Cannot ssh in to remote machine

todd_dsm · 06-10-2009, 11:16 AM

Hey all, my problem is fairly straight forward: I was able to log into a client's box remotely but I can't any longer. My computer and the remote are both CentOS 5.2. My putty session just hangs and eventually errors.

NOTES:
I remotely logged into their windows server and used putty to get into the linux box in question (from 10.0.0.3 ssh -> 10.0.0.2). Here's what I was able to dredge:

I used the 'last' utility to see the last time I was able to login from my home:
Sat May 2 19:04 - 19:25
---
I attempted a simple telnet session from my home to their box:
echo 'helo' | telnet mail.domain.com 22
Trying www.xxx.yyy.zzz...
telnet: connect to address www.xxx.yyy.zzz: Connection timed out

If I change it to port 25 it works:
# echo 'helo' | telnet mail.domain.com 25
Trying www.xxx.yyy.zzz...
Connected to mail.domain.com.
Escape character is '^]'.
Connection closed by foreign host.
So port forwarding is not the issue.

I went to http://www.canyouseeme.org (from their windows box) for a sanity check though. This site reported that it was able to get through on port 22.
---
nmap, iptables -L, and netstat -ant all show ssh as funtional.
---
If I pick through some of the logs I see entries like this:

Code:

Apr 16 15:42:37 localhost sshd[31913]: Address aaa.bbb.ccc.ddd maps to mail.example.org.ccc.bbb.aaa.in-addr.arpa, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!

aaa.bbb.ccc.ddd used to map to mail.example.org.ccc.bbb.aaa.in-addr.arpa, but I put a call into the ISP a few months ago to correct this, now it's correct: aaa.bbb.ccc.ddd <=> mail.example.org (fwd/rev)
---
I then vi ~/.ssh/known_hosts and removed the previous key from my server and saved. This didn't help - duh.
---
When I saw the above I checked /etc/hosts.deny on the remote box: empty
---
grep denied /var/log/audit/audit.log (nothing)
grep fail /var/log/audit/audit.log (a few things that looked appropriate)
---
I tightened the first rule and added the second:

Code:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s 10.0.0.0/24
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -s aaa.bbb.ccc.ddd

These rules both work on other servers. I copy/pasted them to avoid type-o's.

Then: 'service iptables restart' and still can't get in from home.
---
When I tail -f various logs (/var/log/{message,secure,audit}) while attempting an ssh session the logs don't budge. It's like I'm not hitting the box at all. Again though, I was able to at one time.
---
SELinux is fully functional by the way. Past greping the the audit log for failures I don't know what to do with SELinux (newb).
---
The clients' router is a consumer grade actiontec dsl modem. I shut off remote management for both ssh and telnet. If these are on, you'll end up telnet/sshing into the dsl modem.

I re-checked the port forwarding on the device as well. Both 'advanced port-forwarding' and 'applications' are doing the same thing forwarding all TCP port 22 requests to 10.0.0.2. This works for me at my home so it seems good.
===
At this point I'm drawing a blank. If there's anything else I'm missing please correct my troubleshooting.

Thanks in advance-
TT

todd_dsm · 06-10-2009, 01:09 PM

Update: I don't believe this is a routing or port-forwarding issue. I'm now noticing gazillions of these:

Code:

tail -f /var/log/audit/audit.log
type=USER_AUTH msg=audit(1244651558.747:9538): user pid=9617 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651558.748:9539): user pid=9617 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="divine": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651560.260:9540): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="popa3d": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651562.100:9541): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651562.100:9542): user pid=9621 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="popa3d": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651563.586:9543): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="aptproxy": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651565.172:9544): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651565.173:9545): user pid=9628 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="aptproxy": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651566.794:9546): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="desktop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651568.123:9547): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651568.123:9548): user pid=9631 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="desktop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_LOGIN msg=audit(1244651569.730:9549): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="workshop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651572.138:9550): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="?" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651572.138:9551): user pid=9633 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="workshop": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651575.197:9552): user pid=9635 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="mailnull" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651575.198:9553): user pid=9635 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="mailnull": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651578.990:9554): user pid=9639 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="nfsnobody" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651578.990:9555): user pid=9639 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="nfsnobody": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651582.898:9556): user pid=9641 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="rpcuser" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651582.898:9557): user pid=9641 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="rpcuser": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651586.332:9558): user pid=9645 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="rpc" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1244651586.332:9559): user pid=9645 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='acct="rpc": exe="/usr/sbin/sshd" (hostname=?, addr=216.151.134.136, terminal=sshd res=failed)'
type=USER_AUTH msg=audit(1244651590.490:9560): user pid=9647 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="gopher" : exe="/usr/sbin/sshd" (hostname=216.151.134.136, addr=216.151.134.136, terminal=ssh res=failed)'

These messages stopped when I modified the firewall rules in the previous post. So, at least others were able to hit the machine

NOTE: all time/date stamps are of course in epoch time. The last last attempt was: Wednesday, June 10, 2009 11:33:10 AM which seems about right. This is a great time converter by the way: http://www.epochconverter.com/

On a personal note: since Google crawls the web and caches sites like this I feel like I should put a shout out to the douche-bags @ Xeex XEEX-COMMUNICATIONS-2 for trying to jack my server. Nice try F-tards.

todd_dsm · 06-10-2009, 01:38 PM

ok, I checked one of the other posts and found a work-around:

I was doing it like this:
ssh mail.domain.com
like I do with all of my other connections.

When I specify the user root I am prompted for a password.
ssh root@mail.domain.com
root@mail.domain.com's password:
Last login: Wed Jun 10 13:30:24 2009 from mail.example.org
then, of course, I am given a shell:
[root@localhost ~]#
===

I'm not sure what causes this. Please let me know. For all of my other servers I only have to: ssh mail.domain.com

Thanks,
TT