[Novalug] how to reach a computer through FiOS

Jon LaBadie novalugml@jgcomp.com
Wed Dec 3 18:10:52 EST 2014


On Wed, Dec 03, 2014 at 09:38:15AM -0500, pereira via Novalug wrote:
> List,
> 
> here's a question I have struggled with for some time, and managed to solve
> only in part.
> 
> What I want: external access to my own computer (ssh), get files (scp), etc.
> 
> I have FiOS; I can get its IP address. Right now it is 173.73.82.14.
> I can ping this ('ping -c 3  173.73.82.14'); typical time is 0.1 ms.
> The computer's address on the Local Area Network (LAN, right?) must be
> 192.168.1.5
> (ping -c 3 192.168.1.5; time 0.04 ms, typically).
> 
> What's the magic command that uses these two IP addresses in series and lets
> me sign into my own computer?
> 

Just some comment on what others have correctly said.  And queries.

Do you have other computers on the LAN, i.e. other systems with
192.168.1.XYZ addresses?  If so, can you ssh to your target
system (192.168.1.5 I suppose)?

Have you set up your FiOS router to always assign the same
IP address (192.168.1.5) to your target system?

These steps, involving local access, are the first steps in
getting remote access.

Then, as everyone notes, you have to set up the FiOS router
to send port 22 data to the target system (192.168.1.5).

That is all you "need".  You should now be able to ssh from
outside your LAN to your WAN address (173.73.82.14).  Everything
else is convenience and security.

A big convenience is to be able to have a known, stable
entity to remotely ssh into.  Sure, you can ssh to nino@173.73.82.14,
but what WAN address will Verizon change you to tomorrow?
There is no way for you to discover it remotely.  You have to
remember to check it when you leave and hope that Verizon
doesn't change it before you need it.

That's where all the DNS comments are coming from.  I have a
registered domain (jgcomp.com).  I use a DNS service (about $10/yr)
to report that the IP address of jgcomp.com is 96.255.27.65
which is my FiOS WAN IP address.  I.e. jgcomp.com is an alias
for "pool-96-255-27-65.washdc.fios.verizon.net", Verizon's
name for 96.255.27.65.

With this setup I can do "ssh jon@jgcomp.com" and not have
to remember I'm 96.255.27.65.

But what if Verizon changes my WAN IP?  I run a script out
of cron that checks if my IP has changed.  It sends me email
if it has changed.  Then I log on to my DNS provider and
manually edit the alias to point to correct address.

If it changes while I'm remote then I'm screwed.  That is
where the "dynamic DNS" (DDNS) some mentioned comes to the
rescue.  DDNS is software that runs on your system and monitors
the WAN IP for changes, just like my cronjob.  If it sees a
change, rather than sending email, it automatically logs on
to your DNS provider and makes the changes.  I've just been
too lazy to implement this.

Some routers also can do the local part of DDNS for you.
I.e. they have monitoring software and can contact the
DNS provider with updates.  I think the FiOS router can
do this.  Again, I've been too lazy to implement it.  My
need for remote access is small and Verizon doesn't change
the IP very often.


As to security, once you open port 22 on the router you will
start to get crackers trying to get in.  Some will be very
persistent, obviously a machine trying a dictionary of
passwords.  Four common approaches for dealing with this.

1. Turn off port 22 on the router.  Only turn it on when you
need it.  For example, I might turn it on if I was going to
the beach for a week's vacation.

2. Use a non-standard port for external access.  Then set up
the router to forward that port to port 22 on your target.
For example, my router accepts port 222 traffic from the
internet and passes it to port 22 of my desktop machine.
It also passes port 223 and 224 to port 22 of two other
machines.

Inside your LAN you would still do normal ssh, but remotely
you would have to "ssh -p 222 jon@jgcomp.com".

3. Use software like "denyhost" or "fail2ban".  These monitor
for failed login attempts.  After a couple, they deny access
(i.e. connection) to the cracker's IP address for a brief time,
say 1 minute.  If the same IP fails again, deny for 2 minutes,
then 4, 8, and so forth.

4. Use a kind of software called a port knocker.  With this
you have to connect to one port, say it is port 4444.  After
a brief connection to that port you have to disconnect and
go to a different port, say 2222.  That port 2222 is normally
closed, but after the knock on 4444, it is opened briefly,
say for two minutes with an ssh server listening.  So you
have two minutes to log in.


I find it difficult to test my setup because I don't have any
accounts on remote machines.  If you need to do testing and
have a similar problem let me know.  You can either set up an
account for me on your machine and I can test it from my end,
or I can set up an account for you on my system and you can
try to connect back to yours.  Let me know if you need to
use either testing idea.

Jon
-- 

Jon H. LaBadie                  novalugml@jgcomp.com
 11226 South Shore Rd		(703) 787-0688 (H)
 Reston, VA  20190		(703) 935-6720 (C)
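The escalating-ban behaviour described in item 3 above (deny after a few failures for 1 minute, then 2, 4, 8...), as an added example that is not part of the original message and not the code of fail2ban or DenyHosts. It scans constructed sshd log lines, counts "Failed password" attempts per source IP, and records a ban whose duration doubles with each repeat offence; log lines, host name and addresses are all made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from any real system).
SAMPLE_LOG = """\
Dec  3 18:01:02 desk sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  3 18:01:05 desk sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec  3 18:01:09 desk sshd[2105]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec  3 18:01:30 desk sshd[2110]: Accepted publickey for jon from 192.168.1.20 port 40110 ssh2
Dec  3 18:03:00 desk sshd[2130]: Failed password for root from 203.0.113.7 port 51101 ssh2
Dec  3 18:03:02 desk sshd[2130]: Failed password for root from 203.0.113.7 port 51102 ssh2
Dec  3 18:03:04 desk sshd[2130]: Failed password for root from 203.0.113.7 port 51103 ssh2
Dec  3 18:04:00 desk sshd[2140]: Failed password for invalid user test from 198.51.100.9 port 60000 ssh2
"""

# Matches the syslog timestamp and the source address of a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"
)


def parse_ts(stamp, year=2014):
    """Syslog timestamps carry no year; the year is supplied by the caller."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def compute_bans(log, threshold=3, base_minutes=1):
    """Return a list of (ip, ban_start, ban_duration) in log order.

    Each IP is banned once it reaches `threshold` failures since its last ban.
    The first ban lasts base_minutes, the next twice that, and so on.
    Failures that arrive while the IP is still banned are ignored, because a
    real filter would have refused the connection before sshd saw it."""
    failures, offences, banned_until, bans = {}, {}, {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue
        failures[ip] = failures.get(ip, 0) + 1
        if failures[ip] >= threshold:
            duration = timedelta(minutes=base_minutes * 2 ** offences.get(ip, 0))
            bans.append((ip, ts, duration))
            banned_until[ip] = ts + duration
            offences[ip] = offences.get(ip, 0) + 1
            failures[ip] = 0  # start counting afresh after the ban
    return bans


if __name__ == "__main__":
    for ip, start, duration in compute_bans(SAMPLE_LOG):
        print(f"{start:%b %d %H:%M:%S} ban {ip} for {int(duration.total_seconds() // 60)} min")
```

Running it shows 203.0.113.7 banned for 1 minute at 18:01:09 and for 2 minutes at 18:03:04, while the single failure from 198.51.100.9 stays below the threshold.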