Gentoo Forums
ssh server refuses every login from LAN except the first one
Amity88
Apprentice
Joined: 03 Jul 2010
Posts: 209
Location: Third planet from the Sun

Posted: Sat May 10, 2014 4:48 am    Post subject: ssh server refuses every login from LAN except the first one

Hi,
I've been facing this issue for the last few days on my Raspberry Pi SSH server. It allows any number of ssh logins from the internet but doesn't allow LAN logins except the first one. I've tried to diagnose the issue; these are my observations:

1) If I restart the server, I can log in from the local network BUT only ONCE. After I exit, I cannot log in again till I restart the server once again.
2) My iptables logs do not show any packets from my client computer being dropped, yet the packet capture at my client shows that I get no responses from the server.
3) I've tried rebooting my client computer into a different OS, I've tried shutting down the firewall on both the client and the server and I still have this problem.
4) Despite all this, I am still able to log in from the internet and I can open any number of ssh sessions.
5) netstat shows that on the server, it's listening on all addresses.
6) The auth.log doesn't show any error or failed log in attempts.
7) I can ping the server, and I can attempt to access the httpd. Both of these packets are dropped by my firewall at the server and I can see it in the logs, so clearly the packets are being correctly routed to it.

I'm at a loss as to what could be the issue; if you guys could give me some pointers, I'd appreciate it :)
_________________
Ant P. wrote:
The enterprise distros sell their binaries. Canonical sells their users.


Also... Be ignorant... Be happy! :)
gerdesj
l33t
Joined: 29 Sep 2005
Posts: 621
Location: Yeovil, Somerset, UK

Posted: Mon May 12, 2014 12:00 pm    Post subject: Re: ssh server refuses every login from LAN except the first

On the server, enable debug logging. /etc/ssh/sshd_config, LogLevel DEBUG

Restart sshd and reproduce the problem.

What's in the log?

Cheers
Jon
Amity88
Apprentice
Joined: 03 Jul 2010
Posts: 209
Location: Third planet from the Sun

Posted: Tue May 13, 2014 2:15 pm

Okay, did that. Here is the snippet from auth.log
Code:
May 13 19:32:25 minimee sshd[8027]: Received signal 15; terminating.
May 13 19:32:25 minimee sshd[8166]: Set /proc/self/oom_score_adj from 0 to -1000
May 13 19:32:25 minimee sshd[8166]: debug1: Bind to port X on 0.0.0.0.
May 13 19:32:25 minimee sshd[8166]: Server listening on 0.0.0.0 port X.
May 13 19:32:25 minimee sshd[8166]: socket: Address family not supported by protocol


I've been looking over my firewall rules and I think ... I might.. have found the cause.

Code:

#ssh client
$IPTABLES -A INPUT -p tcp --dport X -j ACCEPT -m state --state ESTABLISHED -m recent --remove
$IPTABLES -A INPUT -p tcp --dport X -m state --state NEW -m recent --update --seconds 1800 --hitcount 6 -j DROP
$IPTABLES -A INPUT -p tcp --dport X -m state --state NEW -m recent --update --seconds 1800 --hitcount 5 -j LOGDROP
$IPTABLES -A INPUT -p tcp --dport X -j ACCEPT -m state  --state NEW -m recent --set
$IPTABLES -A OUTPUT -p tcp --sport X -j ACCEPT -m state --state ESTABLISHED


Commenting out the hitcount-based rules seems to have fixed it, but it still doesn't explain why flushing the iptables didn't fix the issue the last time. Neither does it explain why it only affected connections from the LAN and not the internet. My idea was to limit the number of new connections.
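Added example, not the rules posted above and not a diagnosis of this thread's specific problem: the commonly documented xt_recent rate-limit pattern for sshd, generated in a dry-run mode so the rule order can be reviewed before anything is loaded. It differs from the posted set in two ways a reviewer would flag: the rule that accepts packets of already-established connections does not touch the tracking list (the posted set used `--remove` there), and the `--set` rule comes before the `--update --hitcount` drop rule. Port 22, the list name SSH and the threshold (the 4th new connection from one source within 60 seconds is dropped) are placeholders, not the poster's values; the thread wrote the port as X.

```shell
#!/bin/sh
# Added example, not the rules from the thread: the commonly documented
# xt_recent rate-limit pattern for sshd, generated in dry-run mode so it can be
# reviewed before loading. Assumptions (placeholders, not the poster's values):
# port 22, list name SSH, 4th new connection per source within 60 s is dropped.
SSH_PORT="${SSH_PORT:-22}"
LIST="${LIST:-SSH}"
WINDOW="${WINDOW:-60}"
HITS="${HITS:-4}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them

# Print or execute one iptables invocation.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

ssh_ratelimit_rules() {
    # 1. Packets of connections that already passed the limit are accepted by a
    #    rule that does not touch the list, so only the opening SYN is counted.
    rule -A INPUT -p tcp --dport "$SSH_PORT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Record the source of every new connection attempt (adds one hit stamp).
    rule -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --name "$LIST" --set
    # 3. Drop the attempt once this source has HITS stamps inside WINDOW seconds.
    #    --update also adds a stamp for the dropped packet, so a client that
    #    keeps retrying stays blocked until it is quiet for WINDOW seconds.
    rule -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -m recent --name "$LIST" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # 4. New attempts under the limit are accepted.
    rule -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
}

# Each list is exposed at /proc/net/xt_recent/<name>: one line per tracked
# source with its last-seen time and the recorded hit stamps.
show_recent_list() {
    cat "/proc/net/xt_recent/$LIST"
}

# Writing "/" to that file flushes the list; "-addr" removes one address,
# e.g. after a legitimate host on the LAN has rate-limited itself.
flush_recent_list() {
    echo / > "/proc/net/xt_recent/$LIST"
}
unblock_address() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

# Print the rule set when invoked as "sh ratelimit.sh --print".
if [ "${1:-}" = "--print" ]; then
    ssh_ratelimit_rules
fi
```

With `DRY_RUN=1` (the default) the script only prints the four rules; `DRY_RUN=0` loads them. Two caveats when tuning the numbers: `--hitcount` cannot exceed the xt_recent module parameter `ip_pkt_list_tot` (default 20), and because the list is keyed by source address, every client behind one NAT address shares a single counter.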
gentoo_lamb
n00b
Joined: 19 Apr 2014
Posts: 3

Posted: Fri May 16, 2014 7:21 pm

I am not near a computer now so I apologise if this is a bit vague. Iptables is not the problem if the -F option does not fix it. I would recommend you take a look at the sshd_config file and look at the maximum sessions and max auth retry; you could find something. Also take a look at the fail2ban and sshguard blocked lists to make sure your local IP is not in there.
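Added example serving two suggestions in this thread, gerdesj's "set LogLevel DEBUG and restart" and gentoo_lamb's "check the session and auth-retry limits in sshd_config"; it is not code from either poster. sshd_config(5) states that for each keyword the first obtained value is used, so a `LogLevel DEBUG` appended at the bottom of the file is silently ignored when an earlier line already sets LogLevel. The helpers below report the value sshd will actually use and install an override at the top of the file. Assumptions: only the `Keyword value` form is parsed (not `Keyword=value`), Match blocks are skipped, and the defaults used for absent keywords are the ones documented in sshd_config(5); the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not from any poster in the thread: report the value sshd will
# actually use for a keyword and install an override without a running sshd.
# sshd_config(5): the first obtained value for a keyword wins.
# Assumptions: only the "Keyword value" form is parsed, Match blocks are
# skipped, and the defaults below are those documented in sshd_config(5).

# Documented defaults, used when the keyword is absent from the global section.
sshd_default() {
    case "$1" in
        loglevel)     echo INFO ;;
        maxauthtries) echo 6 ;;
        maxsessions)  echo 10 ;;
        maxstartups)  echo 10:30:100 ;;
        *)            echo "" ;;
    esac
}

# Effective value of keyword $1 in config file $2: keywords are case-insensitive,
# '#' lines and blank lines are skipped, the first match wins, and parsing stops
# at the first Match block (its settings apply only to matching connections).
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print $2; exit }
    ' "$2")
    if [ -n "$val" ]; then echo "$val"; else sshd_default "$key"; fi
}

# Insert "Keyword value" as the first line of config file $3 so it takes
# precedence over any later line; the file is rewritten in place through a
# temporary copy so its mode and owner are kept.
sshd_override() {
    tmp=$(mktemp) || return 1
    { printf '%s %s\n' "$1" "$2"; cat "$3"; } > "$tmp" && cat "$tmp" > "$3"
    rm -f "$tmp"
}
```

Typical use on the server: `sshd_effective MaxAuthTries /etc/ssh/sshd_config`, then `sshd_override LogLevel DEBUG /etc/ssh/sshd_config`, then `sshd -t` to check the file parses before restarting the daemon. On OpenSSH versions that support it, `sshd -T` prints the complete effective configuration and is the authoritative check; this helper is for hosts where you would rather not invoke sshd at all.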
Logicien
Veteran
Joined: 16 Sep 2005
Posts: 1361
Location: Montréal

Posted: Sat May 17, 2014 1:32 am

Hello,

If you cannot resolve the problem by configuring the /etc/ssh/sshd_config file, you may want to have a look at the files /etc/hosts.allow and /etc/hosts.deny and see the man pages hosts.allow and hosts.deny.

On my side, the file hosts.allow has only comment lines and hosts.deny does not exist. I can connect to my Gentoo sshd server from any machine on my local network. I have a very simple sshd_config configuration:
Code:
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem       sftp    /usr/lib64/misc/sftp-server
AcceptEnv LANG LC_*

Everything else is commented out.
_________________
Paul