Making Raspi visible – hardened SSH configuration

By default, Raspbmc forbids SSH login from outside of our local network (192.168.*.*). It is a safety measure, because too many people exposed their Raspberry to the Internet without changing default passwords or generating new public keys. However, what if we want to have constant access to our Raspi shell account from work or any other place? This tutorial will show how to expose the Raspi to the Internet in a secure manner.

Preparations

First things first, log in to your Raspberry Pi:

and acquire root privileges:

By calling sudo bash we open a new shell session with root access, so we don’t need to prefix every command with sudo. Before continuing, let’s update the package repository information:

Since pi is a globally known user for Raspberry systems, I suggest creating a new user that we will use to access the Raspberry from remote locations. Meanwhile, pi will serve as a localhost-only user. To create the new user, type (change user_name to whatever you want):

Make sure to choose a strong, non-dictionary password for the new user!
We would like the new user to be able to perform sudo operations, so run visudo and copy the line

and change pi to whatever user name you chose in the previous step.

SSH configuration

We can’t control the default SSH daemon provided by Raspbmc, so we need to install the full package:

apt-get install ssh

Now a few new files should appear in /etc/ssh/. We need to edit /etc/ssh/sshd_config. Append the following directives:

This way, we need to explicitly add every new user that should have the right to log in using SSH.

iptables

There is one more thing to configure. By default, Raspbmc blocks all incoming traffic from outside of our LAN. To change this behavior we need to edit /etc/network/if-up.d/secure-rmc.
At the end of this file, find the lines that populate iptables when the network interface starts

and change them to:

 

The line that we added (the order of those lines does matter!) makes the Raspi accept incoming connections to port 22 (the SSH port).
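The ordering caveat above can be checked mechanically. The following shell function is an added example, not part of the original post: it scans a script for appended INPUT rules and reports whether the port 22 ACCEPT comes before any DROP or REJECT that would shadow it. The function name, the interface name and both sample rule sets are constructed for illustration and are not the real contents of secure-rmc.

```shell
#!/bin/sh
# iptables walks a chain top to bottom and stops at the first matching rule.
# Rules appended with -A land in the order the script runs them, so an
# ACCEPT for port 22 placed after a catch-all DROP is never reached.

# ssh_accept_reachable FILE (hypothetical helper name)
# returns 0 if the tcp/22 ACCEPT precedes every rule that would drop it,
#         1 if a DROP/REJECT comes first,
#         2 if the file contains no ACCEPT for port 22 at all.
ssh_accept_reachable() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        !/iptables/ || !/-A[ \t]+INPUT/ { next }   # only appended INPUT rules
        {
            is_ssh   = ($0 ~ /--dport[ \t]+22([^0-9]|$)/)
            has_port = ($0 ~ /--dport/)
        }
        /-j[ \t]+ACCEPT/ && is_ssh { if (!accept) accept = NR }
        # Conservative: any DROP/REJECT without a port, or for port 22,
        # is treated as shadowing SSH, even if it also has a source filter.
        /-j[ \t]+(DROP|REJECT)/ && (is_ssh || !has_port) { if (!drop) drop = NR }
        END {
            if (!accept) exit 2
            if (drop && drop < accept) exit 1
            exit 0
        }
    ' "$1"
}

# Constructed sample rule sets (assumed layout, interface eth0).
dir=$(mktemp -d)
cat > "$dir/good" <<'EOF'
iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
EOF
cat > "$dir/bad" <<'EOF'
iptables -A INPUT -s 192.168.0.0/16 -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
EOF
for f in good bad; do
    ssh_accept_reachable "$dir/$f" && echo "$f: SSH rule reachable" \
        || echo "$f: SSH rule missing or shadowed"
done
rm -rf "$dir"
```

Run it against the edited file before rebooting; a return code of 1 means the new line was added below the DROP rule.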

Now restart your Raspbmc to ensure that all settings get reloaded, and that’s it!

Router port forwarding

… or is it? It is quite probable that, although the Raspbmc configuration is correct, you still can’t access the Raspi from the outside. In most cases you have to configure port forwarding on your router. Detailed instructions are out of scope of this tutorial, but what you need to achieve is to forward all incoming connections on port 22 to your Raspi port 22

where 192.168.x.x is your Raspberry Pi local network IP address and x.x.x.x is your router public address. There are plenty of tutorials on how to do it on Google, just search for router_manufacturer port forwarding.

  • Guest

    I need to install this great add-on :)

  • Jacek Tokar

    I guess you need to have external IP to make use of this article…

  • Artemi Ollin

    Port-knocking might also be useful here. :)

    • Adam Dubiel

      Nice idea :) But in the most common config, when raspi is behind some router/firewall, you would have to configure port forwarding for all knocked ports, so it becomes a bit tedious. I will experiment a bit with knockd and update this post accordingly.

  • Rafał Zieliński

    fail2ban is also useful.