View previous topic :: View next topic |
Author |
Message |
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6639 Location: The soundosphere
|
Posted: Mon Mar 01, 2021 7:55 pm Post subject: SSH: Connection closed by remote host [SOLVED] |
|
|
Code: |
ssh user@x.x.x.x
kex_exchange_identification: Connection closed by remote host
Connection closed by x.x.x.x port 22
|
Never encountered this before. Did some searching, but I don't even know what I'm looking for. The SSH is to a remote hosted server, so I have no access unless I fix this. (Although I can get a virtual screen on request from the data center, so that's an option.)
Happened after my SSH terminated because my laptop was on a hotspot and I left the house with my phone. I was expecting that but that has never triggered this issue and I don't think it did. Mentioning it for completeness. _________________ decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
Last edited by audiodef on Tue Mar 02, 2021 9:21 pm; edited 1 time in total |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Mon Mar 01, 2021 8:56 pm Post subject: |
|
|
Code: | ssh -v user@x.x.x.x |
Code: | ssh -v -v user@x.x.x.x |
Code: | ssh -v -v -v user@x.x.x.x |
|
|
Back to top |
|
|
Banana Veteran
Joined: 21 May 2004 Posts: 1384 Location: Germany
|
|
Back to top |
|
|
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6639 Location: The soundosphere
|
Posted: Tue Mar 02, 2021 12:32 am Post subject: |
|
|
I have it set on the server side to not time out, but thanks.
-v -v -v:
Code: |
OpenSSH_8.4p1, OpenSSL 1.1.1j 16 Feb 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname x.x.x.x is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/audiodef/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/audiodef/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /home/audiodef/.ssh/id_rsa type -1
debug1: identity file /home/audiodef/.ssh/id_rsa-cert type -1
debug1: identity file /home/audiodef/.ssh/id_dsa type -1
debug1: identity file /home/audiodef/.ssh/id_dsa-cert type -1
debug1: identity file /home/audiodef/.ssh/id_ecdsa type -1
debug1: identity file /home/audiodef/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/audiodef/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/audiodef/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/audiodef/.ssh/id_ed25519 type -1
debug1: identity file /home/audiodef/.ssh/id_ed25519-cert type -1
debug1: identity file /home/audiodef/.ssh/id_ed25519_sk type -1
debug1: identity file /home/audiodef/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/audiodef/.ssh/id_xmss type -1
debug1: identity file /home/audiodef/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
kex_exchange_identification: Connection closed by remote host
Connection closed by x.x.x.x port 22
|
_________________ decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
|
Posted: Tue Mar 02, 2021 10:11 am Post subject: |
|
|
audiodef.
Some old now insecure ciphers were dropped from ssh.
If one end is new, with the old ciphers missing and the other end is old, with the new ciphers missing, both ends try all their ciphers but can't negotiate a common cipher, so they won't talk to one another.
You can force old ciphers from your end if they are built into ssh but they won't be offered by default.
Hmm. it goes back to news item Code: | [22] N 2015-08-13 (2015-08-13-openssh-weak-keys - removed?) |
I remember it as it bit me. :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Tue Mar 02, 2021 1:45 pm Post subject: |
|
|
@NeddySeagoon: the connection seems to terminate long before cipher negotiation starts. Audiodef doesn't even get the 'remote protocol' message, which usually follows directly after the 'local version' message.
Most likely, Audiodef doesn't to talk to a SSH server at all. That's what the Serverfault article discusses. |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
|
Posted: Tue Mar 02, 2021 2:12 pm Post subject: |
|
|
mike155,
Well spotted.
Something is listening on port 22 though. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Tue Mar 02, 2021 3:15 pm Post subject: |
|
|
@Audiodef: please try
If it is an SSH server, it will answer:
Code: | Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.4 |
|
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
|
Posted: Tue Mar 02, 2021 6:05 pm Post subject: |
|
|
If it's a Gentoo box, might be that update that required sshd to be restarted before you log back in :( _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6639 Location: The soundosphere
|
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
|
Posted: Wed Mar 03, 2021 3:18 am Post subject: |
|
|
On a remote server, I keep net-misc/dropbear installed and running on a different port as a backup method of accessing the machine should (when) openssh becomes difficult. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
|
Posted: Wed Mar 03, 2021 4:01 pm Post subject: |
|
|
Have the dictionary ssh hackers found the extra dropbear port? :(
Seems people do portscan my machines. Very annoying.
I was thinking: I wonder if anyone tried doing this:
Run dropbear on port... get this...
($dayofmonth)+31*($hourofday)+($fixedoffset)
So if someone finds your ssh port, in one hour, it disappears for a month! But only if you remember the offset you chose and if you have a watch and calendar, you can always calculate this very simple hash and connect to your box. Of course you can use a modulus and make a truely pseudorandom but this would make calculation harder to compute.
Still security by obscurity but it keeps exposure down from drive-by portscanners without making it too difficult to connect to your box. Of course you will only have an hour to fix what you need to fix... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
figueroa Advocate
Joined: 14 Aug 2005 Posts: 2961 Location: Edge of marsh USA
|
Posted: Wed Mar 03, 2021 4:38 pm Post subject: |
|
|
Actually, the Dropbear port can only be reached from inside the LAN from one of several other desktop computers that can also be reached from the WAN.
All are protected by fail2ban. Two fails in 48 hrs get one banned for 72 hrs.
I have found in our use case that some ports, in addition to 22, are ssh hacker magnets. Switching ports a few times helped me find ports that appear to be free of ssh probes (knock on wood), and that for about six months now.
I have occasionally opened a service for as few as 5 minutes to allow another machine on the LAN perform a specific transaction. I could do something like that with Dropbear, but I think I'm good for now. The pseudorandom schedule idea made my stomach growl, but, it's a good idea if you can live with the constraints. _________________ Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
|
Posted: Wed Mar 03, 2021 5:58 pm Post subject: |
|
|
To make the pseudorandom bit really interesting, you could pick the port using a variant of the algorithm that drives common MFA schemes: a shared secret, hashed with the time, and some number of bits pulled out of that result gives you the port number to use. You would probably want to move far less often than a typical MFA jump (30 seconds), but relocating every 10-15 minutes would provide pretty good protection. Deriving it from the MFA secret instead of just a formula would make it much harder to predict, so linear scans would not likely stumble back into it. |
|
Back to top |
|
|
|