cannot log in via ssh
Alright. I'm at my wit's end here (which isn't that far, but bear with me).
I'm running gentoo 2006.0, and I've gotten ssh to work over my LAN, but I cannot connect remotely. I've configured my router to forward port 1022 to my gentoo box, and edited the sshd_config file to listen on port 1022 (1022 isn't reserved, is it?). I can access the box from any computer on the LAN, ssh xxx.xxx.xxx.xxx -p 1022, but cannot access it with ssh yyy.yyy.yyy.yyy -p 1022 (where yyy is my external IP address, and xxx is my internal address). I'll be honest, I don't know a whole lot about anything involved in this process. I have minimal knowledge of port forwarding, minimal knowledge of how external and internal IPs work with each other, but any help is helpful, and much appreciated. I'm going to go look and see if 1022 is a reserved port, but if that isn't the case, I'd like whatever help you choose to offer. Thanks. Tredontho |
You need to set up port forwarding on your router. The actual configuration is different on each router, but they should all support it these days. Check your router documentation. The configuration will take a form something like this: "Incoming connections on yyy.yyy.yyy.yyy port 1022 should be forwarded to xxx.xxx.xxx.xxx port 1022" or this simpler version: "Incoming connections on port 1022 should be forwarded to xxx.xxx.xxx.xxx". The specifics will depend on your router.
|
Sorry, you said you already set up port forwarding. I got confused because first you said you configured it, then later you said you didn't know much about it. My feeble mind zeroed in on the "don't know much about it" part and forgot about the earlier statement. Getting old is hell!
Changing ports doesn't really buy you much security. It might take a cracker 0.47 milliseconds longer to determine you're running sshd on port 1022 rather than on port 22, but that's about it. I wouldn't waste my time on an alternate port personally. But many people do, and no harm is done by using an alternate port, other than the slightly added complexity. So go ahead if you want. For debugging though, I'd take this extra alternate port complexity out of the picture. |
Alright, first, I should take more care with my terminology. I don't have a router, per se. I have an Actiontec DSL Gateway, which acts as a router, in a basic sense. I have set up port forwarding on it. It forwards port 1022 to this (the linux box) computer. I know many routers allow forwarding in the sense of external port 1022 goes to internal port 22, but I don't think this is possible with the "router" I am using. For that reason, I edited the /etc/ssh/sshd_config file to listen on port 1022. I know that that part of it works, because I can connect locally. I can only assume that it's something with the port not being forwarded properly, but I don't really know what. Any ideas?
|
Check your sshd logfiles to see if your connection is getting through from the router to your computer. I don't know where Gentoo keeps these logs, but on my Debian box they're in /var/log/auth.log
|
Well, for starters, your command is wrong. It should not be ssh xxx.xxx.xxx.xxx -p 1022, it should be
Code:
ssh -p 1022 user@xxx.xxx.xxx.xxx
Also, it is normally a bad idea to run on ports below 1024, as most of them are reserved for something or other. Turns out that port 1022 is the Sasser worm virus and a lot of ISPs have blocked that port. That could be your problem. You might want to try 922 instead. This is a bit more common of a port and is a secondary port for ssh. Worst case, you can move it to say 10022; that way you are above 1024. Good luck. |
Ah, well, the way I was keying it in had worked, so I hadn't thought to change it. Thanks for the correction. I changed the port to 922; next time I should try a quick google maybe? In any case, I just tried the connection (I'm not sure if I restarted sshd correctly... I just su'd to root, then typed /usr/sbin/sshd at the prompt, and assumed that that process would kill the previous running one, and therefore would load the updated configuration file (with the port set to 922)... well, I think that it loaded the updated configuration, because I just logged in locally... but I still cannot log in using the external IP address. It does nothing for quite a while, then (unsurprisingly) tells me that the connection has timed out. Any other ideas?
|
Quote:
Code:
# /etc/init.d/sshd restart
Code:
pkill -SIGHUP sshd
What does:
Code:
netstat -an | grep "tcp.*LISTEN"
show? :::922? 0.0.0.0:922? 127.0.0.1:922? Here's mine (running on standard port 22):
Code:
tcp6 0 0 :::22 :::* LISTEN
From the client end (assuming it's a *nix computer), run your login attempt with the -vv option. Like this:
Code:
ssh -vv -p 922 xxx.xxx.xxx.xxx |
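The netstat check in the post above is the one that tells you whether the daemon you restarted is actually bound where a remote client can reach it. As an added example (not code from the thread), here is a small POSIX shell function that takes `netstat -an` style output on stdin and reports how a given TCP port is bound: on all IPv4 addresses, on the IPv6 wildcard (which on Linux also accepts IPv4 by default), on loopback only, or not at all. The sample netstat lines are constructed for the example and are not output from the poster's box; the port numbers in them are assumptions.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from "netstat -an" output.
# Prints one of: all-v4, all-v6, loopback, none
#
# Real use:  netstat -an | listen_scope 922
# A "loopback" result means sshd_config has ListenAddress 127.0.0.1 (or ::1)
# and only logins from the box itself can work; "none" means the port in
# sshd_config was not picked up (daemon not restarted, or a second instance
# is still on the old port).

# Constructed sample output, not real output from any host in the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:922             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN'

listen_scope() {
    port=$1
    scope=none
    # Fields of a netstat -an line: proto recv-q send-q local remote state
    while read -r proto recvq sendq local remote state; do
        [ "$state" = LISTEN ] || continue
        case "$local" in
            0.0.0.0:"$port")  scope=all-v4; break ;;
            :::"$port")       scope=all-v6; break ;;   # dual-stack wildcard on Linux
            127.0.0.1:"$port"|::1:"$port")
                              scope=loopback ;;         # keep looking for a wildcard bind
        esac
    done
    echo "$scope"
}

# Stand-alone demonstration against the constructed sample.
for p in 922 22 631 80; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope "$p")"
done
```

If the scope is right but the remote connection still times out, the problem is outside sshd (the forwarding rule, the ISP, or a firewall), which is exactly what the `ssh -vv` run from the client is meant to distinguish. `netstat -tlnp` as root additionally shows the owning process, which makes a stale sshd still bound to the old port obvious.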
okay, well, here's the output from the netstat command
Code:
localhost ~ # netstat -an | grep "tcp.*LISTEN"
Code:
user@localhost ~ $ ssh -vv -p 922 xxx.xxx.xxx.xxx
Thanks all for the help you've given so far (if anything, I'm using better CLI syntax) tredontho |
Update:
okay, I've found a partial answer (and another obstacle) to the problem. Dynamic IP address (no idea how, or if it's possible, to make it static). I know that there are some services on the internet that offer redirection services for dynamic hosts, so I can look into that (but hey, if you have a favorite, feel free to share). That aside, I still cannot connect. Here is the output, again
Code:
trevor@localhost ~ $ ssh -vv -p 922 xxx.xxx.xxx.xxx |
Take a look at your /etc/hosts.deny and /etc/hosts.allow files. If hosts.deny has an entry that looks like "ALL: ALL" or "ALL: PARANOID" then you will need to specifically allow the host you are trying to connect from in the hosts.allow file. An entry in hosts.allow that looks like "ALL: aaa.bbb.ccc.ddd" where aaa.bbb.ccc.ddd is the computer you are connecting FROM should do the trick (if this is your problem, that is).
Also check your firewall. Run "iptables --list" as root. Are you DROPPING packets from your connecting client? BTW, since you've already told us your IP address and what ports you are listening on, you might not want to go dumping the content of your hosts.allow and hosts.deny files, nor the output of that iptables --list command, out here on the general internet. No offense intended, but it sounds like you might be a little new at configuring this security stuff. And maybe subject to a configuration error or two. I'd hate to see you post the keys to your house because you didn't realize. Not that a good cracker really needs this info handed to them to break into your system, ... but it would make things quicker for 'em! Maybe I'm overly paranoid on the security bit, but it just feels strange seeing you post this stuff in the open. |
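The hosts.allow/hosts.deny advice above follows the tcp_wrappers order of evaluation: a rule in hosts.allow that matches grants access, otherwise a matching rule in hosts.deny refuses it, otherwise access is granted (so missing files, as reported later in the thread, mean no wrapper restriction at all). As an added example (not code from the thread or from tcp_wrappers itself), this POSIX shell function evaluates that logic for a daemon and client IP against constructed file contents, so you can see which rule would win before you lock yourself out. It models only the ALL wildcard, exact IPs and dotted network prefixes such as 192.168.1.; hostnames, EXCEPT and PARANOID (which needs DNS) are not modelled, which is an assumption you should keep in mind when comparing with a real tcpd. The daemon name sshd and the addresses are assumptions for the example.

```shell
#!/bin/sh
# Added example: decide what tcp_wrappers would do for DAEMON from CLIENT
# given hosts.allow and hosts.deny contents.  Rules are "daemons : clients".
#
# Constructed file contents, not the poster's real files.
ALLOW_TEXT='# allow the LAN and one outside admin host
sshd: 192.168.1.
ALL: 203.0.113.7'
DENY_TEXT='ALL: ALL'

# match_item PATTERN VALUE -> 0 if one rule token matches the value
match_item() {
    pat=$1; val=$2
    case "$pat" in
        ALL)      return 0 ;;
        PARANOID) return 1 ;;                 # needs forward/reverse DNS; not modelled
        *.)       case "$val" in "$pat"*) return 0 ;; esac ;;   # network prefix
        "$val")   return 0 ;;                 # exact match (IP or daemon name)
    esac
    return 1
}

# match_list LIST VALUE -> 0 if any comma/space separated token matches
match_list() {
    list=$1; value=$2
    old_ifs=$IFS; IFS=', '
    for tok in $list; do
        [ -n "$tok" ] || continue
        if match_item "$tok" "$value"; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# file_matches TEXT DAEMON CLIENT -> 0 if any rule line in TEXT matches
file_matches() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        line=${line%%#*}                          # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            echo match
            break
        fi
    done | grep -q match
}

# wrappers_decision DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> prints ALLOW or DENY
wrappers_decision() {
    if file_matches "$3" "$1" "$2"; then echo ALLOW      # hosts.allow wins first
    elif file_matches "$4" "$1" "$2"; then echo DENY     # then hosts.deny
    else echo ALLOW                                      # no rule: access granted
    fi
}

# Stand-alone demonstration.
for c in 192.168.1.50 203.0.113.7 198.51.100.9; do
    printf 'sshd from %s: %s\n' "$c" "$(wrappers_decision sshd "$c" "$ALLOW_TEXT" "$DENY_TEXT")"
done
printf 'sshd from 198.51.100.9 with no files: %s\n' "$(wrappers_decision sshd 198.51.100.9 '' '')"
```

The OpenSSH daemon, when built with tcp_wrappers support, checks these files under the daemon name sshd, so a hosts.deny of ALL: ALL with no matching hosts.allow entry produces a refused connection rather than the timeout the poster sees; a timeout points at the path to the box, not at the wrappers.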
Oh good. Right after I posted I see you xxx'ed out your IP address and reported that it's a dynamic address anyway. That makes me feel better!
|
Quote:
Hopefully the "somebody" you heard back from this time is the computer you were actually trying to get to, given your dynamic IP situation. I know of dynamic dns services, but don't use them myself, so I'll let others recommend in this regard. |
Heh, yah, that was a really stupid mistake on my part... hopefully no harm done. Well, as for checking either of those files, not really applicable at the moment, as they don't exist, and a quick slocate shows that they don't exist anywhere else either. And iptables doesn't turn up anything, because it isn't on here either. Should I put these on? And if so, what package are they part of, or is there some command to create them? Thanks.
|