Centos 7, Vagrant with Virtualbox - Apache virtual hosts working on guest machine, on host showing "it works" - apache

I have set up a working Centos 7 Apache virtual host website in vagrant with virtualbox configured with a mapped static ip address and shared folders (192.168.88.1).
When I ssh into the guest machine with the vagrant user (I have port forwarding working as well for ssh), I can curl the website and it returns the correct html.
ssh vagrant@127.0.0.1 -p 2222
curl localsite.dev
If I do the same thing and curl the direct static ip address, it also returns the correct html
ssh vagrant@127.0.0.1 -p 2222
curl 192.168.88.1
When I access this site or ip address from the host machine from a browser the response is "It Works". I'm not sure where to start, because the logs are empty, it's obviously loading the correct server and the ping results are all successful. I'm not sure what code to post on here, because I'm confused as to what could cause this. I've followed like 100 guides, even line for line, and it still doesn't work. Any ideas or where to start looking?

I added port forwarding to the NAT card (8080 host port - 80 guest port) in the Network settings for the virtual machine. Then in the hosts file I set up the domain to point to 192.168.88.1 and in the browser I put in the address localsite.dev:8080 and finally it does load the site.

Related

Ubuntu Jump Host in Open Telekom Cloud not working as expected

Currently, I have built a small datacenter environment in OTC with Terraform, based on Ubuntu 20.04 images.
The idea is to have a jump host in the setup phase and for operational purposes that allows spontaneous access to service frontends via ssh proxy jumps without permanently routing them to the public net.
Basic setup works fine so far - I can access the jump host with ssh, and can access the internal machines from there with ssh when I put the private key onto the jump host. So, cloudwise the security seems to be fine. Key pair is generated with ed25519, I use the same key for jump host and internal servers (for now).
What I cannot achieve is the proxy jump as a chained command from my outside machine.
On the jump host, I set AllowTcpForwarding to "yes" in /etc/ssh/sshd_config and restarted ssh and sshd services.
My current local ssh config looks like this:
Host otc
User ubuntu
Hostname <FloatingIP-Address>
Port 22
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
IdentityFile= ~/.ssh/ssh_access
ControlPath ~/.ssh/cm-%r@%h:%p
ControlMaster auto
ControlPersist 10m
Host 10.*
User ubuntu
Port 22
IdentityFile=~/.ssh/ssh_access
ProxyJump otc
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
I can use this to ssh otc to the jump host.
What I would expect is that I could use e.g. ssh 10.0.0.56 to reach an internal host without further ado. As well I should be able to use commands like ssh -L 8080:10.0.0.56:8080 10.0.0.56 -N to map an internal server's port to a localhost port on my external machine. This is how I managed that successfully on other hosting scenarios in the public cloud.
All I get is:
Stdio forwarding request failed: Session open refused by peer
kex_exchange_identification: Connection closed by remote host
Journal on the Jump host says:
Jul 30 07:19:04 dev-nc-o-bastion sshd[2176]: refused local port forward: originator 127.0.0.1 port 65535, target 10.0.0.56 port 22
What I checked as well:
ufw is off on the Jump Host.
replaced ProxyJump configuration with ProxyCommand
So I am at the end of my knowledge. Has anyone a hint what else could be the reason? Any help welcome!
Ok, cause is found (but not yet fully explained).
My local ssh setting was allowing multiplexed forwards (ControlMaster auto), which caused the creation of a unix socket file for the ControlPath in ~/.ssh.
I had to login to the jump host to AllowTcpForwarding in the first place.
After rebooting the sshd, I returned to the local machine and the failure occurred when trying to forward to the remote internal machine.
After deleting the socket file in ~/.ssh, the connection can now be established as needed. Obviously, the persistent tunnel was not impacted by the restarted daemon on the jump host and simply refused to follow the new directive.
This cost me two days. On the bright side, I learned a lot about ssh :o
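An added example, not part of the original answer: the sshd process serving an already established connection keeps the configuration it started with, so a master opened before the AllowTcpForwarding change keeps refusing forwards until it is closed. Instead of deleting the socket file, the master can be queried and closed with ssh's own control commands; the `otc` alias and `cm-` prefix come from the config above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Host alias "otc" and the "cm-" socket prefix come from the
# ssh config above; the function names are hypothetical.

# List control sockets under a directory (default: ~/.ssh).
# Only real UNIX sockets are reported, not regular files that match the name.
list_control_sockets() {
    dir=${1:-"$HOME/.ssh"}
    for f in "$dir"/cm-*; do
        if [ -S "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Close the multiplexing master for a host alias, if one is running.
# Returns 0 when a master was told to exit, 1 when none was running.
reset_master() {
    host=$1
    # -O check asks the master process behind ControlPath whether it is alive.
    if ssh -O check "$host" 2>/dev/null; then
        # -O exit makes the master close its connection and remove the socket,
        # so the next ssh opens a fresh connection that sshd serves with its
        # current configuration.
        ssh -O exit "$host"
    else
        return 1
    fi
}

# Typical use after changing sshd_config on the jump host:
#   reset_master otc; list_control_sockets
```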

"This site can’t be reached" shows when I type my vps ip in browser

I have bought a vps with debian linux operating system. I have webmin installed. My vps ip is '192.99.42.109'. When I type my ip in the browser address bar and press enter, it says 'this site can't be reached'. I have checked, apache is installed.
I have checked apache and webmin/virtualmin is installed. I have created a virtual host using virtualmin.
It should show up apache2 page, but it's not showing.
It was happening because of the firewall blocking the port number 80 and 445. Below is the command to release the block over port 80.
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Vagrant forwarding ssh from remote server

I set up vagrant to run a vm on a host os. What I would like to do is be able to ssh from other machines directly into the vagrant vm (ie, I shouldn't ssh into the host and then vagrant ssh, etc. into the vagrant vm).
Currently, I can ssh not using vagrant ssh from the host os using ssh vagrant@127.0.0.1 -p 2222. However, if I run the same command (replacing 127.0.0.1 with the host's ip address), I get "ssh connect to host XXXXX port 2222: Connection refused."
I tried adding my own port forwarding rule to vagrant:
config.vm.network :forwarded_port, guest: 22, host: 2222
But that doesn't allow ssh connection from either the host machine or any other machine in the network. Additionally, I spent a while with config.ssh in the vagrant docs. I think that most of those parameters though specify what port the vagrant vm is running ssh on.
I really don't think this should be that difficult. Does anyone know what I might be doing wrong, or what I should do differently to ssh into a vagrant vm from a remote server?
If you don't want to change network to public you can override default port forwarding for ssh by this:
config.vm.network :forwarded_port, guest: 22, host: 2222, host_ip: "0.0.0.0", id: "ssh", auto_correct: true
This will forward guest 22 port to 2222 on your host machine and will be available from any ip, so you can access it outside your local machine.
Since v1.2.3 Vagrant port forwarding by default binds with 127.0.0.1 so only local connections are allowed.
You got "Connection refused" because the port forwarding was NOT binding to your network interfaces (e.g. eth0, wlan0). The port 2222 on your host is NOT even open to hosts in the same network (loopback interfaces not accessible to other hosts).
If you want to SSH directly to the Vagrant VM from a remote host (in the same LAN), the best and easiest way is to use Public Network (VirtualBox's Bridged networking mode).
Add the following to your Vagrantfile and do a vagrant reload.
It should bridge through one of the public network interfaces, you should be able to get the IP address after VM is up, vagrant ssh into it and run ifconfig -a or ip addr to get the IP address to ssh to from remote hosts.
Sample Vagrantfile
config.vm.network :public_network # 2nd interface bridged mode
or more advanced, you can set default network interface for public network
config.vm.network "public_network", :bridge => 'en1: Wi-Fi (AirPort)'
See more => Public Network
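An added example (not from the answer) that makes the loopback point checkable: it reads `ss -ltn` output taken on the host and reports whether a forwarded port listens on loopback only or on all interfaces. The sample output is constructed, with 2222 bound the default way and 2200 standing in for a forward declared with host_ip: "0.0.0.0"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Input is `ss -ltn` output.

# Constructed sample: 2222 is bound the way Vagrant binds by default,
# 2200 stands in for a forward declared with host_ip: "0.0.0.0".
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128          0.0.0.0:2200      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*'

# Print "port address scope" for every listening TCP socket on stdin.
classify_listeners() {
    awk '
        $1 == "LISTEN" {
            la = $4
            n = split(la, parts, ":")
            port = parts[n]                      # last colon-separated piece
            addr = substr(la, 1, length(la) - length(port) - 1)
            gsub(/^\[|\]$/, "", addr)            # [::] -> ::
            sub(/%.*$/, "", addr)                # drop an interface suffix
            if (addr ~ /^127\./ || addr == "::1")
                scope = "loopback-only"          # other hosts get "refused"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "all-interfaces"         # reachable from the network
            else
                scope = "single-address"
            print port, addr, scope
        }'
}

# Print the widest scope on which PORT is listening, or "not-listening".
port_scope() {
    classify_listeners | awk -v p="$1" '
        $1 == p {
            if ($3 == "all-interfaces") r = 3
            else if ($3 == "single-address") r = 2
            else r = 1
            if (r > best) best = r
        }
        END {
            if (best == 3) print "all-interfaces"
            else if (best == 2) print "single-address"
            else if (best == 1) print "loopback-only"
            else print "not-listening"
        }'
}

# Stand-alone run on the constructed sample; on a real host use:
#   ss -ltn | port_scope 2222
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```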
You can also add another rule to Vagrantfile like the following:
config.vm.network :forwarded_port, guest: 1234, host: 22
Connect to Vagrant with the default port (2222) and edit /etc/ssh/sshd_config, then add below Port 22 the port previously configured as 'guest', resulting:
...
Port 22 #Uncomment this line if it's commented
Port 1234
....
Finally, restart the ssh daemon or do vagrant reload (if you edited Vagrantfile while the VM was running you have to reload it) and now you can connect to Vagrant using 'host' port (22 in my case) from outside the host computer.
You can't remove the default port, because Vagrant would hang when starting up.
Use vagrant share --ssh
Vagrant now has a service for registering a Vagrant VM
for remote SSH access automatically.
See here: https://www.vagrantup.com/docs/share/ssh.html
You call vagrant share --ssh.
This generates an SSH key (encrypted and password-protected),
uploads it to a Hashicorp server,
and returns a silly global box name (e.g. "rambunctious-deer-3496").
Then everybody who
has a Hashicorp Atlas account
knows the box name,
knows the password for the key, and
has Vagrant installed(!)
can perform remote SSH to the box via
vagrant connect --ssh BOXNAME.
Vagrant takes care of all the admin stuff behind the scenes (here are some details).
Works as advertised.
I guess this will even work if the Vagrant host (not merely the VM) is behind a NAT.
Limitations:
vagrant share sessions expire (currently after 8 hours)
expect some latency, because all traffic is (presumably)
routed through the Atlas server
I have seen my remote connections close (for no obvious reason)
after I had not used them for maybe 15 minutes.

How to SSH to a VirtualBox guest externally through a host? [closed]

I have a Ubuntu VM running on my Windows 7 machine. How do I set it up so that I can access the webserver externally through SSH?
I found steps (Setup SSH access between VirtualBox Host and Guest VMs) to be able to ssh to my guest from my host, but that still leaves me with the problem of accessing it through my router.
I suppose that I could install an SSH server on my Windows machine and then tunnel a few times (though I'm not 100% sure what to use in terms of local, dynamic, etc. or how to set up multiple tunnels?), but is there a way to make the VM directly accessible to my router so I could directly port forward to it?
The best way to login to a guest Linux VirtualBox VM is port forwarding. By default, you should have one interface already which is using NAT. Then go to the Network settings and click the Port Forwarding button. Add a new Rule. As the rule name, insert "ssh". As "Host port", insert 3022. As "Guest port", insert 22. Everything else of the rule can be left blank.
or from the command line
VBoxManage modifyvm myserver --natpf1 "ssh,tcp,,3022,,22"
where 'myserver' is the name of the created VM. Check the added rules:
VBoxManage showvminfo myserver | grep 'Rule'
That's all! Please be sure you don't forget to install an SSH server in the VM:
sudo apt-get install openssh-server
To SSH into the guest VM, write:
ssh -p 3022 user@127.0.0.1
Where user is your username within the VM.
Change the adapter type in VirtualBox to bridged, and set the guest to use DHCP or set a static IP address outside of the bounds of DHCP. This will cause the Virtual Machine to act like a normal guest on your home network. You can then port forward.
Keeping the NAT adapter and adding a second host-only adapter works amazing, and is crucial for laptops (where the external network always changes).
http://muffinresearch.co.uk/archives/2010/02/08/howto-ssh-into-virtualbox-3-linux-guests/
Remember to create a host-only network in virtualbox itself (GUI -> settings -> network), otherwise you can't create the host-only interface on the guest.
You can also use a Bridged Network (or "Bridge Adapter", in newer versions) in network settings. This will put your VM in a VLAN with your machine. So you can just ssh into the VM like this.
ssh user@IP_OF_VM
How to do host-only network (better than bridged) for Solaris 10 and Ubuntu 16.04
Add Host-only interface
Virtualbox > File > Preferences > Network > Host-only Networks > Add
Shutdown vm.
VM's Settings > Network. First adapter should be Nat, second Host-only.
Start cmd.exe and run ipconfig /all. You should see lines:
Ethernet adapter VirtualBox Host-Only Network:
...
IPv4 Address. . . . . . . . . . . : 192.168.59.1
Second adapter in guest should also be in 192.168.59.*.
Start VM.
Solaris 10
Check settings ifconfig -a. You should see e1000g0 and e1000g1. We are interested in e1000g1.
ifconfig e1000g1 down
ifconfig e1000g1 192.168.56.10 netmask 255.255.255.0 up
Check from host if this interface is reachable: ping 192.168.56.10
Preserve those settings upon reboot
# vi /etc/hostname.e1000g1
192.168.56.10 netmask 255.255.255.0
# reboot
Configure ssh service (administering) to login as root (not advised)
Check if ssh is enabled
# svcs -a | grep ssh
online 15:29:57 svc:/network/ssh:default
Modify /etc/ssh/sshd_config so there is
PermitRootLogin yes
Restart ssh service
svcadm restart ssh
From host check it
ssh root@192.168.56.10
Ubuntu 16.04
List interfaces:
ip addr
You should see three interfaces like lo, enp0s3, enp0s8. We will use the third.
Edit /etc/network/interfaces
auto enp0s8
iface enp0s8 inet static
address 192.168.56.10
netmask 255.255.255.0
Then sudo ifup enp0s8. Check if enp0s8 got correct address. You should see your ip:
$ ip addr show enp0s8
...
inet 192.168.56.10/24 brd 192.168.56.255 scope global secondary enp0s8
If not, you may run sudo ifdown enp0s8 && sudo ifup enp0s8
https://superuser.com/questions/424083/virtualbox-host-ssh-to-guest/424115#424115
In order to ssh to a Ubuntu VM running in VirtualBox from your host machine, you need to set up two network adapters for the VM.
First of all, stop the VM if not yet.
Then select the VM and click the Settings menu in the VirtualBox toolbar:
Set up Adapter 1
Set up Adapter 2
(Note: you don't need to set up any port forwarding.)
That's it. Once set up, you can start your VM. In your VM, the network configuration will look like below and you'll have Internet access too:
Also in your host machine, you can ssh to your VM:
Be sure that the SSH server has been installed and up running in the VM.
$ ps aux | grep sshd
root 864 0.1 0.5 65512 5392 ? Ss 22:10 0:00 /usr/sbin/sshd -D
If not, install it:
$ sudo apt-get install openssh-server
Also for your information:
My VirtualBox version: 5.2.6 r120293 (Qt5.6.2), 2018
My Ubuntu version: Ubuntu 16.04.3 LTS
My host machine: Windows 10
SSH Back to Your Home / Office VirtualBox Guest Machine From The INTERNET
The answers provided by other users here : How to SSH to a VirtualBox guest externally through a host?
... helped me to accomplish the task of connecting from out on the internet to my home computer's guest machine. You should be able to connect using computers, tablets, and smart phones (Android, iPhone, etc.). I add a few more steps in case it might be helpful to someone else:
Here is a quick diagram of my setup:
Remote device ---> INTERNET --> MODEM --> ROUTER --> HOST MACHINE --> GUEST VM
Remote device (ssh client) ---> PASS THRU DEVICES ---> GUEST VM (ssh server)
Remote device (leave ssh port 3022) ---> INTERNET --> MODEM --> ROUTER (FWD frm:p3022 to:p3022)--> HOST MACHINE (FWD frm:p3022 to:p22) --> GUEST VM (arrive ssh port 22)
The key for me was to realize that ALL connections were PASSING-THROUGH intermediary devices to get from my remote PC to my guest virtual-machine at home -- Hence port forwarding!
Notes:
* Need ssh client to request a secure connection and a running ssh server to process the secure connection.
I will forward the port 3022 as used in the chosen answer from above.
Enter your IPs where needed (home modem/router, host IP, guest IP,etc.), Names chosen are just examples-use or change.
1. Create ssh tunnel to port 3022 on your modem's IP / router's external IP address.
ssh client/device possible commands: ssh -p 3022 user-name@home_external_IP
2. Port forward = we are passing thru the connection from router to host machine
Also make sure firewall /IPtable rules on router is allowing ports to be forward (open if needed)
Router's Pfwd SCREEN required entries: AppName:SSH_Fwd, Port_from: 3022, Protocol:both (UDP/TCP), IP_address:hostIP_address, Port_to:3022, everything else can be blank
DD-WRT router software resources / Info:
DD-WRT Port_Forwarding
DD-WRT Static_DHCP
3. Host Machine Firewall: open port 3022 #so forwarded port can pass thru to guest machine
Host Machine: Install VirtualBox, guest additions, and guest machine if not done already
Configure guest machine and then follow the Network section below
I used VirtualBox GUI to setup guest's network- easier than CLI
If you want to use other methods refer to : VirtualBox/manual/ch06.html#natforward
4. Some suggest using Network Bridge adapter for guest = access to LAN and other machines on your LAN. This also poses an increased security risk, because your guest machine is now exposed to LAN machines and possibly the INTERNET hackers if firewall not set up properly. So I selected Network adapter attached to NAT for less exposure to bridged security risks.
On the guest machine do the following:
Guest Machine VirtualBox Network settings: Adapter 1: Attached to NAT
Guest Machine VirtualBox Port Forwarding Rule: Name:External_SSH, Protocol:TCP, Host Port: 3022, Guest Port 22, Host&guest IPs:leave blank
click on advance in Network section then click on Port forwarding to enter rules
Guest Machine Firewall: open port 22 #so ssh connection can enter
Guest Machine: Make sure that ssh server is installed, configured properly, and running
LINUX test to see if ssh server running w/command: sudo service ssh status
Can check netstat to see if connection made to port 22 on the guest machine
Also there are different ssh servers and clients depending on platform using.
wikipedia/Secure_Shell
wikipedia/Comparison_of_SSH_servers
wikipedia/Comparison_of_SSH_clients
For Ubuntu Users:
ubuntu community: SSHOpenSSH/Configuring
ubuntu/community: OpenSSH/Keys
That should be it. If I made a mistake or want to add anything -feel free to do so-- I am still a noob.
Hope this helps someone. Good luck!
For Windows host, you can :
In virtualbox manager:
select ctrl+G in your virtualbox manager,
then go to network panel
add a private network
make sure that activate DHCP is NOT selected
In network management (windows)
Select the newly created virtualbox host only adapter and the physical network card
Right-Click and select "Make bridge"
Enjoy
You can also initiate a port forward TO your HOST, OR ANY OTHER SERVER, from your Guest. This is especially useful if your Guest is 'locked' or can't otherwise complete the ModifyVM option (e.g. no permission to VBoxManage).
Three minor requirements are 1) you are/can log into the VirtualBox Guest (via 'console' GUI, another Guest, etc), 2) you have an account on the VirtualBox HOST (or other Server), and 3) SSH and TCP forwarding is not blocked.
Presuming you can meet the 3 requirements, these are the steps:
On the Guest, run netstat -rn and find the Gateway address to the default route destination 0.0.0.0. Let's say it's "10.0.2.2". This 'Gateway' address is (one of) the VirtualBox Host virtual IP(s).
On the Guest, run ssh -R 2222:localhost:22 10.0.2.2 where "10.0.2.2" is the VirtualBox server's IP address -OR- any other server IP you wish to port forward to.
On the Host, run ssh 10.0.2.2 -p2222 where 10.0.2.2 is the default gateway/VBHost virtual IP found in step 1. If it is NOT the VirtualBox host you are port forwarding to, then the command is ssh localhost -p2222
Follow below steps to login to your ubuntu VM running in virtual box from the host machine using putty (Without port forwarding):
On Virtualbox manager select the vm, click on settings icon. Then go Networks and enable two adaptors as below:
Adaptor 1 (For internet access): Attached to -> NAT, Advanced -> Check the cable connected.
Adaptor 2: Attached to -> Host only adaptor, Advanced -> Check the cable connected and Promiscuous mode -> Allow all.
Start the ubuntu vm.
Login to the VM as root.
Edit the file '/etc/network/interfaces' as below and save it:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet dhcp
Restart the VM.
Login to the VM and run below command to check the IP allocated to eth1:
ifconfig
Use this IP to open putty session for the VM.
A good explanation about how to configure port forwarding with NAT is found in the VirtualBox documents:
http://www.virtualbox.org/manual/ch06.html#natforward
Ubuntu 18.04 LTS
Configuration with bridged to see the server ip, and connect without "port forwarding"
VirtualBox > right click in server > settings > Network > enable adapter 2 > select "bridged" > Promiscuous mode: allow all > Check the cable connected > start server
On ubuntu server, edit sudo nano /etc/netplan/*init.yaml file,
My sample file:
network:
  ethernets:
    enp0s3:
      addresses: []
      dhcp4: true
    enp0s8:
      addresses: [192.168.0.200/24]
      dhcp4: no
      dhcp6: no
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
  version: 2
Commands that will help you
nano /etc/netplan/file.yaml # file to specify the rules of network
reboot now # restart ubuntu server right now
netplan apply # do after edited *.yaml, to apply changes
ifconfig -a # show interfaces with ip, netmask, broadcast, etc...
ping google.com # to see if there is internet
Configure Static IP Addresses On Ubuntu 18.04 LTS Server - with NetPlan
Simply setting the Network Setting to bridged did the trick for me.
Your IP will change when you do this. However, in my case it didn't change immediately. ifconfig returned the same ip. I rebooted the vm and boom, the ip set itself to one starting with 192.* and I was immediately allowed ssh access.
On secure networks setting your network to bridge might not work. Administrators could only allow one mac address per port or even worse block the port should the switches detect multiple macs on one port.
The best solution in my opinion is to set up additional network interfaces to handle additional services you would like to run on your machines. So I have a bridge interface to allow for bridging when I take my laptop home and can SSH into it from other devices on my network as well as a host only adapter when I would like to SSH into my VM from my laptop when I am connected to the eduroam wifi network on campus.
Use NAT network adapter and Add port forward. Mention actual host ip. Do not use 127.0.0.1 or localhost.

Access my foscam camera on my home from the Internet - using ssh tunnels

Recently I bought a Foscam wireless IP camera:
http://www.foscam.com/Products_List.asp?id=173
In my home, my laptop and my IP camera are behind a cable modem (my ISP gives me a dynamic IP) using a linksys router (I don't have a public IP).
Actually I use SSH in a basic way to learn / manage some basic things in my VPS server.
My question is (the right ssh flags and commands to achieve this):
I think that I need to create:
A tunnel from my local router to a remote VPS server where I have root access.
A portforward in the router.
Thanks in advance.
You need to add a port forward in your router from port X to port 22 on your home computer.
You can then ssh -p X username@your-home-ip.
Include the -L Y:foscamip:80 command line switch when you run ssh, assuming foscam runs a web server on port 80 (standard). Use something over 1024 for Y, like 8080.
Open up a web browser, and go to http://localhost:Y.
You have access! When you're done, simply log out of your ssh session.
Old question, but I will answer in the hope it helps someone like me. Given:
you have a VPS with root access at root@example.com
you have an RTSP-compatible IP camera in your LAN at address 192.168.1.100
you have a PC/router/Raspberry Pi able to create the tunnel
what I did was
ssh -N -f -R 10554:192.168.1.100:554 root@example.com
Explanation:
-N: don't execute any command via SSH
-f: put SSH in the background
-R: remote port forwarding
10554: a port to open on the VPS to access the IP camera (better if > 1024)
192.168.1.100:554: IP address and port you want to access remotely
root@example.com: user and address of your VPS
To access the RTSP stream of the camera, open rtsp://<username>:<password>@example.com:10554/<path-to-stream>.
Of course it works fine also for other kind of streams (e.g. HTTP).
Better yet, use autossh.
/usr/bin/autossh -N -f -M 0 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 10554:192.168.1.100:554 root@example.com
I ended up with this command reading a lot of articles on the web. I even created an autossh user on the VPS without a shell, so it can do nothing apart from port forwarding.