LungenStrudel
Posts: 4
Joined: Tue Jun 25, 2013 4:02 pm

Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian]

Tue Apr 12, 2016 9:09 am

Hey folks,

I was successfully forwarding SSH port 22 to my Raspberry Pi 3 running Raspbian Jessie by mapping port 22 on my router to port 22 on my local Pi (192.168.0.5).

However, at some point (i think it _might_ have been a Raspbian upgrade) it stopped working.

I still can access the Pi via SSH on local IP 192.168.0.5 from inside my network, but from the outside, the forwarded port is not seen anymore and appears to be closed.

Forwarding port 22 to other devices on my local network does work, though. I can for instance SSH into my NAS at local IP 192.168.0.14 from the outside.

I hope that you can help, since i am tired of clueless Raspbian re-installs ;(

best regards from Vienna/Austria,

Heinz

User avatar
MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 1:51 pm

Forwarding port 22 is a bad idea; mostly because the bot armies out there can find them and bring them down in a matter of days. More likely than not your router has been hacked.

Its a really good idea to change the ssh port that you use. You can use port 443. If you forward port 443 to your internal ssh port (and I would change that too, by the way) you'll be able to ssh from more spots... often wifi spots will block port 22 anyways... but they usually keep 443 open for https traffic... which as it turns out is 'almost' indistinguishable from sshd traffic.

I created a 'honey pot' with one of my PIs on a forwarded port 22... and it was being hit in just a matter of minutes from all over the earth. You can slow this down with iptables adjustments that auto-block on too many missed attempts... but, its still a mess.

Good luck... you'll probably need to update|upgrade| or replace your router is my guess...
marcus
:ugeek:

LungenStrudel
Posts: 4
Joined: Tue Jun 25, 2013 4:02 pm

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 2:14 pm

Good luck... you'll probably need to update|upgrade| or replace your router is my guess...
hey mark, thanks for your reply! why do you suggest to replace my router? wouldn't it be sufficient to (once more) re-install raspbian?

just for the case i haven't been hacked - are there other reasons that could prevent the pi from accepting forwarded SSH requests? maybe some configuration-files i could check?

best, heinz

User avatar
MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 2:33 pm

LungenStrudel wrote:
hey mark, thanks for your reply! why do you suggest to replace my router? wouldn't it be sufficient to (once more) re-install raspbian?
I hope I didn't misunderstand you... I think you said you can still ssh to the machine inside the firewall? If so, its not raspbian that's the problem... its the thing that is forwarding the port from the outside --> to raspbian (and that's your router).

I change my sshd port number on all my machines to something other than 22; above 5000 preferably. Then, I usually forward a port (not 22) on the outside like 443, or 8080, or 8081; a common port that probably won't be blocked by the wifi hotspots and won't also be 'hit' so hard from the bot machines. I have a NetGear WR2000v3 which I recommend... its a hot modem|router and it does port forwarding and port triggering; very nice.

If I misunderstood you, sorry. I always backup my SD cards so that if my raspbian gets hacked I can make a new SD card (with all my settings in place) in about 10 minutes; <--- really good idea

If your raspbian got bonked, then well, I guess you'll be reloading again today. <sorry>

Otherwise, you'll need to figure out why that router is failing to forward to this one machine.

PS... no, there isn't anything magic about port forwarding on the inside raspbian machine... ports are just numbers (that's it) and the magic happens on the router. It 'sends' traffic (either udp, or tcp) based on 'port number' to the ip address that number 'points' to in its table; that's it. If you can ssh to the PI from the inside there is no reason (on the PI side) why you should not also be able to forward traffic to that same PI from the outside (provided the port-forwarding on the router has not been bonked) by the way, did you try rebooting your router????
marcus
:ugeek:

User avatar
MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 2:51 pm

Also, almost forgot... make sure you don't have an ARP cache problem... (address resolution protocol)

All IP machines actually communicate via mach numbers (34:89:76:34:ca:b3) and those numbers are mapped to IP addresses in what is called an arp cache... sometimes the arp cache gets bonked so that your valid IP addresses no longer work until the arp cache gets reloaded and mapped correctly. Again, a reboot of the router will fix this... also... you might need to reboot any range extenders you have running, or other switches, etc.

There have been rare times when I had to reboot everything because of an arp cache problem.

peace
marcus
:ugeek:

klricks
Posts: 6609
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 5:19 pm

Try an online port scan tool to see if your port is still open: http://www.t1shopper.com/tools/port-scan/
Many ISP's block common ports such as 80, 21, 22 etc. Your ISP may have noticed traffic and put a block on.
Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.

