In this article, we will discuss how to configure and set up remote access to the Secure Shell (SSH) server on your IoT device over the internet.
The Internet of Things (IoT) has revolutionized the way we interact with the world around us.
With the ability to connect and control devices from anywhere in the world, IoT technology has brought convenience and efficiency to our daily lives.
However, with this increased connectivity comes the need for secure remote access to these devices. One way to achieve this is through the use of Secure Shell (SSH).
By the end of this article, you will have a better understanding of how to use SSH to securely access your IoT devices over the internet from an outside network.
What is SSH?
SSH stands for Secure Shell, which is a cryptographic network protocol for secure remote access to devices over an unsecured network such as the internet.
How does SSH work?
SSH uses encryption to secure the connection between two devices. It creates a secure tunnel through which data can be transmitted and received.
SSH uses a client-server model: the SSH server runs on your IoT device and the SSH client runs on your access device, such as your PC or laptop.
How to install and set up an SSH server
You need to download, install and set up an SSH server on your IoT device so that you can connect to it remotely via the internet.
You also need to download and install an SSH client on your access device, such as your laptop or PC.
Why is SSH important for remote access?
SSH allows for remote management and monitoring of these devices from anywhere in the world. By using SSH, users can securely access their IoT devices and perform tasks such as updating firmware, changing settings, and troubleshooting issues.
Remotely connect to IoT device via SSH
Let’s say you have an IoT device in your office network or at a customer location. You want to connect remotely to the device via SSH over the internet so that you can execute a remote command.
You need to ensure that SSH is enabled on your IoT device and that the SSH server is up and running on the device.
For this, you need an IoT secure remote access solution like SocketXP to remote SSH into your IoT device in 3 simple steps.
What is SocketXP
SocketXP is a cloud based IoT remote access and device management solution that provides remote SSH access to IoT devices behind a NAT router or firewall over the internet using secure SSL/TLS VPN tunnels.
SocketXP IoT Solution does not require any changes to your gateway NAT router configuration.
SocketXP creates a secure tunnel through your firewall, NAT router and over the internet for secure remote SSH access.
SocketXP IoT Remote Access Features:
SocketXP IoT Remote Access Solution provides the following features:
- Remote SSH Access
- Remote File Transfer - SFTP/SCP
- Remote VNC Desktop Access - RDP/VNC
- Remote Device Management
- Remote IoT Device Monitoring
- Remote IoT Asset Live Tracking
How SocketXP IoT Remote Access solution works
First, you need to install a SocketXP IoT agent on your IoT device.
The SocketXP agent connects the device to the SocketXP IoT Cloud Gateway by creating a secure SSL/TLS tunnel.
You can then remote SSH into the IoT device from the SocketXP IoT Cloud Gateway’s portal page (via this secure SSL/TLS tunnel).
Follow the steps below to set up the SocketXP IoT agent and remote SSH into your IoT device using the SocketXP IoT Remote Access solution.
Step 1: Download and Install
Step 2: Get your Authentication Token
Sign up at https://portal.socketxp.com and get your authentication token.
Use the following command to login to the SocketXP IoT Cloud Gateway using the auth token.
$ socketxp login [your-auth-token-goes-here]
Step 3: Create SocketXP SSL Tunnel Endpoint for Remote SSH
Use the following command to create a secure and private SSL tunnel endpoint at the SocketXP IoT Cloud Gateway.
$ socketxp connect tcp://localhost:22
Connected to SocketXP Cloud Gateway.
Access the TCP service securely using the SocketXP agent in IoT Slave Mode.
For the security of your device, SocketXP IoT Solution doesn’t create any public TCP tunnel endpoints that an SSH client on the internet could connect to.
SocketXP private tunnel endpoints are not exposed to the internet and can be accessed only using the SocketXP agent (using the auth token of the user) or through the XTERM terminal in the SocketXP Portal page.
More importantly, this also means port scanners or hackers from the internet cannot access your IoT device SSH server port.
The screen capture above shows the “htop” command being executed from an SSH session created using the XTERM window from the SocketXP Portal page using a web browser. You could use any browser of your choice to remote SSH into your IoT device.
Single-Touch Installation Command
The 3-step procedure explained above for setting up SocketXP on your IoT device becomes tedious if you have thousands of IoT devices to install, configure and manage.
With this in mind, the SocketXP IoT Remote Access Solution also provides a single-touch installation command for installing and configuring the SocketXP IoT Agent on a large number of IoT devices.
Copy and paste the single-touch installation command from the SocketXP Portal page on to the terminal of your IoT device. The command downloads a shell script that installs, configures and sets up the SocketXP IoT agent on your IoT device. After the command completes, the IoT device shows up as online in the SocketXP Portal page.
Configuring SocketXP agent to run in slave mode
This is an alternate method for connecting to your IoT device from a remote location using the SocketXP solution.
If you don’t want to access your IoT device from the browser and would rather use your own SSH client (e.g. PuTTY, SecureCRT), follow the instructions below.
First download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or macOS).
Next, configure the agent to run in slave mode using the command option --iot-slave as shown in the example below.
$ socketxp connect tcp://localhost:3000 --iot-slave --peer-device-id "2233-4455-abcd-34445" --peer-device-port 22 --authtoken <auth token>
Listening for TCP connections at:
Local URL -> tcp://localhost:3000
You can find the device ID of your IoT device on the SocketXP Portal page in the IoT Devices section.
Accessing the IoT device SSH from your laptop
Now you can access your IoT device’s SSH server using the above SocketXP local endpoint, as shown below.
$ ssh -i ~/.ssh/john-private.key john@localhost -p 3000
The above method uses SSH private-key-based authentication to SSH into your IoT device.
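The device-side counterpart of key-based login is an sshd configuration that accepts nothing else: while password and keyboard-interactive authentication remain enabled, the key is only one of several ways in. The shell script below is an added example, not part of this article or of the SocketXP software. It audits an OpenSSH sshd_config for exactly that, using two constructed sample configurations written to temporary files; the keyword names are standard OpenSSH ones, and the interpretation of "unset" as the sshd default is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example (not part of the SocketXP article or product): audit the
# device-side OpenSSH server configuration so that private-key authentication
# is the only way to log in. Assumes stock sshd_config syntax ("Keyword value",
# '#' comments, global settings before any "Match" block).

# effective_value FILE KEYWORD
# Prints the global value of KEYWORD. sshd honours the first uncommented
# occurrence, and anything after a "Match" line is conditional, so stop there.
# Prints "unset" when the keyword is absent (sshd then applies its default).
effective_value() {
  awk -v key="$2" '
    NF == 0 || substr($1, 1, 1) == "#" { next }
    tolower($1) == "match"             { exit }
    tolower($1) == tolower(key)        { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting; returns 0 only when there are none.
audit_sshd_config() {
  cfg="$1"; findings=0

  v=$(effective_value "$cfg" PasswordAuthentication)
  case "$v" in
    no) ;;
    *)  echo "PasswordAuthentication is '$v' (want: no; the sshd default is yes, so passwords can be guessed)"
        findings=$((findings + 1)) ;;
  esac

  v=$(effective_value "$cfg" PermitRootLogin)
  case "$v" in
    no|prohibit-password) ;;
    *)  echo "PermitRootLogin is '$v' (want: no or prohibit-password)"
        findings=$((findings + 1)) ;;
  esac

  v=$(effective_value "$cfg" PubkeyAuthentication)
  case "$v" in
    yes|unset) ;;   # unset is fine here: the sshd default is yes
    *)  echo "PubkeyAuthentication is '$v' (want: yes, otherwise key-based login fails)"
        findings=$((findings + 1)) ;;
  esac

  # Keyboard-interactive (PAM) can still prompt for a password even when
  # PasswordAuthentication is off. Newer sshd spells the keyword
  # KbdInteractiveAuthentication, older releases ChallengeResponseAuthentication;
  # the default for both is yes, so only an explicit "no" passes.
  v=$(effective_value "$cfg" KbdInteractiveAuthentication)
  if [ "$v" = "unset" ]; then
    v=$(effective_value "$cfg" ChallengeResponseAuthentication)
  fi
  case "$v" in
    no) ;;
    *)  echo "KbdInteractiveAuthentication is '$v' (want: no)"
        findings=$((findings + 1)) ;;
  esac

  [ "$findings" -eq 0 ]
}

# Constructed sample configurations (not taken from any real device).
# The weak one has no global PasswordAuthentication line at all; the "no"
# inside the Match block applies to one user only and must not be counted.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# typical out-of-the-box settings
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
  echo "== $cfg"
  if audit_sshd_config "$cfg"; then
    echo "no findings: key-based login is the only option"
  fi
done
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config. On the device itself, sshd -T prints the effective values after defaults and included files are applied, which is the more authoritative check. After changing settings, reload sshd and verify the key-based login from a second session before closing the one you are in, so that a mistake does not lock you out of a device that is hundreds of miles away.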
If you are stuck and need assistance with our SocketXP IoT Remote Access Solution, or you have a query that needs to be answered, please feel free to reach out to us. We’ll get back to you as soon as possible. Please email us at: [email protected]
SocketXP Scaling and Performance
SocketXP IoT Gateway easily supports up to 10K devices per customer account. SocketXP IoT Gateway is a cloud native application that has the built-in capability to grow on demand.
All Raspberry Pi based IoT devices come with SSH Server installed. If your IoT device is not Raspberry Pi based and you want to know how to install and configure an SSH server, SSH clients and SSH public/private keys for remote access, continue reading the following sections.
The solution discussed in this article is a secure method to remote SSH into your home or office computer because the data is encrypted using SSL.
SSH uses the same cryptography technology used by banks and governments to exchange highly confidential data over the internet.
The data transferred gets encrypted end-to-end between the SSH client and the SSH server.
SocketXP has no way to decrypt or eavesdrop on your encrypted data without knowing your SSH private keys. SocketXP merely acts as an online TCP reverse proxy server for the encrypted data traffic transmitted through the SSH connection.
IoT Remote SSH Security - Do’s and Don’ts
What is IoT
IoT means Internet of Things. The term IoT refers to the devices that are connected to the internet.
Today, almost all electrical and electronic gadgets at home such as your air conditioner, refrigerator, washing machine, light bulbs, fans, and security video cameras can be connected to the internet using home automation devices or IoT devices.
Automobiles such as cars, trucks, trains, airplanes and ships are connected to the internet through IoT devices to track the movement and operation of these vehicles.
Even industrial heavy machineries are connected to the internet via the IoT devices. Sensors are added to the machineries or placed at various locations in a plant to monitor the performance and operation of these machineries.
A simple IoT device can be used to monitor, control and operate smart electronic gadgets and electrical appliances in your home or factory.
Remote SSH access to IoT devices
The primary reason why you deployed these IoT devices and connected them to the internet was to monitor, track and operate these devices from any remote locations.
Sometimes you need a way to gain access to those IoT devices for troubleshooting, configuration updates, and other operational tasks.
For example, a sensor device deployed at a factory that is hundreds of miles away is having trouble measuring the factory temperature.
You can use secure remote access tunnels to quickly open a session to that sensor device.
After you have identified the problem (for example, a misconfiguration or disk full error), you can reset the configuration, delete unwanted files or logs history and restart the sensor device through the same session.
In the traditional methods of troubleshooting you would typically wait until the next day to send a technician to the factory to investigate the sensor device.
But remote access using secure tunneling (using SocketXP) decreases incident response and recovery time and operational costs.
But gaining remote access to IoT devices is no simple task.
So people often take shortcuts and apply quick hacks to router/firewall settings to permit internet traffic into the corporate network.
In the next section, we’ll discuss some of these unsafe practices and the security risks associated with such configuration options.
Unsafe methods of SSH into Remote IoT devices
IoT devices in industries, factories, offices and homes are placed behind a firewall and NAT (Wi-Fi router or gateway router). IoT devices are assigned a local IP address using mechanisms such as DHCP. The local IP addresses are usually assigned in the 10.X.X.X or 192.X.X.X range. IoT devices do not have publicly reachable IP addresses assigned to them.
The IoT devices behind the firewall can talk to servers on the internet (via the gateway router) but not the other way around. This is because you want to prevent your IoT devices from being accessed from the internet by unwanted people or hackers.
So gaining remote access from the internet to IoT devices in your home or factory is neither easy nor straightforward.
Many people practice the unsafe method of opening up ports (SSH port 22 or HTTP/HTTPS ports 80/443) in their firewall settings (ACL rules) or gateway router NAT configuration to let that traffic into the local network.
Then they would use Dynamic DNS (DDNS) solutions to track the non-static public IP address of the gateway router.
This method is prone to errors and creates a security risk for your IoT installation.
Online hackers could scan such open ports and try sneaking into your local network and servers.
The common misunderstanding here is that people believe that, as long as they use a secure shell (SSH) connection, everything going to port 22 is safe.
But they fail to understand that they have left a door to their industrial, corporate or home network wide open for any strangers to sneak in without being noticed.
The same door will be shared by hackers and your secure SSH session alike.
The problem is not in the SSH session but in the door you left wide open for anyone to sneak in.
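One way to see what an open port 22 attracts, and to check that a tunnelled setup really keeps outside clients away, is to look at who fails to log in. The script below is an added example, not part of this article or of SocketXP. It summarises the "Failed password" entries of an OpenSSH auth log by source address, run over a constructed log excerpt (documentation-range addresses, not real traffic). It assumes that when sshd is reached only through the agent's tunnel to tcp://localhost:22, every client connection is logged with the loopback source address, so a failure from any other address is worth investigating.

```shell
#!/bin/sh
# Added example (not from the SocketXP article): summarise failed SSH logins in
# an OpenSSH auth log by source address. On a device whose sshd is reachable
# only through the agent's local tunnel (tcp://localhost:22), every client
# connection should arrive from the loopback address; failures from any other
# address show that port 22 is reachable some other way. Assumes the stock
# syslog line format "sshd[PID]: Failed password for ... from A.B.C.D port N".

# failed_login_sources LOGFILE -> lines of "count address", most active first
failed_login_sources() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)
       }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# count_failed_for_ip LOGFILE ADDRESS -> number of failures from ADDRESS (0 if none)
count_failed_for_ip() {
  failed_login_sources "$1" |
    awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# sources_over_threshold LOGFILE N -> addresses with at least N failures, one per line
sources_over_threshold() {
  failed_login_sources "$1" | awk -v n="$2" '$1 + 0 >= n + 0 { print $2 }'
}

# non_loopback_failures LOGFILE -> total failures whose source is not 127.0.0.0/8
non_loopback_failures() {
  failed_login_sources "$1" |
    awk '$2 !~ /^127\./ { total += $1 } END { print total + 0 }'
}

# Constructed log excerpt (addresses from the RFC 5737 documentation ranges).
# The "Invalid user" and "Accepted publickey" lines are deliberately present
# so the filter can be seen to ignore them.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Mar 10 02:14:07 iot-gw sshd[1422]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar 10 02:14:09 iot-gw sshd[1423]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar 10 02:14:12 iot-gw sshd[1425]: Invalid user pi from 198.51.100.23 port 51250
Mar 10 02:14:13 iot-gw sshd[1425]: Failed password for invalid user pi from 198.51.100.23 port 51250 ssh2
Mar 10 02:14:15 iot-gw sshd[1427]: Failed password for root from 198.51.100.23 port 51260 ssh2
Mar 10 02:15:01 iot-gw sshd[1430]: Accepted publickey for john from 127.0.0.1 port 44000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 10 02:16:00 iot-gw sshd[1440]: Failed password for pi from 203.0.113.9 port 40001 ssh2
Mar 10 02:17:30 iot-gw sshd[1450]: Failed password for john from 127.0.0.1 port 44010 ssh2
EOF

echo "Failed logins by source address:"
failed_login_sources "$AUTH_LOG"
echo "Sources with 3 or more failures:"
sources_over_threshold "$AUTH_LOG" 3
echo "Failures from non-loopback addresses: $(non_loopback_failures "$AUTH_LOG")"
```

On a Debian-based device the input would be /var/log/auth.log. Clients on the local network also appear as non-loopback sources, so the non-loopback count is only a clean signal where the device is not meant to be reached from the LAN either; a burst of failures for root and for users that do not exist, as in the constructed excerpt, is the usual signature of an internet scanner that found an open port.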
Why the SocketXP IoT Remote Access Solution Is More Secure
The SocketXP IoT Remote Access solution, part of the IoT Device Management and Remote Access Platform, doesn’t require setting up port forwarding on your WiFi router. The SocketXP solution works without making any changes to your WiFi router settings.
SocketXP IoT Platform, unlike all other vendor solutions, does not open up your device ports to the internet. Therefore, port scanners and hackers cannot scan your device ports (SSH or VNC ports). SocketXP IoT Platform protects and handles all direct attacks from the internet, eliminating unnecessary traffic from reaching your IoT devices.
SocketXP connects users with remote devices over secure SSL/TLS connections (VPN tunnels). This is the same technology used by banks and governments to exchange confidential data securely over the internet.