Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
12-07-2010, 08:30 AM
|
#1
|
LQ Newbie
Registered: Dec 2010
Posts: 4
Rep:
|
cannot connect via ssh from outside the network
Hi all,
I cannot connect to my server via ssh from outside my office network. SSH from inside the network poses no problem. From outside the network, I can ping the server so I assume that there is no problem with the IP address. I am quite new to Linux networking so please forgive me if this is a stupid question. Are there any changes I need to make in the sshd_config file? Any comments will be appreciated.
Cheers,
Clement
|
|
|
12-07-2010, 08:51 AM
|
#2
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
Ping works with ICMP messaging and is independent of the ports, but it is a good indication that you are resolving the host and that there is a base connection to it. Chances are that the port is blocked by a firewall. Since you can connect inside of your office, you know that the server is listening. If you are the system admin, then open port 22, or another port for use with SSH. If you are not the admin, then you will need to talk to them about opening the port. Beware that this poses security risks and that if you open this port you WILL get numerous attempts to brute force entry into your system, so be sure to properly secure it.
|
|
|
12-07-2010, 07:31 PM
|
#3
|
LQ Newbie
Registered: Dec 2010
Posts: 4
Original Poster
Rep:
|
thanks noway2.
I have checked my server's ports using nmap localhost and here are the results:
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
113/tcp open auth
512/tcp open exec
513/tcp open login
514/tcp open shell
873/tcp open rsync
32774/tcp open sometimes-rpc11
So I think that port 22 is open.
My server's ssh_config is as follows:
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
etc...
Cheers,
Clement
Last edited by clement172000; 12-07-2010 at 07:35 PM.
|
|
|
12-07-2010, 08:00 PM
|
#4
|
LQ Newbie
Registered: Dec 2010
Posts: 4
Original Poster
Rep:
|
I forgot to put more info. The server is running CentOS 4 and has two IP addresses. One is local inside my office's router (192.168-based) and another one is global (abc.d.efg.OOO). The error I got when trying to access from outside the network to the global IP address is "connection timed out". No problem accessing the local and global IP addresses from inside the office network.
Here is some information on my network:
Laptop: in the office, it is router-connected (192.168-based). When I checked my laptop's IP address using whatismyipaddress.com, it reports abc.d.efg.xxx
Server global IP address: abc.d.efg.OOO.
So I guess the server only accepts connections from the same IP family. Any advice on how to change this? Thanks.
Last edited by clement172000; 12-07-2010 at 08:23 PM.
|
|
|
12-07-2010, 10:16 PM
|
#5
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
You should be able to have two interfaces, one public, one private, like you do. This may be a dumb question, but did you set the port forward on your router to forward port 22 traffic from your public IP to your server's LAN IP? In other words, all inbound connections on port 22 will be sent to your SSH server?
|
|
|
12-07-2010, 10:47 PM
|
#6
|
LQ Newbie
Registered: Dec 2010
Posts: 4
Original Poster
Rep:
|
noway2, thanks for your comments. I am sorry that I did not explain in enough detail. What I meant by having two IP addresses is that the server has two Ethernet cards, both of which are functional. Here is the result of ifconfig:
eth0 Link encap:Ethernet HWaddr
inet addr: xxx.x.xxx.9 Bcast:xxx.x.xxx.255 Mask:255.255.255.0
inet6 addr: fe80::222:19ff:fe25:5239/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1163911 errors:0 dropped:0 overruns:0 frame:0
TX packets:170367 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:395995668 (377.6 MiB) TX bytes:56359050 (53.7 MiB)
Interrupt:169 Memory:e6000000-e6012100
eth1 Link encap:Ethernet HWaddr 00:22:19:25:52:3B
inet addr:192.168.0.167 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::222:19ff:fe25:523b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2146613 errors:0 dropped:0 overruns:0 frame:0
TX packets:584646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1585497051 (1.4 GiB) TX bytes:113112340 (107.8 MiB)
Interrupt:177 Memory:e8000000-e8012100
From inside the office network, I can ssh to both 192.168.0.167 and xxx.x.xxx.9.
When I checked my server's IP address using whatismyipaddress.com, it gave the same value as it is (xxx.x.xxx.9), no gateway to the internet.
|
|
|
12-08-2010, 12:03 AM
|
#7
|
LQ Newbie
Registered: Jan 2008
Distribution: Ubuntu, Suse 11, etc...
Posts: 20
Rep:
|
It's not clear if the rest of the network is configured correctly, and with two interfaces ping doesn't necessarily rule this out. If the ssh daemon is running and the configured port open on localhost but the server isn't logging the SSH attempts from WAN, something is dropping them before they get there.
|
|
|
12-08-2010, 05:31 AM
|
#8
|
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
|
In your ssh configuration, do you have anything that could be binding SSH to only your 192.168.0.167, i.e. it is not listening on your xxx.x.xxx.9 port? Use a command like netstat -ane to see if it is listening on that interface. You could also run nmap on your xxx.x.xxx.9 address.
If you have a listen address directive, you may want to comment it out, even if it is set to 0:0:0:0. I have a similar setup with my servers with one NIC that is private (192.168.0.x) and one that is on my public IP block. Both of them will accept connections and show up as being bound to 0:0:0:0:22 in netstat.
Lastly, double check that you don't have iptables blocking your application.
|
|
|
12-08-2010, 09:23 AM
|
#9
|
Senior Member
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339
|
Another place to look is /etc/hosts.allow and /etc/hosts.deny, which might block access from certain addresses. Any entry for sshd there?
|
|
|
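The server-side checks suggested in posts #8 and #9 (which address sshd is bound to, active ListenAddress directives, and TCP wrapper rules that apply to sshd), as an added example that is not part of any post in the thread. The netstat, sshd_config and hosts.deny text is constructed sample data, and 203.0.113.9 is a placeholder for the masked public address.

```shell
# Added example; all sample data below is constructed, not from the thread.
# Local addresses with a TCP listener on port $1 (netstat -ane text on stdin).
listen_addrs() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, p, ":")
        if (p[n] == port) { sub(":" port "$", "", $4); print $4 }
    }'
}

# Succeeds if port $1 is bound to a wildcard address or to address $2.
# Assumption: a "::" listener also accepts IPv4 (the Linux dual-stack default).
reachable_on() {
    listen_addrs "$1" | grep -qxF -e '0.0.0.0' -e '::' -e "$2"
}

# Active (uncommented) ListenAddress values from sshd_config text on stdin.
listen_directives() {
    awk 'tolower($1) == "listenaddress" { print $2 }'
}

# hosts.allow / hosts.deny rules on stdin whose daemon list names sshd or ALL.
wrapper_rules() {
    awk -F: '/^[ \t]*(#|$)/ { next }
        { d = " " $1 " "; gsub(/,/, " ", d) }
        d ~ / (sshd|ALL) / { print }'
}

PUBLIC_IP=203.0.113.9   # placeholder (documentation range) for the public NIC
NETSTAT_LAN_ONLY='tcp        0      0 192.168.0.167:22    0.0.0.0:*    LISTEN    0    5123
tcp        0      0 0.0.0.0:25          0.0.0.0:*    LISTEN    0    4870'
NETSTAT_WILDCARD='tcp        0      0 :::22               :::*         LISTEN    0    5123'
SSHD_CONFIG='#Port 22
#ListenAddress 0.0.0.0
ListenAddress 192.168.0.167'
HOSTS_DENY='# constructed sample
vsftpd: ALL
sshd: ALL EXCEPT 192.168.0.
ALL: 10.0.0.5'

for sample in "$NETSTAT_LAN_ONLY" "$NETSTAT_WILDCARD"; do
    if printf '%s\n' "$sample" | reachable_on 22 "$PUBLIC_IP"; then
        echo "sshd accepts connections on $PUBLIC_IP"
    else
        echo "sshd is NOT bound to $PUBLIC_IP; check ListenAddress"
    fi
done
printf '%s\n' "$SSHD_CONFIG" | listen_directives
printf '%s\n' "$HOSTS_DENY" | wrapper_rules
```

On a live server, pipe the real sources into the same functions, for example `netstat -ane | listen_addrs 22` and `wrapper_rules < /etc/hosts.deny`.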