SSHD and remote management option

Discussion in 'DD-WRT Firmware' started by dolph, Jan 3, 2006.

  1. dolph

    dolph Network Guru Member

    I'm running V23 final and trying to get sshd to work. It seems to only work if the option "Remote Management" is enabled. I've set up port forwarding to forward 22 to the LAN IP of the router.
    For instance, if remote management is enabled and sshd is enabled, I can see the open port on a scan and can connect to it with a ssh client. If I just disable remote management, save settings, I can no longer see the port open and of course can't connect to the router via ssh from the WAN.

    Is this expected, or am I just not doing something correctly?

  2. sufrano63

    sufrano63 Network Guru Member

    I have remote management disabled and have no problem connecting to SSHD. I'm using final v23 and have been using SSHD for a couple of months now.
  3. dolph

    dolph Network Guru Member

    Well I'll have to take a deeper look. I don't know what is going on here.
  4. sufrano63

    sufrano63 Network Guru Member

  5. jpark

    jpark Network Guru Member

    As an alternative, you can set up a PPTP connection, then SSH through the tunnel.
  6. dolph

    dolph Network Guru Member

    Looks like I can get an iptables rule entered just fine, but now I'm having trouble saving the rule. I choose the "Save Firewall" button, it appears to save it, but when I enumerate the rules my new rule is gone.

    I've read something about rc_startup, is that the right direction to go?
  7. sufrano63

    sufrano63 Network Guru Member

    Try telnet to your router, then run the command.
  8. dolph

    dolph Network Guru Member

    I've run this command from telnet, it accepts the code and I can see it when I run a "/usr/sbin/iptables -L INPUT".
    However, the code just goes away at some point. Like last night I entered the command "/usr/sbin/iptables -I INPUT -p tcp -s x.x.x.x --dport 22 -j logaccept", then verified it showed up in iptables, then exited telnet. This morning I go back in and the code is gone. Very weird.
  9. sufrano63

    sufrano63 Network Guru Member

    Sounds like you're forgetting the nvram commit command.
  10. dolph

    dolph Network Guru Member

    Well I entered my iptables commands again, made sure they displayed properly and were working and they were. Then I issued the "nvram commit" command and everything still checked out.
    I then rebooted the router from the web interface; when it came back up my commands were no longer in the router. I seem to be missing something still and I'm not sure what.
  11. sufrano63

    sufrano63 Network Guru Member

    Make sure your boot wait is set to "on", then try the command again.
  12. dolph

    dolph Network Guru Member

    Yes, boot wait is on. I'm pretty sure that's the default so it's been on the whole time.

    I think I may have found a way that works. I've entered the following and so far it's staying.

    nvram set rc_firewall="
    /usr/sbin/iptables -I INPUT -p tcp -s x.x.x.x --dport 22 -j logaccept
    "
    nvram commit

    Thanks to all that helped, specifically sufrano63!
  13. XeviouS

    XeviouS Network Guru Member

    I found this thread because I have the exact same problem!!

    I issue the iptables command to open up port 22 from the WAN and it works.

    However when I "Save Firewall" the changes are not committed, in fact they get removed.

    I will try your suggestion above, but this may need to be tracked as a bug?
  14. vincentfox

    vincentfox Network Guru Member

    There is a LOT of TERRIBLE advice on this subject in various threads.

    You want the BEST way?

    FIRST, go into the web-GUI Administration->Services and move the ssh port from the default 22 to something non-standard; let's use 34561 for this example.

    Reboot the router, make sure that ssh now responds on 34561.

    Okay, login to your router. I mean use ssh, not the web-GUI.

    Now you have a command prompt right? Fine.

    nvram set rc_firewall='/usr/sbin/iptables -I INPUT -p tcp --dport 34561 -j logaccept'
    nvram commit

    That's all you have to do.

    That business in the Wiki about doing a port-forward is irrelevant. This iptables rule works all by itself.

    You want to know why to move ssh off port 22? Well that is because everyone and their sister is running some tool that scans the net looking for ssh on port 22 and tries a list of common passwords on it. Move your ssh somewhere else and this attack will pass you right by.
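    A way to store the rc_firewall rule from dolph's and vincentfox's posts without overwriting whatever the variable already holds (a bare "nvram set rc_firewall=..." replaces it entirely), as an added example that is not code from the thread or from DD-WRT. It assumes the nvram CLI and the logaccept chain named in the posts, and falls back to a file-backed stand-in for nvram so it can be run off the router; 203.0.113.5 used with it is a constructed address.

```shell
#!/bin/sh
# Added example, not from the thread: keep an SSH allow rule in DD-WRT's
# rc_firewall NVRAM variable without overwriting rules already stored there
# (a bare 'nvram set rc_firewall=...' replaces the whole variable).
# Assumes the 'nvram' CLI and the 'logaccept' chain used in the posts above.
# If no nvram binary exists (e.g. when run on a PC) a file in $NVRAM_FILE
# stands in for it so the script still runs offline.

NVRAM_FILE="${NVRAM_FILE:-/tmp/fake-nvram-rc_firewall}"

nv() {
    # nv get NAME | nv set NAME=VALUE | nv commit
    if command -v nvram >/dev/null 2>&1; then nvram "$@"; return; fi
    case "$1" in
        get)    if [ -f "$NVRAM_FILE" ]; then cat "$NVRAM_FILE"; fi ;;
        set)    printf '%s\n' "${2#*=}" > "$NVRAM_FILE" ;;
        commit) : ;;   # nothing to flush in the file stand-in
    esac
}

# Print the iptables rule allowing TCP to the SSH port, optionally only from
# one source address (as in dolph's "-s x.x.x.x" rule). Rejects bad ports.
ssh_rule() {
    port="$1"; src="$2"
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    if [ -n "$src" ]; then
        printf '/usr/sbin/iptables -I INPUT -p tcp -s %s --dport %s -j logaccept\n' "$src" "$port"
    else
        printf '/usr/sbin/iptables -I INPUT -p tcp --dport %s -j logaccept\n' "$port"
    fi
}

# Append the rule to rc_firewall only if it is not already there, then commit.
persist_ssh_rule() {
    rule=$(ssh_rule "$1" "$2") || return 1
    current=$(nv get rc_firewall)
    if printf '%s\n' "$current" | grep -qxF -e "$rule"; then
        echo "already present: $rule"; return 0
    fi
    if [ -n "$current" ]; then
        new=$(printf '%s\n%s' "$current" "$rule")
    else
        new="$rule"
    fi
    nv set "rc_firewall=$new" && nv commit
}
```

    On the router, "persist_ssh_rule 34561" stores vincentfox's rule and "persist_ssh_rule 22 203.0.113.5" stores a source-restricted one like dolph's; running either twice leaves a single copy.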
  15. jpark

    jpark Network Guru Member

    Thanks for that. I'm not very familiar with iptables usage. If, for example, I wanted to remove that rule, how would I do that?
    (I've added a rule for port 22, and want to remove that rule and add a rule for a higher port.)

    I know I can just do a 30 sec. reset of the router, but it would be infinitely better to know how to just remove the rule.
  16. sufrano63

    sufrano63 Network Guru Member
