LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-24-2005, 05:57 PM   #1
General_Tso
Member
 
Registered: Jan 2003
Location: New York, NY, USA
Distribution: Mac OS X (10.4.6), Ubuntu 6.06
Posts: 183

Rep: Reputation: 30
SSH Walkthrough?


Hey folks:

I setup a sshd server on my FC3 machine, and I had no problems. However, I disabled a few services relating to NFS, which I had been playing with, and now I keep getting the following error:

Quote:
ssh: connect to host 192.168.1.3 port 22: Operation timed out
Is there some walkthrough site for SSH including what services needed, open ports, and examples of appropriate hosts.allow and hosts.deny? I haven't had much luck, so I thought you folks might be able to push me in the right direction...
 
Old 03-24-2005, 06:06 PM   #2
mcd
Member
 
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825

Rep: Reputation: 33
try using tcpdump to analyze the problem, ie watch the packets as you try to connect. as i recall you only need port 22 open. possibly port 53 for name resolution (i need this open to output for sendmail to work, iirc). and for services, all you need is sshd.
 
Old 03-24-2005, 06:12 PM   #3
General_Tso
Member
 
Registered: Jan 2003
Location: New York, NY, USA
Distribution: Mac OS X (10.4.6), Ubuntu 6.06
Posts: 183

Original Poster
Rep: Reputation: 30
Dumb question, but should I run tcpdump on the client or the server?
 
Old 03-24-2005, 07:19 PM   #4
mcd
Member
 
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825

Rep: Reputation: 33
Quote:
Dumb question, but should I run tcpdump on the client or the server?
both? theoretically you should see the same thing on both, but i wouldn't take it for granted. also read man tcpdump just to get a feel for some of the options you can use. for instance

tcpdump -i eth1 -n

will listen on eth1 and provide ip addresses instead of domain names (iirc). i vaguely remember something about promiscuous mode, but i forget whether that's related to when you bring the interface up or when you run tcpdump.
 
Old 03-24-2005, 07:21 PM   #5
mcd
Member
 
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825

Rep: Reputation: 33
oh, and either nmap or netstat (or both, hehe) can help you verify that you have a service (sshd) listening on a port (22). for instance, i think

netstat -anp

when run on the server, would show all the services. you want to look at the ones near the top, with LISTEN in the description.
 
Old 03-24-2005, 07:26 PM   #6
General_Tso
Member
 
Registered: Jan 2003
Location: New York, NY, USA
Distribution: Mac OS X (10.4.6), Ubuntu 6.06
Posts: 183

Original Poster
Rep: Reputation: 30
Quote:
unix 2 [ ACC ] STREAM LISTENING 9915 - /tmp/ssh-yEbVwu4734/agent.4734
Here's what I got.

ETA: One moment, didn't see your previous post. Let me get that output.

Last edited by General_Tso; 03-24-2005 at 07:33 PM.
 
Old 03-24-2005, 07:37 PM   #7
General_Tso
Member
 
Registered: Jan 2003
Location: New York, NY, USA
Distribution: Mac OS X (10.4.6), Ubuntu 6.06
Posts: 183

Original Poster
Rep: Reputation: 30
How much of the output (from tcpdump) is relevant? There doesn't seem to be an end to it...

Last edited by General_Tso; 03-24-2005 at 07:43 PM.
 
Old 03-25-2005, 04:38 AM   #8
mcd
Member
 
Registered: Aug 2003
Location: Denver, CO
Distribution: CentOS, Debian
Posts: 825

Rep: Reputation: 33
yeah, tcpdump will keep going until you tell it to stop. what you're looking for is connections accross the ip addresses you're interested in. you'll see every packet that gets transmitted on a given interface, so keep your eyes open for the ip addresses. if you have two terminals open, one running tcpdump -i eth0 -n, and the in the other you ping www.google.com, you'd first see a query go out on port 53 to resolve www.google.com into an ip address. you'd also see the response come back. there will probably be several packets that are just part of that transaction.

so anyway, watch which ports are used and make sure they're open in your firewall, and that you have the appropriate service listed by netstat. oh, and the UNIX ones at the bottom you can ignore, they're just on your local machine. it's the top ones, tcp and udp sockets, and even then only the ones that have LISTEN next to them. i've got a mail server, and the only services netstat lists are

sshd - tcp 22
smtp - tcp 25
sendmail accept - tcp 587
inetd - tcp 143

i don't know what 587 is for, but i have it closed off in my firewall, so it must not be necessary. 25 is for smtp and 143 is for imap (which is called by inetd). i don't need anything else open in order to ssh in. on my firewall i've got ports 22, 25, and 143 open to INPUT and 25 and 53 (for name resolution) open to OUTPUT. i also allow all packets with state RELATED or ESTABLISHED.
 
