SSH remote access and port forwarding

Hi.

I’m facing two issues.

1 - I want to remove or deny root access for SSH from a distant location (or I want only a local address to be able to connect to my WD MY CLOUD DL2100 with the SSH protocol). I tried to change /etc/sshd_config but I can’t restart the ssh service with busybox, and every time I reload the My Cloud device, the modifications I made in the sshd_config file are removed. Is there a way to make these changes permanent? Or to restart the ssh service with busybox?

2 - Another question is: why am I able to connect with my root login remotely from a distant location, as I didn’t forward my port 22 on my WD MY CLOUD devices or on my ISP router? My port 22 is not forwarded and I get access from a distant location. That’s odd, right?

Thx in advance.

Erm… On your router, don’t create a port forward for TCP port 22 and do not put the IP of your DL2100 onto the router’s DMZ. That will ensure that access to SSH (Port 22) remains accessible only to your local network.

Does that answer your question?

Thx for your answer.

I didn’t forward port 22 on my router and I can access the device from outside my network with the SSH protocol. That’s my problem.

I have the UPnP port open but not 22. So I don’t understand why I can connect from outside my local network.

Have you put the NAS’s IP on the router’s DMZ?

Somewhere on your router you are exposing parts of your NAS or your entire NAS to the WAN (Internet-facing) side of the router.

UPnP is one, but you ruled that one out.
Port forwarding is the other, but you also ruled that one out.
The DMZ feature of the router is the only one left to check.

There does seem to be a reason where port 22 would be forwarded, and that would be if you’re using the remote back-up of the DL to another DL NAS. I believe for this, port 22 needs a port forward to the WAN if this is being done over the Internet, but then it’s not a wise thing to do. Better to set up a VPN between sites, but that’s another topic.

Thanks to you.

Indeed, I added my NAS IP to the router’s DMZ.

I removed it but I can still access the NAS on port 22.

So I’m going to disable SSH and only activate it when I need it…

Thank you…

I’ve got to ask: why did you add your NAS to the router’s DMZ? From a security standpoint it’s a dangerous thing to do. If you disabled the router’s DMZ and port 22 was still being passed through, then you need to take a close look at the router’s settings.

On some routers some settings may need the router to be rebooted.

Well, I modified some settings on my devices but I didn’t succeed in making nextcloud work, so I decided to try other ways to make it work.

I did a reboot but it wasn’t enough; I had to reset my ISP router to stop the DMZ port.

Thanks for your help.

Seems like it was the router at fault?

Yes.

After the ISP router reset I enabled SSH on the device and I couldn’t connect from a remote location to the device.

So I’m done and now I’m trying to enable SSL for nextcloud.

Routers are something that are forgotten about and they all have their quirks. Now that you have reset it, it should not need another reset. With some routers, a reboot is needed for a setting to take effect. With others, that same setting will take without a reboot.

Is the firmware within your router up-to-date? That’s another thing people forget about: applying any firmware updates to routers.

Glad it’s sorted.
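
The restriction asked about in the first post (root over SSH from local addresses only) is normally expressed in OpenSSH with a `Match Address` block. The following is an added example, not part of the thread and not WD's code: a simplified Python model of how sshd resolves `PermitRootLogin` for a given client address, run on a constructed config. The 192.168.1.0/24 subnet and the function names are assumptions, and only CIDR or exact-address `Match Address` patterns are handled.

```python
import ipaddress

# Constructed sshd_config: root login refused globally, allowed only from a
# LAN range (192.168.1.0/24 is an assumed home subnet, not taken from the thread).
SAMPLE_CONFIG = """\
# global section
PermitRootLogin no
PasswordAuthentication yes

Match Address 192.168.1.0/24
    PermitRootLogin yes
"""

def _address_matches(patterns, client_ip):
    """True if client_ip falls in any comma-separated CIDR/address pattern.
    Simplification: wildcard (*) and negated (!) patterns are not handled."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False)
               for p in patterns.split(","))

def effective_root_login(config_text, client_ip):
    """Return the PermitRootLogin value that would apply to client_ip."""
    global_value = None   # first value in the global section wins
    match_value = None    # first value in a satisfied Match block wins
    in_match, match_applies = False, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            crit = arg.split(None, 1)
            # Only "Match Address <list>" is evaluated; other criteria never apply here.
            match_applies = (len(crit) == 2 and crit[0].lower() == "address"
                             and _address_matches(crit[1], client_ip))
        elif keyword == "permitrootlogin":
            if in_match:
                if match_applies and match_value is None:
                    match_value = arg.lower()
            elif global_value is None:
                global_value = arg.lower()
    # A satisfied Match block overrides the global section; the fallback is the
    # default of current OpenSSH releases when the keyword is absent.
    return match_value or global_value or "prohibit-password"
```

This models only the sshd side; as the thread shows, whether port 22 is reachable from the Internet at all is decided by the router's DMZ, UPnP and port-forward settings.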