Debian This forum is for the discussion of Debian Linux.
09-26-2007, 04:34 PM
|
#1
|
LQ Newbie
Registered: Aug 2006
Posts: 18
|
openssh-server access denied from internet
I'm using lenny (kernel-image 2.6.21-2-686) with openssh-server (1:4.6p1-5). I can access the server via ssh from local workstations. I cannot access from the internet. I get the login prompt, but it only gives "access denied" errors after password input.
1. I have purged and reinstalled.
2. I have used the /etc/ssh directory from a working system.
3. I have compared /etc/pam.d/ssh between a working system and this one.
4. There is no firewall.
5. There are no entries in hosts.allow or hosts.deny.
6. sshd_config is default Debian.
This has worked out-of-the-box for me numerous times. Another thing that is unusual about this system is that even within the local network, I cannot assign and use a nonstandard port. This has also always worked on previous installs.
Since I am getting the login prompt, I am assuming that port-forwarding on the router is working properly.
I'm running out of places to look. I hope someone has seen this behavior before.
Thanks.
|
|
|
09-27-2007, 07:02 AM
|
#2
|
LQ Guru
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196
|
If you get a prompt, you are able to reach the ssh server, so it cannot be a network problem. In that case there should be an entry in auth.log. Did you check that? (And maybe /var/log/messages)
jlinkels
|
|
|
09-28-2007, 09:21 AM
|
#3
|
LQ Newbie
Registered: Aug 2006
Posts: 18
Original Poster
|
Thank you for replying.
I have checked auth.log. Connection attempts from the lan are logged, but not from the internet. It is as if the attempt never happened. The log level is set to debug. I have not checked /var/log/messages, but have also checked syslog. Nothing there either. I used ssh -v to see if ssh-client would give me any clues; it did not. I will check the message log the next time I have physical access to the system.
|
|
|
09-28-2007, 09:54 AM
|
#4
|
LQ Guru
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196
|
Are you *sure* that you ssh into the right computer? There is no reason for an attempt not showing up in auth.log. I would not be surprised if you try to connect to another computer where the user name you use is not allowed or doesn't exist. Maybe even the router itself.
You could try a tcpdump on the machine where you try to ssh into. It should show your traffic.
Also remember that if the user is not in the allowed users list you get an "access denied" error.
jlinkels
|
|
|
09-28-2007, 10:11 AM
|
#5
|
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
|
Do you use a router, or are you connected on this computer directly to the internet? If the former, check if the router is forwarding the ssh port to the correct computer and make sure your computer's firewall has that port open. If the latter, make sure that the port is open.
Also check the /etc/ssh/sshd_config file. You should disable root logins. Also, using the "allowusers" entries to control access is a good idea. If you have more than a handful of authorized users, use "allowgroups" instead.
Double check your /etc/hosts.allow and /etc/hosts.deny files. The /etc/security/access.conf may have restrictions on where you can log in.
You can check if you can reach a port using a telnet client.
Code:
$ telnet hpmedia 22
Trying 192.168.1.101...
Connected to hpmedia.jesnet.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.4
Also, if you changed the port number that your ssh server uses, make sure you do the same at the client end.
Since you can access this host from the LAN but not from the internet, it is most likely a port forwarding or firewall issue.
Last edited by jschiwal; 09-28-2007 at 10:13 AM.
|
|
|
10-08-2007, 08:54 AM
|
#6
|
LQ Newbie
Registered: Aug 2006
Posts: 18
Original Poster
|
To jlinkels:
It is definitely the right computer. It is the only one with ssh installed on it. In fact, it is the only linux system and the only one with a static IP. I agree with you that there is no reason login attempts are not shown in auth.log, but I checked after another attempt, and there is no recorded entry for the attempt - nothing in messages either. While I attempt to get this working, there are no user restrictions.
To jschiwal:
Unless there is some secret for Netgear routers, port-forwarding is set up correctly - port 22 forwarded to the IP of the linux server. /etc/hosts.allow, /etc/hosts.deny, and /etc/security/access.conf contain only default Debian comments - no directives. The telnet command gives me SSH-1.99-OpenSSH_4.2, but none of the other text that you show. The firewall possibility is what baffles me most. A default Debian network install does not install a firewall, and I did not install one either. Therefore, I don't know where to check for such a problem. I have another system located elsewhere that uses a non-standard port for ssh. It does not show up, using nmap, as an open port, but it works. On the other hand, the problem server does not even allow me to use a non-standard port through the local network. Unless someone has another suggestion, I'm just about resigned to the fact that I will have to go to the site to administer the server. I may try a Linksys router to rule that possibility out, but what else? I don't know.
Thanks for the replies.
|
|
|
10-08-2007, 09:27 AM
|
#7
|
LQ Guru
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196
|
Well, there are some more diagnostics to do.
Try (as root): tcpdump port 22
You should see any traffic on port 22. If you don't see any traffic, there is no traffic arriving at this host.
If you see your traffic arriving, but access is denied and nothing shows up in the log, well, maybe... the installation is damaged somehow.
jlinkels
|
|
|
09-30-2009, 01:34 PM
|
#8
|
LQ Newbie
Registered: Aug 2006
Posts: 18
Original Poster
|
openssh-server access denied from internet [SOLVED]
I realized I had never posted the resolution for this problem. It was not the configuration of the linux server or the router, but rather a configuration issue of the ISP. Their network requires a static IP for this to work. The IP being returned before this change was actually that of the access point, not the dynamic IP of the local connection. Once the static IP was set up, everything magically worked.
I don't understand why their setup is this way, but that's how it is.
|
|
|
09-30-2009, 02:48 PM
|
#9
|
LQ Guru
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,196
|
I like people giving feedback on their solved problems.
It is not as strange as you think. My Telco does the same thing with their ADSL modems. If you have a non-fixed IP, the modem is in NAT mode and you cannot get to your router.
If you have a fixed IP, you can ask them to put the modem in bridge mode and it will be transparent up to your router.
Apparently they assume that if you ask for a fixed IP you want access from the outside, and if you want that you are smart enough to put your own router/firewall.
Glad that it is solved.
jlinkels
|
|
|
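Added example, not part of the original thread: post #1 reports the installed package as openssh-server 1:4.6p1-5, post #6 quotes the banner SSH-1.99-OpenSSH_4.2, and the resolution was that the public IP belonged to the ISP's access point. This Python sketch compares an SSH identification string with the installed Debian package version to show whether the answering host can be the intended server; the function names and the "Debian-5" sample banner are constructed for illustration.

```python
import re
import socket
import sys

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_ident(line):
    """Split an SSH identification string into proto, software and comments."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()


def upstream_from_deb(pkg_version):
    """'1:4.6p1-5' -> '4.6p1' (drop the Debian epoch and revision)."""
    return pkg_version.split(":", 1)[-1].rsplit("-", 1)[0]


def read_ident(host, port=22, timeout=5.0):
    """Connect and return the first line that starts with 'SSH-'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):  # a server may send other lines before its ident
            raw = reader.readline(256)
            if not raw:
                break
            if raw.startswith(b"SSH-"):
                return raw.decode("ascii", "replace").rstrip("\r\n")
    raise ConnectionError("no SSH identification string from %s:%d" % (host, port))


def same_server(banner, pkg_version):
    """True if the banner's software field matches the installed package."""
    return parse_ident(banner)["software"] == "OpenSSH_" + upstream_from_deb(pkg_version)


if __name__ == "__main__":
    installed = "1:4.6p1-5"  # package version from post #1
    if len(sys.argv) > 1:    # optional: probe a host given on the command line
        banners = [read_ident(sys.argv[1])]
    else:
        banners = ["SSH-1.99-OpenSSH_4.2",            # banner quoted in post #6
                   "SSH-2.0-OpenSSH_4.6p1 Debian-5"]  # constructed sample
    for b in banners:
        verdict = "matches" if same_server(b, installed) else "DIFFERENT HOST?"
        print("%-34s %s" % (b, verdict))
```

A matching version is only a hint; comparing the host key fingerprint offered through the public address with the server's own key is the stronger identity check.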
All times are GMT -5. The time now is 03:16 PM.