Old 03-27-2005, 02:30 PM   #9
General_Tso
Member
 
Registered: Jan 2003
Location: New York, NY, USA
Distribution: Mac OS X (10.4.6), Ubuntu 6.06
Posts: 183

Original Poster
Rep: Reputation: 30
Cool. Thanks for the explanation.

Here's the output from the server on my first attempt, running the command "ssh 192.168.1.3."

Quote:
/usr/sbin/tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:13:58.309949 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:00.918733 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:03.919112 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:06.919454 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:09.919808 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:39.687296 IP 192.168.1.2.bootpc > 192.168.1.1.bootps: BOOTP/DHCP, Request from 00:03:93:e9:76:72, length: 300
15:14:39.689743 arp who-has 192.168.1.2 tell 192.168.1.2
15:14:39.720828 arp who-has 192.168.1.1 tell 192.168.1.2
15:14:54.923468 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:12.925562 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:15.925109 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:18.925322 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:21.925634 arp who-has 192.168.1.3 tell 192.168.1.2

13 packets captured
13 packets received by filter
0 packets dropped by kernel
And here's the output from the client:

Quote:
tcpdump -i en1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
15:13:53.456282 arp who-has 192.168.1.3 tell 192.168.1.2
15:13:56.065106 arp who-has 192.168.1.3 tell 192.168.1.2
15:13:59.065324 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:02.065487 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:05.065683 arp who-has 192.168.1.3 tell 192.168.1.2
15:14:34.831598 IP 192.168.1.2.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:03:93:e9:76:72, length: 300
15:14:34.833157 IP 192.168.1.1.67 > 192.168.1.2.68: BOOTP/DHCP, Reply, length: 548
15:14:34.834055 arp who-has 192.168.1.2 tell 192.168.1.2
15:14:34.865108 arp who-has 192.168.1.1 tell 192.168.1.2
15:14:34.866124 arp reply 192.168.1.1 is-at 00:03:93:e2:d0:9c
15:14:34.866187 IP 192.168.1.2.55468 > 192.168.1.1.192: UDP, length: 4
15:14:34.867263 IP 192.168.1.1.192 > 192.168.1.2.55468: UDP, length: 97
15:14:34.867511 IP 192.168.1.2.55468 > 192.168.1.1.192: UDP, length: 4
15:14:34.868519 IP 192.168.1.1.192 > 192.168.1.2.55468: UDP, length: 97
15:14:34.869226 IP 192.168.1.2.55469 > 192.168.1.1.192: UDP, length: 4
15:14:34.870347 IP 192.168.1.1.192 > 192.168.1.2.55469: UDP, length: 97
15:14:50.066940 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:08.067994 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:11.067335 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:14.067502 arp who-has 192.168.1.3 tell 192.168.1.2
15:15:17.067655 arp who-has 192.168.1.3 tell 192.168.1.2
^C
21 packets captured
21 packets received by filter
0 packets dropped by kernel
So there are some dropped packets obviously. I thought it'd be useful to run the same ssh command with verbose output.

Quote:
ssh -v 192.168.1.3
OpenSSH_3.6.1p1+CAN-2004-0175, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
debug1: connect to address 192.168.1.3 port 22: Operation timed out
debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
debug1: connect to address 192.168.1.3 port 22: Operation timed out
ssh: connect to host 192.168.1.3 port 22: Operation timed out
Here's the server this time:

Quote:
/usr/sbin/tcpdump -i eth0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:16:05.447936 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:08.429127 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:11.429429 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:14.429763 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:17.430106 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:02.433543 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:20.438799 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:23.435132 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:26.435470 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:29.435809 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:53.439007 arp who-has 192.168.1.3 tell 192.168.1.2
15:18:17.439719 arp who-has 192.168.1.3 tell 192.168.1.2

12 packets captured
12 packets received by filter
0 packets dropped by kernel
And here's the client this time:

Quote:
tcpdump -i en1 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
15:16:00.587461 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:03.568607 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:06.568801 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:09.568983 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:12.569160 arp who-has 192.168.1.3 tell 192.168.1.2
15:16:57.570190 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:15.574478 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:18.570647 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:21.570824 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:24.570995 arp who-has 192.168.1.3 tell 192.168.1.2
15:17:48.571854 arp who-has 192.168.1.3 tell 192.168.1.2
15:18:12.572324 arp who-has 192.168.1.3 tell 192.168.1.2
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
I'm not sure what to make of this. Any thoughts anyone?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
WPC11 v4 Walkthrough technochef Linux - Wireless Networking 1 08-30-2004 07:07 AM
PPP Walkthrough borrrden Linux - Networking 1 06-11-2004 12:42 AM
Lilo walkthrough Balkman Slackware - Installation 8 05-11-2004 09:26 AM
Full Walkthrough slakwarenewbie Slackware 1 11-10-2003 04:32 PM
FTP walkthrough stewe151 Linux - Software 1 08-14-2002 01:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:35 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration