Author Topic: cannot reach ssh or https from outside the LAN  (Read 2938 times)

pj

cannot reach ssh or https from outside the LAN
« on: October 13, 2009, 06:47:23 pm »
Sorry if there is a post for this - I did look, but didn't find one.

I have eBox 1.2 installed on a network with 2 workstations. I can reach the eBox dashboard from the LAN without problem, and also with PuTTY on port 22, but I cannot reach either of these 2 ports from outside the LAN (i.e. the Internet). I just get "Firefox can't establish a connection to the server at..." instead of a server certificate offer. Currently, I am using RealVNC to connect to a MS workstation, and connecting from that to the server..! Can't be right!

Before I change settings that shouldn't be changed, I would very much appreciate it if anyone could tell me why the secure ports are not reachable over the net, and how to solve this.

Under "Filtering rules from external networks to eBox" and "Filtering rules for traffic coming out from eBox" I have added ssh and https.

Under "List of services" I have added https with port 443. I noticed an odd entry for ssh: Internal with a red cross, any source port and destination port 22, but it was created by the system.

There are no entries under "Filtering rules from external networks to internal networks".

Any help gratefully received!

jjm1982

Re: cannot reach ssh or https from outside the LAN
« Reply #1 on: October 13, 2009, 08:28:15 pm »
Here is where the concern comes in. Providing the access from the internet can allow malicious activity to occur on your eBox. If you're willing to accept this then the following should help.

To do this you'll have to add an entry for https port 443 (assuming you're using this port for https) to "Filtering rules from external networks to eBox". You would also have to add a rule for port 22.

Will you be connecting to your eBox from a static IP address? If so, supply this in the "source" for the rule using the 32-bit CIDR notation to specify that it's an address, not a segment. If it's a segment, supply the segment and the appropriate CIDR notation (16, 24, 26 ...). You can also list "any" in the source field, but this opens up your eBox to the world. Try to keep it limited, and don't supply your IP address in any posts...

You could also do this:
Create a rule as explained above for port 22 only or any given port that you would like to configure ssh for. You can then ssh and port forward into your eBox for a secure connection using the "-L" switch under SSH.

     ssh -L [port of your choosing]:localhost:443 username@Internet IP

You may require Admin or root privileges to port forward to that low of a port number.
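
The tunnel command above, as an added example that is not part of jjm1982's reply: a small POSIX sh helper that builds the ssh -L command and refuses local ports below 1024, so the forward works without Admin/root privileges on the client. The function name tunnel_cmd, the user "admin" and the host "ebox.example" are assumed placeholders.

```shell
# Added example (not from the thread): build the ssh -L tunnel command the
# reply describes, refusing privileged local ports so no root is needed to bind.
# tunnel_cmd, the user "admin" and the host "ebox.example" are assumed names.
tunnel_cmd() {
    local_port="$1"; user="$2"; host="$3"
    # Reject anything that is not a plain decimal number.
    case "$local_port" in
        ''|*[!0-9]*) echo "invalid port" >&2; return 1 ;;
    esac
    # Local ports below 1024 need root/Admin to bind; 1024..65535 do not.
    if [ "$local_port" -lt 1024 ] || [ "$local_port" -gt 65535 ]; then
        echo "choose an unprivileged local port (1024-65535)" >&2
        return 1
    fi
    # -N: no remote shell, only the forward. ExitOnForwardFailure makes a
    # failed local bind abort ssh instead of silently leaving you without a tunnel.
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s:localhost:443 %s@%s\n' \
        "$local_port" "$user" "$host"
}

# After running the printed command, browse to https://localhost:8443; the
# eBox certificate name will not match "localhost", which is expected here.
tunnel_cmd 8443 admin ebox.example
```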

pj

Re: cannot reach ssh or https from outside the LAN
« Reply #2 on: October 13, 2009, 10:58:25 pm »
Hello JJM!

Thanks for your prompt reply. You are of course right - what about security? I am currently using encrypted RealVNC to connect to a workstation, and then PuTTY or https from the workstation to the server, so it's probably safer than changing the settings! However, RealVNC is slower, smaller screen etc., and most importantly - why won't it connect to ports 22 or 443 directly???

Although I have a fixed IP for the server, my connection from the Internet is dynamic, so that makes it difficult to pop in a source IP etc. In between my post and yours, I did add ssh to the "Filtering rules from external networks to internal networks", but I still get a connection refused from PuTTY. I have added redirects as well for ssh, any ip, anything goes just to get a result, but still no luck. I am not sure whether it is something to do with the certificate...

I will have a look at your ssh -L tomorrow, thanks!

ejortegau

Re: cannot reach ssh or https from outside the LAN
« Reply #3 on: October 14, 2009, 06:19:13 am »
Hello, there:

Why don't you try the VPN module? It should allow you to get an IP from the internal networks, from which you should be able to connect to your https port.

E.

jjm1982

Re: cannot reach ssh or https from outside the LAN
« Reply #4 on: October 14, 2009, 04:44:41 pm »
I never thought of the VPN method for this use; I don't see why it wouldn't work.

Take a look at your firewall logs in eBox. This should help point you in the right direction. You may also have to add ssh rules to "Traffic from external network to internal networks", similar to the rule you created for "Traffic from external networks to eBox". You may also have to add a rule to each of your internal rules. Each rule set is separate, so when you add a rule to one you may have to add a rule to another in order to get the results you want.

To help solve your dynamic IP assignment from your ISP, you can register and create your own domain name at DynDNS. It's a free service (limited when used free) and eBox supports updating your IP. I recently switched hardware and was assigned a new IP address by my ISP; DynDNS was updated fairly quickly. No more having to remember IP addresses and worrying about it if and when they change.

pj

Re: cannot reach ssh or https from outside the LAN
« Reply #5 on: October 14, 2009, 09:22:19 pm »
Hello to all!

Well, I feel like a fraud here. I have been battling with this for 2 days. I'd asked my ISP (magic.fr for those who want the same service...) to add the ports 22 and 443 to the router. They confirmed that it had been done - ticket number etc. I did contact them again to make sure - yes, no problem, we added the port. Last night I ran nmap... no port 22 or 443! Heated conversation today - upshot, I received the password from them and added the ports myself... There was no chance to use PuTTY or eBox, was there?! Anyway, PuTTY and eBox now work from the net! So does https! Hooray!

Unfortunately, http doesn't...

nmap shows ssh and https as open ports, but http as a filtered port. The port is open in the router. Could I have made an error in eBox? Firewall settings: "Filtering rules from internal networks to eBox" has 2 way traffic for http, "Filtering rules for internal networks" has no http entry, "Filtering rules for traffic coming out from eBox" has http with arrow down, "Filtering rules from external networks to eBox" has http with arrow down.

Any ideas please?

p.s.
Here is a security connection tip (hopefully!), thinking about what JJM wrote:

I have a fixed IP for the eBox, but also a private account with dyndns (I have it in my home ADSL box). I added the dynamic web address as an object in eBox, and then selected it as source in the firewall for ssh. It worked, in that I am not refused connection, but I have not tested it other than from here at the moment.

sixstone

  • Zentyal Staff
Re: cannot reach ssh or https from outside the LAN
« Reply #6 on: October 24, 2009, 09:45:35 pm »
Hello pj,

Check your http service has the following configuration:

Protocol: tcp
Source port: any
Destination port: 80

By the way, the secure official method to get into eBox from the Internet is using VPN as a road warrior. Check our doc [1] for details.

Cheers,

[1] http://doc.ebox-platform.com/en/vpn.html#remote-vpn-client
My secret is my silence...

pj

Re: cannot reach ssh or https from outside the LAN
« Reply #7 on: October 24, 2009, 10:30:46 pm »
Hello,

Thanks for the information. The http problem has been solved - it was the router! Port 80 was in the list and directed correctly, but there was a bug.

About the VPN. I will set it up, but I am not sure whether it will be helpful in my present setup. As far as I can see, it would be better to have 2 Ethernet cards, similar to SBS, to really make use of this. I connect by PuTTY using ssh to the eBox server, and by port 443 to the configuration program, but by RealVNC to the workstations, as they are connected from the hub directly at present, and access the net directly.

Do you think it would be helpful to install another card, and allow clients only to connect through the server? I have a wireless card in the box, but Ubuntu does not find it.

Kind regards

kid_english

Re: cannot reach ssh or https from outside the LAN
« Reply #8 on: January 04, 2010, 04:31:43 pm »
Had the same problem, thanks for the thread :)