LinuxQuestions.org
Old 09-26-2007, 04:34 PM   #1
drdale
LQ Newbie
 
Registered: Aug 2006
Posts: 18

Rep: Reputation: 0
openssh-server access denied from internet


I'm using lenny (kernel-image 2.6.21-2-686) with openssh-server (1:4.6p1-5). I can access the server via ssh from local workstations. I cannot access from the internet. I get the login prompt, but it only gives "access denied" errors after password input.
1. I have purged and reinstalled.
2. I have used the /etc/ssh directory from a working system.
3. I have compared /etc/pam.d/ssh between a working system and this one.
4. There is no firewall.
5. There are no entries in hosts.allow or hosts.deny.
6. sshd_config is default Debian.

This has worked out-of-the-box for me numerous times. Another thing that is unusual about this system is that even within the local network, I cannot assign and use a nonstandard port. This has also always worked on previous installs.
Since I am getting the login prompt, I am assuming that port-forwarding on the router is working properly.
I'm running out of places to look. I hope someone has seen this behavior before.
Thanks.
 
Old 09-27-2007, 07:02 AM   #2
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044
If you get a prompt, you are able to reach the ssh server, so it cannot be a network problem. In that case there should be an entry in auth.log. Did you check that? (And maybe /var/log/messages)

jlinkels
 
Old 09-28-2007, 09:21 AM   #3
drdale
LQ Newbie
 
Registered: Aug 2006
Posts: 18

Original Poster
Rep: Reputation: 0
Thank you for replying.
I have checked auth.log. Connection attempts from the lan are logged, but not from the internet. It is as if the attempt never happened. The log level is set to debug. I have not checked /var/log/messages, but have also checked syslog. Nothing there either. I used ssh -v to see if ssh-client would give me any clues; it did not. I will check the message log the next time I have physical access to the system.
 
Old 09-28-2007, 09:54 AM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044
Are you *sure* that you ssh into the right computer? There is no reason for an attempt not showing up in auth.log. I would not be surprised if you try to connect to another computer where the user name you use is not allowed or doesn't exist. Maybe even the router itself.

You could try a tcpdump on the machine where you try to ssh into. It should show your traffic.

Also remember that if the user is not in the allowed users list you get an "access denied" error.

jlinkels
 
Old 09-28-2007, 10:11 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Do you use a router or are you connected on this computer directly to the internet? If the former, check if the router is forwarding the ssh port to the correct computer and make sure your computer's firewall has that port open. If the latter, make sure that the port is open.

Also check the /etc/ssh/sshd_config file. You should disable root logins. Also, using the "allowusers" entries to control access is a good idea. If you have more than a handful of authorized users, use "allowgroups" instead.

Double check your /etc/hosts.allow and /etc/hosts.deny files. The /etc/security/access.conf may have restrictions on where you can log in.

You can check if you can reach a port using a telnet client.
Code:
$ telnet hpmedia 22
Trying 192.168.1.101...
Connected to hpmedia.jesnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.4

Also, if you changed the port number that your ssh server uses, make sure you do the same at the client end.

Since you can access this host from the LAN but not from the internet, it is most likely a port forwarding or firewall issue.

Last edited by jschiwal; 09-28-2007 at 10:13 AM.
 
Old 10-08-2007, 08:54 AM   #6
drdale
LQ Newbie
 
Registered: Aug 2006
Posts: 18

Original Poster
Rep: Reputation: 0
To jlinkels:
It is definitely the right computer. It is the only one with ssh installed on it. In fact, it is the only linux system and the only one with a static IP. I agree with you that there is no reason login attempts are not shown in auth.log, but I checked after another attempt, and there is no recorded entry for the attempt - nothing in messages either. While I attempt to get this working, there are no user restrictions.

To jschiwal:
Unless there is some secret for Netgear routers, port-forwarding is set up correctly - port 22 forwarded to the IP of the linux server. /etc/hosts.allow, /etc/hosts.deny, and /etc/security/access.conf contain only default Debian comments - no directives. The telnet command gives me SSH-1.99-OpenSSH_4.2, but none of the other text that you show. The firewall possibility is what baffles me most. A default Debian network install does not install a firewall, and I did not install one either. Therefore, I don't know where to check for such a problem. I have another system located elsewhere that uses a non-standard port for ssh. It does not show up, using nmap, as an open port, but it works. On the other hand, the problem server does not even allow me to use a non-standard port through the local network. Unless someone has another suggestion, I'm just about resigned to the fact that I will have to go to the site to administer the server. I may try a Linksys router to rule that possibility out, but what else? I don't know.

Thanks for the replies.
 
Old 10-08-2007, 09:27 AM   #7
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044
Well, there are some more diagnostics to do.

Try (as root): tcpdump port 22

You should see any traffic on port 22. If you don't see any traffic, there is no traffic arriving at this host.

If you see your traffic arriving, but access is denied and nothing shows up in the log, well, maybe... the installation is damaged somehow.

jlinkels
 
Old 09-30-2009, 01:34 PM   #8
drdale
LQ Newbie
 
Registered: Aug 2006
Posts: 18

Original Poster
Rep: Reputation: 0
openssh-server access denied from internet [SOLVED]

I realized I had never posted the resolution for this problem. It was not the configuration of the linux server or the router, but rather a configuration issue of the ISP. Their network requires a static IP for this to work. The IP being returned before this change was actually that of the access point, not the dynamic IP of the local connection. Once the static IP was set up, everything magically worked.

I don't understand why their setup is this way, but that's how it is.
 
Old 09-30-2009, 02:48 PM   #9
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196

Rep: Reputation: 1044
I like people giving feedback on their solved problems.

It is not as strange as you think. My Telco does the same thing with their ADSL modems. If you have a non-fixed IP, the modem is in NAT mode and you cannot get to your router.

If you have a fixed IP, you can ask them to put the modem in bridge mode and it will be transparent up to your router.

Apparently they assume that if you ask for a fixed IP you want access from the outside, and if you want that you are smart enough to put your own router/firewall.

Glad that it is solved.

jlinkels
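
Added example (not part of any post in this thread): the banner quoted in post #6 names OpenSSH_4.2, while post #1 lists the installed package as 4.6p1, and comparing identification strings is a quick way to see whether the address you connect to is answered by the server you think it is. The function names, the constructed LAN banner and the placeholder addresses are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: compare SSH identification strings (RFC 4253, section 4.2:
# "SSH-protoversion-softwareversion SP comments") to see whether two
# addresses are answered by the same sshd build.

# Print the softwareversion field of a banner; return 1 if it is not one.
banner_software() {
    bs_line=$(printf '%s' "$1" | tr -d '\r')   # banners end in CR LF
    case $bs_line in
        SSH-*-?*) ;;
        *) return 1 ;;
    esac
    bs_rest=${bs_line#SSH-}          # drop "SSH-"
    bs_rest=${bs_rest#*-}            # drop protoversion and its dash
    printf '%s\n' "${bs_rest%% *}"   # drop optional comments
}

# Print "same", "different" or "invalid" for two banners. Only the software
# field is compared; the protocol version (1.99 vs 2.0) is a config matter.
same_sshd() {
    ss_a=$(banner_software "$1") || { echo invalid; return 0; }
    ss_b=$(banner_software "$2") || { echo invalid; return 0; }
    if [ "$ss_a" = "$ss_b" ]; then echo same; else echo different; fi
}

# Fetch a live banner (needs bash for /dev/tcp and coreutils timeout).
# A server may send other lines first, so skip until one starts with "SSH-".
grab_banner() {
    timeout 5 bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        while IFS= read -r -t 5 line <&3; do
            case $line in SSH-*) printf "%s\n" "$line"; exit 0 ;; esac
        done
        exit 1' _ "$1" "${2:-22}" 2>/dev/null
}

# Constructed sample: what a 4.6p1 server might send (built from the package
# version in post #1, not captured), and the banner quoted in post #6.
LAN_BANNER='SSH-2.0-OpenSSH_4.6p1 Debian-5'
SEEN_BANNER='SSH-1.99-OpenSSH_4.2'
same_sshd "$LAN_BANNER" "$SEEN_BANNER"

# Live use, with placeholder addresses (replace with LAN and public address):
#   same_sshd "$(grab_banner 192.0.2.10)" "$(grab_banner 198.51.100.7)"
```

A matching banner only shows the same software build, not the same machine; for identity, compare the host key fingerprint seen from outside with the one `ssh-keygen -lf` prints for the server's own public host key.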
 
  

