ssh connection refused - trying to set up ssh server at home
Hi,
I'd like to be able to use ssh to connect to my home computer remotely. I've been trying things out and tweaking config files but I've not got very far. I can't tell exactly what the problem is at this stage, but I'll tell you what I've done and hopefully somebody can tell me how to diagnose it properly. I'm running Fedora 7 on my home PC, and for testing purposes I'm running Knoppix from a Live CD on another machine (although I eventually hope to connect using Putty on Windows). I believe this line confirms the ssh daemon is running on Fedora:
Code:
    > ps -ef | grep sshd
Code:
    PasswordAuthentication yes
Both computers are connected to a router which is connected directly to the internet; the router is configured to forward a port to my Fedora box which matches the port specified in /etc/ssh/sshd_config. On the Knoppix box, I type
Code:
    ssh -p <port> guest@<IP>
Can anyone tell me what I should try next? Is there a way to tell if the connection is actually being refused by my Fedora PC, or by the router, or elsewhere?
Do you have the Fedora default firewall up? If so, is port 22 for sshd open?
Brian
It sounds like it could be a tcpwrapper problem. You should check your /etc/hosts.allow and be sure connections to sshd are allowed correctly, especially if your /etc/hosts.deny is set to something like ALL: ALL.
Hope this helps, Freemor
One thought. If you have a firewall on the machine and port 22 is open then this may be your issue. If you are on a LAN machine trying to connect to the sshd machine using the external IP then it will more than likely work. Reason is many of these store-bought routers lack the support to DNAT back onto themselves that way. You need to go to a remote location and try to connect and see what happens.
Other thought is maybe the ISP is blocking common server ports. Go to here and run the advanced portscan to see if it is open and up. http://www.hackerwatch.org/probe/
Brian
Freemor: /etc/hosts.allow and /etc/hosts.deny are empty. I was hoping this wouldn't matter so long as password authentication and challenge-response authentication were enabled? My understanding is those files are used for host-based authentication, but any one type of authentication is acceptable. In any case, the man page for hosts_access says that if both files are empty, all hosts will be allowed.
Brian1: I do have the Fedora default firewall up, it's a little hard to be sure how it's configured though. I don't know if you're familiar with it; its config window has a list of trusted services (ssh is trusted; no others), and a list of "other ports". I think maybe it's simply identifying the various services (FTP, SMTP, HTTP, HTTPS etc.) with different ports - I tried adding port 443 earlier, and when I looked at the firewall config again, the port wasn't listed but HTTPS was checked as a trusted service. Adding port 22 and then going back into the config tool, it looks like nothing has changed. At least, that's how it was yesterday - now I can't add port 443 or any other port, I think the config tool isn't working properly. Do you know what config files it might be using, or where I could find out? I tried the hackerwatch.org portscan, it seemed to ignore port 22 though. It said port 21 was closed but insecure (despite the firewall), port 23 was secure (invisible to outside world), and gave similar reports for 7 other ports.
OK, from the other LAN machine can you log in to the sshd machine using the LAN IP of the sshd machine?
If not then the port is closed or sshd is not up, or sshd is not configured correctly. Since you have a live CD on the other machine, see if it has nmap or a front-end GUI for nmap and scan the sshd machine. For the remote portscan you have to tell it to search for port 22; port 22 is not in the default search. Now, if you were using the external IP when trying to connect to the sshd machine from another LAN machine, meaning you are acting like you were on the outside, then it will more than likely not work. The basic store-bought routers just lack the ability to redirect onto themselves.
Brian
So you have it working?
If so, glad to see you have it going.
Brian
How to test for an open port
    telnet ip ####
#### = port #. Doesn't matter what network service is involved, you should get a CONNECTED response like this:
    > telnet xxx.xxx.xxx.xxx 43
    Trying...
    Connected to iap0ito0.
Or, if a firewall or closed port issue exists then you'll get a REFUSED response like this:
    > telnet xxx.xxx.xxx.xxx 43
    Trying...
    telnet: Unable to connect to remote host: Connection refused
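The telnet test above tells "refused" apart from "connected", but the original question was how to tell whether the refusal comes from the Fedora box, the router, or somewhere else. This added example (not from the thread) makes the same TCP probe from the client side and separates the three outcomes that matter: a RST ("refused", the host is reachable and actively rejecting), silence until the timeout ("filtered", a DROP rule, a missing port-forward or an ISP block), and a successful connect, where it also checks that the first line is an SSH identification string as RFC 4253 requires, so a port forwarded to the wrong machine shows up as "open but not sshd". Host and port are command-line arguments; the assumed default timeout is 3 seconds.

```python
import errno
import socket
import sys

def probe_ssh(host, port, timeout=3.0):
    """Connect to host:port and return (state, banner).

    state is one of 'open', 'refused', 'filtered' or 'unreachable';
    banner is the peer's SSH identification line when one arrived.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except socket.timeout:
        sock.close()
        return ("filtered", None)      # SYN silently dropped somewhere
    except OSError as e:
        sock.close()
        if e.errno == errno.ECONNREFUSED:
            return ("refused", None)   # a RST came back: host is reachable
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("unreachable", None)
        raise
    try:
        # RFC 4253: the server speaks first with "SSH-proto-software\r\n"
        line = sock.recv(255).split(b"\n", 1)[0].strip()
        banner = line.decode("ascii", "replace")
        return ("open", banner if banner.startswith("SSH-") else None)
    except OSError:                    # timeout or reset before a banner
        return ("open", None)
    finally:
        sock.close()

def diagnose(state, banner):
    """Translate a probe result into the next thing to check."""
    if state == "open" and banner:
        return "sshd answered (%s): port path is fine, look at auth/config" % banner
    if state == "open":
        return "port open but no SSH banner: another service is on this port (wrong forward target?)"
    if state == "refused":
        return "RST received: host reachable but nothing listening, or a firewall REJECT rule"
    if state == "filtered":
        return "no reply: firewall DROP, missing router port-forward, or ISP block"
    return "no route: address or network problem before reaching the host"

if __name__ == "__main__":
    print(diagnose(*probe_ssh(sys.argv[1], int(sys.argv[2]))))
```

Run it once against the LAN IP and once against the external IP from outside the LAN; a "refused" from the LAN IP points at sshd or the host firewall, while "filtered" only on the external IP points at the router or ISP.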
Yeah it's working on the LAN now, thanks. Haven't tried it externally yet, but I guess it should be fine so long as port forwarding's working ok on the router.
Glad to see you have it working.
Brian