Re: [Fwknop-discuss] Fwknop doesn't open closed SSH port.
From: Tomáš I. <tom...@gm...> - 2016-07-14 22:54:39
Hi Jonathan, thanks a lot, now it works as you wrote ;) Thank you man.

Have a nice day,
Tom

2016-07-15 0:05 GMT+02:00 Jonathan Bennett <jbs...@gm...>:
> Hello,
>
> The SSH access setting in OpenWrt sets which interface dropbear will bind to. This means that dropbear will only accept SSH connections that arrive on that specific interface. If all you need to do is connect from inside your network, then binding to LAN is fine. If you want to access SSH from anywhere else, then you need to instruct dropbear to bind to all interfaces. This idea of binding to an interface is different from a firewall, though they do something of the same thing.
>
> What you probably want is to tell dropbear to listen on all interfaces, and then make sure your firewall is configured to drop all incoming connections from the outside. In that case, any SSH connections will be dropped, and your SSH service will be invisible to the outside world. Fwknop comes into play here. It allows you to authenticate, and a temporary rule is added, allowing only your IP address to connect to the SSH service.
>
> So, set dropbear back to unspecified, and then look at your firewall settings. In the web interface, go to Network -> Firewall. Under zones, Input and Forward should be set to reject for the wan network. You might have a rule in the "Traffic Rules" tab that is allowing SSH connections. I suppose one other thing to check is that in Network -> Interfaces, the wan interface is set to use the wan firewall zone.
>
> --Jonathan
>
> On 07/14/2016 04:43 PM, Tomáš Iglo wrote:
> > Hi,
> >
> > In my OpenWrt (Chaos Calmer), if I've configured SSH Access in Dropbear to listen on the WAN interface, SSH access is working and I can log in to the router via SSH, but this means that my SSH port is open to the Internet.
> >
> > If I've configured SSH Access to the LAN interface (as it is by default), fwknop2 sends the SPA packet, and in the system log it shows me that the port is open for that external IP for some time:
> >
> > Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: (stanza #1) SPA Packet from IP: 46.XX.XX.XX received with access source match
> > Thu Jul 14 23:05:07 2016 daemon.info fwknopd[7244]: Added access rule to FWKNOP_INPUT for 46.XX.XX.XX -> 0.0.0.0/0 tcp/22, expires at 1468530367
> > Thu Jul 14 23:06:07 2016 daemon.info fwknopd[7244]: Removed rule 1 from FWKNOP_INPUT with expire time of 1468530367
> >
> > but my SSH connection fails with "Connection timeout".
> >
> > SSH Access should be set up to the LAN, right? Is this configuration below wrong?
> >
> > My setup:
> > - Using ssh keys, which are mentioned in /etc/dropbear/authorized_keys
> >
> > - UCI:
> >   password - OFF
> >   rootLogin - OFF
> >
> > - OpenWrt - System - Administration - SSH Access - Dropbear instance - Interface: LAN
> >
> > - Names of interfaces:
> >   WAN: eth0.1
> >   LAN: br-lan
> >
> > - access.conf
> >   SOURCE ANY
> >   keytype Base 64 key
> >   hkeytype Base 64 key
> >   KEY_BASE64 xxxxxx
> >   HMAC_KEY_BASE64 xxxxxxx
> >   OPEN_PORTS tcp/22
> >
> > - fwknopd.conf
> >   PCAP_INTF eth0.1
> >   ENABLE_IPT_FORWARDING y
> >
> > Thank you for your help.
> >
> > Have a nice day,
> >
> > Tomas
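The three things Jonathan tells Tomáš to check (dropbear not pinned to one interface, the wan zone rejecting input and forward, no traffic rule that already accepts SSH from wan) can be audited from a `uci show` dump rather than by clicking through LuCI. The script below is an added example, not code from the thread, from fwknop or from OpenWrt. It assumes the `key=value` line format that `uci show dropbear` and `uci show firewall` print (values optionally single-quoted), the real UCI option names `Interface`, `input`, `forward`, `src`, `dest_port` and `target`, and a constructed sample dump that mirrors Tomáš's starting configuration (dropbear bound to LAN) with one extra stray rule added to show that check firing.

```shell
#!/bin/sh
# Added example (not part of the thread, fwknop or OpenWrt): audit a
# `uci show dropbear; uci show firewall` dump, read on stdin, for the
# preconditions that make fwknop's temporary tcp/22 rule useful.
# Assumed input format: one "key=value" line per option, as `uci show` prints.

# Print the value of one UCI key from the dump held in $1 (empty if absent).
uci_val() {
    printf '%s\n' "$1" | awk -v k="$2" \
        'index($0, k "=") == 1 { print substr($0, length(k) + 2) }' \
        | sed "s/^'//; s/'\$//"
}

# List the indices of anonymous sections of type $3 in package $2, e.g. "firewall rule".
uci_idx() {
    printf '%s\n' "$1" | sed -n "s/^$2\.@$3\[\([0-9]*\)\]=$3\$/\1/p"
}

# Return 0 when the dump passes all three checks; print each finding and return 1 otherwise.
audit_spa_prereqs() {
    dump=$(cat)
    rc=0

    # 1. dropbear must listen on all interfaces, so a pinned Interface is a finding.
    for i in $(uci_idx "$dump" dropbear dropbear); do
        if [ -n "$(uci_val "$dump" "dropbear.@dropbear[$i].Interface")" ]; then
            echo "FAIL: dropbear[$i] is bound to one interface; clear Interface so it binds all"
            rc=1
        fi
    done

    # 2. the wan zone must reject (or drop) unsolicited input and forward traffic.
    wan=""
    for i in $(uci_idx "$dump" firewall zone); do
        if [ "$(uci_val "$dump" "firewall.@zone[$i].name")" = "wan" ]; then wan=$i; fi
    done
    if [ -z "$wan" ]; then
        echo "FAIL: no firewall zone named wan"
        rc=1
    else
        for p in input forward; do
            pol=$(uci_val "$dump" "firewall.@zone[$wan].$p")
            case "$pol" in
                REJECT|DROP) ;;
                *) echo "FAIL: wan zone $p policy is '${pol:-unset}', expected REJECT"; rc=1 ;;
            esac
        done
    fi

    # 3. no traffic rule may already accept tcp/22 from wan (that would bypass SPA).
    #    Assumption: dest_port is a single port, not a list or range.
    for i in $(uci_idx "$dump" firewall rule); do
        src=$(uci_val "$dump" "firewall.@rule[$i].src")
        tgt=$(uci_val "$dump" "firewall.@rule[$i].target")
        dp=$(uci_val "$dump" "firewall.@rule[$i].dest_port")
        if [ "$src" = "wan" ] && [ "$tgt" = "ACCEPT" ] && [ "$dp" = "22" ]; then
            echo "FAIL: rule[$i] accepts tcp/22 from wan, so port 22 is open without fwknop"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: Tomáš's starting point (dropbear pinned to lan, wan zone
# already REJECT) plus a hypothetical stray Allow-SSH-WAN rule.
BAD_DUMP=$(cat <<'EOF'
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth='off'
dropbear.@dropbear[0].RootPasswordAuth='off'
dropbear.@dropbear[0].Interface='lan'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-SSH-WAN'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='22'
firewall.@rule[0].target='ACCEPT'
EOF
)

# The configuration Jonathan describes: same dump with Interface cleared and the rule gone.
GOOD_DUMP=$(printf '%s\n' "$BAD_DUMP" | grep -v 'Interface=' | grep -v '@rule')

# Stand-alone run against the constructed bad sample (two findings expected).
# On a router: (uci show dropbear; uci show firewall) | audit_spa_prereqs
printf '%s\n' "$BAD_DUMP" | audit_spa_prereqs || echo "bad sample: audit failed as expected"
```

The audit only confirms the static preconditions; after fixing them, the fwknopd log lines Tomáš pasted (rule added, then removed at the expire time) are still the thing to watch, because they show that the SPA packet was accepted on `PCAP_INTF` and that the rule window is long enough for the SSH handshake.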