ssh connection refused - trying to set up ssh server at home
 

Hi,

I'd like to be able to use ssh to connect to my home computer remotely. I've been trying things out and tweaking config files but I've not got very far. I can't tell exactly what the problem is at this stage, but I'll tell you what I've done and hopefully somebody can tell me how to diagnose it properly.

I'm running Fedora 7 on my home PC, and for testing purposes I'm running Knoppix from a Live CD on another machine (although I eventually hope to connect using Putty on Windows). I believe this line confirms the ssh daemon is running on Fedora:
The file /etc/ssh/sshd_config includes the following lines:
Although as I understand it I should only really need one or the other, and once I've got everything working and I understand it properly, I'll be able to disable both and use only key authentication.

Both computers are connected to a router which is connected directly to the internet; the router is configured to forward a port to my Fedora box which matches the port specified in /etc/ssh/sshd_config. On the Knoppix box, I type
where <IP> is the external IP address of the router (i.e. the one that whatismyip.com tells me). ssh returns immediately with "connection refused", it seems as though it doesn't even have time to try to connect, but maybe the router doesn't need to forward to the DNS for its own address? Or maybe these things are just faster than I think.

Can anyone tell me what I should try next? Is there a way to tell if the connection is actually being refused by my Fedora PC, or by the router, or elsewhere?

Do you have the Fedora default firewall up. If so is post 22 for sshd open?

Brian

it sounds like it could be a tcpwrapper problem you should check your /ets/hosts.allow and be sure connections to sshd are allowed correctly or especially if your /etc/hosts.deny is set to something like ALL: ALL

Hope this helps
Freemor

One thought. If you have a firewall on the machine and port 22 is open then this may be your issue. If you are on a lan machine trying to connect to the sshd machine using the external IP then it will more than likely work. Reason is many of these store bought routers lack the support to DNAT back onto itself that way. You need to goto a remote location and try to connect and see what happens.

Other thoguht is maybe the ISP is blocking common server ports.

Goto here and run the advance portscan to see if it is open an up.
http://www.hackerwatch.org/probe/

Brian

Freemor: /etc/hosts.allow and /etc/hosts.deny are empty. I was hoping this wouldn't matter so long as password authentication and challenge-response authentication were enabled? My understanding is those files are used for host-based authentication, but any one type of authentication is acceptable. In any case, the man page for hosts_access says that if both files are empty, all hosts will be allowed.

Brian1: I do have the Fedora default firewall up, it's a little hard to be sure how it's configured though. I don't know if you're familiar with it, its config window has a list of trusted services (ssh is trusted; no others), and a list of "other ports". I think maybe it's simply identifying the various services (FTP, SMTP, HTTP, HTTPS etc) with different ports - I tried adding port 443 earlier, and when I looked at the firewall config again, the port wasn't listed but HTTPS was checked as a trusted source. Adding port 22 and then going back into the config tool, it looks like nothing has changed. At least, that's how it was yesterday - now I can't add port 443 or any other port, I think the config tool isn't working properly. Do you know what config files it might be using, or where I could find out?

I tried the hackerwatch.org portscan, it seemed to ignore port 22 though. It said port 21 was closed but insecure (despite the firewall), port 23 was secure (invisible to outside world), and gave similar reports for 7 other ports.

Should this have read "more than likely not work"? If not, I'm not sure what you mean - that is what I'm doing, and it isn't working! If you meant to say "not", could you say why the router couldn't pass the request on to my ISP server which would then send it straight back here? I'll try it from a remote location when I get the chance, but I'm not very confident about getting it to work when I can't get it to work from home.

OK from the other lan machine can you login into the sshd machine using the lan IP of the sshd machine?

If not then the port is close os sshd is not up, or sshd is not configured correctly.

Since you have a live version cd on the other machine see if it has nmap or front-end gui interfaces for namp and scan the sshd machine.

For the remote portscan you have to tell it to search for port 22. port 22 is not in the default search.

Now if you were using the external IP when trying to connect to the sshd machine from another lan machine meaning you are acting like you were on the outside. Then it will more than likely not work. It is the basic store bought routers just lack the ability to redirect onto itself.

Brian

Oops! Yes I can :"). Sorry, I was certain I'd already tried that, it's such an obvious thing to do. Feel like a right idiot now. Oh well, thanks for your help!

So you have it working?
If so glad to see you have it going.

Brian

How to test for an open port
 

telnet ip ####

#### = port #.

Doesn't matter what network service is involved, you should get a CONNECTED response like this:

> telnet xxx.xxx.xxx.xxx 43

Trying...
Connected to iap0ito0.

Or, if a firewall or closed port issue exists then you'll get a REFUSED response like this:

> telnet xxx.xxx.xxx.xxx 43

Trying...
telnet: Unable to connect to remote host: Connection refused

Yeah it's working on the LAN now, thanks. Haven't tried it externally yet, but I guess it should be fine so long as port forwarding's working ok on the router.

Glad to see you have it working.

Brian