Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Im using OpenSSH 3.8.1p1 (protocol 2.0) and whenever a friend of mine tries to ssh to me he gets ping timeout errors. At first I thought it was my router, then i configured my router to allow connections from 21 to 23 using tcp. But that didnt fix the problem, i then connected my pc to the modem without using the router and everything worked fine. I then checked my /var/sshd/current file and i saw this:
Code:
Oct 1 23:04:43 [sshd] Accepted keyboard-interactive/pam for user from 82.166.54.* port 4258 ssh2
(im using metalog to log that)
Why does it say that its connecting to port 4258 when ssh is on port 22. Another friend of mine logged in trough ssh but using a different port. The thing is that they dont intend to connect to a high port like that, they just ssh to the host. This would explain why they cant ssh to me when only port 22 is open.
I have not made any changes of /etc/ssh/sshd_config before the problem occured. Afterwards i edited the sshd_config file so it starts like this.
Code:
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
I dont think the router is the problem because i have been able to allow ssh connections to my slackware 9.1 when router had the same configuration.
That's the remote source port they are connecting with. The ssh2 part indicates that they are still connecting to port 22 on your machine (or more accuratelywhatever ssh2 is in /etc/services). If you have them connect multiple times, you'll probably be able to see the remote source port increment.
Couple of things to try:
- nmap'ing the linux box from outside the router to see if you even see the ssh port open
- turn on tcpdump on the linux box and try connecting to ssh from outside the box. If it works properly you should see the traffic make it through the router.
-Try running sshd in verbose mode
OK i did what u asked me to do and this is what i got.
A friend of mine nmaped me from his box and ssh port wasnt open.
This is what i got on my tcpdump when i did ssh -l oxide 192.168.0.2 (this is the IP of my box in the router)
Code:
root@linuxbox oxide # tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
10:37:47.586106 IP 192.168.0.2.32797 > 192.168.0.1.domain: 12750+[|domain]
10:37:47.586524 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12289+[|domain]
10:37:52.585430 IP 192.168.0.2.32797 > 192.168.0.1.domain: 12750+[|domain]
10:37:52.586403 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12289+[|domain]
10:37:56.212018 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 278
10:37:56.212278 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 334
10:37:56.212482 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 262
10:37:56.212831 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 254
10:37:56.213076 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 298
10:37:56.213478 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 274
10:37:56.213756 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 328
10:37:56.214131 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 326
10:37:56.214507 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 330
10:37:56.214998 IP 192.168.0.1.1900 > 239.255.255.250.1900: UDP, length: 322
10:37:57.588873 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12290+[|domain]
10:38:02.589428 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12290+[|domain]
10:38:07.589821 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12291+[|domain]
10:38:12.589427 IP 192.168.0.2.32798 > 192.168.0.1.domain: 12291+[|domain]
Code:
root@linuxbox oxide # ssh -v -l oxide 80.4.199.*
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 80.4.199.200 [80.4.199.*] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '80.4.199.*' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Sun Oct 3 10:38:27 2004 from 192.168.0.2
This is the output when a friend of mine tried to ssh using ssh -v -l the 80.4.199.*
Code:
debug: SshAppCommon/sshappcommon.c:154/ssh_app_get_global_regex_context: Allocating global SshRegex context.
debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /root/.ssh2/ssh2_config
debug: Connecting to 80.4.199.*, port 22...
debug: Ssh2/ssh2.c:1956/main: Entering event loop.
The tcpdump shows alot of DNS and multicast SSDP/UPnP but no ssh traffic at all. So either there is a problem with the router forwarding traffic or a problem on your friends end. Go to one of the online security scanners (www.grc.com and www.firewallls.com offer free scanners) and see if the online scan sees your ssh port open.
The ssh connection from your box (the middle code block you posted) looks good. I'm assuming that works ok, right?
The final code block from your friend, looks like his ssh config is borked or something. Specifically it looks like it's having a problem with the /root/.ssh2/ssh2_config file, but that may not be the problem. Specifically since your friend can't see the ssh port open with the nmap scan, that sounds like the real issue here.
i couldnt find any port scanners from the websites u gave me so i asked some1 else to scan me with these options nmap -sT -T insane -P0 -p 20-25 80.4.199.* .
This is the output
Code:
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp open smtp
Yes i can connect to my box from my box, and its working fine.
This is what i get when i scan my own box
Code:
nmap -sT -T insane -P0 -vv 192.168.0.2
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-10-03 17:26 Local time zone must be set--see zic manual page
Host 192.168.0.2 appears to be up ... good.
Initiating Connect() Scan against 192.168.0.2 at 17:26
Adding open port 22/tcp
Adding open port 738/tcp
Adding open port 111/tcp
The Connect() Scan took 0 seconds to scan 1660 ports.
Interesting ports on 192.168.0.2:
(The 1657 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
738/tcp open unknown
hm yes it is very strange. I dont remember doing any configurations on my router to block anything. Also another guy couldnt ssh to me either. Some guy was able to ssh to my box when others couldnt, but when he tried to ssh to me again, be couldnt. Could my router be broken or something? When i configure my router to open ports, there is that message saying "Special Applications can only be used by 1 user at any time." does that mean that only one guy can ssh to me at a time?
You might want to verify that people connecting to you are all using SSH protocol 2. Since you disabled protocol 1, anyone connect with the older protocol will be refused. However, that shouldn't prevent them from seeing the SSH port with an nmap scan.
In regards to the number of connection attempts your router supports, you'd need to check it's documentation but I'd be surprised if it only allowed one client at a time.
You can edit your sshd config file and add protocol 1 to it like:
Protocol 2,1
But that's a bad idea. SSH protocol 1 was found to be insecure and was replaced with SSH2. A better option would be to tell your friends to update to a client that uses protcol 2. There are plenty of free SSH2 clients available from openSSH (linux) or PuTTY;SSH.com (windows)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
