LinuxQuestions.org


Volkner 01-04-2011 07:28 PM

Can't SSH as root anymore (but can still FTP)
 
So at work, we host most of our clients' websites on a server we have (from Lunar Pages) and I can ssh as root from work just fine, but from home, all of a sudden, I can't ssh as root anymore. I can't ssh as anyone (certain users have permission to ssh).

I can still FTP into the different sites and stuff from home, so it isn't an APF issue (I double-checked the deny_hosts.rules (or whatever it is) just in case).

I used to be able to ssh as root into the server from home... what could have changed? Has anyone had this problem? Being able to FTP from all IPs but only SSH from some?

Thanks

unSpawn 01-04-2011 08:27 PM

Compare 'ssh -v -v -v' from a denied and an accepted remote location with auth, system and daemon log output on the server. However, using or accessing a root account directly over the network is not a security best practice. So whatever got changed, if server-side, was good.

Volkner 01-04-2011 11:07 PM

Here's the one from the denied host:

cameron-laptop:~ cameron$ ssh -v -v -v root@hostrainmaker.com
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: connect to address 209.200.237.113 port 22: Operation timed out
ssh: connect to host hostrainmaker.com port 22: Operation timed out
cameron-laptop:~ cameron$

I'll check out the results from my work computer tomorrow.

Reuti 01-05-2011 04:51 AM

Is there any company firewall out of your reach which was reconfigured?

Volkner 01-05-2011 11:06 AM

No company firewall.

Here's the -v -v -v output from work:

Cameron:~ cameron$ ssh -v -v -v root@hostrainmaker.com
OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: Connection established.
debug1: identity file /Users/cameron/.ssh/identity type -1
debug1: identity file /Users/cameron/.ssh/id_rsa type -1
debug1: identity file /Users/cameron/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/cameron/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /Users/cameron/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'hostrainmaker.com' is known and matches the RSA host key.
debug1: Found key in /Users/cameron/.ssh/known_hosts:2
debug2: bits set: 493/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/cameron/.ssh/identity (0x0)
debug2: key: /Users/cameron/.ssh/id_rsa (0x0)
debug2: key: /Users/cameron/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/cameron/.ssh/identity
debug3: no such identity: /Users/cameron/.ssh/identity
debug1: Trying private key: /Users/cameron/.ssh/id_rsa
debug3: no such identity: /Users/cameron/.ssh/id_rsa
debug1: Trying private key: /Users/cameron/.ssh/id_dsa
debug3: no such identity: /Users/cameron/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@hostrainmaker.com's password:

unSpawn 01-05-2011 11:21 AM

I asked you to compare output with auth, system and daemon log output on the server.

// *snort* you don't even use pubkey auth...

Volkner 01-05-2011 11:34 AM

Yeah... I don't know what either of those things means. I didn't set up this server, I don't own the server, I just want access.

anomie 01-05-2011 12:36 PM

Quote:

Originally Posted by Volkner
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: connect to address 209.200.237.113 port 22: Operation timed out

Short and skinny: if you can't complete a tcp handshake from certain locations, then there is a device that is filtering packets at some point along the way. That could be something your ISP has in place, a corporate firewall, switch, router, or even a host-level firewall on hostrainmaker itself.
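
The comparison discussed above, as an added example that is not part of the original thread: a small Python classifier that reads `ssh -v` client output and reports whether the attempt failed at the TCP handshake (filtered or refused) or got as far as SSH negotiation. The function name, stage labels and advice strings are this example's own; the sample logs are lines copied from the two outputs posted in the thread, with the work log abbreviated.

```python
import re

# Milestones the OpenSSH client logs in order; the last one seen shows how far it got.
STAGES = [
    ("tcp_connect", re.compile(r"debug1: Connecting to \S+ \[(?P<ip>[^\]]+)\] port (?P<port>\d+)")),
    ("tcp_established", re.compile(r"debug1: Connection established")),
    ("key_exchange", re.compile(r"debug1: SSH2_MSG_KEXINIT received")),
    ("host_key_ok", re.compile(r"debug1: Host '[^']+' is known and matches")),
    ("user_auth", re.compile(r"debug1: Authentications that can continue: (?P<methods>\S+)")),
]
# Errors raised by connect() itself, before any SSH traffic is exchanged.
CONNECT_ERRORS = [
    (re.compile(r"connect to (?:address|host) .*: (?:Operation|Connection) timed out"), "filtered"),
    (re.compile(r"connect to (?:address|host) .*: Connection refused"), "refused"),
]
ADVICE = {
    "filtered": "SYN got no answer: a packet filter is dropping this source; check firewall allow/deny lists, not sshd",
    "refused": "connection was reset: nothing listens on that port, or a firewall rejects instead of dropping",
    "reachable": "TCP handshake and SSH negotiation succeed from here; look at sshd config or credentials",
    "unknown": "no recognisable milestone or connect error in this output",
}

def diagnose(log):
    """Classify `ssh -v` client output by the furthest milestone and any connect error."""
    stage, details = None, {}
    for line in log.splitlines():
        for name, pattern in STAGES:
            match = pattern.search(line)
            if match:
                stage = name
                details.update(match.groupdict())
    if stage not in (None, "tcp_connect"):
        verdict = "reachable"  # a later address may have connected after an earlier timeout
    else:
        verdict = next((label for pat, label in CONNECT_ERRORS if pat.search(log)), "unknown")
    return {"stage": stage, "verdict": verdict, "advice": ADVICE[verdict], **details}

# Sample input: lines copied (work log abbreviated) from the two outputs posted in this thread.
HOME_LOG = """debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: connect to address 209.200.237.113 port 22: Operation timed out
ssh: connect to host hostrainmaker.com port 22: Operation timed out"""
WORK_LOG = """debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: Connection established.
debug1: SSH2_MSG_KEXINIT received
debug1: Host 'hostrainmaker.com' is known and matches the RSA host key.
debug1: Authentications that can continue: publickey,gssapi-with-mic,password"""

if __name__ == "__main__":
    for label, log in (("home", HOME_LOG), ("work", WORK_LOG)):
        result = diagnose(log)
        print(f"{label}: stage={result['stage']} verdict={result['verdict']} -> {result['advice']}")
```

A "filtered" verdict from one location and "reachable" from another, against the same address and port, points at a source-based firewall rule rather than at sshd.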

Volkner 01-05-2011 02:42 PM

Ok, thanks. I'll dig further and let you know what I find out.

Thanks for your input.

Volkner 01-07-2011 11:43 PM

I guess it needed to be specifically whitelisted. I could have sworn it was working before, but maybe not... Maybe I'm crazy.

Thanks for your guys' help and sorry for wasting your time =)

[edit]:
To be specific, I added my home IP to /etc/apf/allow_host.rules

sweetdreamz 01-09-2011 08:54 AM

Check the port you're trying to connect to is correct & firewall is not blocking your connection.

