Making Raspi Visible - Hardened SSH Configuration
By default Raspbmc forbids SSH login from outside of our local network (192.168.*.*). It is a safety measure, because too many people exposed their Raspberry Pi to the Internet without changing default passwords or generating new public keys. However, what if we want to have constant access to our Raspi shell account from work or any other place? This tutorial shows how to expose the Raspi to the Internet in a secure manner.
Preparations
First things first, log in to your Raspberry Pi:
and acquire root privileges:
sudo bash
By calling sudo bash we open a new shell session with root access, so we don’t need to prefix every command with sudo. Before continuing, let’s update the package repository information:
apt-get update
Since pi is a globally known user on Raspberry systems, I suggest creating a new user that we will use to access the Raspberry from remote locations. Meanwhile pi will serve as a localhost-only user. To create the new user, type (change user_name to whatever you want):
adduser user_name
Make sure to choose a strong, non-dictionary password for the new user!
We would like the new user to be able to perform sudo operations, so run visudo and copy the line
pi ALL=(ALL) NOPASSWD: ALL
and change pi to whatever user name you chose in the previous step:
user_name ALL=(ALL) NOPASSWD: ALL
SSH configuration
We can’t control the default SSH daemon provided by Raspbmc, so we need to install the full package:
apt-get install ssh
Now a few new files should appear in /etc/ssh/. We need to edit /etc/ssh/sshd_config. Append the following lines:
# login options
# root should never be accessible via ssh
PermitRootLogin no
# only one user will be able to log in from remote locations, others need to use
# local network
AllowUsers *@192.168.*.* user_name
This way we need to explicitly add every new user that should have rights to log in using SSH.
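An added example, not part of the original tutorial: sshd uses the first value it reads for a keyword such as PermitRootLogin, so lines appended to a file that already sets the keyword are ignored, while repeated AllowUsers lines accumulate. The shell sketch below applies those rules to two constructed sample files; policy_problems and check_config are hypothetical helper names.

```shell
#!/bin/sh
# Added example (constructed): check that the directives appended to
# sshd_config are the ones sshd will actually use.

# policy_problems FILE REMOTE_USER -> one line per deviation from the
# tutorial's policy; empty output means the policy is in effect.
# Assumes whitespace-separated "Keyword value" lines in the global section.
policy_problems() {
    awk -v remote="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments, blank lines
        { key = tolower($1) }                    # keywords ignore case
        key == "match" { exit }                  # conditional blocks follow
        key == "permitrootlogin" && !seen_root { seen_root = 1; root = $2 }
        key == "allowusers" {                    # repeated lines accumulate
            seen_allow = 1
            for (i = 2; i <= NF; i++)
                if ($i != remote && $i !~ /@192\.168\.\*\.\*$/)
                    print "AllowUsers pattern " $i " is not limited to the LAN"
        }
        END {
            if (root != "no")
                print "effective PermitRootLogin is " (seen_root ? root : "unset")
            if (!seen_allow)
                print "no AllowUsers line, so every account may log in"
        }' "$1"
}

# check_config FILE REMOTE_USER -> exit status 0 only if nothing was reported
check_config() {
    problems=$(policy_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems" | sed 's/^/FAIL: /'
    return 1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
# Constructed sample 1: a file that already sets PermitRootLogin, with the
# tutorial's block appended after it.
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '# login options' \
    'PermitRootLogin no' 'AllowUsers *@192.168.*.* user_name' > "$demo_dir/appended"
# Constructed sample 2: the same file with the earlier line commented out.
sed 's/^PermitRootLogin yes/#&/' "$demo_dir/appended" > "$demo_dir/fixed"
check_config "$demo_dir/appended" user_name || echo "appended: policy not in effect"
check_config "$demo_dir/fixed" user_name && echo "fixed: policy in effect"
```

On the Pi itself, sshd -T prints the daemon's own view of the effective configuration and can be used for the same check.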
iptables
There is one more thing to configure. By default Raspbmc blocks all incoming traffic from outside of our LAN. To change this behavior we need to edit /etc/network/if-up.d/secure-rmc .
At the end of this file, find the lines that populate iptables when a network interface starts:
logger -t iptables "Configuring ip tables for interface $IFACE"
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
and change them to:
logger -t iptables "Configuring ip tables for interface $IFACE"
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -i $IFACE -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
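The line that we added makes the Raspi accept incoming connections to port 22 (the SSH port). The order of these lines does matter: iptables checks rules from top to bottom and stops at the first match, so the ACCEPT rule for port 22 has to come before the final DROP.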
Now restart your Raspbmc to ensure that all settings get reloaded and that’s it!
Router port forwarding
… or is it? It is quite probable that, although the Raspbmc configuration is correct, you still can’t access the Raspi from the outside. In most cases you have to configure port forwarding on your router. Detailed instructions are out of scope of this tutorial, but what you need to achieve is to forward all incoming connections on port 22 to your Raspi port 22
where 192.168.x.x is your Raspberry Pi local network IP address and x.x.x.x is your router public address. There are plenty of tutorials on how to do it on Google, just search for router_manufacturer port forwarding.