How to Remote Access IoT SSH over the Internet

Author: Ganesh Velrajan

Last Updated: Fri, Sep 24, 2021

Let’s say you have an IoT device in your office network or in your customer location. You want to remote SSH into the IoT device over the internet to execute a remote command.

For this, you need a secure remote access solution like SocketXP to remote SSH into your IoT device in 3 simple steps.

What is SocketXP

SocketXP is a cloud-based IoT remote access and device management solution that provides remote SSH access to IoT devices behind a NAT router or firewall over the internet using secure SSL/TLS VPN tunnels.

SocketXP IoT Solution does not require any changes to your gateway NAT router configuration. 

SocketXP creates a secure tunnel through your firewall, NAT router and over the internet for secure remote SSH access.

How SocketXP IoT Remote Access solution works

First, you need to install a SocketXP IoT agent on your IoT device. 

The SocketXP agent would connect the device to the SocketXP IoT Cloud Gateway by creating a secure SSL/TLS tunnel.

You could then remote SSH into the IoT device from the SocketXP IoT Cloud Gateway’s portal page (via this secure SSL/TLS tunnel).

IoT Remote SSH

Follow the steps below to set up the SocketXP IoT agent and remote SSH into your IoT device using the SocketXP IoT Remote Access solution.

Step 1: Download and Install

Download and install the SocketXP IoT agent on your IoT device from here.

Step 2: Get your Authentication Token

Sign up at https://portal.socketxp.com and get your authentication token.

SocketXP Portal - Authtoken for IoT Remote SSH

Use the following command to login to the SocketXP IoT Cloud Gateway using the auth token.

$ socketxp login [your-auth-token-goes-here]

Step 3: Create SocketXP SSL Tunnel Endpoint for Remote SSH

Use the following command to create a secure and private SSL tunnel endpoint at the SocketXP IoT Cloud Gateway.

$ socketxp connect tcp://localhost:22

Connected to SocketXP Cloud Gateway.
Access the TCP service securely using the SocketXP agent in IoT Slave Mode.

Note:

For the security of your device, SocketXP IoT Solution doesn’t create any public TCP tunnel endpoints that can be connected by any SSH client from the internet.

SocketXP private tunnel endpoints are not exposed to the internet and can be accessed only using the SocketXP agent (using the auth token of the user) or through the XTERM terminal in the SocketXP Portal page.

More importantly, this also means port scanners or hackers from the internet cannot access your IoT device SSH server port.

SocketXP IoT Remote SSH - xterm access to an IoT device from the browser

The screen capture above shows the “htop” command being executed from an SSH session created using the XTERM window from the SocketXP Portal page using a web browser. You could use any browser of your choice to remote SSH into your IoT device.

Single-Touch Installation Command

The 3-step procedure explained above for setting up SocketXP on your IoT device becomes tedious if you have thousands of IoT devices to install, configure and manage.

With this in mind, SocketXP IoT Remote Access Solution also provides a single-touch installation command for installing and configuring the SocketXP IoT agent on a large number of IoT devices.

Copy the single-touch installation command below from the SocketXP Portal page and paste it into the terminal of your IoT device. The command shown below will download a shell script that will install, configure and set up the SocketXP IoT agent on your IoT device. After the command completes, the IoT device will show up as online in the SocketXP Portal page.

SocketXP IoT Remote SSH installation script

Configuring SocketXP agent to run in slave mode

This is an alternate method for connecting to your IoT device from a remote location using the SocketXP solution.

If you don’t want to access your IoT device from the browser and you want to access it using your SSH client then follow the instructions below.

First download and install the regular SocketXP agent software on your accessing device (such as a laptop running Windows or Mac OS).

Next, configure the agent to run in slave mode using the command option "--iot-slave" as shown in the example below.

$ socketxp connect tcp://localhost:3000 --iot-slave --iot-device-id "2233-4455-abcd-34445" --iot-device-port 22

Listening for TCP connections at:
Local URL -> tcp://localhost:3000

You can find the device ID of your IoT device in the IoT Devices section of the SocketXP Portal page.

Accessing the IoT device SSH from your laptop

Now you can access your IoT device’s SSH server using the above SocketXP local endpoint, as shown below.

$ ssh -i ~/.ssh/john-private.key john@localhost -p 3000

The above method uses SSH private key based authentication to SSH into your IoT device.

Need Assistance?

If you are stuck and need assistance with our SocketXP IoT Remote Access Solution, or you have a query that needs to be answered, please feel free to reach out to us. We’ll get back to you as soon as possible. Please email us at: support@socketxp.com

SocketXP IoT Remote Access Features:

SocketXP IoT Remote Access Solution provides the following features:

  • Remote SSH Access
  • Remote File Transfer - SFTP/SCP
  • Remote VNC Desktop Access - RDP/VNC
  • Remote Device Management
  • Remote IoT Device Monitoring
  • Remote IoT Asset Live Tracking

SocketXP Scaling and Performance

SocketXP IoT Gateway easily supports up to 10K devices per customer account. SocketXP IoT Gateway is a cloud native application that has the built-in capability to grow on demand.

SocketXP IoT Remote SSH - IoT device fleet management

Note:

All Raspberry Pi based IoT devices come with an SSH server installed. If your IoT device is not Raspberry Pi based and you want to know how to install and configure the SSH server, SSH clients and SSH public/private keys for remote access, continue reading the following sections.

How to install OpenSSH server on your IoT device

OpenSSH is free, open source software that uses the SSH protocol to create secure and encrypted communication channels over computer networks. OpenSSH is developed by the OpenBSD community and is released under a Simplified BSD License.

OpenSSH comes with additional features such as SFTP and SCP to perform secure file transfer and secure copy over a computer network.

To install and run SSH server on your IoT device, execute the following commands:

Debian/Ubuntu Linux:

First update your Linux system and then install the OpenSSH server.

$ sudo apt-get update
$ sudo apt-get install openssh-server

The following commands will enable and run the SSH server as a daemon in the background.

$ sudo systemctl enable ssh
$ sudo systemctl start ssh

RHEL/CentOS Linux:

$ sudo yum update
$ sudo yum -y install openssh-server

Then enable the SSH server and start it.

$ sudo chkconfig sshd on
$ sudo service sshd start

SSH uses port 22 for communication. If it is not enabled already, execute the following commands to open up the SSH port on your Linux system.

$ sudo /sbin/iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
$ sudo service iptables save

How to install SSH client on your client machines

Use the following command to install SSH client on your laptops or any device from where you would remote SSH into your IoT device.

Debian/Ubuntu

$ sudo apt-get update
$ sudo apt-get install openssh-client

RHEL/CentOS

$ sudo yum update

$ sudo yum -y install openssh-clients

How to create and setup SSH Keys

SSH uses a public/private key based encryption algorithm for encrypting the communication channel.  Use the ssh-keygen command to generate SSH keys for those clients that need to SSH into your IoT devices.

Go to your client machine (a laptop, for example), open up a terminal and execute the following command. Follow the instructions on the screen to create a public/private key pair.

$ ssh-keygen -b 4096

Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_home/.ssh/id_rsa):

The keys will usually be saved in your home directory under the ".ssh" folder. Leave the private key on your client machine. Copy just the contents of the /home/your_home/.ssh/id_rsa.pub file and paste it (actually append it) to the "~/.ssh/authorized_keys" file on your IoT device where the SSH server runs.

From now on, you can log in to your IoT device remotely using the SSH private key on your client machine with the following command:

$ ssh -i ~/.ssh/id_rsa john@tunnel.socketxp.com -p 23224
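
The append step described above, as an added example (not part of the original article or SocketXP's tooling): a shell function that adds the public key only once and sets the ~/.ssh permissions that sshd's StrictModes check accepts. The function name install_pubkey, the sample key and the scratch directory are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SocketXP code). Assumption: run on the IoT device as the
# login user, with the public key file already copied over.

# install_pubkey PUBKEY_FILE HOME_DIR -> 0 on success, 1 if not a public key
install_pubkey() {
    key=$(head -n 1 "$1")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;   # public key line
        *) echo "refusing: $1 is not an OpenSSH public key" >&2; return 1 ;;
    esac
    dir="$2/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"      # only the owner may enter ~/.ssh
    touch "$auth" && chmod 600 "$auth"       # only the owner may read or write
    # If the file does not end in a newline, add one so keys are not merged.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    # -x whole line, -F fixed string: append only if the key is not present yet.
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed sample input (not a real key), installed into a scratch "home".
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed john@laptop\n' \
    > "$demo_home/id_rsa.pub"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$demo_home/id_rsa"

install_pubkey "$demo_home/id_rsa.pub" "$demo_home"
install_pubkey "$demo_home/id_rsa.pub" "$demo_home"       # second run adds nothing
install_pubkey "$demo_home/id_rsa" "$demo_home" || true   # private key is refused
echo "keys installed: $(grep -c . "$demo_home/.ssh/authorized_keys")"
```
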

Disable Password Authentication on your SSH Server

After configuring your SSH server and client to use private/public key for authentication, it is wise and safe to turn off password based authentication, because passwords are relatively easy to crack.

Before you perform this step, make sure you have set up your public/private key pairs correctly and you are able to log in using them. Otherwise, once you disable password authentication, you'll be locked out of your IoT device.

To disable password authentication, open the SSH server’s configuration file as a sudo user.

$ sudo nano /etc/ssh/sshd_config

Inside the file, search for a directive called PasswordAuthentication. This may be commented out. Uncomment the line and set the value to "no". This will disable your ability to log in to the SSH server using account passwords:

PasswordAuthentication no

Save and close the file when you are finished.

To actually implement the changes we just made, you must restart the service.

On Ubuntu or Debian machines, you can issue this command:

$ sudo service ssh restart

On CentOS/Fedora machines, issue the following command:

$ sudo service sshd restart

After completing this step, you've successfully transitioned your SSH daemon to only respond to SSH keys.
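
A check to run before restarting the service, as an added example that is not part of the original article: sshd uses the first value it obtains for each keyword, so a "PasswordAuthentication no" added below an earlier uncommented "yes" has no effect. The function names and the sample configuration are constructed; Include files and Match blocks are not evaluated.

```sh
#!/bin/sh
# Added example (not SocketXP code): report the value sshd will actually use.
# sshd_config semantics relied on: keywords are case-insensitive, '#' lines are
# ignored, and the FIRST value obtained for a keyword wins.

# effective_value FILE KEYWORD DEFAULT -> prints the effective lowercase value
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" too
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == want && !found { val = tolower($2); found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 1 if key-only login is not enforced
audit_sshd() {
    rc=0
    if [ "$(effective_value "$1" PasswordAuthentication yes)" != no ]; then
        echo "FAIL: password logins are still accepted"; rc=1
    fi
    if [ "$(effective_value "$1" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL: public key login is disabled (lockout risk)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: key-only login is enforced"; fi
    return "$rc"
}

# Constructed sample: the "no" line was appended after an earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || true     # reports FAIL: the earlier "yes" wins
```

On the device itself, `sudo sshd -t` validates the file and `sudo sshd -T` prints the full effective configuration, including Include files.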

Conclusion:

The solution discussed in this article is a secure method to remote SSH into your home or office computer because the data is encrypted using SSL.

SSH uses the same cryptography technology used by banks and governments to exchange highly confidential data over the internet.

The data transferred gets encrypted end-to-end between the SSH client and the SSH server.

SocketXP has no way to decrypt or eavesdrop on your encrypted data without knowing your SSH private keys. SocketXP merely acts as an online TCP reverse proxy server for your encrypted data traffic transmitted through the SSH connection.

IoT Remote SSH Security - Do’s and Don’ts

What is IoT

IoT means Internet of Things.  The term IoT refers to the devices that are connected to the internet. 

Today, almost all electrical and electronic gadgets at home such as your air conditioner, refrigerator, washing machine, light bulbs, fans, and security video cameras can be connected to the internet using home automation devices or IoT devices.

Automobiles such as cars, trucks, trains, airplanes and ships are connected to the internet through IoT devices to track the movement and operation of these vehicles.

Even industrial heavy machineries are connected to the internet via the IoT devices.  Sensors are added to the machineries or placed at various locations in a plant to monitor the performance and operation of these machineries.

A simple IoT device can be used to monitor, control and operate smart electronic gadgets and electrical appliances in your home or factory.

Remote SSH access to IoT devices

The primary reason why you deployed these IoT devices and connected them to the internet was to monitor, track and operate these devices from any remote locations.

Sometimes you need a way to gain access to those IoT devices for troubleshooting, configuration updates, and other operational tasks.

For example, a sensor device deployed at a factory that is hundreds of miles away is having trouble measuring the factory temperature.

You can use secure remote access tunnels to open and quickly start a session to that sensor device.

After you have identified the problem (for example, a misconfiguration or disk full error), you can reset the configuration, delete unwanted files or logs history and restart the sensor device through the same session.

With traditional troubleshooting methods, you would typically wait until the next day to send a technician to the factory to investigate the sensor device.

But remote access using secure tunneling (using SocketXP) decreases incident response and recovery time and operational costs.

But gaining remote access to IoT devices is no simple task.

So often people take shortcuts and perform quick hacks on routers/firewall settings to permit internet traffic into the corporate network.

In the next section, we'll discuss some of these unsafe practices and the security risks associated with such configuration options.

Unsafe methods of SSH into Remote IoT devices

IoT devices in industries, factories, offices and homes are placed behind a firewall and NAT (WiFi router or gateway router). IoT devices are always assigned a local IP address using mechanisms such as DHCP. The local IP addresses are usually assigned in the 10.X.X.X or 192.X.X.X range. IoT devices do not have publicly reachable IP addresses assigned to them.

The IoT devices behind the firewall can talk to servers on the internet (via the gateway router) but not the other way around.  This is because you want to prevent your IoT devices from being accessed from the internet by unwanted people or hackers.

So gaining remote access from the internet to IoT devices in your home or factory is not easy or straightforward.

Many people practice the unsafe method of opening up ports (SSH port 22 or HTTP/HTTPS ports 80/443) in their firewall settings (ACL rules) or gateway router NAT configuration to allow particular traffic to sneak into the local network.

Then they would use Dynamic DNS (DDNS) solutions to track the non-static public IP address of the gateway router. 

This method is prone to errors and creates a security risk for your IoT installation.

Online hackers could scan such open ports and try sneaking into your local network and servers.

The common misunderstanding here is that people falsely believe that as long as they use a secure shell connection (SSH), everything going to port 22 is safe.

But they fail to understand that they have left a door to their industrial, corporate or home network wide open for any strangers to sneak in without being noticed.

The same door will be shared by hackers and your secure SSH session alike.

The problem is not in the SSH session but in the door you left wide open for anyone to sneak in.

How secure is SocketXP IoT Remote Access Solution:

SocketXP IoT Remote Access solution doesn’t require setting up port-forwarding on your WiFi router. SocketXP solution works without making any changes to your WiFi router settings.

SocketXP IoT Platform, unlike all other vendor solutions, does not open up your device ports to the internet. Therefore, port scanners and hackers cannot scan your device ports (SSH or VNC ports). SocketXP IoT Platform protects and handles all direct attacks from the internet, eliminating unnecessary traffic from reaching your IoT devices.

SocketXP connects users with remote devices over secure SSL/TLS connections (VPN tunnels). This is the same technology used by banks and governments to exchange confidential data securely over the internet.