Old 06-10-2009, 11:16 AM   #1
todd_dsm
Cannot ssh in to remote machine


Hey all, my problem is fairly straightforward: I was able to log into a client's box remotely but I can't any longer. My computer and the remote are both CentOS 5.2. My PuTTY session just hangs and eventually errors.

NOTES:
I remotely logged into their Windows server and used PuTTY to get into the Linux box in question (from 10.0.0.3 ssh -> 10.0.0.2). Here's what I was able to dredge:

I used the 'last' utility to see the last time I was able to login from my home:
Sat May 2 19:04 - 19:25
---
I attempted a simple telnet session from my home to their box:
echo 'helo' | telnet mail.domain.com 22
Trying www.xxx.yyy.zzz...
telnet: connect to address www.xxx.yyy.zzz: Connection timed out

If I change it to port 25 it works:
# echo 'helo' | telnet mail.domain.com 25
Trying www.xxx.yyy.zzz...
Connected to mail.domain.com.
Escape character is '^]'.
Connection closed by foreign host.
So port forwarding is not the issue.

I went to http://www.canyouseeme.org (from their windows box) for a sanity check though. This site reported that it was able to get through on port 22.
---
nmap, iptables -L, and netstat -ant all show ssh as functional.
---
If I pick through some of the logs I see entries like this:
Code:
Apr 16 15:42:37 localhost sshd[31913]: Address aaa.bbb.ccc.ddd maps to mail.example.org.ccc.bbb.aaa.in-addr.arpa, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
aaa.bbb.ccc.ddd used to map to mail.example.org.ccc.bbb.aaa.in-addr.arpa, but I put a call into the ISP a few months ago to correct this, now it's correct: aaa.bbb.ccc.ddd <=> mail.example.org (fwd/rev)
---
I then vi ~/.ssh/known_hosts and removed the previous key from my server and saved. This didn't help - duh.
---
When I saw the above I checked /etc/hosts.deny on the remote box: empty
---
grep denied /var/log/audit/audit.log (nothing)
grep fail /var/log/audit/audit.log (a few things that looked appropriate)
---
I tightened the first rule and added the second:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.0.0.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s aaa.bbb.ccc.ddd
These rules both work on other servers. I copy/pasted them to avoid typos.

Then: 'service iptables restart' and still can't get in from home.
---
When I tail -f various logs (/var/log/{message,secure,audit}) while attempting an ssh session the logs don't budge. It's like I'm not hitting the box at all. Again though, I was able to at one time.
---
SELinux is fully functional by the way. Past grepping the audit log for failures I don't know what to do with SELinux (newb).
---
The client's router is a consumer-grade Actiontec DSL modem. I shut off remote management for both ssh and telnet. If these are on, you'll end up telnet/sshing into the DSL modem.

I re-checked the port forwarding on the device as well. Both 'advanced port-forwarding' and 'applications' are doing the same thing: forwarding all TCP port 22 requests to 10.0.0.2. This works for me at my home so it seems good.
===
At this point I'm drawing a blank. If there's anything else I'm missing please correct my troubleshooting.

Thanks in advance-
TT

Last edited by todd_dsm; 06-10-2009 at 01:28 PM.
 
Old 06-10-2009, 01:09 PM   #2
todd_dsm
RE: Cannot ssh in to remote machine

Update: I don't believe this is a routing or port-forwarding issue. I'm now noticing gazillions of these:
Code:
tail -f /var/log/audit/audit.log
type=USER_AUTH msg=audit(1244651558.747:9538): user pid=9617 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651558.748:9539): user pid=9617 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="divine": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651560.260:9540): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="popa3d": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651562.100:9541): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651562.100:9542): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="popa3d": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651563.586:9543): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="aptproxy": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651565.172:9544): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651565.173:9545): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="aptproxy": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651566.794:9546): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="desktop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651568.123:9547): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651568.123:9548): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="desktop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651569.730:9549): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="workshop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651572.138:9550): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651572.138:9551): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="workshop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651575.197:9552): user pid=9635 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="mailnull" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651575.198:9553): user pid=9635 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="mailnull": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651578.990:9554): user pid=9639 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="nfsnobody" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651578.990:9555): user pid=9639 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="nfsnobody": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651582.898:9556): user pid=9641 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="rpcuser" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651582.898:9557): user pid=9641 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="rpcuser": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651586.332:9558): user pid=9645 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="rpc" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651586.332:9559): user pid=9645 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="rpc": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651590.490:9560): user pid=9647 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="gopher" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
These messages stopped when I modified the firewall rules in the previous post. So, at least others were able to hit the machine. NOTE: all time/date stamps are of course in epoch time. The last attempt was: Wednesday, June 10, 2009 11:33:10 AM which seems about right. This is a great time converter by the way: http://www.epochconverter.com/

On a personal note: since Google crawls the web and caches sites like this I feel like I should put a shout out to the douche-bags @ Xeex XEEX-COMMUNICATIONS-2 for trying to jack my server. Nice try F-tards.

Last edited by todd_dsm; 06-10-2009 at 01:28 PM. Reason: add a link
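
Added example, not part of the original thread: a small Python triage script for audit.log entries in the format quoted in the post above. It groups failed sshd events by source address, converts the epoch stamps, and flags any address that tried several distinct account names. The sample lines, the `summarize` and `suspects` names, and the threshold of three accounts are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the audit.log format quoted above; the addresses are
# taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE = """\
type=USER_AUTH msg=audit(1244651558.747:9538): user pid=9617 uid=0 auid=4294967295 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=203.0.113.7, addr=203.0.113.7, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651558.748:9539): user pid=9617 uid=0 auid=4294967295 msg='acct="divine": exe="/usr/sbin/sshd" (hostname=?, addr=203.0.113.7, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651560.260:9540): user pid=9621 uid=0 auid=4294967295 msg='acct="popa3d": exe="/usr/sbin/sshd" (hostname=?, addr=203.0.113.7, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651563.586:9543): user pid=9628 uid=0 auid=4294967295 msg='acct="aptproxy": exe="/usr/sbin/sshd" (hostname=?, addr=203.0.113.7, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651590.490:9560): user pid=9647 uid=0 auid=4294967295 msg='PAM: authentication acct="gopher" : exe="/usr/sbin/sshd" (hostname=203.0.113.7, addr=203.0.113.7, terminal=ssh res=failed)'
type=USER_AUTH msg=audit(1244651600.100:9561): user pid=9650 uid=0 auid=4294967295 msg='PAM: authentication acct="root" : exe="/usr/sbin/sshd" (hostname=198.51.100.20, addr=198.51.100.20, terminal=ssh res=success)'
type=USER_LOGIN msg=audit(1244651610.000:9562): user pid=9655 uid=0 auid=4294967295 msg='acct="todd": exe="/usr/sbin/sshd" (hostname=?, addr=198.51.100.20, terminal=sshd res=failed)'
"""

FIELDS = re.compile(
    r'type=(?P<type>USER_AUTH|USER_LOGIN) msg=audit\((?P<epoch>\d+)\.\d+:\d+\):'
    r'.*?acct="(?P<acct>[^"]*)".*?exe="(?P<exe>[^"]*)"'
    r'.*?addr=(?P<addr>[^,\s)]+).*?res=(?P<res>\w+)'
)

def summarize(lines):
    """Group failed sshd authentication events by source address."""
    out = {}
    for line in lines:
        m = FIELDS.search(line)
        if not m or m["res"] != "failed" or not m["exe"].endswith("/sshd"):
            continue
        when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
        s = out.setdefault(m["addr"], {"events": 0, "accounts": set(),
                                       "first": when, "last": when})
        s["events"] += 1
        if m["acct"] != "?":          # "?" is logged when the account does not exist
            s["accounts"].add(m["acct"])
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
    return out

def suspects(summary, min_accounts=3):
    """Addresses that failed against several distinct account names."""
    return sorted(a for a, s in summary.items() if len(s["accounts"]) >= min_accounts)

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for addr in suspects(report):
        s = report[addr]
        print(addr, s["events"], "failed events,", len(s["accounts"]), "accounts,",
              s["first"].isoformat(), "to", s["last"].isoformat())
```

To run it against a live system, pass the lines of /var/log/audit/audit.log to `summarize` instead of `SAMPLE`; the timestamps are reported in UTC.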
 
Old 06-10-2009, 01:38 PM   #3
todd_dsm
Cannot ssh in to remote machine

OK, I checked one of the other posts and found a work-around:

I was doing it like this:
ssh mail.domain.com
like I do with all of my other connections.

When I specify the user root I am prompted for a password.
ssh root@mail.domain.com
root@mail.domain.com's password:
Last login: Wed Jun 10 13:30:24 2009 from mail.example.org
then, of course, I am given a shell:
[root@localhost ~]#
===

I'm not sure what causes this. Please let me know. For all of my other servers I only have to: ssh mail.domain.com


Thanks,
TT
 
  

