SSH to maintain remote computer?

As the title suggests, I am trying to find a way to do more than use Anydesk to resolve issues on my mom’s computer on her home network.

I am setting up a desktop with Linux Mint for her (to get her off of windoze) and will be bringing it with me when I visit her next month.

I have never used or learned about SSH, but from my limited look at it, using it this way, some ‘port forwarding’ would be involved on her router? mine? both? Note I have my own router & modem so I control everything there, but she has a stock ISP gateway that I do not yet know if port forwarding is allowed, although I think it surely is as some gaming setups require it, if I recall.

Before I delve more into that, my main concern is doing something outside of the OS from my pc. So obviously I can use Anydesk as I have been doing, but what about at boot? in BIOS to change boot order or running a live session to resolve issues if she cannot boot into LM? Is there a way to do this?

It seems very complex from reading on this forum the discussion …establish ssh connection to remote computer…

Living so far away from my mom, and she having no understanding of computers, I need to find a way to resolve issues should they arise after getting her switched to Linux.

Thanks,
Sheila Flanagan

1 Like

Hello

My 2 cents, about remoting

  • SSH login is about access only for command (terminal)
  • SSH Keys are based to establish a secured connection between client and server
  • Remmina for GUI access

I use both in my LAN

The main concern is the IP addresses of your mother’s home and yours. SSH (I am assuming Remmina too) handles the specific IPs of the client and server, so theoretically they should be static to reach home to home as a first step - whether the homes use a static IP or not is handled by the ISP provider - and perhaps it is not free. Here in my country it is not free and therefore everything is based on DHCP.

Port forwarding would be another problem, but see “alpha” later. It is interesting; I would have the same situation with my sister. Sadly, due to lack of time I can’t do more research on this. As a starting point, consider doing some research on YouTube… (alpha): BTW, normally they use an external host as the server in the examples, for example GitHub, where the SSH public key is sent. Thus port forwarding perhaps would not be an issue. I use SSH for GitHub and other places without any problem, with my house’s IP based on DHCP and no configuration done about ports in my router.

Note: YouTube has excellent tutorials about how to generate and use public/private keys.

HTH in some way. Please let us know your progress.

1 Like

Thanks, @Manuel_Jordan I will see if YT can be of help. I read one article about Github, but did not understand how it can be used in my scenario. I am pretty sure both of us are DHCP, but I will confirm.

Sheila Flanagan

I use ssh and sftp to manage and communicate with my desktop-server. There are several steps involved, none hard, but the jargon is cryptic. I had help from a friend to get this going initially.

Here’s a list of things to do to start. I apologize if there are any mistakes. (This is where those tech-savvy friends come in.)

You need to give your mom’s computer a fixed IP address. This is done in the router. Where it’s located in the router menu varies with the brand. In my ASUS router it’s at LAN > DHCP Server > Manually assigned IP. You also have to adjust the IP’s that are available to DHCP so it doesn’t assign another device to the same address.

Then you set up port forwarding which is at WAN > Virtual Server/Port Forwarding. The “service name” is SFTP/SSH, the “external port” is 22, the “Internal IP Address” is the fixed address you assigned.

There is a file at /etc/ssh/sshd_config that tells the host computer what port to listen on. The default for this is port 22 so you should be good to go.

If you want to access the computer from outside your home network you ought to set up an account with a DNS. Most home users don’t get a fixed IP address from their ISP so this service keeps the address current and lets you have a URL.

Then, from a terminal, you can issue the command
ssh -p 22 you.yourcomputer.whatever

You can also use SFTP with the command
sftp -P 22 you.yourcomputer.whatever

Note that ssh uses a lowercase ‘p’ and sftp uses uppercase ‘P’. I don’t know why.
You may be able to leave out the ‘-p 22’ from both commands as this is the default.

The default is to authenticate with a password. I forget how to do this part since I started using Public Key Infrastructure authentication some years ago and disabled password logins by editing the config file. But that’s a project for later.

If you find you are getting overrun with login attempts at port 22 you can move everything to another port and things will be much quieter. That, too, is another project.

     Don
2 Likes

I do this often - I only have one port forwarding or “NAT” (Network Address Translation) rule on my VDSL Modem / Router - I forward a non-standard port number (i.e. NOT “22” itself) to my “headless” RPi4 - on port 22.

e.g. requests on Port 5000 (not the actual port) to my router’s public IP address are forwarded to port 22 on the Raspberry Pi 4 (running Ubuntu 22.04 server).

  1. I have root login disabled - this is the first thing - this is the default with Ubuntu anyway.
  2. I have installed fail2ban, this is the 2nd most important thing - I haven’t tweaked mine at all - however, I preferred the more restrictive rules that Debian Buster enforced when that Pi was running Debian - but it seems to work on Ubuntu anyway…

I also have No-IP dynamic DNS (on my router) - so I don’t need to know the public IP address.

Anyway - I can use the Pi as an SSH “jump host” to get further into my home network. e.g. I’m at work, I need a file that’s on my desktop machine, I ssh to my Pi4, then ssh to my desktop machine (or establish a tunnel using the Pi 4 as jumphost) - I could probably even “tunnel” other protocols (e.g. RDP) over SSH - but have no need for that.

Another thing - I do get the odd flood of port scanning on my router - so they (the attempted hackers) end up finding the non-standard port I’m using anyway, and attempt to SSH as root or any other number of users, until they get banned / jailed.

But - I’d still HIGHLY recommend using a non standard port (e.g. one that your mum’s ISP allows! My ISP doesn’t block anything, the port I chose and have been using for years, was one my employer allowed out when I was working at the office).

When I “whois” the source IP addresses, they’re nearly always in China, or Russia.

3 Likes
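Putting together what Don and Dan describe above (root login disabled, keys instead of passwords, sshd moved off port 22), here is an added example that is not from either poster: a small POSIX shell audit of an sshd_config file. It assumes only sh and awk; the two config files it writes are constructed samples, and the defaults it falls back on when a keyword is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, Port 22) are OpenSSH’s documented defaults.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three settings
# discussed above. Requires only POSIX sh and awk. Sample configs are constructed.

# sshd_setting FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD. Mirrors sshd's own rules: keywords are
# case-insensitive, comments and blank lines are ignored, the FIRST occurrence
# wins, and anything after a "Match" line is conditional, so the scan stops there.
# (The rare "Keyword=value" spelling is not handled.)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per finding that contradicts the advice in this thread and
# nothing when the file passes. Always returns 0 so it is safe inside $(...).
sshd_audit() {
    v=$(sshd_setting "$1" PermitRootLogin prohibit-password)   # OpenSSH default
    [ "$v" = "no" ] || echo "PermitRootLogin is '$v'; the thread recommends 'no'"
    v=$(sshd_setting "$1" PasswordAuthentication yes)          # OpenSSH default
    [ "$v" = "no" ] || echo "PasswordAuthentication is '$v'; use keys and set it to 'no'"
    v=$(sshd_setting "$1" Port 22)                             # OpenSSH default
    [ "$v" != "22" ] || echo "Port is 22; a non-standard forwarded port cuts down scanner noise"
    return 0
}

# sshd_audit_count FILE  ->  number of findings (handy for scripts)
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: a typical "stock" config. Commented-out lines are
# documentation only, so PasswordAuthentication and Port take their defaults.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#Port 22
#PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Constructed sample 2: hardened the way the thread suggests. The Match block at
# the end re-enables passwords for one user only and must not override the
# global value, which is why the scan stops at "Match".
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 9000
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

echo "== stock config =="
sshd_audit "$WEAK_CFG"
echo "== hardened config (no output means it passed) =="
sshd_audit "$HARD_CFG"
```

On a real machine run `sshd_audit /etc/ssh/sshd_config` (as root, since the file is usually not world-readable); the audit only reads the file, so it is safe to run repeatedly after each edit, and `sudo sshd -t` remains the authoritative syntax check before restarting the service.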

@daniel.m.tripp so let me see if I understand so far:

On my Mom’s router, I forward a NON-standard port#, say 22.
I have root login disabled on my Mom’s Linux?
I install fail2ban (will have to look into the setup as I have not dealt with it before) on her computer?
Then I can use No-IP (a service offered to me but have never used) on my Mom’s Linux machine so that I will not need to know the public address? That address being the one I will be accessing from my home network?
No idea about flood of port scanning on my own router, but okay.

So I do not need to do anything on my router, only hers as it is her machine I need to access.

Now how does SSH come into play? There will be some address that I will input with SSH in terminal?
Does that mean I can only use CLI in accessing her machine when OS is not loaded?
I assume I cannot get into the UEFI/BIOS and switch boot order to the Ventoy USB I intend to leave with her?

Sorry for all the questions, but am a real noob to this type of stuff.

Thanks,
Sheila

Is this where No-IP service comes into play? I remember using this before I had a VPN and since I am not sure I am renewing it in January, may go back to it.

So the CLI is simply ssh -p 22 and /home/username that linux assigns her computer name or is it something I create/configure in another step? or do I type the assigned IP address here?

Quieter? Not sure what that means or why.

Thanks for your help. Once I get something concrete in listing my steps, I better do a trial run here on say one of my adult daughter’s routers and see if it will work.

Sheila Flanagan

I’m not sure what No-IP is, but it sounds right. Your home has an IP address that is numeric. When you type an address like www.google.com there is a part of the internet called a DNS computer that turns www.google.com into its numeric form which is what’s actually used to find its way to google. You could use your actual numeric IP address instead. The only problem (which is rare) is that your ISP may change your address now and then. If you sign up with a DNS service you get to choose the address name (the first part of the address) and the service adds the last parts, names they’ve purchased the rights to use. (My DNS service has “mine.nu” as one of the suffixes they own.) So you could choose “sheilasmom” as the name for her computer. Then the full address might look like sheilasmom.mine.nu

You have to tell mom’s computer to listen on port 22 (which it probably is already doing). You have to tell the router to forward all port 22 connection requests to her computer and not to any of the other computers on the home network.

What I meant by getting overrun: connection attempts coming in from the internet are logged. I would periodically look at the log and see that there were attempts every 35 seconds around the clock. All got rejected since they didn’t have my private RSA key. I changed the port from the default of 22 to another number (just like Dan did) and now I get less than one attempt per day. It makes no difference to the speed of my network but it made me feel like a smart guy.

Oh, one more important step may be needed. I use Ubuntu and it does NOT install the ssh server software by default. You have to add it. Here’s a link about how to do that:

I know it seems daunting but just take it step by step and don’t give up.

   Don

A network uses ports as addresses for the different computers in the network.

It’s like an office building with thousands of separate companies within. In the case of personal computers there are 65,535 (I think) different port numbers available to use. The first 1024 are reserved for the operating system (22 is used for ssh and sftp connections; 80 is used by browsers).

Other ports get “opened” when you install certain software, such as a game. “Opened” means the network knows that traffic coming in for, say, port 4090, goes to a particular machine that’s waiting for stuff coming in with that address.

In your case you want stuff coming in that’s looking for port 22 to be directed to your mom’s computer where the ssh server is waiting and listening. (You don’t have to install the server software on your computer, only on the host, the one that accepts connections from other computers.)

I use an ssh client config file in ~/.ssh/ on my local machine.

Host    xp expi pi-outside
        Hostname        blah.blah.blah
        User            user
        Port            nnnn

Note : “blah.blah.blah”, “user” and “nnnn” are redacted - in my actual config in ~/.ssh/ folder (on my local machine I’m going to SSH from) - I have the real actual values… The top line “Host xp expi pi-outside” is any arbitrary string you can choose for a nickname or shortcut - the only thing that matters is “Hostname blah.blah.blah” (it can also be just IP address e.g. “Hostname 200.1.200.44”).

You can use No-IP for free - you just get a monthly email reminder to renew your domain/host entry (I pay for mine biennially [i.e. every 2 years]) - so you place the No-IP domain name (you can use any dynamic DNS service - but - proviso - your mum’s router must support this service - or - you install a dynamic DNS client / agent on her Linux laptop) into your ~/.ssh/config file.

“user” is some user that has sudo on your mum’s laptop.

“Port”, e.g. not “22” - could be anything arbitrarily chosen, e.g. 9000 (preferably one that’s not a common service like RDP 3389!) - most Linux and UNIX systems will have a list of ports in /etc/services - choose one that’s not listed (and hope your mum’s ISP doesn’t block any ports).

On your mum’s router - you forward port “nnnn” to the IP address (best to set a dedicated DHCP lease for your mum’s laptop on the router [e.g. via the MAC address of your mum’s laptop] - that’s a bit tricky to do from hundreds or thousands of miles away).

Anyway I just use a terminal window and type :

ssh expi

Note : you cannot use SSH until the laptop has booted into a multi-user environment (e.g. after it’s booted into GUI)**. If you want to be able to access UEFI or BIOS - you’re out of luck - that’s what things like ILOM are for (most servers have ILOM - integrated lights out management - i.e. a console on a dedicated ethernet port - usually managed from a web browser).

There is a “project” out on the intertubes to be able to do just that - HDMI to a device’s HDMI port, to view POST and UEFI / BIOS and pre-boot GRUB screens - but it’s hardware, and not really cheap - it uses a Raspberry Pi. What you’d need is some sort of IP KVM (and you’d have to port forward on your mum’s router to whatever port the IP KVM listens on), and your mum’s laptop would have to be connected via HDMI (and USB for HID [keyboard / mouse]).

My mum lives 3,000 km away (I’m in Perth West Oz, she’s in Melbourne) - she’s 86 - she used to have a laptop (Windows 7? XP?) - but now all she uses is an iPad - I’d never contemplate what you’re hoping to achieve in this scenario. My brother lives in Melbourne too - and he used to help her out with broadband, router, laptop etc. She’s a bit of a technophobe, but manages quite well on her iPad - he still does help her from time to time - but he’s about 50-60 km away across some of the worst traffic in an Australian metropolis (I’ve seen it - I wouldn’t cope with such traffic myself - 24 hours a day traffic snarls and congestion). My sister lives with her, but she’s a technophobe too - so not a great deal of help…

** in most cases, so long as the machine has booted past grub (and it’s got either sshd or openssh-server [different distros have different names for the SystemD daemon name/package] installed and enabled [e.g. “sudo systemctl enable sshd”]) - you can ssh to it even if e.g. the GUI fails to load. This is how I “rescue” my Thinkpad running Ubuntu 23.10 - I have to SSH to it and disable or kill gdm - otherwise it goes through a “loop” - once I’ve killed that thing causing the loop, I can then login to the TTY text console login physically on the device, then type “startx” to load my GUI (I need to re-install the O/S from scratch on it - will probably go for Pop!_OS).

1 Like

That’s why I chose Dynu.
I get no reminders, no need to renew monthly. It just works, and allows you to add any type of DNS record, such as SPF, TXT, or PTR. The free service allows 4 entries per domain.

3 Likes

So I would be at the grub? where I can use CLI to repair, etc.?

That’s something at least.

I understand the rest of what you said, including that project out there right now to actually get into a remote computer but obviously this is not a “now” solution. But thanks for the heads up!

Had planned to work on this today, but now another issue has arisen on the desktop I am giving her: NO Linux OS will install on either SSD since I removed Windows 10.

Yes I have Secure Boot off and in fact, I saw errors during my attempts that made me think the BIOS might need updating…but why? This machine has been running windoze since I got it and according to the manufacturer, Windows Updates takes care of updating BIOS…hah.

So I flashed it and no issues there, and those error messages went away while trying to install Pop OS. I gave up on LM and Kubuntu when after I had a dual boot with Windows 10 and LM working fine on the larger SSD, I decided to try and install Kubuntu in place of W10 and it failed. From there, every single attempt, including Pop OS with the Nvidia driver already in the pkg install, it shows up in BIOS that Pop OS is on the drive, but when I boot, I get a blank screen.

So I have ordered another drive just in case and it will be here Monday and then I will attempt to get two different linux OS installed as dual boot, cause that is the only other fallback solution I can think of besides SSH as we discussed.

If one does not boot, maybe I can get her to hit the DEL key and get into BIOS and guide her to choose the other OS as primary. If the GRUB comes up, and I can SSH into her machine, great–I’ll see what’s up and try to resolve it. But I figured better to have 2 working rather than one.

Thanks so much!
Sheila

No - SSH daemon runs AFTER grub has run and selected which kernel to boot…

Grub is before booting the operating system - no operating system, no sshd / openssh-server…

2 Likes

Oops…well providing Grub appears, she can at least choose the other OS.

Sheila

Sheila -

Something I forgot to add: you asked what I meant about the server computer being overrun with login requests.

Most users leave things set at the default port 22 for ssh login requests. There are folks out there looking for insecure computers that they can hack into and make them part of their botnet. They try various user names and default passwords that may have been installed by a particular piece of common software. By changing the port from 22 to something randomly chosen your server will simply not respond to port 22 attempts.

There is a command that will scan an IP address to find any open port. With more than 65,000 ports it takes a while to run through them. Eventually (it took two months in my case) someone will find you and you will see occasional login attempts. But instead of one attempt every 30 to 40 seconds around the clock it’s cut down to less than one a day. I did this hoping it would shrink the so-called “attack surface” of my server.

3 Likes
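As an added example (not Don’s or Dan’s own tooling), here is the kind of check behind Don’s “one attempt every 35 seconds” observation earlier in the thread and Dan’s fail2ban counts: a POSIX shell/awk pass over sshd’s log lines that tallies failed logins per source address and lists the ones at or above a threshold, which is the decision fail2ban makes before it bans an address. The log lines are constructed to match the format sshd writes to /var/log/auth.log (or `journalctl -u ssh`); the addresses are from documentation ranges, not real scanners.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SSH logins per source IP,
# fail2ban-style, from sshd log lines. POSIX sh + awk + sort only.

# Constructed sample log lines in the format sshd writes to /var/log/auth.log.
# Addresses are from the RFC 5737 documentation ranges (not real hosts).
SAMPLE_LOG='Dec  1 10:00:01 pi4 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Dec  1 10:00:36 pi4 sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Dec  1 10:01:11 pi4 sshd[1207]: Failed password for root from 203.0.113.5 port 51041 ssh2
Dec  1 10:01:47 pi4 sshd[1210]: Invalid user pi from 203.0.113.5 port 51055
Dec  1 10:01:47 pi4 sshd[1210]: Failed password for invalid user pi from 203.0.113.5 port 51055 ssh2
Dec  1 10:02:20 pi4 sshd[1213]: Failed password for root from 203.0.113.5 port 51060 ssh2
Dec  1 10:05:02 pi4 sshd[1220]: Failed password for invalid user test from 198.51.100.9 port 40011 ssh2
Dec  1 10:07:15 pi4 sshd[1225]: Accepted publickey for don from 192.0.2.10 port 50022 ssh2: RSA SHA256:constructed
Dec  1 10:09:40 pi4 sshd[1230]: Connection closed by authenticating user root 203.0.113.5 port 51077 [preauth]'

# failed_by_ip < log  ->  "<count> <ip>" per source address, most failures first.
# Only "Failed password" lines are counted: the separate "Invalid user" line sshd
# logs for a bad username is not double counted, and the "Accepted publickey"
# line (a successful key login, like Don's) is ignored. The word after "from"
# is the client address regardless of whether a username precedes it.
failed_by_ip() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# ips_over_threshold N < log  ->  addresses with at least N failures, one per line.
ips_over_threshold() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Stand-alone demo on the constructed sample. On a real host replace the printf
# with:   grep 'sshd\[' /var/log/auth.log | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "-- at or above 5 failures --"
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 5
```

Running this against a week of logs before and after moving sshd to a non-standard port gives a concrete before/after for the “quieter” effect Don and Dan describe; fail2ban does the same tally continuously with a time window and then inserts the firewall rule.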

Just took a look at my fail2ban logs (my router is forwarding a non-standard port, to my Pi4) - last week - only 2 entries, one from Iran, one from China… Most of them seem to be from China…

Shame - would like to contact some Iranians, visiting that beautiful country has long been on my bucket list…

@Sheila_Flanagan - There’s lots of good advice in this thread and many SSH resources on the web. However, if you’d like a relaxed, comprehensive tour of SSH from start to finish, check out my book, SSH, the Secure Shell: The Definitive Guide, 2nd Edition. It contains much more information than you need, and the software has changed quite a bit since publication (2005), but you may find the early chapters on concepts, clients, and keys helpful for basic understanding. Your local library may have the book, or you can read it online.

2 Likes

Thanks, @dbauthor I found it and will give it a whirl. Hopefully it will help with the gaps in my understanding.

Sheila Flanagan

1 Like