FRITZ!Box tuning part 1: Enable remote access over ssh

Recently I changed my Internet service provider to Kabel Deutschland, which offers really good bandwidth for a reasonable price: 32 MBit/s downstream and 2 MBit/s upstream. In addition you can order a FRITZ!Box 7270, which lets you use VoIP for the phone part. As I always try to get the most out of new hardware, I started to explore what is possible with this combination. In this post I will explain how you get access to your FRITZ!Box using ssh. Following this post there will be articles about how to turn the FRITZ!Box into an OpenVPN server and how to use the VoIP access point remotely from any computer with VoIP software installed.

The hardware used is a FRITZ!Box Fon WLAN 7270 with firmware 54/74.04.80 from 2009/12/15, which is an official AVM release. Other firmware versions may work too, but I haven't tested them. The following topics are all for advanced users. So if you aren't familiar with Linux, or start asking what the hell vi is and how to get out of it, stop reading now.

All the information in this and the following posts is based on several websites I found on the Internet, mainly some forum entries at http://www.ip-phone-forum.de, the series about the FRITZ!Box at http://www.tecchannel.de, the posts on http://www.teamarbyte.de, the blog at http://www.realriot.de and this article at http://www.cswpro.de. So thanks to all these people for sharing this kind of information.

Before we start, some words of caution: it is easy to render the FRITZ!Box unusable. There is no warranty of any kind if you do any of the things mentioned in this blog, and I'm not responsible for anything that happens to your FRITZ!Box or your Internet connection. Making a backup of your current configuration before you start is a good idea.

Preparing the FRITZ!Box

First of all you should register an account at http://www.dyndns.com or any other dynamic DNS service. You can then add this information in the "DynamicDNS" tab of the Internet settings in the FRITZ!Box web frontend. This lets you connect to your FRITZ!Box without knowing its IP address after a reconnect. Let's use xtestx.dyndns.org in the following examples.

Next you need telnet access to the FRITZ!Box to do the initial configuration of the ssh server. Enabling telnet is as simple as dialling #96*7* from a locally connected phone; to disable the telnet daemon again later, dial #96*8*. Keep in mind that telnet is unencrypted and that the box initially has no root password, so leave the daemon running only as long as you need it and only talk to it from your own LAN.

You also need a USB stick on which all the software will be installed; it has to stay connected to the FRITZ!Box all the time. In principle the size doesn't matter, around 5 MBytes of free space should be enough. Time to connect to the FRITZ!Box for the first time. A simple telnet fritz.box should do it.

Installation and configuration of the ssh server

For the ssh server the dropbear software is used. You can get a version prepared for the FRITZ!Box from the spblinux server.

cd /var/tmp
wget http://www.spblinux.de/fbox.new/cfg_dropbear
chmod u+x cfg_dropbear

After downloading, install the server on the USB stick by executing

./cfg_dropbear usb_install

In my case the software is installed into /var/media/ftp/FLASH-DISK-01/addons (the directory name depends on the label of your stick, and it is case sensitive). Now we create a host key that will be reused even after a reboot of the FRITZ!Box, so your ssh clients see the same fingerprint every time. dropbearkey prints the fingerprint of the new key; note it down so you can verify it on the first connection instead of blindly accepting whatever a "new" host presents.

cd /var/media/ftp/FLASH-DISK-01/addons
dropbear/bin/dropbearkey -t rsa -f dropbear/etc/sshd_rsa_host_key

The FRITZ!Box initially has no root password set. We have to create one and save the password hash for later use.

passwd
cat /etc/passwd

Note the part between root: and the next colon; that is the password hash, and it is what the startup script will write back on every boot.

Putting all together

The starting point for all modifications on the FRITZ!Box is a file called /var/flash/debug.cfg. It is executed on every boot after all the other services have been started. We will use it only to start a script located on the USB stick, which makes sure that our changes survive even a firmware upgrade. Its content looks like this:

# execute the start script which is on the usb stick
/var/media/ftp/FLASH-DISK-01/addons/startup.sh

Please note that you have to use nvi to edit files on the flash device of the FRITZ!Box, because all files there are marked as non-regular. The startup.sh does all the work necessary to prepare and start the ssh server. Its content is:

#!/bin/sh
# what is the base usb directory (adjust to the label of your stick)
BASE=/var/media/ftp/FLASH-DISK-01/addons

# change to a temporary directory
cd /var/tmp

# install and start dropbear with our persistent host key
# (-E: log to stderr, -r: host key file)
${BASE}/cfg_dropbear usb_install
/bin/dropbear -E -r ${BASE}/dropbear/etc/sshd_rsa_host_key

# set passwords: the password file the box uses lives in /var/tmp and is
# rebuilt on every boot, so the root hash has to be written back here
echo 'root:XXXXXX:0:0:root:/var/tmp/:/bin/sh' > /var/tmp/passwd
echo 'ftpuser:any:1000:0:ftp user:/var/media/ftp:/bin/sh' >> /var/tmp/passwd

# add the fritz box itself to resolv.conf so that the names of dhcp
# attached machines in your network can be resolved
echo "nameserver 192.168.220.1" >> /var/tmp/resolv.conf

Replace XXXXXX with the password hash you noted above; keep the single quotes, because the hash may contain characters such as $ that the shell would otherwise interpret. In my case the network is the 192.168.220.0/24 subnet and the FRITZ!Box has the IP 192.168.220.1; adjust the name server entry to your environment. After a reboot, which you can trigger with the reboot command, you should be able to access your FRITZ!Box over ssh.
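Two things go wrong with this script in practice: the USB stick may not be mounted yet when debug.cfg runs, and a typo in the hash or path silently leaves you with a root entry that has no usable (or worse, an empty) password field. The following is an added example of a more defensive startup.sh, not the script from the original post. It keeps the post's paths and dropbear flags; the file passwd.saved on the stick (a copy of /etc/passwd taken right after running passwd) and the 60 second mount timeout are assumptions of this example.

```shell
#!/bin/sh
# Defensive startup.sh for the FRITZ!Box USB stick (added example, not the
# original post's script). It waits for the stick to be mounted, refuses to
# start without the persistent host key, and never writes an empty root
# password field. Paths assume the stick from the post; the file passwd.saved
# (a copy of /etc/passwd taken right after running passwd) is an assumption.

# Poll until DIR exists or TIMEOUT seconds have passed. The stick is mounted
# asynchronously after boot, so debug.cfg may run before it is available.
wait_for_dir() {
    wfd_dir=$1
    wfd_timeout=${2:-60}
    wfd_i=0
    while [ ! -d "$wfd_dir" ]; do
        wfd_i=$((wfd_i + 1))
        if [ "$wfd_i" -gt "$wfd_timeout" ]; then
            return 1
        fi
        sleep 1
    done
    return 0
}

# Print the password hash (second field) of USER from the passwd-style FILE.
passwd_hash() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Print a complete passwd file for the box. Refuses a missing or placeholder
# hash: "root::0:0:..." would be root with NO password at all.
build_passwd() {
    bp_hash=$1
    case "$bp_hash" in
        ''|x|'*'|'!')
            echo "build_passwd: refusing to write an empty root hash" >&2
            return 1 ;;
    esac
    printf 'root:%s:0:0:root:/var/tmp/:/bin/sh\n' "$bp_hash"
    printf 'ftpuser:any:1000:0:ftp user:/var/media/ftp:/bin/sh\n'
}

startup_main() {
    BASE=/var/media/ftp/FLASH-DISK-01/addons     # adjust to your stick's label
    KEY=$BASE/dropbear/etc/sshd_rsa_host_key

    wait_for_dir "$BASE" 60 || { echo "startup: $BASE not mounted" >&2; return 1; }
    # Without the persistent key dropbear either does not start or, if you let
    # it generate one, presents a new fingerprint to your clients on every boot.
    [ -s "$KEY" ] || { echo "startup: host key $KEY missing" >&2; return 1; }

    ROOTHASH=$(passwd_hash root "$BASE/passwd.saved")
    build_passwd "$ROOTHASH" > /var/tmp/passwd.new || return 1
    mv /var/tmp/passwd.new /var/tmp/passwd

    cd /var/tmp || return 1
    "$BASE/cfg_dropbear" usb_install
    /bin/dropbear -E -r "$KEY"

    # let the box resolve the names of DHCP clients in your LAN
    echo "nameserver 192.168.220.1" >> /var/tmp/resolv.conf
}

# Only run the boot sequence when invoked as startup.sh, so the functions
# above can be sourced and tested on another machine.
case "$0" in
    */startup.sh) startup_main ;;
esac
```

The password file is written before dropbear starts, so there is no window in which the server is reachable with the box's default root entry. Because the stick is usually FAT formatted, passwd.saved has no file permissions to speak of; anyone with physical access to the stick gets the hash, which is no worse than the hash sitting inside startup.sh as in the original script, but worth knowing.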

To allow connections from outside your home you need to change the forward rules of the FRITZ!Box's internal firewall. Unfortunately you can't add this rule in the web frontend, because it does not allow rules whose target is the FRITZ!Box itself. Most of the FRITZ!Box configuration is located in a file called /var/flash/ar7.cfg. Use nvi to edit it and search for the string forwardrules. If this string is missing, you can temporarily create a rule in the web frontend and remove it again later. Change the line so that it looks like this:

forwardrules =
               "tcp 0.0.0.0:7777 0.0.0.0:22 0 # SSH-Server";

Here the external port is 7777, but of course you can use any valid port number; the second address:port pair is the ssh server on the box itself. You can add more rules by separating them with a comma. To apply the change, running ar7cfgchanged is sufficient. Be careful with the syntax: a malformed entry can leave the box in an invalid configuration state, so double-check the line before you apply it.
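Because a typo in ar7.cfg is applied blindly by ar7cfgchanged, a pre-flight check of the forwardrules block is worth having. The following shell functions are an added example, not part of the original post or of AVM's tooling: they pull every quoted rule out of a forwardrules block and check that it has the shape the post shows (protocol, external ip:port, internal ip:port, numeric flag, optional "# comment"). The meaning of the trailing flag is not documented on this page, so only its being a number is checked, and the ar7.cfg excerpt used in the usage note is constructed and mimics only the forwardrules block.

```shell
#!/bin/sh
# Pre-flight check for forwardrules entries before running ar7cfgchanged
# (added example, not part of the original post or of AVM's tooling).
# A rule has the shape shown in the post:
#   proto ext_ip:ext_port int_ip:int_port flag # comment

# 0 if $1 is a dotted-quad IPv4 address, 1 otherwise
valid_ip() {
    if printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'; then
        return 0
    fi
    return 1
}

# 0 if $1 is a port number 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# 0 if $1 looks like ip:port
valid_endpoint() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    if valid_ip "${1%:*}" && valid_port "${1##*:}"; then
        return 0
    fi
    return 1
}

# Validate one rule string (without the surrounding quotes).
check_forwardrule() {
    cf_rule=${1%%#*}                 # drop the "# comment" part
    set -- $cf_rule                  # split into: proto ext int flag
    [ $# -eq 4 ] || return 1
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    valid_endpoint "$2" || return 1
    valid_endpoint "$3" || return 1
    # the post only shows 0; the flag's meaning is unknown here, so any number passes
    case "$4" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Print every quoted rule of the forwardrules block in FILE, one per line.
# The block starts at 'forwardrules =' and ends at the first ';'.
extract_forwardrules() {
    awk '/forwardrules[ \t]*=/ { on = 1 }
         on {
             s = $0
             while (match(s, /"[^"]*"/)) {
                 print substr(s, RSTART + 1, RLENGTH - 2)
                 s = substr(s, RSTART + RLENGTH)
             }
             if (index($0, ";")) on = 0
         }' "$1"
}

# Check all rules in FILE; report each one and fail on the first bad rule.
check_ar7cfg() {
    extract_forwardrules "$1" | {
        while IFS= read -r r; do
            if check_forwardrule "$r"; then
                echo "ok:  $r"
            else
                echo "BAD: $r" >&2
                exit 1
            fi
        done
    }
}
```

Usage on the box after editing with nvi but before ar7cfgchanged: copy the functions to the stick, source them, and run check_ar7cfg /var/flash/ar7.cfg; only apply the change when every rule reports ok. On a constructed excerpt containing the post's "tcp 0.0.0.0:7777 0.0.0.0:22 0 # SSH-Server" the check passes, while a rule such as "tpc 0.0.0.0:7777 0.0.0.0:22 0" (misspelt protocol) or "tcp 0.0.0.0:70000 0.0.0.0:22 0" (port out of range) is reported as BAD.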

Conclusion

With this setup it's possible to connect to the FRITZ!Box over ssh from inside your home network and from the outside. This makes it easy to change parameters without manually starting the telnet daemon, which in addition is very insecure, since it transmits everything in clear text. Keep in mind that you are now exposing a root password login to the Internet: choose a long, random root password, and consider dropbear's -s (disable password logins) or -g (disable password logins for root) options together with an authorized_keys file if you can arrange for it to survive a reboot. Don't forget to remove any temporary rules from ar7.cfg and to disable the telnet daemon with the procedure explained above. Stay tuned for the next post about going one step further and making the FRITZ!Box an OpenVPN endpoint for your internal network.

Update

There is a new article about installing ssh on the FRITZ!Box. If you are interested have a look at this post.

22 thoughts on “FRITZ!Box tuning part 1: Enable remote access over ssh”

  1. Trying to make this work. It seems that when the box is rebooted my debug.sh is gone. The root password I configured is gone. And, obviously, I cannot ssh into the box. Of note, if I execute each startup.sh command manually from the CLI, when I get to the ssh server start portion it tells me that the port is already in use. Is it possible that AVM has prevented these changes in an updated firmware release? My Fritz is brand new (ripe for the cracking… 🙂

  2. Update… I wasn't using nvi, which is probably why the debug.cfg did not show up. It does now. However, I still can't ssh in, because it says something is already running on port 22 and the connection is refused. Also, my password won't stick. It goes back to root:x:0:0:root:/:/bin/sh after reboot.

    1. Hi David,

      At least on AVM's website there is no new firmware for the FRITZ!Box 7270 available. You can check whether someone is using port 22 already by executing netstat -l -n. Also check whether there is an ssh server already running by executing ps. If there is a process like sshd or dropbear running, then something is wrong.

      Christian

  3. Works great here, but after a reboot the root password is not valid anymore.
    I have to reset the password with “passwd” to get it working again.
    The hash is different every time with the same password.
    Any idea?

    1. Hi Evert,

      Yes, the hash is different every time because of the salt used in the hash function. So this is normal. Are you sure the startup.sh is executed correctly? Also double-check that there is no typo in the script.

      Christian

      1. Hi Christian,

        It’s working now!
        I indeed made a small typo: my USB stick is called “CBM-Flash-disk-01”.
        I added the CBM to the name, but forgot that the rest is in lower case.
        Those are the handicaps if you have worked your whole life with MS-DOS and Windows, which aren't case sensitive.
        Thanks for sharing.
        The OpenVPN tutorial is also working, even with my Nokia N900 Linux phone.

  4. It did work on my Fritz, but after a reboot the dropbear service wasn't started again.
    It turned out that when adding the line:
    sleep 30
    in /var/flash/debug.cfg
    the scripts were executed correctly.

    1. So my /var/flash/debug.cfg now contains:

      # execute the start script which is on the usb stick
      sleep 30
      /var/media/ftp/USB-DISK2-0-01/addons/startup.sh

  5. Hello.
    I have a 7270-V3 with the labor firmware, and everything seems to work until I change the forward rules (with nvi). Then, after ar7cfgchanged and a reboot, it thinks it's fresh out of the box and starts the configuration wizard.

    Thankfully I saved the configuration, so I can just do a restore, but it is impossible to add the forward rule.

    Has anyone encountered this?
    And what was the solution?

    1. Hi,

      I just installed the latest labor firmware on my FRITZ!Box and ssh is still working. So either there is something different on the V3 (I have a V2) or you made a spelling error when adding the rule to the file, and the FRITZ!Box believes something is messed up with the configuration.

      Christian

  6. Well, it looks like “tcp 0.0.0.0:22 192.168.178.2:22 0 # dropbear” works.
    It now starts dropbear (after adding sleep 30, as suggested), but passwords fail (for now 😉

    I used cat /etc/passwd >> startup.sh and added the echos by hand.

    I’ll check the filename etc later.

  7. Can you tell me why I don't have the startup script at /var/media/ftp/FLASH-DISK-01/addons/startup.sh ?
    I tried to create it as well, but to no avail.

    Thanks

    ZS

  8. Quick update – I can use dropbear attached to my Fritzbox, but if I reboot I lose everything. The passwd is back to 0:0 and /bin/cfg_dropbear does not exist. I need to use the script to reinstall dropbear and recreate the key, and then I am back to a usable SSH server.
    Any idea ?

    ZS

  9. Hi,
    great tutorial; however, I wish to add the following: a) please stress that the file system on the USB stick MUST BE ABLE to support symlinks, and b) in part 1 of this series, please explain how to change the ./cfg_dropbear usb_install because of the change in URL!!

  10. Hi,
    I managed to get around the new location of the freeramdisk problem by removing ${uclibc#/0.9.28} from each of the _fct wgetx commands.

    However, I now get this error:
    insmod: can’t insert ‘/var/rd.ko’: invalid module format

    Any ideas please?

  11. As of version 6.30, AVM have permanently disabled telnetd on all FritzBoxes.

    This makes installing anything else “difficult”

    AVM are _not_ customer focussed and seem determined to alienate power users.
