Re: [Fwknop-discuss] Fwknop doesn't open closed SSH port.

[Tomáš I. <tom...@gm...>]

Hi Jonathan,

thanks a lot, now it works as you wrote ;)

Thank you man.

Have a nice day,

Tom

2016-07-15 0:05 GMT+02:00 Jonathan Bennett <jbs...@gm...>:

> Hello,
>
> The SSH access setting in Openwrt sets which interface dropbear will bind
> to.  This means that dropbear will only accept ssh connections that arrive
> on that specific interface.  If all you need to do is connect from inside
> your network, then binding to LAN is fine.
> If you want to access ssh from anywhere else, then you need to instruct
> dropbear to bind to all interfaces.  This idea of binding to an interface
> is different from a firewall, though they do something of the same thing.
>
> What you probably want, is to tell dropbear to listen to all interfaces,
> and then make sure your firewall is configured to drop all incoming
> connections from the outside.  In that case, any SSH connections will be
> dropped, and your ssh service will be invisible to the outside world.
> Fwknop comes into play here.  It allows you to authenticate, and a
> temporary rule is added, allowing only your IP address to connect to the
> ssh service.
>
> So, set dropbear back to unspecified, and then look at your firewall
> settings.  In the web interface, go to Network-> Firewall.  Under zones,
> Input and Forward should be set to reject for the wan network.  You might
> have a rule in the "Traffic Rules" tab that is allowing ssh connections.
> I suppose one other thing to check is that in Network-> Interfaces, the
> wan interface is set to use the wan firewall zone.
>
> --Jonathan
>
> On 07/14/2016 04:43 PM, Tomáš Iglo wrote:
> > Hi,
> > in my OpenWRT (Chaos Calmer) if I've configured SSH Access in Dropbear
> to listening on WAN interface, SSH access is working and I can login to
> router via SSH to it, but this means, that my SSH port is open to the
> Internet.
> >
> > If I've configured SSH Access to LAN interface (as it is by default)
> fwknop2 sends SPA packet, in systemLog it shows me that port is open for
> that external IP for some time:
> >
> > Thu Jul 14 23:05:07 2016 daemon.info <http://daemon.info>
> fwknopd[7244]: (stanza #1) SPA Packet from IP: 46.XX.XX.XX received with
> access source match
> > Thu Jul 14 23:05:07 2016 daemon.info <http://daemon.info>
> fwknopd[7244]: Added access rule to FWKNOP_INPUT for 46.XX.XX.XX ->
> 0.0.0.0/0 <http://0.0.0.0/0> tcp/22, expires at 1468530367
> > Thu Jul 14 23:06:07 2016 daemon.info <http://daemon.info>
> fwknopd[7244]: Removed rule 1 from FWKNOP_INPUT with expire time of
> 1468530367
> >
> > but my SSH connection fails to "Connection timeout".
> >
> > Should be SSH Access setup to the LAN, right? Is this configuration
> below wrong?
> >
> > My setup:
> > - Using ssh keys, which are mentioned in /etc/dropbear/authorized_keys
> >
> > - UCI:
> > password - OFF
> > rootLogin - OFF
> >
> > - OpenWRT - System - Administration - SSH Access - Dropbear instance -
> Interface: LAN
> >
> > - Names of interfaces:
> > WAN: eth0.1
> > LAN: br-lan
> >
> > - access.conf
> > SOURCE ANY
> > keytype Base 64 key
> > hkeytype Base 64 key
> > KEY_BASE64 xxxxxx
> > HMAC_KEY_BASE64 xxxxxxx
> > OPEN_PORTS tcp/22
> >
> > - fwknopd.conf
> > PCAP_INTF eth0.1
> > ENABLE_IPT_FORWARDING y
> >
> >
> > Thank you for your help.
> >
> > Have a nice day,
> >
> > Tomas
> >
> >
> >
> ------------------------------------------------------------------------------
> > What NetFlow Analyzer can do for you? Monitors network bandwidth and
> traffic
> > patterns at an interface-level. Reveals which users, apps, and protocols
> are
> > consuming the most bandwidth. Provides multi-vendor support for NetFlow,
> > J-Flow, sFlow and other flows. Make informed decisions using capacity
> planning
> > reports.http://sdm.link/zohodev2dev
> >
> >
> >
> > _______________________________________________
> > Fwknop-discuss mailing list
> > Fwk...@li...
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> >
>
>
>