User avatar
MarkHaysHarris777
Posts: 1820
Joined: Mon Mar 23, 2015 7:39 am
Location: Rochester, MN
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 5:30 pm

klricks wrote:Try an online port scan tool to see if your port is still open: http://www.t1shopper.com/tools/port-scan/
Many ISP's block common ports such as 80, 21, 22 etc. Your ISP may have noticed traffic and put a block on.
The idea to use the scan tool is good, but the OP did say that he can forward to his other PIs... if there was a block on the port would be blocked to all ...
marcus
:ugeek:

klricks
Posts: 6609
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA
Contact: Website

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Tue Apr 12, 2016 7:23 pm

I did not notice it working on other devices....


Are you sure you are using the correct IP? The RPi 3 will get 2 concurrent local IPs one for the wired and one for the WIFI (if you have configured WIFI).
Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.

LungenStrudel
Posts: 4
Joined: Tue Jun 25, 2013 4:02 pm

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Wed Apr 13, 2016 8:56 am

klricks wrote:The RPi 3 will get 2 concurrent local IPs one for the wired and one for the WIFI (if you have configured WIFI).
oh. that _might_be the problem. the device was connected to my router via ethernet cable (192.168.0.18), but wanted to test the new internal wifi adapter and additionally connected it via wifi, which got me another IP, 192.168.0.20.

i tried to disconnect wifi again, but i failed, since the graphical UI seemingly does not offer any option for that and i am not yet capable of configuring network stuff via CLI.

i think this could have been the point where the port-forwarding stopped working.

so i disconnected ethernet and tried to forward port 22 to the wifi IP, 192.168.0.20. worked from the inside but not from the outside. so i was thinking it must be a router problem.

next step - i exchanged the router for a newer model, which got me a new dhcp IP, 192.168.0.5. since the pi was now unable to re-connect to the wifi, i at least considered my dual IP problem solved.

however, even with the new router, i am unable to forward port 22 to the pi.

is there a way i can check if these two IPs are the source of the problem?

best, heinz

LungenStrudel
Posts: 4
Joined: Tue Jun 25, 2013 4:02 pm

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Wed Apr 13, 2016 1:03 pm

dear marcus,

thanks for your help! however, i am now re-installing raspbian since the thing is becoming too cumbersome and there wasn't much on it anyway.

however,
I always backup my SD cards so that if my raspbian gets hacked I can make a new SD card (with all my settings in place) in about 10 minutes; <--- really good idea
are you backing up your card automatically? i am actually searching for a method that works like OSX time machine, which appears to only store differences to the previous backup. this way i could do a backup every day and just go back to the last working one if something goes south.

best, heinz

User avatar
RDK
Posts: 262
Joined: Wed Aug 13, 2014 10:19 am
Location: Wyoming and France

Re: Forwarding Port 22 (SSH) stopped working [RP3 / Raspbian

Wed Jul 05, 2017 5:19 pm

I realize that this an old thread, but I'm having exactly the same issue - Pi is not responding to port forwarding on a newly installed Pi Version 2 with Jessie -- New Pi V2 and fresh Jessie install with all of the updates.

Details:
I have my Pi's on a NetGear router which is itself connected to another Firewall and then to my DSL modem/router Internet connection. Except for this issues all is working FINE.

I have four Pi's on the Netgear network, 3 Pi B+ Wheezy OS's and a Pi V2 with Jessie. The Jessie Pi is the issue and is a new build with latest updates. I have added port 9000 to the /etc/ssh/sshd_config file. From the Netgear network I can access all of my Pi's via each ones unique port number, as well as port 22.

From the Firewall network, the DSL modem/router network and/or the Internet I can get, via the correct port numbers, to each of the Pi's, except the new Jessie build.

SSH is enabled on the Jessie build as I can get to that Pi via Putty when on the Netgear network. When trying to access from outside the Netgear network, the Putty connection times out. I have set up the Pi to listen on both port 22 and port 9000, which works on the Netgear network. From outside the Netgear network it does not respond to either port.

I know the putty request is getting through the Netgear router as it shows up in the Netgear log: [
LAN access from remote] from 192.168.xx.11:58075 to 192.168.yy.163:9000, Wednesday, Jul 05,2017 10:47:19
. 192.168.xx.11 is the address of my Windows PC on the firewall network and 192.168.yy.163 is the Pi's address on the Netgear network

This is the Netgear log entry when I successfully access one of the other Pi's:
[LAN access from remote] from 192.168.xx.11:58955 to 192.168.yy.155:9201, Wednesday, Jul 05,2017 11:09:41
Is there something I'm missing here? Something new in Jessie?

Thanks...RDK

Return to “Troubleshooting”