SSH access via port 22 from outside Intranet fails

I have an identical problem as described in BigSur SSH can connect a server in the in… - Apple Community (that discussion is closed). Problem is still present in Ventura 13.2.1. In summary:


  • I can connect to the SSH server from within my home Intranet without any problems
  • I can connect to the same server from outside my Intranet if the server is listening on a port different from 22 (say, 4444). If I set up the router so that it forwards port 22 to 4444 on the internal server, I can connect (i.e. the router is not blocking 22). If I use any other port, it also works.
  • If the server listens on port 22, then I cannot connect, whatever I do. I tried the default, with Remote Login enabled (sshd is then started via launchd); I also tried disabling Remote Login and manually starting the server from the command line (to check if launchd was causing trouble) by executing sudo /usr/sbin/sshd -d -p 22. Still the same.


So, it doesn't appear that the problem is in the sshd server setup, nor in the forwarding setup on the router, nor anything in my client setup. I tried removing the known_hosts file as well, no difference. I checked firewall settings etc., there's nothing there. Yet, something *IS* blocking port 22 *IF* the connection is coming from outside the Intranet.


I just don't know where else to look... any tips are greatly appreciated.

Posted on Feb 14, 2023 10:43 PM

Question marked as Top-ranking reply

Posted on Feb 15, 2023 12:35 PM

So if I understand correctly, you want to have your router Port Forward port 22 "AS" port 22 to the Internet and be able to connect from a remote system via ssh?


You can port forward port 4444 (or other high numbered port) and that does work for making a connection from a remote system.


If the above 2 are correct, and you have port forwarded port 22 to the internet via your router, then it is possible your ISP is blocking port 22 connections.


I do know that most ISPs block ports 80 (HTTP), 443 (HTTPS), 25 (mail), and maybe others. So it is possible the ISP is blocking port 22 as well. This is a guess, but it is an educated guess based on other ports ISPs commonly block.


In the case of 80 and 443, the ISP wants the customer to pay for a business connection before they will allow the customer to set up a public web server.


NOTE: I'm with EtreSoft in that opening port 22 through your router is a very VERY BAD idea. There are script kiddies that probe systems for an open port 22, and beat on the system attempting to log in. Even if they cannot get in, it is a waste of your ISP's bandwidth, your router's CPU and your Mac's CPU resources.


If you are going to open an ssh port, then it is much better to choose a high-numbered port below 65534, DO NOT enable the root account, and make sure any accounts on your system have very strong passwords.

https://www.grc.com/haystack.htm

9 replies
Feb 15, 2023 10:24 AM in response to milan_sydney

LittleSnitch and Anti-Virus packages can accept local ssh connections, but reject ssh connections that originate from a different subnet. That is to say, they can reject ssh connection requests from the Internet.


Ventura deprecated RSA keys. If you are using ssh-keygen keys, that might be your issue.


Do 2 ssh connections:

ssh -v -v -v user@local.system
ssh -v -v -v user@remote.system


Compare the output, and see where they make a major diversion.


Are any of the remote systems also Ventura? That might be a way to see if it is the older ssh on other systems that is causing issues.

Feb 15, 2023 4:19 PM in response to milan_sydney

I have been remotely ssh connecting to my Macs, my Mom’s Mac and my Synology NAS for years.


I always have the router port forward a high numbered unique port per system to port 22 on each system. I never open port 22, always a high numbered port.


To make connecting easier, I get a dynamic DNS name from No-IP.com, or Synology will provide one because I own a Synology NAS.


I ssh -p nnnnn my.dynamic.dns.name


The nnnnn is the unique port number I have opened for the system I wish to make an ssh connection.


I also create ssh tunnels for VNC and file sharing, so I can do that securely across the internet.


I used to back up my Mom's iMac from 300 miles away over an ssh tunnel, and do remote admin services.


I do NOT enable the macOS firewall, as my router blocks unsolicited connection requests.


The Mac does not block ssh connection requests, as long as Remote Login Sharing is enabled, the firewall is off, there is no anti-virus software running, nor LittleSnitch. And connections from the outside work if the router port forwarding has been setup correctly, and the ISP is not blocking the port.


And by a lot of years, I started remote ssh connections in the mid-2000’s.


Note: I have an eero mesh router, and I can set up, enable and disable my port forwarding from anywhere. I typically keep my ports disabled, unless I need to make a connection. Keeps the script kiddies from annoying my systems all day and all night.

Feb 15, 2023 10:49 AM in response to milan_sydney

milan_sydney wrote:

I have an identical problem as described in BigSur SSH can connect a server in the in… - Apple Community (that discussion is closed).

No such thing exists. But if you insist, then I'll give you a reply identical to my reply in that thread. 😄

  • I can connect to the SSH server from within my home Intranet without any problems
  • I can connect to the same server from outside my Intranet if the server is listening on a port different from 22 (say, 4444). If I set up that router forwards port 22 to 4444 on the internal server, I can connect (ie. the router is not blocking 22). If I use any other port, it also works.
  • if the server listens on port 22, then I cannot connect, whatever I do. I tried default, with enabling remote login (sshd is then started via launchd), I also tried disabling the remote log in and manually starting the server from the command line (to check if launchd was causing trouble) by executing sudo /usr/sbin/sshd -d -p 22 - still the same.

So, it doesn't appear that the problem is in the sshd server setup, nor forwarding setup on the router, nor anything in my client setup. I tried removing known_hosts file as well, no difference. I checked firewall settings etc, there's nothing there. Yet, something *IS* blocking port 22 *IF* the connection is coming from outside the Intranet.

Please describe "the SSH server". Is this a Mac or a PC? Please describe "my Intranet". Is this an internal server or is it somewhere on the internet? Please describe "firewall settings". Most definitely please describe "etc".


To make a long reply short, your network is misconfigured for what you are trying to do, whatever that is. Consumer-grade equipment on consumer-grade services are not designed to run servers. We don't even know if your network has been even minimally configured for any of this to work.


From the point of view of the internet, your "server" doesn't exist. The only thing that exists is your ISP router. Hopefully, it does not listen on port 22. If it does, then it is your responsibility to forward those connections, through one of a number of means, depending on your router. It may not even be possible to route port 22, given the consumer nature of such things. If it was my network, I sure wouldn't want customers running any services on privileged ports. Or I'd make them pay $199/month for the privilege. And I'd probably still lose money on support costs.

Feb 15, 2023 12:07 PM in response to etresoft

SSH server - Mac Mini running Ventura 13.2.1, enabled when you enable "Remote login" in "Sharing". This is available on every Mac.

Intranet - home network, with a modem/router that has a connection to Internet.


I don't think you read the description. I made it work, I just had to use a port other than 22. And everything works just fine EVEN using port 22, as long as both computers are on the same local network. This is exactly the problem that was described in the post I referred to and that didn't provide a resolution.


I know very well how to configure routers, networks, etc.; I'm far from a beginner. As I said, I made it work in various configurations. But the one I wanted, to just use the standard port and default settings for sshd on the target computer, couldn't work.

Feb 15, 2023 1:01 PM in response to BobHarris

I had the same thought, so I did that experiment as well: open the port 4444 on the router and forward it to the port 22 on the target computer - still the same. It doesn't even get to the sshd. When I run it in debug mode (-d option) from the command line, it sits still with no indication that any connection was made. When I do the same with the SSH client inside the local network, I get a lot of debug messages and a successful connection.


I'm not too worried about opening port 22. I have changed /etc/ssh/sshd_config to disable password-based logins. I'm using only key-based authentication and it works fine.
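The post above relies on sshd_config having password logins disabled, and the top-ranking reply asks for root login to stay off. The following is an added example, not from anyone in this thread, that audits an sshd_config the way sshd itself reads it: the first value for a keyword wins, and anything after a Match block is conditional. The sample config and the audit_sshd_config / sshd_get function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the hardening
# the replies describe (key-only logins, root login off). sshd keeps the FIRST
# value it sees for a keyword, and lines after a "Match" block are conditional,
# so the scan stops there. Keyword=value syntax is folded to "Keyword value".

# sshd_get FILE KEYWORD DEFAULT -> effective global value, lowercased
sshd_get() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/=/, " ") }                                # Keyword=value form
        /^[[:space:]]*#/ { next }                        # comment line
        NF == 0 { next }                                 # blank line
        tolower($1) == "match" { exit }                  # conditional section begins
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins
    ' "$1")
    printf '%s' "${val:-$3}"
}

# audit_sshd_config FILE -> prints one line per weak setting;
# exit status = number of weak settings (0 = hardened)
audit_sshd_config() {
    f=$1; weak=0
    # third argument is the OpenSSH compile-time default used when a keyword is unset
    pa=$(sshd_get "$f" PasswordAuthentication yes)
    ki=$(sshd_get "$f" KbdInteractiveAuthentication yes)
    pr=$(sshd_get "$f" PermitRootLogin prohibit-password)
    pk=$(sshd_get "$f" PubkeyAuthentication yes)
    [ "$pa" = no ]  || { echo "WEAK: PasswordAuthentication $pa"; weak=$((weak+1)); }
    [ "$ki" = no ]  || { echo "WEAK: KbdInteractiveAuthentication $ki (PAM password prompt still possible)"; weak=$((weak+1)); }
    [ "$pr" = no ]  || { echo "WEAK: PermitRootLogin $pr"; weak=$((weak+1)); }
    [ "$pk" = yes ] || { echo "WEAK: PubkeyAuthentication $pk"; weak=$((weak+1)); }
    return "$weak"
}

# Constructed sample config (not a real file from the thread): the password line
# is commented out, so the default "yes" applies, and the "no" inside the Match
# block is conditional and does not count globally.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$demo_config" || echo "$? weak setting(s) found"
rm -f "$demo_config"
```

Run it against /etc/ssh/sshd_config on the Mac; a zero exit status means the global section already matches what the post describes.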

Feb 15, 2023 2:39 PM in response to BobHarris

PS. I tried one more thing:

  1. open port 22 on the router
  2. forward it to the VirtualBox port 22
  3. have SSH server running inside the VM


So, what I get is the same behaviour:

  • if I connect from the local network to the SSH on the Mac running the VM guest, all good
  • if I try the same from outside the local network, I get the same problem.


My guess is that there is some kind of network filtering in place on the Mac that runs the SSH server (or hosts the VM that runs the SSH server) that creates this problem. This is indicated by the fact that I have two different applications (the ssh server and the VirtualBox guest) both being prevented from receiving connections on port 22.


I don't know anything about how OSX does packet filtering, but I was hoping someone on this forum would know that (I just know of pfctl utility, but haven't used it).
