LinuxQuestions.org

Thread: ssh connection refused - trying to set up ssh server at home (http://www.linuxquestions.org/questions/linux-server-73/ssh-connection-refused-trying-to-set-up-ssh-server-at-home-591497/)

openSauce 10-13-2007 08:41 AM

ssh connection refused - trying to set up ssh server at home
 
Hi,

I'd like to be able to use ssh to connect to my home computer remotely. I've been trying things out and tweaking config files but I've not got very far. I can't tell exactly what the problem is at this stage, but I'll tell you what I've done and hopefully somebody can tell me how to diagnose it properly.

I'm running Fedora 7 on my home PC, and for testing purposes I'm running Knoppix from a Live CD on another machine (although I eventually hope to connect using Putty on Windows). I believe this line confirms the ssh daemon is running on Fedora:
Code:

> ps -ef | grep sshd
root      2038    1  0 11:37 ?        00:00:00 /usr/sbin/sshd

The file /etc/ssh/sshd_config includes the following lines:
Code:

PasswordAuthentication yes
ChallengeResponseAuthentication yes

Although as I understand it I should only really need one or the other, and once I've got everything working and I understand it properly, I'll be able to disable both and use only key authentication.

Both computers are connected to a router which is connected directly to the internet; the router is configured to forward a port to my Fedora box which matches the port specified in /etc/ssh/sshd_config. On the Knoppix box, I type
Code:

ssh -p <port> guest@<IP>

where <IP> is the external IP address of the router (i.e. the one that whatismyip.com tells me). ssh returns immediately with "connection refused"; it seems as though it doesn't even have time to try to connect, but maybe the router doesn't need to forward to the DNS for its own address? Or maybe these things are just faster than I think.

Can anyone tell me what I should try next? Is there a way to tell if the connection is actually being refused by my Fedora PC, or by the router, or elsewhere?

Brian1 10-13-2007 10:22 AM

Do you have the Fedora default firewall up? If so, is port 22 for sshd open?

Brian

Freemor 10-13-2007 10:25 AM

It sounds like it could be a tcpwrapper problem. You should check your /etc/hosts.allow and be sure connections to sshd are allowed correctly, especially if your /etc/hosts.deny is set to something like ALL: ALL.

Hope this helps
Freemor

Brian1 10-13-2007 12:53 PM

One thought. If you have a firewall on the machine and port 22 is open, then this may be your issue. If you are on a LAN machine trying to connect to the sshd machine using the external IP, then it will more than likely work. The reason is that many of these store-bought routers lack the support to DNAT back onto themselves that way. You need to go to a remote location and try to connect and see what happens.

Other thought is maybe the ISP is blocking common server ports.

Go here and run the advanced portscan to see if it is open and up.
http://www.hackerwatch.org/probe/

Brian

openSauce 10-14-2007 07:05 AM

Freemor: /etc/hosts.allow and /etc/hosts.deny are empty. I was hoping this wouldn't matter so long as password authentication and challenge-response authentication were enabled? My understanding is those files are used for host-based authentication, but any one type of authentication is acceptable. In any case, the man page for hosts_access says that if both files are empty, all hosts will be allowed.

Brian1: I do have the Fedora default firewall up, it's a little hard to be sure how it's configured though. I don't know if you're familiar with it, its config window has a list of trusted services (ssh is trusted; no others), and a list of "other ports". I think maybe it's simply identifying the various services (FTP, SMTP, HTTP, HTTPS etc) with different ports - I tried adding port 443 earlier, and when I looked at the firewall config again, the port wasn't listed but HTTPS was checked as a trusted source. Adding port 22 and then going back into the config tool, it looks like nothing has changed. At least, that's how it was yesterday - now I can't add port 443 or any other port, I think the config tool isn't working properly. Do you know what config files it might be using, or where I could find out?

I tried the hackerwatch.org portscan, it seemed to ignore port 22 though. It said port 21 was closed but insecure (despite the firewall), port 23 was secure (invisible to outside world), and gave similar reports for 7 other ports.

Quote:

Originally Posted by Brian1
If you are on a lan machine trying to connect to the sshd machine using the external IP then it will more than likely work.

Should this have read "more than likely not work"? If not, I'm not sure what you mean - that is what I'm doing, and it isn't working! If you meant to say "not", could you say why the router couldn't pass the request on to my ISP server which would then send it straight back here? I'll try it from a remote location when I get the chance, but I'm not very confident about getting it to work when I can't get it to work from home.

Brian1 10-14-2007 09:33 AM

OK, from the other LAN machine can you log in to the sshd machine using the LAN IP of the sshd machine?

If not, then the port is closed, or sshd is not up, or sshd is not configured correctly.

Since you have a live CD on the other machine, see if it has nmap or a front-end GUI interface for nmap, and scan the sshd machine.

For the remote portscan you have to tell it to search for port 22. Port 22 is not in the default search.

Now, if you were using the external IP when trying to connect to the sshd machine from another LAN machine, meaning you are acting like you were on the outside, then it will more than likely not work. It is that basic store-bought routers just lack the ability to redirect onto themselves.

Brian

openSauce 10-15-2007 03:42 PM

Quote:

OK from the other lan machine can you login into the sshd machine using the lan IP of the sshd machine?
Oops! Yes I can :"). Sorry, I was certain I'd already tried that, it's such an obvious thing to do. Feel like a right idiot now. Oh well, thanks for your help!

Brian1 10-15-2007 04:32 PM

So you have it working?
If so glad to see you have it going.

Brian

mfsteele1@hotmail.co 10-15-2007 06:09 PM

How to test for an open port
 
telnet ip ####

#### = port #.

Doesn't matter what network service is involved, you should get a CONNECTED response like this:

> telnet xxx.xxx.xxx.xxx 43

Trying...
Connected to iap0ito0.

Or, if a firewall or closed port issue exists then you'll get a REFUSED response like this:

> telnet xxx.xxx.xxx.xxx 43

Trying...
telnet: Unable to connect to remote host: Connection refused
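As an added example (not from any poster in this thread), this Python helper does what the telnet test above does but also tells a "refused" (the host answered with a reset) apart from a silent drop (firewall or ISP), and interprets loopback / LAN IP / external IP results the way the earlier replies suggest; the diagnosis messages and the local_demo() probe are my own assumptions, not anything from the thread.

```python
"""Classify a TCP connect attempt so 'connection refused' can be told apart
from a silent drop, then read the results from the three vantage points
used in the thread (loopback, LAN IP, external/router IP)."""
import socket


def classify_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' (no answer before timeout)
    or 'unreachable' (no route / name lookup failed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Peer sent TCP RST: nothing listening there, or a firewall REJECT rule.
        return "refused"
    except socket.timeout:
        # Packets silently dropped: firewall DROP, no port forward, or ISP block.
        return "filtered"
    except OSError:
        return "unreachable"


def diagnose(loopback, lan, external):
    """Map the three probe results to the likely culprit (assumed wording)."""
    if loopback != "open":
        return "sshd is not listening on that port: check 'ss -tlnp' and the Port line in sshd_config"
    if lan != "open":
        return "sshd listens, but the LAN IP is blocked: check the host firewall and /etc/hosts.deny"
    if external == "refused":
        return "LAN works; the router refuses on the external IP (no NAT hairpin): test from outside"
    if external == "filtered":
        return "LAN works; the external probe is dropped: check router port forwarding or ISP filtering"
    if external == "open":
        return "reachable from every vantage point"
    return "external address unreachable from this client"


def local_demo():
    """Constructed self-test on loopback: probe a listening socket, then a
    port that was just bound and released (so nothing listens on it)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listening = classify_port("127.0.0.1", srv.getsockname()[1])
    srv.close()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    return listening, classify_port("127.0.0.1", closed_port)
```

Run classify_port() once against 127.0.0.1, once against the LAN address and once against the router's external address, then feed the three strings to diagnose().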

openSauce 10-16-2007 10:59 AM

Yeah it's working on the LAN now, thanks. Haven't tried it externally yet, but I guess it should be fine so long as port forwarding's working ok on the router.

Brian1 10-18-2007 04:38 PM

Glad to see you have it working.

Brian

