to the internet, and you can log in using any of the user accounts on the Server computer. If you have accounts with insecure passwords, then someone may easily access your system by hacking those passwords.

It is at this point we look to add some protective measures.

Configuring the SSH Server: sshd_config
The configuration file for SSHD is sshd_config and is located on linux at /etc/ssh/sshd_config and on Mac OSX at /etc/sshd_config
We will look into advanced settings in the future, but for now we want to restrict which user accounts can login using ssh.

Open sshd_config in an editor and add a line to the bottom of the file:

AllowUsers username

Where username is the login name you use for your system. You can add multiple users by simply putting a space between the names on this line.

You may also notice at the top of the file

#Port 22

This allows you to change the port SSHD listens on. If you change this port, you will need to make sure your router is forwarding to whatever port you changed it to, and not the default ssh port 22. The # symbol in this file means the line is commented out. If you want to change this port simply add a line with Port number

After making changes to your sshd_config file you need to restart the server.
This can be done in linux by executing the command

sudo /etc/init.d/ssh restart

in Mac OSX by disabling and re-enabling through System Preferences -> Sharing
and in Windows by restarting the sshd application.

Connecting to your SSH server
Now that your server is running, go to your client machine and attempt to connect.
From Linux or Mac OSX, go to a command line and simply type:

ssh -p 30000 username@routeraddress

Your router address can be found by going to whatismyip.com, or using a dynamic dns address as I will describe in the following post.
If you want to test this from the Server itself, you can use the command:

ssh username@localhost

There are various graphical applications you can use to connect to your Server, I cannot list them all, but common ones are Putty (Windows), WinSCP (Windows), Cyberduck (Mac OSX), Konqueror (Linux), etc.

At this point you have a fully functioning way to create secure connections from a remote computer to your home computer, and be able to transfer files back and forth, and even remote control your desktop.

In the next segment, I will go through creating a security key pair, and how to further secure your computer by using key encryption instead of a password. This can save you time by not requiring you to type in a password, and will be much more secure from attacks on the server.