Can't ssh into linux box via PUBLIC_URL

Hello all,
thank you for Manjaro!
I have already successfully managed to:

  • ssh via password authentication into my linux box on localhost
  • nmap says the port 22 is open on localhost

What I’ve tried already:

  • disable gufw/open port 22
  • connect PUBLIC_URL to exposed host in fritz.box
  • add ‘sshd:PUBLIC_URL’ to ‘/etc/hosts’

What I cannot accomplish:

  • ssh into PUBLIC_URL of the same linux box
  • nmap says the port 22 is closed on the PUBLIC_URL

How can I ssh via password authentication and open port on PUBLIC_URL?

Error message is always:

ssh: connect to host PUBLIC_URL port 22: Connection refused

and

PORT   STATE  SERVICE
22/tcp closed ssh

Hi @leder11011, and welcome!

What you’ll need is the publicly accessible IP of your connection. It can be mapped to a public URL, or not.

You’ll also need port forwarding from your router to your computer. Each brand, and in some cases, each model has its own way of configuring this. And it can become quite complex.

All of this is assuming you’re not using IPv6 but IPv4. If you use IPv6 instead, well then:

:man_shrugging:

Best would be for you to find out about IP addresses, ports and port forwarding. What they do and how to set it up.

This might be useful:

Port forwarding defined

Port forwarding, sometimes called port mapping, allows computers or services in private networks to connect over the internet with other public or private computers or services.

As @Mirdarthos said above, you will need to set port forwarding on the router - but do you really want to open port 22 to WAN? You will likely also need DDNS.

I use Wireguard running on my OPNsense box (previously on a Raspberry Pi) to access services on my LAN from outside, much safer.

You need Port Forwarding - the feature may be called by a different name in the FritzBox interface.
Forward port 22 from your localhost IP to some random high port on the router's internet-facing IP.
This is just to mitigate the attack vector - anyone who scans your IP will first look at port 22.
Also set up key based authentication instead of allowing password login.

re your usage of PUBLIC_URL:
You usually do not have a URL.
What you do have is an IP address.

Please see → [root tip] [How To] Set up your own SSH service

To access your service from a location outside your home network:

  • Ensure the device exposing the ssh service is secure
  • Ensure the device is using a static IP in your local network
  • Open your router's web administration interface
  • Create a rule to forward traffic on a specific port
    • Do not use the default 22
    • Instead map e.g. 33022 to the local static IP
    • Save the rule

thank you for the link! I followed a similar guide for ubuntu. Changing the port is good advice. Though I think it is still the closed nmap service that hinders me, b/c I already:

  • port forwarded on the router
  • connected the PUBLIC_URL to the dynamic IP of my router
  • set up gufw with a rule for port 22
  • disabled gufw at all

In ubuntu I used to successfully ssh into this setting. There must be some other configuration missing…

Thanks all!

sshd is not enabled by default - you will need to enable it.

If you are testing by using reverse nat - that is, being on the inside of the public IP - instead of e.g. VPN - some routers do not allow this - some can be configured to allow … if that is the case, we cannot know.


nmap is not a constantly running thing. And it cannot be opened or closed like a port. It’s not even a service:

I have it installed on my PC. Here’s a little demonstration of me scanning my RPi:

$ nmap -p 80 10.0.0.254
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-02 12:05 SAST
Nmap scan report for 10.0.0.254
Host is up (0.00031s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

So you can see it’s installed and working, yet:

$ sudo systemctl list-units | grep -i nm

…there’s no such service. And,

$ sudo netstat -ltpnae | grep 'nmap'

…neither is it listening on any port.

Make sure openssh is installed:

pamac install openssh

…and the sshd service running:

systemctl enable --now sshd.service
systemctl enable --now sshd.service

…how can I enable the service at startup?

Now I cannot even ssh into localhost:

ssh localhost

returns: nothing!

Though I previously did this and `.ssh/known_hosts` is present and I disabled `gufw`.

What is (not) happening there right now?

P. S. sorry for the formatting: it's broken

you just did - why would you run ssh localhost? that makes no sense.

I double checked with smartphone:

  • ssh LOCAL_IP is working, though it is currently broken on desktop, too
  • ssh PUBLIC_URL from outside the local network is Connection refused

P. S. dear maintainer @linux-aarhus: I think the error is on your side not on mine

This makes no sense. It works or it is broken. It can’t be both. localhost is specific to a system. The localhost of your smartphone is a different localhost than the one on your desktop.

Did you even check if the service is running? Did you check if there is something listening?

On the system that should be running the ssh service, do

systemctl status sshd

and

ss -tnlp sport = :ssh

Then your port forward is not working, or your ISP does not allow external access to your ISP IP address.
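As an added example (not from this thread, and not Manjaro or iproute2 tooling), here is a small bash script that automates the checks named in the replies above and keeps the inside-versus-outside distinction explicit: it parses `ss -tnl`-style output for listeners on the SSH port, flags the loopback-only case (where `ssh localhost` works but nothing else does), and makes a plain TCP connect to a host:port with a timeout. The function names and the sample `ss` lines are constructed for the example.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread): separates three questions the replies
# keep circling: is sshd listening at all, on which addresses, and does a plain
# TCP connect to host:port get through. Function names are assumptions.

# Read `ss -tnl`-style output on stdin and print each local address that is in
# state LISTEN on the given port. Returns 0 if at least one was found.
listening_on_port() {
    local port="$1" found=1 state rq sq local_addr rest
    while read -r state rq sq local_addr rest; do
        [ "$state" = "LISTEN" ] || continue       # also skips the header line
        case "$local_addr" in
            *:"$port") printf '%s\n' "$local_addr"; found=0 ;;  # 0.0.0.0:22, [::]:22, 127.0.0.1:22
        esac
    done
    return "$found"
}

# Read listener addresses (one per line) and return 0 only if every one of them
# is loopback (127.x / [::1]): sshd reachable from localhost but from nowhere
# else. Returns 1 if any listener binds a non-loopback address or if the list
# is empty (nothing listening at all).
loopback_only() {
    local addr any=1
    while read -r addr; do
        any=0
        case "$addr" in
            127.*|"[::1]:"*) ;;
            *) return 1 ;;
        esac
    done
    return "$any"
}

# Plain TCP connect (no SSH handshake) to host:port using bash's /dev/tcp, with
# a timeout. Run it from a host OUTSIDE the LAN (e.g. a phone on mobile data)
# to test the router's forwarding rule; from inside the LAN a failure may only
# mean the router does not do hairpin ("reverse") NAT.
tcp_probe() {
    local host="$1" port="$2" secs="${3:-5}" rc
    local cmd="exec 3<>/dev/tcp/$host/$port"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c "$cmd" 2>/dev/null; rc=$?
    else
        bash -c "$cmd" 2>/dev/null; rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo "open: $host:$port accepts TCP connections"
        return 0
    fi
    echo "closed/filtered: no TCP connection to $host:$port within ${secs}s"
    return 1
}

# Constructed sample in the layout of `ss -tnl` (not real output). On the
# server you would instead run:  ss -tnl | listening_on_port 22
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*'

echo "listeners on :22 in the sample:"
printf '%s\n' "$SS_SAMPLE" | listening_on_port 22
if printf '%s\n' "$SS_SAMPLE" | listening_on_port 22 | loopback_only; then
    echo "sshd is bound to loopback only; check ListenAddress in sshd_config"
else
    echo "sshd is bound to all addresses; next suspects are the firewall and the router rule"
fi
```

On the server, pipe real `ss -tnl` output into `listening_on_port`; then run `tcp_probe PUBLIC_IP 22` from a device that is genuinely outside the home network, because a refused connect from inside can be the router declining hairpin NAT rather than a missing forwarding rule.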

Why would you think that?

I am not the one having problems - you are …

I know exactly how this works - I am using it every day in some form - either server configuration, or external access to servers or git repo access via SSH - so I know I have no problems with SSH.

To be able to verify this you need to use a system which is external - otherwise your ISP-provided router configuration may refuse the connection - because traffic from inside the network accessing the inside network via the outside IP is blocked (AKA reverse NAT is blocked).

State is LISTEN and service is running.

BTW: It perfectly makes sense to me… did you even try to reproduce the error on your side?

As has been said 10 times in this thread already; you need to port forward in your router.

I use SSH daily with many different systems and it always works.

Please post the full output. The command tells a lot more.

I have double checked and verified with my external access on my smartphone already.

ss -tnlp sport = :ssh

State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*

To be able to access a service not provided by your ISP router - you need to create a rule to forward the ssh traffic to an internal IP.

There is a website which has guides on port forwarding for 100’s of consumer routers.

Yes, quote:

I added my linux box as an exposed host on my fritz.box