LinuxQuestions.org
Old 05-12-2006, 05:14 PM   #1
tredontho
cannot log in via ssh


Alright. I'm at my wit's end here (which isn't that far, but bear with me).
I'm running gentoo 2006.0, and I've gotten ssh to work over my LAN, but I cannot connect remotely. I've configured my router to forward port 1022 to my gentoo box, and edited the sshd_config file to listen on port 1022 (1022 isn't reserved, is it?). I can access the box from any computer on the lan, ssh xxx.xxx.xxx.xxx -p 1022, but cannot access it with ssh yyy.yyy.yyy.yyy -p 1022 (where yyy is my external ip address, and xxx is my internal address). I'll be honest, I don't know a whole lot about anything involved in this process. I have minimal knowledge of port forwarding, minimal knowledge of how external and internal IPs work with each other, but any help is helpful, and much appreciated. I'm going to go look and see if 1022 is a reserved port, but if that isn't the case, I'd like whatever help you choose to offer. Thanks.

Tredontho
 
Old 05-12-2006, 05:26 PM   #2
haertig
You need to set up port forwarding on your router. The actual configuration is different on each router, but they should all support it these days. Check your router documentation. The configuration will take a form something like this: "Incoming connections on yyy.yyy.yyy.yyy port 1022 should be forwarded to xxx.xxx.xxx.xxx port 1022" or this simpler version: "Incoming connections on port 1022 should be forwarded to xxx.xxx.xxx.xxx". The specifics will depend on your router.
 
Old 05-12-2006, 05:34 PM   #3
haertig
Sorry, you said you already set up port forwarding. I got confused because first you said you configured it, then later you said you didn't know much about it. My feeble mind zeroed in on the "don't know much about it" part and forgot about the earlier statement. Getting old is hell!

Changing ports doesn't really buy you much security. It might take a cracker 0.47 milliseconds longer to determine you're running sshd on port 1022 rather than on port 22, but that's about it. I wouldn't waste my time on an alternate port personally. But many people do, and no harm is done by using an alternate port, other than the slightly added complexity. So go ahead if you want. For debugging though, I'd take this extra alternate port complexity out of the picture.

Last edited by haertig; 05-12-2006 at 05:36 PM.
 
Old 05-12-2006, 05:37 PM   #4
tredontho
Original Poster
Alright, first, I should take more care with my terminology. I don't have a router, per se. I have an Actiontec DSL Gateway, which acts as a router, in a basic sense. I have set up port forwarding on it. It forwards port 1022 to this (the linux box) computer. I know many routers allow forwarding in the sense of external port 1022 goes to internal port 22, but I don't think this is possible with the "router" I am using. For that reason, I edited the /etc/ssh/sshd_config file to listen on port 1022. I know that that part of it works, because I can connect locally. I can only assume that it's something with the port not being forwarded properly, but I don't really know what. Any ideas?
 
Old 05-12-2006, 05:39 PM   #5
haertig
Check your sshd logfiles to see if your connection is getting through from the router to your computer. I don't know where Gentoo keeps these logs, but on my Debian box they're in /var/log/auth.log
 
Old 05-12-2006, 05:50 PM   #6
lleb
well for starters your command is wrong. it should not be ssh xxx.xxx.xxx.xxx -p 1022, it should be

ssh -p 1022 user@xxx.xxx.xxx.xxx
also it is normally a bad idea to run on ports sub 1024 as most of them are reserved for something or another. turns out that port 1022 is the sasser worm virus and a lot of ISPs have blocked that port. that could be your problem.

you might want to try 922 instead. this is a bit more common of a port and is a secondary port for ssh. worst case you can move it to say 10022 that way you are above 1024.

good luck.
 
Old 05-12-2006, 07:07 PM   #7
tredontho
Original Poster
Ah, well, the way I was keying it in had worked, so I hadn't thought to change it. Thanks for the correction. I changed the port to 922, next time I should try a quick google maybe? In any case, I just tried the connection (I'm not sure if I restarted sshd correctly... I just su'd to root, then typed /usr/sbin/sshd at the prompt, and assumed that that process would kill the previous running one, and therefore would load the updated configuration file (with the port set to 922)... well, I think that it loaded the updated configuration, because I just logged in locally... but I still cannot log in using the external IP address. It does nothing for quite a while, then (unsurprisingly) tells me that the connection has timed out. Any other ideas?
 
Old 05-12-2006, 07:20 PM   #8
Emerson
Quote:
Originally Posted by tredontho
In any case, I just tried the connection (I'm not sure if I restarted sshd correctly... I just su'd to root, then typed /usr/sbin/sshd at the prompt, and assumed that that process would kill the previous running one, and therefore would load the updated configuration file (with the port set to 922)...
Ayaa ...
Code:
# /etc/init.d/sshd restart
is the proper way to restart a daemon. And to force it to re-read configuration without restarting:
Code:
pkill -SIGHUP sshd
 
Old 05-12-2006, 08:16 PM   #9
haertig
What does:
Code:
netstat -an | grep "tcp.*LISTEN"
tell you about your current sshd port, 922?

:::922 ?

0.0.0.0:922 ?

127.0.0.1:922 ?

Here's mine (running on standard port 22):
Code:
tcp6       0      0 :::22                   :::*                    LISTEN
Do you have anything on the Gentoo box that might be killing the incoming connections? e.g., tcp_wrappers? iptables?

From the client end (assuming it's a *nix computer), run your login attempt with the -vv option. Like this:
Code:
ssh -vv -p 922 xxx.xxx.xxx.xxx
Does this tell you anything suspicious? I would expect not, given you're getting a timeout, but it doesn't hurt to check. Most likely it will just confirm that, ... you are timing out!
 
Old 05-12-2006, 08:24 PM   #10
tredontho
Original Poster
okay, well, here's the output from the netstat command
Code:
localhost ~ # netstat -an | grep "tcp.*LISTEN"
tcp        0      0 127.0.0.1:6880          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:45100         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:63320         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:922             0.0.0.0:*               LISTEN
and here's what the verbose ssh attempt is giving me
Code:
user@localhost ~ $ ssh -vv -p 922 xxx.xxx.xxx.xxx
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 922.
debug1: connect to address xxx.xxx.xxx.xxx port 922: Connection timed out
ssh: connect to host xxx.xxx.xxx.xxx port 922: Connection timed out
Not a whole lot of information there that is useful to me, but if you can make anything of it, please feel free to do so.

Thanks all for the help you've given so far (if anything, I'm using better CLI syntax)

tredontho

Last edited by tredontho; 05-12-2006 at 08:58 PM.
 
Old 05-12-2006, 08:59 PM   #11
tredontho
Original Poster
Update:
okay, I've found a partial answer (and another obstacle) to the problem. Dynamic IP Address (no idea how, or if it's possible, to make it static). I know that there are some services on the internet that offer redirection services for dynamic hosts, so I can look into that (but hey, if you have a favorite, feel free to share). That aside, I still cannot connect. Here is the output, again
Code:
trevor@localhost ~ $ ssh -vv -p 922 xxx.xxx.xxx.xxx
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 922.
debug1: connect to address xxx.xxx.xxx.xxx port 922: Connection refused
ssh: connect to host xxx.xxx.xxx.xxx port 922: Connection refused
Not timing out, but not any better, I suppose.
 
Old 05-12-2006, 09:09 PM   #12
haertig
Take a look at your /etc/hosts.deny and /etc/hosts.allow files. If hosts.deny has an entry that looks like "ALL: ALL" or "ALL: PARANOID" then you will need to specifically allow the host you are trying to connect from in the hosts.allow file. An entry in hosts.allow that looks like "ALL: aaa.bbb.ccc.ddd" where aaa.bbb.ccc.ddd is the computer you are connecting FROM should do the trick (if this is your problem, that is).

Also check your firewall. Run "iptables --list" as root. Are you DROPPING packets from your connecting client?

BTW, since you've already told us your IP address and what ports you are listening on, you might not want to go dumping the content of your hosts.allow and hosts.deny files, nor the output of that iptables --list command, out here on the general internet. No offense intended, but it sounds like you might be a little new at configuring this security stuff. And maybe subject to a configuration error or two. I'd hate to see you post the keys to your house because you didn't realize.

Not that a good cracker really needs this info handed to them to break into your system, ... but it would make things quicker for 'em! Maybe I'm overly paranoid on the security bit, but it just feels strange seeing you post this stuff in the open.

Last edited by haertig; 05-12-2006 at 09:22 PM.
 
Old 05-12-2006, 09:11 PM   #13
haertig
Oh good. Right after I posted I see you xxx'ed out your IP address and reported that it's a dynamic address anyway. That makes me feel better!
 
Old 05-12-2006, 09:21 PM   #14
haertig
Quote:
Originally Posted by tredontho
Not timing out, but not any better, I suppose.
Much better, I'd say. At least you know you're getting somewhere. This is an active refusal. Somebody got your packet and said "No, I don't want it". This REJECT (vs a DROP - a silent rejection, which looks like a timeout to the client) could be coming from your DSL modem/router or your Gentoo box. Could be firewall, tcp_wrapper, sshd_config, the sshd service not actually running - many things. Now's the time to check your hosts.* files and things in your /var/log directory for clues if the packet made it past your router and into your Gentoo box.

Hopefully the "somebody" you heard back from this time is the computer you were actually trying to get to, given your dynamic IP situation. I know of dynamic dns services, but don't use them myself, so I'll let others recommend in this regard.
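The checklist in posts #9 and #14 (is sshd listening, on which address, and does the client see a timeout or a refusal) can be written down as a small triage helper. This is an added example, not code from anyone in the thread; the netstat and ssh lines it runs on are constructed to mirror the output tredontho posted, and `ListenAddress` is the real sshd_config directive that controls the bind address.

```sh
#!/bin/sh
# Added example: classify what netstat and "ssh -vv" report, following the thread's checklist.

# Constructed netstat lines modelled on the thread: bound to all IPv4 interfaces vs loopback only.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:922             0.0.0.0:*               LISTEN'
NETSTAT_LOOPBACK='tcp        0      0 127.0.0.1:922           0.0.0.0:*               LISTEN'

# classify_bind PORT NETSTAT_OUTPUT -> all | loopback | specific | none
# "all" (0.0.0.0 / :::) is reachable from the LAN and router; "loopback" is not.
classify_bind() {
    port=$1
    line=$(printf '%s\n' "$2" | grep LISTEN | grep -E ":$port[[:space:]]" || true)
    case "$line" in
        '')                                 echo none ;;
        *0.0.0.0:"$port"*|*:::"$port"*)     echo all ;;
        *127.0.0.1:"$port"*|*::1:"$port"*)  echo loopback ;;
        *)                                  echo specific ;;
    esac
}

# classify_ssh_result "<last line of ssh -vv output>"
#   timed out -> nobody answered (packets silently dropped: DROP rule or no forwarding)
#   refused   -> something answered and rejected (RST / REJECT), so packets do arrive somewhere
classify_ssh_result() {
    case "$1" in
        *"Connection timed out"*)   echo silent-drop ;;
        *"Connection refused"*)     echo active-reject ;;
        *"No route to host"*)       echo unreachable ;;
        *"Connection established"*) echo ok ;;
        *)                          echo unknown ;;
    esac
}

# triage PORT NETSTAT_OUTPUT SSH_LAST_LINE -> the next thing to check, server side first.
triage() {
    bind=$(classify_bind "$1" "$2")
    result=$(classify_ssh_result "$3")
    case "$bind:$result" in
        none:*)          echo "sshd is not listening on $1: restart it and re-run netstat" ;;
        loopback:*)      echo "sshd is bound to loopback only: check ListenAddress in sshd_config" ;;
        *:silent-drop)   echo "no answer at all: port forwarding on the gateway or a DROP rule in front of the box" ;;
        *:active-reject) echo "something answered and refused: hosts.deny/hosts.allow, an iptables REJECT, or the wrong forwarded host/port" ;;
        *:ok)            echo "the connection reaches sshd" ;;
        *)               echo "unclassified: read the full ssh -vv output" ;;
    esac
}

# Stand-alone demo with the thread's final state: bound to 0.0.0.0:922, client sees a refusal.
triage 922 "$NETSTAT_SAMPLE" 'ssh: connect to host xxx.xxx.xxx.xxx port 922: Connection refused'
```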
 
Old 05-12-2006, 09:22 PM   #15
tredontho
Original Poster
Heh, yah, that was a really stupid mistake on my part... hopefully no harm done. Well, as for checking either of those files, not really applicable at the moment, as they don't exist, and a quick slocate shows that they don't exist anywhere else either. And iptables doesn't turn up anything, because it isn't on here either. Should I put these on? And if so, what package are they part of, or is there some command to create them? Thanks.
 