How do I SSH into my Samba file server?


Scriptonaut, probably your problem has nothing to do with Samba, but has to do with port forwarding/NAT. If your Samba-serving Debian computer is in a LAN behind a router, you need the router configured to transfer requests arriving at some of its ports to the machine running Samba.


First, I'll explain how outgoing connections work with a router. When two machines speak via TCP/IP, each machine (the source and the destination) is addressed by an IP/port-number pair, so the connection is determined by two pairs: source IP/port number and destination IP/port number.

When you open a tab in Mozilla and access Google from your 192.168.1.2 machine, it sends some IP packets to the router with its own IP (192.168.1.2) as the source address and an arbitrary outgoing TCP port number it allocated for that browser tab (like 43694), and asks the router to transfer those packets to the Google machine with a certain IP on port 80 of that machine, because 80 is the standard port for incoming HTTP connections (you can see the list of standard TCP ports in the /etc/services file on Linux). The router allocates a port of its own at random (e.g. 12345), replaces the source IP/port pair in those packets with its own WAN IP (74.25.14.86) and port 12345, and remembers that if it gets a response on port 12345 from Google, it should automatically transfer that response back to 192.168.1.2, port 43694.

Now, what happens when an outer machine wants to access your server?

When you try to access your Samba server from the outer machine, it sends IP packets to your WAN IP 74.25.14.86, port 22 (because 22 is the standard TCP port for listening for SSH connections; you can see the list of standard TCP ports in the /etc/services file on Linux). Your router receives those packets. By default, firewalls on routers are configured to block all incoming connections to any port if there was no outgoing connection bound to that port (so when you were accessing Google in the previous case, the router didn't block the response from Google to its port 12345, because it remembered that your 192.168.1.2 initiated a connection to Google and the response from Google should come to port 12345). But it would block attempts to initiate connections from the outer world to its port 22, because port 22 was not mapped for any connection coming from the LAN.

So what you need to do is configure your router to transfer all connections to its port 22 from the outside to port 22 of your 192.168.1.2. This can be done in the web interface of hardware routers; usually the menu option you need is called "Port forwarding" or "NAT - network address translation".
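The stateful behaviour the answer describes (outbound flows remembered and translated back, unsolicited inbound traffic dropped, an explicit forward of WAN port 22 to 192.168.1.2:22), as an added Python model that is not part of the original answer. The LAN host, WAN IP and ports are the answer's illustrative values; the remote addresses 203.0.113.10 and 198.51.100.7 used in the comments and test are constructed placeholders.

```python
"""Toy model of the stateful NAT / port forwarding the answer describes.

Added example, not code from the original post. Values 192.168.1.2:43694,
WAN 74.25.14.86 and router port 12345 are the answer's illustrative ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Router:
    """Outbound flows get a WAN port; inbound packets pass only as a reply to a remembered flow or via a port forward."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        self.next_port = 12345   # first WAN port handed out (fixed here, random on a real router)
        self.flows = {}          # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.replies = {}        # wan_port -> (lan_ip, lan_port, remote_ip)
        self.forwards = {}       # wan_port -> (lan_ip, lan_port)

    def forward_port(self, wan_port, lan_ip, lan_port):
        """What the router's 'Port forwarding' / 'NAT' menu entry configures."""
        self.forwards[wan_port] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt):
        """Rewrite the source to WAN IP/port and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.replies[self.next_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
            self.next_port += 1
        return Packet(self.wan_ip, self.flows[key], pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt):
        """Translate a reply or a forwarded port back into the LAN;
        anything else is unsolicited and dropped (returns None)."""
        if pkt.dst_port in self.replies:
            lan_ip, lan_port, remote_ip = self.replies[pkt.dst_port]
            if pkt.src_ip != remote_ip:      # a reply must come from the peer we contacted
                return None
        elif pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
        else:
            return None                      # default firewall behaviour: block
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
```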

Author: Scriptonaut

Updated on September 18, 2022

Comments

  • Scriptonaut
    Scriptonaut over 1 year

    So I made a dedicated Samba file server on my Debian (3.2) machine. I have had great success accessing it from both Windows and Unix. I can SSH into it on the local network.

    When I try to SSH into it via the public IP address, it says connection refused.

    I would like to be able to ssh into it remotely, directing into the Samba share. How would I go about doing this? I hear I might have to port forward? Do I need to change anything in the smb.conf file?

    Here's my sshd_config file:

    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    Subsystem sftp /usr/lib/openssh/sftp-server
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
    • Keith
      Keith over 11 years
      Most likely your firewall is blocking the incoming connection. Is your server on a private LAN? Do you have a firewall? Are you using NAT? What router do you have?
    • Scriptonaut
      Scriptonaut over 11 years
      What is a private LAN? Ya, I have a firewall (as far as I can tell). I don't know what NAT is, and my router is a TRENDnet TEW-632BRP.
    • Keith
      Keith over 11 years
      What's the IP address of your server? PS. you can remove the rather long config file, we don't need it.
    • Scriptonaut
      Scriptonaut over 11 years
      Why is my IP address necessary? (Sorry, I'm paranoid; I posted on here a few months ago and some guy got control of my machine and destroyed it.)
    • Keith
      Keith over 11 years
      Just to tell if it's private or not. Also, are you getting a dynamic IP from your ISP, or static?
    • Scriptonaut
      Scriptonaut over 11 years
      I'm really wary about putting my IP up here; how can I easily tell you? The first 3 sets of numbers are 67.161.81. The IP is static.
    • Keith
      Keith over 11 years
    • sparticvs
      sparticvs over 11 years
      By local network are you referring to 127.0.0.1? If so, check your /etc/ssh/sshd.conf and make sure it's set up to listen on 0.0.0.0 instead of just on localhost. Also check to see if you have any iptables rules that might be restricting access: iptables --list
    • Scriptonaut
      Scriptonaut over 11 years
      I put my /etc/ssh/sshd.conf file up
  • Scriptonaut
    Scriptonaut over 11 years
    Alright, so I forwarded port 22, and put 192.168.10.110 as the address for the LAN server. This is the private IP address of the Samba machine. Now when I try to ssh remotely it times out, rather than saying connection refused for some reason.
  • Scriptonaut
    Scriptonaut over 11 years
    Hey, so I just read that it's possible that my ISP (Comcast) blocks port 22. Would changing it to a different port be possible? How hard would it be to SSH on a different port (especially for programs like CVS and stuff)?
  • Bonsi Scott
    Bonsi Scott over 11 years
    This may help, but I must say that I don't understand why Comcast blocks port 22.
  • CoOl
    CoOl over 11 years
    Quite often Internet Service Providers block ports 80 and 8080, so that if computer-illiterate users run their routers out of the box without setting an admin password, they don't have hackers immediately hijacking their routers (although I don't understand why a router would process any connections to port 80 of its WAN IP at all; IMO it makes sense to show the admin page on port 80 of the LAN IP only, and any access to port 80 of the WAN IP should be either forwarded or blocked). But I never heard of blocking port 22. My ISP blocks 80 and 8080, but doesn't touch 22.
  • CoOl
    CoOl over 11 years
    Hm, I'm also not sure that the 192.168.10.110 LAN IP is OK, because typically LANs nowadays have a /24 mask, which means that if your router's LAN IP is 192.168.1.1 you can access only 192.168.1.* machines, not 192.168.10.*. As for the timeout: maybe you could run tcpdump on port 22 of your Samba server to check whether it receives the packets at all. If it does, sshd is probably misconfigured; otherwise, the problem is with port forwarding. There are good examples in man tcpdump just in case.
  • Scriptonaut
    Scriptonaut over 11 years
    I'm having a bit of trouble with tcpdump; how would I check? How do I find my router's LAN IP? My default gateway is 192.168.10.1. Another thing: I discovered that I can ssh into the server from outside of my network. If I'm somewhere else it works great. However, using the public IP from within the network doesn't work, but the private IP still allows me access.
  • CoOl
    CoOl over 11 years
    Ah, it's fine that from within the LAN you can't access your server by WAN IP; it's a router-side problem that, for some reason, they won't forward requests from within the LAN back to the LAN and typically don't allow you to configure this (although, who knows about yours :)). It's a standard pain in the ass and I don't know how to overcome this accurately. I usually just write the LAN IP of my server in /etc/hosts on other Linux machines in the network, so that they resolve "MYSERVER" as 192.168.1.2. With Windows machines - dunno.
  • CoOl
    CoOl over 11 years
    You don't need them by now as everything seems to work fine for you, but here are tcpdump examples: danielmiessler.com/study/tcpdump
  • CoOl
    CoOl over 11 years
    As for your Windows machines, the /etc/hosts analogue is c:\windows\system32\drivers\etc\hosts. Also, they should be able to identify your server by its NetBIOS name by now thanks to Samba (NetBIOS names are those Windows uses for network workgroups, like \\Computer1). Though I don't know if there is any Windows SSH client which can resolve a NetBIOS name into a LAN IP. So you're pretty much done now :)
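Once port 22 is forwarded as discussed in the thread, the posted sshd_config is what the whole internet talks to, so it is worth auditing before exposing it. The following is an added Python example, not code from the original post or from OpenSSH: it parses sshd_config with sshd's first-occurrence rule and reports the settings in the posted file that matter once the host is reachable from the WAN (PermitRootLogin yes, PasswordAuthentication left at its default of yes, X11Forwarding yes). SAMPLE is a constructed excerpt mirroring the posted configuration.

```python
"""Audit an sshd_config before forwarding WAN port 22 to the host.

Added example, not code from the original post. SAMPLE is a constructed
excerpt that mirrors the settings in the posted sshd_config.
"""
import re

SAMPLE = """\
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
"""


def parse_sshd_config(text):
    """Return {keyword: value}. Keywords are case-insensitive, '#' lines
    and blanks are skipped, and as in sshd the first occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key not in cfg:
            cfg[key] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def audit(text):
    """Return findings worth fixing before exposing this sshd to the WAN.
    A missing keyword is judged by sshd's default for that keyword."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is reachable from the internet")
    if cfg.get("passwordauthentication", "yes") == "yes":   # sshd default is yes
        findings.append("PasswordAuthentication effectively yes: prefer keys, set no")
    if cfg.get("x11forwarding", "no") == "yes":
        findings.append("X11Forwarding yes: unnecessary on a file server")
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled: SSH-1 is broken, use Protocol 2")
    return findings
```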