Ok, I have spent all day searching and cannot find a solution to this. I am acting as a server admin for a Red Hat server running Apache but do not have physical access to the server. I have 2 main problems at the moment. The first is that I can SSH into the server while on the local network and make necessary changes but I cannot SSH from anywhere outside of the local network and this is necessary.
Contents of /etc/hosts.allow:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:ALL
Contents of iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
I have no idea what else to try. Also, I ran the command "service iptables stop" as root and tried to SSH from outside of the network and still couldn't get access. What happens is that when you tell it to connect it just sits there and never does anything. (Also, I can view my web pages stored on the server from anywhere.)
My second problem is that I have 3 users. Two of the users can connect locally via SSH and can use and modify the server files. But the third account cannot connect via SSH. I have reset that user's password via root and the third user still cannot connect. SSH Secure File Transfer (the name of the program being used) just continually asks for the password even after it is entered correctly (which I think means the password isn't being verified).
Here is the /var/log/secure:
Oct 21 05:12:37 sysb sshd[20815]: User XXX not allowed because shell /bin/shell does not exist
Oct 21 05:12:37 sysb sshd[20816]: input_userauth_request: invalid user XXX
Oct 21 05:12:37 sysb sshd[20815]: reverse mapping checking getaddrinfo for 10.155.xxx.xxxxxxxx.edu failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 21 05:12:50 sysb sshd[20815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1xx.xx.xxx.xx user=XXX
Oct 21 05:12:52 sysb sshd[20815]: Failed password for invalid user XXX from 1xx.xx.xxx.xx port 51720 ssh2
I am completely lost as to what to do here. I appreciate any help I can get.
P.S. Sorry about the length, I just wanted to show as much info as my day's worth of searching could provide.
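Before chasing the upstream network, it helps to read the posted ruleset mechanically and see exactly what it lets in. The script below is an added example, not something from the thread: it embeds the ruleset quoted above as its sample input (on a live box you would feed it the output of `iptables-save`), lists every destination port the RH-Firewall-1-INPUT chain accepts, and reports the chain's final action. Two things fall out of it for this thread: tcp/22 is accepted, so the host firewall is not what blocks the SSH attempts; and the chain ends in REJECT with icmp-host-prohibited, so a client blocked by this host would get an immediate "No route to host" rather than the hang the poster describes, which points at a filter somewhere else on the path. The same listing also shows ports 21 (FTP) and 631 (CUPS) open to the world on a public address, which is worth a second look from a hardening standpoint.

```shell
#!/bin/sh
# Added example: list what the posted RH-Firewall-1-INPUT ruleset lets in.
# The ruleset below is the one from the post, embedded as sample input so the
# script runs offline; on a live box you would feed it `iptables-save` output.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "proto port" for every ACCEPT rule in the chain that matches on a
# destination port, sorted by protocol and then numerically by port.
accepted_ports() {
    printf '%s\n' "$1" \
      | grep -e '^-A RH-Firewall-1-INPUT ' \
      | sed -n 's/^.*-p \([a-z][a-z]*\) .*--dport \([0-9][0-9]*\) .*-j ACCEPT.*$/\1 \2/p' \
      | sort -k1,1 -k2,2n
}

# Exit 0 if the ruleset accepts inbound <proto> <port>, 1 otherwise.
port_is_accepted() {
    accepted_ports "$RULES" | grep -qx "$1 $2"
}

# Target of the last rule in the chain, i.e. what happens to everything that
# no earlier rule accepted. Here it is REJECT, which answers the client with
# an ICMP host-prohibited instead of silently dropping the packet.
final_action() {
    printf '%s\n' "$1" | grep -e '^-A RH-Firewall-1-INPUT ' | tail -n 1 \
      | sed -n 's/^.*-j \([A-Z]*\).*$/\1/p'
}

accepted_ports "$RULES"
final_action "$RULES"
```

Run it as `sh rules.sh`; `port_is_accepted tcp 22` can be used in a larger check script. To review a running host instead of the pasted text, replace `$RULES` with `$(iptables-save)` run as root.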
Oct 21 05:12:37 sysb sshd[20815]: User XXX not allowed because shell /bin/shell does not exist
This is probably true, isn't it? I don't have a /bin/shell, and none of my friends do. /bin/bash and /bin/sh exist, though. The user may have a messed-up .profile or .bashrc. Can they log in to any UNIX/Linux machine?
Last edited by jhwilliams; 10-21-2009 at 05:54 PM.
@jhwilliams
What do you mean do I need to VPN? I don't want to VPN into the network if at all possible.
@anomie
Here is the output:
XXX:x:503:504::/home/XXX:/bin/shell
(The three capital X's are me replacing the username just for the forum; the lower-case x in the above output was actual output.)
OK, thanks a lot for the suggestion. I will give this a shot tomorrow and let everyone know how it goes.
Also, to any who are interested, I think that the problem with SSH not working from outside the network has to do with a firewall from the agency providing my server's connection. I'm going to try to get in touch with those in charge and get them to open the port for me (hopefully that's the problem).
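The passwd line above is the whole story for the second problem: the account exists and the password is right, but sshd checks the login shell before it ever verifies credentials, and when the shell is missing it treats the account as invalid. That is why /var/log/secure says "invalid user" and "Failed password for invalid user" while the client just keeps prompting. The script below is an added example, not from the thread or from any of the posters: it walks passwd-format lines and reports every account whose shell would fail that check, using the same two conditions sshd applies (the path must exist, and it must be a regular executable file). The sample lines are constructed for the example; the 503:504 entry mirrors the one posted above with the name changed.

```shell
#!/bin/sh
# Added example: find accounts whose login shell would make sshd refuse them
# with "User X not allowed because shell ... does not exist". The passwd lines
# below are constructed sample data, not copied from a real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:500:500::/home/alice:/bin/sh
bob:x:503:504::/home/bob:/bin/shell
carol:x:505:505::/home/carol:/dev/null
dave:x:506:506::/home/dave:'

# Print "user shell reason" for each entry whose shell is unusable.
# An empty shell field is treated as /bin/sh, which is what login(1) and
# sshd do, so "dave" above is fine even though the field is blank.
check_login_shells() {
    printf '%s\n' "$1" | while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$shell" ] || shell=/bin/sh
        if [ ! -e "$shell" ]; then
            # sshd logs: shell %s does not exist
            printf '%s %s does-not-exist\n' "$user" "$shell"
        elif [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
            # sshd logs: shell %s is not executable
            printf '%s %s not-executable\n' "$user" "$shell"
        fi
    done
}

check_login_shells "$SAMPLE_PASSWD"
```

On a real host run `check_login_shells "$(cat /etc/passwd)"`. The usual remedy for a flagged account is to set a real shell as root, e.g. `usermod -s /bin/bash USERNAME`, after which the "invalid user" lines stop and password checking actually happens.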
@anomie & alucardZero
Both of you rock. Thanks a lot, now I can access the system via that user. I really can't thank you enough.
@chrism01
The server has a static public IP. So if I understand IP stuff correctly, that just means there is a firewall that closes off those ports to my IP before it reaches me. In which case there would be no forwarding needed, just the port being opened, right? Unlike if I was hosting a website on a server behind a router with an IP of 192.xxx.xxx.xxx, which would need forwarding. Either way though, it's something that's out of my hands.
OK, so I have spoken with the person in charge of the network and they say they are not blocking port 22, that it must be something with my Red Hat setup. So I'm back to square one with the original problem. I cannot SSH into the server unless I am on the local network that services the server; I cannot SSH in even when iptables is disabled. Any ideas, anyone?
Also, my iptables is stopped right now. Don't know if that matters. Also, when I try to telnet to port 22 (just for testing) from outside the network, it just times out without ever connecting.
OK, so sshd is listening on port 22 on all interfaces, both ipv4 and ipv6.
And your IP address is not in private IP space, right..? Please double-check. If it is, we can't help you (i.e. you'll need to work out NAT with your network staff).
I'm pretty sure it's public IP space. It's not 10.x, 172.x or 192.x. And you can access the server via a web browser from anywhere (you can see the web pages on it).
Last edited by linuxlychallenged; 10-23-2009 at 02:48 PM.
Reason: grammar
Well, if you're not filtering traffic at the host level (iptables), and your network admin claims they're not filtering inbound tcp 22 traffic, then some other hop between your testing point and your Linux server is...
Can you access any tcp ports on your Linux server?
On the server, do: $ nc -l 9922
Then on the external testing workstation, do: $ nc -zvw 3 linux.host.here 9922
What do you see?
-------
BTW, how are you disabling iptables? Use: # service iptables stop
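The useful thing about the nc test above is not just whether it connects but how it fails. A connect attempt that hangs until the timeout means the SYN (or the reply) is being dropped by a filter on the path; a connect attempt that fails immediately means the host answered (a TCP RST, or the ICMP host-prohibited this server's own iptables sends), so the host is reachable and the port is closed or rejected there. The poster's symptom is the first kind. The script below is an added example, not part of anomie's post: it wraps the suggested `nc -zvw` probe, times it, and classifies the result into connected, rejected or filtered so the two failure modes are not confused. The host, port and timeout are arguments you supply.

```shell
#!/bin/sh
# Added example: classify the outcome of a TCP connect probe.
#   connected : nc reached a listener
#   rejected  : failed quickly, so the host answered (RST or ICMP prohibited);
#               nothing is listening there or the host firewall REJECTs it
#   filtered  : ran out the timeout with no answer, so packets are being
#               dropped somewhere between the client and the host
classify_probe() {
    rc=$1; elapsed=$2; timeout=$3
    if [ "$rc" -eq 0 ]; then
        echo connected
    elif [ "$elapsed" -ge "$timeout" ]; then
        echo filtered
    else
        echo rejected
    fi
}

# Run the probe from the post (nc -zvw <timeout> <host> <port>), time it,
# and print "host:port verdict". Arguments: host port [timeout_seconds].
probe_tcp() {
    host=$1; port=$2; timeout=${3:-3}
    start=$(date +%s)
    if nc -zvw "$timeout" "$host" "$port" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    elapsed=$(( $(date +%s) - start ))
    printf '%s:%s %s\n' "$host" "$port" "$(classify_probe "$rc" "$elapsed" "$timeout")"
}

# Usage: sh probe.sh linux.host.here 9922 3   (run from the external workstation
# while `nc -l 9922` is listening on the server, as described above)
if [ $# -ge 2 ]; then
    probe_tcp "$@"
fi
```

Probe a port that is known to answer (here tcp/80, since the web pages are reachable from outside) alongside tcp/22: if 80 comes back `connected` and 22 comes back `filtered` from the same client, the host is reachable and something in between is dropping port 22 specifically, which is the evidence to take back to whoever runs the upstream network.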