SSH doesn't work: No route to host

tezarin · 01-26-2012, 08:16 AM

Hi all,

I was connected to a mail server via PuTTY and all of a sudden the connecttion dropped and I've tried everything and no luck. My SSH is not the default port 22. Here are the commands I ran,

Code:

# ssh -l root mailservername -p [my ssh port number]
ssh: connect to host mailservername port [my ssh port number]: No route to host
# ssh -l root IPnumber -p [my ssh port number]
ssh: connect to host IPnumber port [my ssh port number]: No route to host

Ping works just fine

ssh localhost works just fine

Code:

#ps aux | grep ssh
root 6583    0.0   0.1  69452  15740   tty1   S+   14:05  0:00 ssh root@localhost –p [my ssh port number]
root 6584    0.0   0.0  88996  3492      ?       Ss    14:05  0:00 sshd:  root@pts.0
root 17285  0.0   0.0  61664  1188      ?       Ss    14:26  0:00  /user/sbin/sshd
root 29790  0.0   0.0  61208   772 pts/0      S+    14:49  0:00 grep ssh

Restarted iptables didn’t help either. SELinux is already in Permissive mode:

Code:

#getenforce
Permissive

Installed NMAP and scanned the ports and didn't see the SSH:

Code:

#nmap
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-01-25
Interesting ports on localhost.localdomain (127.0.0.1)
Not shown: 1669 closed ports
PORT STATE SERVICE
[number]/tcp open smtp
[number]/tcp open http
[number]/tcp open pop3
[number]/tcp open netbios-ssn
[number]/tcp open imap
[number]/tcp open https
[number]/tcp Microsoft-ds
[number]/tcp open smtps
[number]/tcp open ipp
[number]/tcp open imaps
[number]/tcp open pop3s

traceroute from a client to this mail server returns:

Code:

# traceroute [mailservername]
traceroute to mailservername (mail server IP), 30 hops max, 60 byte packets
 1  mailserver.domain.com (mail server IP)  8.850 ms !X  8.841 ms !X  8.832 ms !X

And from the mailserver to a client gave me a long output with some *** at the end. I was at the console and took pictures of the output but since that output was long couldn't capture it.

The mail server is up and running but SSH to that box just doesn't work.

would someone please help me fix this issue? I'd really appreciate it.

Thank you,
t

repo · 01-26-2012, 09:01 AM

Are you connecting from your LAN or from the outside?
Try to restart the ssh daemon.

Kind regards

tezarin · 01-26-2012, 09:22 AM

Thanks repo.

I'm trying to SSH from inside the LAN. But the mail server doesn't have a LAN address(i.e. 192.x.x.x). It has only one interface which should be accessible from anywhere. The ifconfig returns only 127.x.x.x address and that external address.

I've already rebooted the ssh many times, no luck. ssh localhost on the mail server works just fine.

repo · 01-26-2012, 09:24 AM

Did it worked before?
Did you forwarded port 22 on the router?
Try to connect from the outside.

Kind regards

tezarin · 01-26-2012, 09:28 AM

Thanks, I'll have to try to connect from the outside when I get home.

It has always been working just fine. The SSH port is not 22, have changed that years ago and apparently forwarding was working until couple days ago.

kbscores · 01-26-2012, 12:58 PM

If you have telnet on your localhost try doing:

Code:

# telnet localhost [port]

If it comes back with a similar message "no route to host" then it means a firewall is blocking that port.

If you get "connection refused" then odds are ssh is configured to only allow local connections.

If it allows than problem is most likely external to server.

Also, another place to check is /etc/services file. Make sure it is configured for correct port or some other perhaps new service isn't trying to take that port.

ALSO - by default firewalls are configured to allow port 22. If ssh port is changed it really sounds like the firewall is blocking connect. Especially based on error message you are receiving.

tezarin · 01-27-2012, 07:52 AM

Thanks for your reply. I get a "connection refused" if I try port 22. If I try the port I configured to be my new SSH port, it says "no route to host". It has been working for years now and never had a problem with it and the firewall never blocked that before. Haven't installed a new thing on that machine either.

I tried accessing from outside of the LAN but same thing happened.

I did stop and start the iptable and still no luck. Maybe the firewall detected something and automatically all of a sudden blocked that port? How can I make the firewall not block that custom port now?

I did this and no luck:

Code:

iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport {my ssh port} ACCEPT

Thanks

tezarin · 01-27-2012, 11:43 AM

This is what I found in each file:

iptables:

Code:

# Generated by iptables-save v1.3.5 on Fri Jan 27 12:16:54 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10396207:8077141142]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport {my ssh port} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {my ssh port} -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7071 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Jan 27 12:16:54 2012

hosts.deny:

Code:

nginx: .google.com
68.x.x.x : sshd
ALL: .ru
ALL: .cn

hosts.allow:
This file was empty

deep27ak · 01-30-2012, 05:11 AM

try this command

Code:

#netstat -ntlp | grep (ssh port no)