Connect to HA through remote SSH

Hi,
I’m trying to connect to my HA (on Hassbian) from remote. I enabled the SSH option in raspi-config, and I’ve opened port 22, but PuTTY tells me that the connection is refused.
What am I missing?

That should be all you need. Are you logging in as user pi? Or are you not getting that far?

Have you got ssh running on the server? Can you connect a keyboard and monitor to the pi and check?

Are you connecting within your network?

Within my network I can connect and operate as pi user. It’s from outside that the connection is refused. So I suppose ssh is running.
sudo ssh pi@localhost works.

Ok, I’ve resolved it. I set 2222 -> 22 on my external router, then 22 -> 22 into my internal wifi router. And now I can access.

Be careful, now the whole world can access your pi. Deactivate user pi, root, admin or any common name from using SSH, because they will be tested (just look at your /var/log/auth.log, you should already see some login attempts).
Create a new user with a special name, and deactivate password for it, only allowing connection with keys, it’s much safer -> https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md

And user pi is actively targeted, yesterday I still had some attacks on my server:

Nov 11 23:21:40 username sshd[23559]: Failed password for invalid user pi from 59.30.101.105 port 58724 ssh2
Nov 11 23:21:40 username sshd[23560]: Failed password for invalid user pi from 59.30.101.105 port 58728 ssh2

Thanks for the reply. I will try to do so!! For deactivating the pi user, what’s best practice, create a new user as PI or rename it?
Or, since I know where I will connect from remotely, can I set some deny all / allow from my external IP rule on SSH?

Only use private key authentication for SSH access to devices available externally. If I can connect to your system via SSH I can open tunnels into your internal network, monitor all your network traffic, steal cookies and information, etc. You don’t want an SSH server compromised.

Best practice is to set up IP tables and Fail2Ban. Tie F2B into the appropriate log files so when someone starts brute forcing password attempts it’ll drop their traffic after 2-3 failed attempts.

double NAT…that’s not what you really want.

You should only have ONE router in your network, and the other device should be on the same subnet with NAT disabled, and acting as a switch and access point only.

Thanks, I’ll try to lock Pi user out.

mmm, I’m having issues, not with ssh, but with access from remote through Cloudflare. Not sure if that’s the cause of it.
Basically what should I do? I tried to put my modem router in bridge mode, but it doesn’t really have it, I enabled DMZ and disabled DHCP mode, but not sure it was the right thing to do. And in any case it didn’t help with the Cloudflare issue.
Alternatively, I have a Google WiFi, I can put Google Wifi into bridge mode, that should work?

Why not use your modem/router as your router and the other device as an access point and switch only? Why are you using 2 devices that do the same job?

mm, primary router is modem router and it is necessary to connect to internet. I turned off wifi and google wifi is wired to it working as router and AP. I added it since wifi signal of my modem router was weak. This way I can reach all my house.

if your second router is using the WAN port and provides a DIFFERENT network, it isn’t acting as an AP, it’s acting as a router.

Yeah, it is acting as a router. I’m fully using it as such, and delegated the primary router as modem, despite it still being active as router (and for VoIP), with only the second router wired to it.

OK, I understand this layout, but it’s still working as a Double NAT.

What model is your main router?

It’s produced or probably, re-branded by my ISP, it should be “fastgate askey rtv1907vw”.

ouch. translating that will be difficult for me, but I will look into it later

Thanks, but I fear I’ll have to turn off the google wifi and put it into bridge mode. For the primary router I read I have a DMZ option, but it didn’t have any effect, or so it seemed.