
I have a home server running Ubuntu 18.04 that hosts some private services. For access from the outside world, I have a domain that points through my router at my home server. This way I can access webservices, as well as SSH from anywhere, which works fine.

When I am at home I would like to use the same domain address to log in to my server. For the webservices this works. However, I cannot log in through SSH from my internal network using the domain. I get the following message:

ssh: connect to host xyz.abc.com port 22: Connection refused

In the internal network I can only connect with SSH if I use the internal IP address of the server.

Do I have to set special configurations for SSH somewhere to make this work?

erik
    First: Did you port forward/NAT in your home router (port 22 in particular) - to be safe only allow the IP of your remote server in the forward. If it needs to be public, run fail2ban for ssh/services. Better - use a VPN for whole thing. Also, what user is trying to connect? root perhaps? Not enough info to make a clear answer. – B. Shea Feb 10 '19 at 21:05
  • And if it's talking (connection refused; but went through) Check your logs and see why it's denied. (If it's talking but getting 'refused', it will be in your logging.) May try verbose ssh logging. Many answers on this already. If root you need to allow it in ssh-server config usually. – B. Shea Feb 10 '19 at 21:10
  • also be sure to add your host.domain.tld & IP to your remote & local host files (/etc/hosts on Linux) so it resolves correctly (important: put the LAN address in if it's local machine). But 'refused' seems to indicate it's already attempting a connection already - at least somewhere. – B. Shea Feb 10 '19 at 21:20
  • Thanks for your comments. Port forwarding is set, and NAT is working for the webserver. Hosts has the domain in it. Will try to see what the ssh logs say. – erik Feb 10 '19 at 21:28
  • Yes (verbose) logging will tell u. Could be permissions on your ssh user: ~user/.ssh among many other things. – B. Shea Feb 10 '19 at 21:47
  • Thanks for all the ideas, but unfortunately none of them resolved my issue. As I said, NAT works fine for all other ports. I decided to change the SSH port to a non-standard port, also because I got weird login attempts from bots (?). For the new port I set, the access from the internal network works just fine without any special settings. My guess is that this is some problem of my router (fritz box). – erik Feb 17 '19 at 16:39

1 Answer


There are a few ways that this could be configured.

  1. Have a DNS server for your internal domain that gives internal addresses for hosts in your domain, and forwards requests for other domains to your ISP's name servers. This answer may be overkill, but it's a relatively straightforward way to do it that could work for your whole home network. For example, see: DNS server for LAN.

  2. Set up a bastion host to the Internet that these requests have to go through. Configure its firewall to port forward that specific address to the internal host that serves that address.

  3. Configure the server that is handling that traffic to be a bastion host. Configure one of its interfaces to also listen to that particular address.

  4. Configure your hosts files on your internal systems to know the internal IP address for the domain.

  5. Configure your .ssh/config files on your internal machines to know that host name as the address on the internal network (see: ssh config per dns domains).

Each of these options is probably an already answered Question somewhere on Stack Exchange, most likely here or Super User, but Stack Overflow is also a possibility. There are admittedly a lot of similar questions to sift through.

Ed Grimm
  • Although I didn't follow these suggestions, I'm sure they would have helped to make everything work (especially the DNS server option). That's why I'll mark this as the best answer. However, for me changing the SSH port was sufficient. – erik Feb 17 '19 at 16:42
  • I tried to cover all the bases, and then find places where those bases were already covered. I stopped when I needed to go to bed soon. I'm surprised by your response, because I didn't see anything that suggested SSH wasn't using the default port, or that the port would be problematic. That sounds like something that could possibly be useful for someone to know about. Would it be possible for you to write answer-level detail about that? – Ed Grimm Feb 18 '19 at 02:57
  • I mean, I've encountered a situation where the port was a problem more than a decade ago, but it was specific to an ISP, and it was the reverse of your situation - the address was working fine inside the domain, but not from outside the ISP. It turned out the ISP had a block for all incoming port 22 traffic to all of their servers and all of their customers' servers. I didn't mention that, because it didn't sound like your problem, and it was too long ago for me to be able to adequately report on it. – Ed Grimm Feb 18 '19 at 03:01
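Options 4 and 5 of the answer above both amount to "make the client use the LAN address when it is at home". A static /etc/hosts entry with the LAN address only works on machines that never leave the LAN; on a laptop that roams, the same name then points at an unreachable address. The following helper is an added example, not code from the question, the answer or any project: it lets OpenSSH's `Match ... exec` pick the LAN address automatically, and uses `HostKeyAlias` so that both paths are checked against one known_hosts entry rather than a separate trust-on-first-use key for the LAN IP. The name xyz.abc.com comes from the question; the 192.168.178.0/24 LAN, the server address 192.168.178.20 and the file name ~/.ssh/on-home-lan are assumptions for the example.

```shell
#!/bin/sh
# on-home-lan: exit 0 when this machine is on the home LAN, 1 otherwise.
# Written to be called from a "Match ... exec" line in ~/.ssh/config so that
# the same name works from both sides of the router. Every concrete value
# here (xyz.abc.com from the question, the 192.168.178.0/24 LAN, the server
# address 192.168.178.20) is an assumption for the example.
#
# Matching ~/.ssh/config stanza (also an assumption, not from the page).
# The Match block must precede the Host block: ssh keeps the first value it
# obtains for each option, so HostName becomes the LAN address only when the
# helper succeeds, and HostKeyAlias makes both paths validate the same
# known_hosts entry instead of accepting a "new" key for the LAN IP.
#
#   Match host xyz.abc.com exec "~/.ssh/on-home-lan check"
#       HostName 192.168.178.20
#   Host xyz.abc.com
#       HostKeyAlias xyz.abc.com
#       Port 22

HOME_LAN_PREFIX="192.168.178."   # assumed home LAN (a /24); trailing dot is deliberate
HOME_LAN_SERVER="192.168.178.20" # assumed LAN address of the server
PUBLIC_NAME="xyz.abc.com"        # the name from the question

# local_source_addr: print the IPv4 source address the kernel would pick to
# reach the Internet (the "src" field of a route lookup; no packet is sent).
# Prints nothing when there is no route, e.g. while offline.
local_source_addr() {
    ip -4 route get 1.1.1.1 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# on_home_lan ADDR: return 0 when ADDR lies inside HOME_LAN_PREFIX.
# An empty ADDR (no route) counts as "not at home", so ssh falls back to the
# public name instead of hanging on an unreachable LAN address.
on_home_lan() {
    case "$1" in
        "$HOME_LAN_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_hostname ADDR: print the HostName ssh should use for a client whose own
# address is ADDR; this mirrors what the config stanza above makes ssh do.
pick_hostname() {
    if on_home_lan "$1"; then
        printf '%s\n' "$HOME_LAN_SERVER"
    else
        printf '%s\n' "$PUBLIC_NAME"
    fi
}

# Run as "on-home-lan check" (the Match exec line) the script reports through
# its exit status; without arguments it only defines the functions above.
case "${1:-}" in
    check) on_home_lan "$(local_source_addr)"; exit $? ;;
esac
```

Install it with `chmod 700 ~/.ssh/on-home-lan`; `Match exec` runs the command through the user's shell, so the `~` in the config line is expanded. With the `HostKeyAlias` line in place, a host key that differs between the LAN path and the public path is reported as a key change rather than silently stored as a second entry, which is exactly the check you want when the two routes pass through different NAT devices.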