SSH is blocking my connections

tarballedtux · 10-30-2002, 07:14 PM

OK I've beed trying to SSH to my LAN from an external host. I've gotten past configuring my firewall correctly. When I try to SSH to my box, PuTTY terminated without error. When I checked /var/log/messages it said:

SSHD: refused connect from xx.xx.xx.xx (xx.xx.xx.xx)

I made sure to make SSH listen on that interface. I known that SSH is listening because I can SSH out to a host and then back in. Any ideas?

--tarballedtux

lowlifeish · 10-30-2002, 09:44 PM

edit your sshd_config

Adding the line:
ListenAddress 192.168.0.1

Or whatever the server's address is should correct your problem.

- lowlife

markus1982 · 10-31-2002, 01:22 AM

If you're running SSH over xinetd check the only_from line in the ssh configuration. Running tcp_wrappers? (/etc/hosts.allow, /etc/hosts.deny)

daxy · 10-31-2002, 06:22 AM

99% change this is your /etc/hosts.allow file

enter this line to allow SSH connections from everywhere:
sshd: ALL

or from just 1 subnet:
sshd: 192.168.0.0/255.255.255.0

tarballedtux · 10-31-2002, 08:16 AM

OK, I should have said this the first time, but I already did put in an entry for SSHD in hosts.allow

SSHD: xx.34.56.

because there is a range of addresses that the connections will be coming from.

I also already said I put in a listen directive in sshd.conf

ListenAddress xx.xx.xx.xx

Which is the IP of the interface that touches the internet.
So I'm still confused. Maybe I will try a SSHD: ALL for testing purposes.

--tarballedtux

daxy · 10-31-2002, 08:19 AM

Try and find out

Also take a look in /var/log/auth.log which tells you probably more...

unSpawn · 10-31-2002, 10:14 AM

but I already did put in an entry for SSHD in hosts.allow
SSHD: xx.34.56.
Had the same prob time ago. If you have "ALL: ALL" in /etc/hosts.deny then it rules out the "ssh: xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy" in /etc/hosts.deny.
I think this ./makes sense, because you already restrict access in .*allow before .*deny is read, at least that's what I think the man page sez.

stickman · 11-01-2002, 01:28 PM

TCP Wrappers checks for matches in hosts.allow then hosts.deny. If no match is found in either, then the connection is allowed. It's best to put "ALL : ALL" in your hosts.deny so that it covers everthing that is not explicity named in hosts.allow.

unSpawn · 11-01-2002, 04:19 PM

Oops, my mistake, thnx for correcting Stickman.