# can't ssh in from the interwebs [SOLVED]

## mounty1

Gentoo with sshd running.  I can ssh myself@localhost and from another box on the LAN but attempting to ssh in via my wireless broadband interface (set up with dyndns --- I can ping it by name) results in:

```
ssh: connect to host mounteney.dyndns-server.com port 22: Connection refused
```

Any ideas ?  Password authentication is enabled.

----------

## wildbug

Is it possible that your wireless router has a firewall enabled that would block incoming traffic on port 22?

----------

## mounty1

*wildbug wrote:*

> Is it possible that your wireless router has a firewall enabled that would block incoming traffic on port 22?

It's just a wireless broadband USB stick so I doubt it but thanks for the suggestion.

----------

## krinn

if you don't have a rule to route that port 22 and no computer is in dmz, you'll get the same result: works from local lan, fail from internet as no computer is able to get the info someone is trying to connect.

----------

## mounty1

*krinn wrote:*

> if you don't have a rule to route that port 22 and no computer is in dmz, you'll get the same result: works from local lan, fail from internet as no computer is able to get the info someone is trying to connect.

The wireless broadband stick is plugged in to the computer into which I am trying to ssh, so no routing is involved.

----------

## wildbug

And from where does the wireless USB adapter get its signal?

----------

## mounty1

*wildbug wrote:*

> And from where does the wireless USB adapter get its signal?

From a "3" mobile-phone transmitter.  It's a mobile broadband stick, not a home wireless-network stick.  I apologise for giving a misleading description of the device.

I've just tried this from work, with the same result, so it isn't a consequence of connecting from inside the local network.

----------

## wildbug

*mounty1 wrote:*

> *wildbug wrote:*
>
> > And from where does the wireless USB adapter get its signal?
>
> From a "3" mobile-phone transmitter.  It's a mobile broadband stick, not a home wireless-network stick.
>
> I've just tried this from work, with the same result, so it isn't a consequence of connecting from inside the local network.

Ahh *light dawns* ...got it.  Like a 3G modem....

If you run /sbin/ifconfig, is the IP address of your interface the same as the IP address of mounteney.dyndns-server.com?

----------

## mounty1

*wildbug wrote:*

> Ahh *light dawns* ...got it.  Like a 3G modem....
>
> If you run /sbin/ifconfig, is the IP address of your interface the same as the IP address of mounteney.dyndns-server.com?

Very much like a 3G modem in fact.  As mentioned above, I'm at work now but I happen to remember running the command and noticed that the interface didn't have a specific IP address.  I think it said BROADCAST where the IPv4 address should have appeared in the ifconfig output.

So presumably the interface should have the same IP as the device ?  Is there an automatic way of making it such ?

----------

## Hu

*mounty1 wrote:*

> Password authentication is enabled.

You should fix that before you fix the inability to connect remotely.  There are many bots which scan for an open port 22 and try to break into the system.  You can substantially improve security by disallowing password authentication and requiring the peer to use public key based authentication.  Also, disallow root login, so that remote users must authenticate and then use `su -` to become root.

----------

## wildbug

*mounty1 wrote:*

> So presumably the interface should have the same IP as the device ?  Is there an automatic way of making it such ?

Well, I'm wondering if your ISP has you behind NAT.  Chances are your interface IP will be a private address, different from the one you appear as to the outside world.  This would explain your symptoms.

----------

## mounty1

My mistake.  The IP of the interface (ppp0) is 10.175.223.217.  But I still can't ssh in to the external IP and sshing to mounty@10.175.223.217 just times out.

----------

## NeddySeagoon

mounty1,

This will never work for you. 10.175.223.217 is not a public IP.  You need your ISP to forward port 22 to you and they won't do that.

They will have many users on the same public IP.

----------

## mounty1

*NeddySeagoon wrote:*

> This will never work for you. 10.175.223.217 is not a public IP.  You need your ISP to forward port 22 to you and they won't do that.
>
> They will have many users on the same public IP.

Yes.  It's a class A private address.  It is the IP for the mobile broadband interface (ppp0) but there is the IP allocated to the device (from memory (I'm at work now):  104.something) and it's to that that I expect to ssh.  Any 'forwarding' would be internal to the mobile broadband stick.

----------

## NeddySeagoon

mounty1,

It would be unusual to have a private IP on ppp0 and a public IP as the peer.

The whole idea of using private IPs is that with NAT, it allows multiple users on the same public IP and 3G providers need that.

There are not enough IPv4 addresses to go around.

----------

## mounty1

Thanks for the answers so far.  I've switched to a cable-modem connection which works ... in fact, it works too well.  Although /etc/ssh/sshd_config contains

```
# grep -v '^#' /etc/ssh/sshd_config|grep -v '^$'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib/misc/sftp-server
```

I can still login from a system that does not have my RSA pass-phrase.  How come ?

The configuration file is certainly exactly that with which the system was booted.

LATER: the answer is

```
ChallengeResponseAuthentication no
```

----------

## Hu

*mounty1 wrote:*

> LATER: the answer is
>
> ```
> ChallengeResponseAuthentication no
> ```
> ...

Assuming you have not stripped the comments, this is noted in the sshd_config itself:

*/etc/ssh/sshd_config wrote:*

> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> ...

With regard to your grep for showing the file without comments, you may find `grep -E '^[^#]' filename` useful.  It prints all lines that start with a character that is not a sharp.  Blank lines have no characters, and so do not match.

----------
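An added example, not code posted in this thread: a small POSIX sh audit of an sshd_config that checks the effective settings Hu recommends and flags the exact trap mounty1 hit, where `PasswordAuthentication no` together with `UsePAM yes` still lets sshd offer a PAM keyboard-interactive password prompt until `ChallengeResponseAuthentication no` is set. It assumes plain `Keyword value` lines with no `Match` blocks, and the OpenSSH defaults PasswordAuthentication=yes, ChallengeResponseAuthentication=yes and UsePAM=no; the sample config it runs on is constructed from the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: "Keyword value" lines
# separated by whitespace, no Match blocks, and the OpenSSH defaults
# PasswordAuthentication=yes, ChallengeResponseAuthentication=yes, UsePAM=no.

# effective_value FILE KEYWORD DEFAULT: sshd honours the first occurrence of a
# keyword (case-insensitive); comment lines are dropped with Hu's grep.
effective_value() {
    v=$(grep -E '^[^#]' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}')
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# audit FILE: prints findings; returns 0 only when password logins are really off.
audit() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pam=$(effective_value "$1" UsePAM no)
    root=$(effective_value "$1" PermitRootLogin yes)
    rc=0
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication=$pw"; rc=1; }
    # The thread's problem: UsePAM yes plus the default (yes) for
    # ChallengeResponseAuthentication keeps a password prompt reachable.
    if [ "$pam" = yes ] && [ "$cr" != no ]; then
        echo "FAIL: UsePAM=yes but ChallengeResponseAuthentication=$cr (PAM password prompt still offered)"
        rc=1
    fi
    [ "$root" = no ] || echo "WARN: PermitRootLogin=$root"
    [ $rc -eq 0 ] && echo "OK: key-based authentication only"
    return $rc
}

# Demo on a constructed copy of the thread's config, before and after the fix.
demo() {
    f=$(mktemp)
    printf 'PermitRootLogin no\nPasswordAuthentication no\nUsePAM yes\n' > "$f"
    echo "--- before the fix:"; audit "$f" || true
    echo 'ChallengeResponseAuthentication no' >> "$f"
    echo "--- after the fix:"; audit "$f"
    rm -f "$f"
}
demo
```

Run it as `sh audit.sh`; to check a live system, call `audit /etc/ssh/sshd_config` instead of the demo, remembering that sshd only reads the file at (re)start.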

## mounty1

Thanks to Hu, Neddy etc. for their helpful replies.  It's all working well now and I can ssh in as required.  I'll mark this thread solved.

----------

