Gentoo Forums
ssh only works in wrong direction

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 1:08 pm    Post subject: ssh only works in wrong direction

I'm facing a strange thing which I can't explain. I'm running on one PC a Gentoo installation and on another one a SuSE 7.2 installation (which I can't change for some reason). Now I'm trying to connect from Gentoo to SuSE using ssh. Actually in a LAN configuration accessing 192.168.1.x everything works fine. Using the WAN PPP-IP the PC gets from my ISP I can't connect.
After a while trying this and that I did it the other way round. Connect from SuSE to Gentoo. Everything is alright this way hence I copied the sshd_config to the SuSE PC without any improvement. On the SuSE machine hosts.allow is meanwhile wide open, the only entry is "all:all".

Using the verbosity of ssh the message I'm getting is:
Quote:

OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 80.133.40.147 [80.133.40.147] port 22.
debug1: connect to address 80.133.40.147 port 22: Connection refused
ssh: connect to host 80.133.40.147 port 22: Connection refused

which is actually the same I'm getting when the sshd is already killed.

Any ideas to improve the situation are welcome, I'm completely lost...

Tarball
Tux's lil' helper

Joined: 19 Jun 2002
Posts: 142
Location: Cheshire, UK

Posted: Fri Dec 20, 2002 1:48 pm

Quote:
ssh: connect to host 80.133.40.147 port 22: Connection refused


This usually occurs when the daemon isn't running on the machine you are trying to connect to, thus port 22 isn't there!
Try the command
Code:
netstat -t -l

to make sure your machine is listening on port 22.

If I understand correctly, it fails when you are trying to connect via the ISP supplied IP address? I have known of ISPs that block ports other than port 80.
It might be worth checking with your ISP whether they let through traffic destined for port 22!

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 1:58 pm

Netstat says ssh related:
tcp 0 0 0 *:ssh *:* LISTEN

You are right, I'm trying to connect via ISP supplied address but I think I can exclude the port block, because as I mentioned, the other way round - with the same ISP - is absolutely fine.

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 2:00 pm

Oops, one zero too many
Quote:
tcp 0 0 *:ssh *:* LISTEN

Tarball
Tux's lil' helper

Joined: 19 Jun 2002
Posts: 142
Location: Cheshire, UK

Posted: Fri Dec 20, 2002 2:26 pm

So are both machines connected to your ISP, that is, do both machines get separate IP address from your ISP? What is the actual topology of your network?

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 2:33 pm

Yes, they are getting different IPs (listed in ppp0) and their local IPs on eth0 are set different, too. The topology is: both machines are connected to an Ethernet hub with its WAN port on an ADSL modem. Both machines are establishing separate PPPoE connections to the same ISP.

Tarball
Tux's lil' helper

Joined: 19 Jun 2002
Posts: 142
Location: Cheshire, UK

Posted: Fri Dec 20, 2002 2:38 pm

I assume you can ping both machines by their respective ISP supplied IP addresses?!?

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 2:41 pm

Yes, ping is possible.

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Fri Dec 20, 2002 2:43 pm

By the way, the daemon is currently running on 80.133.36.164 (probably till 16:00 Berlin time - then I have to leave)

indros
Tux's lil' helper

Joined: 27 Sep 2002
Posts: 139

Posted: Fri Dec 20, 2002 3:38 pm

Another possible reason is that your connection may be firewalled (by the ISP).

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Sat Dec 21, 2002 10:03 am

I was thinking of a firewall, too. ISP can't be because it is working the other way round (same ISP). Is there a possibility to check whether port 22 is open? It could be something like a port ping...

puddpunk
l33t

Joined: 20 Jul 2002
Posts: 681
Location: New Zealand

Posted: Mon Dec 23, 2002 2:37 am

try nmap
Code:
# emerge nmap

It will do a "portscan" to show which ports are open to you.

To use it, just type:
Code:
# nmap <IP you want to see open ports on>

Don't use it on other internet computers though, it's classed as a hostile action!

rtn
Guru

Joined: 15 Nov 2002
Posts: 427

Posted: Mon Dec 23, 2002 4:55 am

Tuxuser wrote:
I was thinking of a firewall, too. ISP can't be because it is working the other way round (same ISP). Is there a possibility to check whether port 22 is open? It could be something like a port ping...


Sure, nmap would do it, but if you just want to see if sshd is available, you can just telnet to it.

Code:
$ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1


--rtn
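
Added example, not part of rtn's post or the thread: the telnet check above written as a small Python "port ping" that tells an open port (with its SSH banner) apart from a refused or silently filtered one. The names `probe_tcp` and `demo` and the loopback listener are constructed for illustration.

```python
import errno
import socket
import threading

def probe_tcp(host, port, timeout=3.0):
    """Return (state, banner): state is open, refused, filtered or unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        # The SYN got no answer at all: typical of a filter that drops packets.
        return "filtered", None
    except ConnectionRefusedError:
        # RST from a host with no listener, or a firewall REJECT. Linux also
        # reports an ICMP port-unreachable reply as "Connection refused".
        return "refused", None
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable", None
        raise
    else:
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            banner = ""  # port is open but the service sent nothing
        return "open", banner or None
    finally:
        s.close()

def demo():
    """Probe a constructed loopback listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-1.99-OpenSSH_3.5p1\r\n")  # banner string from the post
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    return while_open, probe_tcp("127.0.0.1", port)

if __name__ == "__main__":
    print(demo())
```
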
Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Mon Dec 23, 2002 6:10 am

The telnet connection is refused as well. The next thing I did was nmap and the result is that all ports are filtered. I assume that somewhere in my (supposed to be) ssh host a packet filter is set, correct?

Tarball
Tux's lil' helper

Joined: 19 Jun 2002
Posts: 142
Location: Cheshire, UK

Posted: Mon Dec 23, 2002 9:32 am

Do you have your own firewall running? If so it could possibly be an unwanted rule in your firewall setup.
Try:
Code:
iptables --list


You could also try running tcpdump to make sure the SSH requests are actually reaching your machine.
Try (substituting your network device if required):
Code:
tcpdump -i eth0

If the SSH requests are reaching your machine, there is obviously something not quite set up right in your machine config so let's take it one step at a time! :wink:
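
Added example, not part of the thread: a simplified first-match walk over `iptables-save` output, showing how interface-specific INPUT rules can accept SSH from the LAN while rejecting it on ppp0. The ruleset is constructed (not the poster's actual SuSE rules), and `first_match` is a hypothetical helper that understands only the options used here.

```python
# Constructed iptables-save excerpt, NOT the poster's actual SuSE rules.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -p icmp -j ACCEPT
-A INPUT -i ppp0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def first_match(rules_text, iface, proto, dport=None, state="NEW"):
    """Return (verdict, rule) for a packet entering the INPUT chain.

    Hypothetical helper: handles only -i, -p, --dport and --state, each with
    one argument and no negation. Real rulesets need the real tools.
    """
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = line.split()
        if line.startswith(":INPUT "):
            policy = tok[1]  # chain policy, used when no rule matches
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # option -> argument pairs
        if opts.get("-i", iface) != iface:
            continue
        if opts.get("-p", proto) != proto:
            continue
        if "--dport" in opts and opts["--dport"] != str(dport):
            continue
        if "--state" in opts and state not in opts["--state"].split(","):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], line  # first terminating match wins
    return policy, "chain policy"

if __name__ == "__main__":
    for iface, proto, dport in (("eth0", "tcp", 22), ("ppp0", "tcp", 22),
                                ("ppp0", "icmp", None)):
        print(iface, proto, dport, "->", first_match(SAMPLE_RULES, iface, proto, dport))
```

With these constructed rules, ping and LAN SSH are accepted while a new SSH connection to the ppp0 address is rejected. A REJECT with icmp-port-unreachable appears as "Connection refused" on a Linux client, and nmap reports ports rejected this way as filtered.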
Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Mon Dec 23, 2002 7:10 pm

tcpdump on the sshd PC shows completely different messages when accessing via the ISP's IP (almost nothing) as opposed to what I see (tens of lines) using the LAN IP.
I'm now reading a lot of stuff on firewalls and playing with some settings. I'm not sure what SuSE did, but I'm quite sure now, this is related to a firewall I didn't notice a few hours ago. That's one reason why I chose gentoo, I want to know what my machine does and what's going on...

Tuxuser
Tux's lil' helper

Joined: 28 Oct 2002
Posts: 136
Location: Solingen / Germany

Posted: Wed Dec 25, 2002 5:50 pm

Here is my final conclusion:
Yes, it actually is a firewall that prevents me from accessing the SuSE machine. I still don't know how SuSE have set it up and how to get port 22 open but after removing the whole firewall package, ssh is possible. The rest is definitely a topic for a SuSE forum.

Thanks to all who have given help and a special "thank you" to Tarball who definitely earned one of my remaining chocolate Santas.

All times are GMT