Allowing WAN Ubuntu server access

Status
Not open for further replies.

NJC

I have set up an extra account for a family member on my Ubuntu Server 12.04, @ 192.168.103. He will log in remotely via Filezilla.

I have given him my external IP, and forwarded a port in my router which goes to 192.168.1.103. So far a few attempts have failed, although he hasn't tried the new port (he used 22 before). Anything I'm missing?
 
Passive FTP connections will request a range of other ports to be opened to allow data connections as they're requested. You'll need to force the FTP server to use a small range of ports and forward those as well. That all depends on your FTP server daemon.
 
OT: No one should be using FTP. Filezilla supports ssh transfers (port 22). Cleaner and encrypted.

Not sure what you mean by (he used 22 before)
 
What I mean is that I initially had Port 22 forwarded to the server ... but it didn't work so I changed to a range of ports to forward in the router xx00 - xx10.
 
Residential ISPs generally block inbound ports 20 through 25. You may need to specify a nonstandard port for ssh access.
 
Port 22 is for ssh (or FTP over an SSH tunnel: SFTP). Normal FTP uses port 21. Filezilla ought to use the appropriate port according to how the account was set up in Filezilla (FTP unencrypted versus SFTP). If an ISP blocks one of these ports then an alternate port must be used both on the server (I forget where the sshd config file is on Ubuntu, but someone on the Ubuntu forums'll get you hooked up) and the Filezilla client.

I cannot recommend highly enough that you do use ssh/SFTP. Otherwise the data is entirely unencrypted.
 
He took a screen shot of his Filezilla login attempts, and it starts with sftp:/IP...

I agree about the SFTP and FTP security, and I typically ssh into the Server from my desktop.
 
Originally Posted By: NJC
He took a screen shot of his Filezilla login attempts, and it starts with sftp:/IP...

I agree about the SFTP and FTP security, and I typically ssh into the Server from my desktop.


I don't know if it was a typo, but there need to be two forward slashes. I'd typically (without using a GUI app like Filezilla which would have text fields into which the user would input the login parameters) use sftp://username@IP_or_hostname/path/to/somewhere

If you are using encryption, I wonder if Filezilla and the ssh server have mismatched or outdated certificates or key files. It might be worth it to (if it is possible to do so in Filezilla) clear out any cached encryption information and begin again anew.

Lastly, do you have a static IP? If not, you may have to use a dynamic DNS service.
 
uc50, thanks for the help. The server LAN IP is static @ 192.168.1.103, but external IP is still dynamic.

That was a typo regarding the sftp://

I normally log in using a key (or sometimes password), but configured him to access via password.
 
Originally Posted By: NJC
The server LAN IP is static @ 192.168.1.103, but external IP is still dynamic.


If the server's WAN IP keeps changing, you will absolutely need to either 1) remain constantly vigilant about having your remote user constantly change Filezilla's login info for your server as its WAN IP changes, or 2) register at a site like noip.com or dyndns.com. This way the remote user need only set up Filezilla to access the server at [your sub-domain @ noip or dyndns]

For example, (I admin about a dozen Debian boxen for friends, family and neighbours) I log into my "client" systems to perform upgrades, troubleshoot, etc., thusly: sftp://their_system_user_name@their_noip_subdomain/home/their_system_user_name/

FWIW, if your remote user uses Windows, I think (haven't touched a Windows system in years) that Windows Explorer can "speak" sftp. The odds are good that I am mistaken, though! If I am correct, though, you could set up your server to be mounted as a network (mapped) drive for your remote user upon boot or login.
 
I don't believe sshd server is installed on Ubuntu desktop in the default install; perhaps in server it is.

sudo apt-get install openssh-server

The config file is /etc/ssh/sshd_config (not /etc/ssh/ssh_config)

Need to restart sshd if you change the port it listens on. Not sure why any ISP would block that, but I can see why they would block 25 (mail) and ftp
 
Originally Posted By: simple_gifts
I don't believe sshd server is installed on Ubuntu desktop in the default install; perhaps in server it is.

sudo apt-get install openssh-server

I thought indeed this would have been installed since I configured SSH et al upon installation, but appears it wasn't?

Code:
bitoguser@Ubuntu11:~$ sudo apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ssh-import-id
Suggested packages:
  rssh molly-guard openssh-blacklist openssh-blacklist-extra monkeysphere
The following NEW packages will be installed:
  openssh-server ssh-import-id
 
Are you sure you weren't just configuring the FW for ssh access? I haven't used server before, but probably should take a look @ it under virtualbox.
 
All is well now, he was able to log in. I reverted back to port 22 forwarded in router. All sessions are sftp.

Seems like a good way to share large files with friends and family, although maybe dropbox / Ubuntu One are adequate.
 
Originally Posted By: NJC
All is well now, he was able to log in. I reverted back to port 22 forwarded in router. All sessions are sftp.

Seems like a good way to share large files with friends and family, although maybe dropbox / Ubuntu One are adequate.



Dropbox and U1 are capped (for free, at least) at 2GB and 5GB respectively, while your Ubuntu server is not. Mind you, both Dropbox and U1 will serve the files to your remote user much faster, in all likelihood, than your Ubuntu machine serving the files from a (presumably) residential internet connection.

If you do want to use an alternate port (I always do) you must define that port in the ssh daemon config on the Ubuntu server, the router and the SFTP client (Filezilla in this case).
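
Added example (not part of any post in this thread): a shell check that the port in sshd_config, the router forward and the SFTP client URL agree, which is the three-way match the replies above describe. The sample config, the user name `familyuser` and the host `example.ddns.invalid` are constructed placeholders, and the router is assumed to forward the same port number externally and internally.

```shell
#!/bin/sh
# Added example: confirm sshd, the router forward and the SFTP client use one port.

# Print the port(s) sshd listens on according to a config file.
# Reads global "Port" directives only; sshd falls back to 22 when none is set.
sshd_ports() {
    ports=$(awk '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }   # accept "Port 22" and "Port=22"
        f[1] ~ /^#/ { next }                              # skip comments such as "#Port 22"
        tolower(f[1]) == "match" { exit }                 # Port is not valid inside a Match block
        tolower(f[1]) == "port" { print f[2] }            # keywords are case-insensitive
    ' "$1")
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# Succeed if the forwarded port is one sshd listens on, and print the URL
# the remote user should enter in the SFTP client (Filezilla in this thread).
# Arguments: config_file forwarded_port user host
check_forward() {
    for p in $(sshd_ports "$1"); do
        if [ "$p" = "$2" ]; then
            echo "sftp://$3@$4:$2/"
            return 0
        fi
    done
    echo "mismatch: router forwards $2, sshd listens on: $(sshd_ports "$1" | tr '\n' ' ')" >&2
    return 1
}

# Constructed sample config: the commented-out default plus an alternate port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Package default, commented out:
#Port 22
Port 2222
PasswordAuthentication yes
EOF

# Matching forward: prints the client URL.
check_forward "$sample" 2222 familyuser example.ddns.invalid
# Router still forwarding 22 after sshd was moved: reports the mismatch.
check_forward "$sample" 22 familyuser example.ddns.invalid || echo "fix the router or sshd_config"
```

On the server itself, point the first argument at /etc/ssh/sshd_config and restart sshd after any port change, as noted earlier in the thread.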
 