Need help with Remote SSH access

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
23,995
Hi All,

I recently installed a Linux box (file/backup server) and would like to be able to access the machine remotely from home (in Pretoria). I installed ssh-server on the Linux box and I have forwarded port 22 on the router to the IP of that machine.

How would I go about accessing the machine via terminal? I asked the guy on the Cape Town side to send me the IP (which was retrieved via whatismyip.com) - is this the correct address to be connecting to? When I try to connect I get the following message:

ssh_exchange_identification: Connection closed by remote host

I'm quite a noob when it comes to remote admin, so any help would be appreciated.

Thanks
 

MickZA

Executive Member
Joined
Jan 19, 2007
Messages
7,575
You don't say which Linux distro but check SELinux and Firewall settings.
 

koffiejunkie

Executive Member
Joined
Aug 23, 2004
Messages
9,588
That error could be one of many things. You'll have to check the logs when you get back to the office, but a common situation that will produce that output is that SSH is listed in /etc/hosts.deny
 

MyWorld

Executive Member
Joined
Mar 24, 2004
Messages
5,001
You did not tell us how you set up the ssh server, did you add restrictions to it, allow access for all or only certain users, or even what distro we are talking about, etc.

Wild shots in the dark:
You did start the ssh server?
/etc/init.d/sshd start (replace init.d with whatever your distro uses)

If you did nothing special and only started a dead standard ssh server, then you should be able to access it with:
ssh user@ip -p 22
 

DrJohnZoidberg

Thanks for the input guys. It seems I may have made an error on the router itself regarding the port forwarding, two errors actually. Firstly, when we wanted to forward port 22 it gave some error and then changed it to 2222; secondly, the stupid router has the option of setting the server and remote IPs for forwarding and we set both to the local machine.

Okay, so hopefully what should fix my problem is deleting the values in the Remote IP section of the port forwarding, then editing /etc/ssh/sshd_config so that it listens on port 2222 and then restarting sshd on the server.

I will give it a go tomorrow, hopefully it works. I'm such an idiot!

Thanks guys!

EDIT:

Oh yes, there was another issue, a bit off topic - but it was the initial problem. I set the /etc/network/interfaces file up so the machine had a static IP - I had all the settings correct (address, netmask, gateway) but there was no internet connectivity. As a last resort I set it up just to use DHCP and voila, it worked. Now I'm confused as to why it didn't want to work when I had the static settings, as I need the IP address to be static in order for the port forwarding to work correctly. Has anybody else experienced this issue? My static settings were:

auto eth0
iface eth0 inet static
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.1

which are exactly the same values DHCP provides me with - am I missing something here?
 

koffiejunkie

Were you able to ping 192.168.1.1? If so, did you remember to put your DNS servers in /etc/resolv.conf?
 

DrJohnZoidberg

I was able to access the router's control panel when using the static IP. Never had to put in DNS server settings before, thought it was resolved automatically. Will check that out though. Thanks.

EDIT: Ahh, just checked now that Network manager automatically inserts them for you, but I removed that pesky application before it was online. Will do that. Thanks a million!
 

MyWorld

Always handy to remember that there are just two reasons why you cannot get an internet connection on a static IP:
Your route is not set:
route add -net default gw gate.way.ip netmask 0.0.0.0

Or like koffiejunkie said, you forgot to add your DNS nameservers in /etc/resolv.conf. If you do not have an ISP specific nameserver then just use the router IP, that should also work.
:D
 

DrJohnZoidberg

Ok. I'm still having issues connecting to this machine. I've forwarded ports 2222 and 5900 correctly on the router now and changed sshd to listen on 2222 instead of 22. I can ping the address, but it gives me this when checking the port status:

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-15 09:46 SAST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 09:46
Scanning xxx.xxx.xxx.xxx [2 ports]
Completed Ping Scan at 09:46, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:46
Completed Parallel DNS resolution of 1 host. at 09:46, 0.01s elapsed
Initiating Connect Scan at 09:46
Scanning dsl-xxx-xxx-xxx.telkomadsl.co.za (xxx.xxx.xxx.xxx) [2 ports]
Discovered open port 5900/tcp on xxx.xxx.xxx.xxx
Completed Connect Scan at 09:46, 0.05s elapsed (2 total ports)
Host dsl-xxx-xxx-xxx.telkomadsl.co.za (xxx.xxx.xxx.xxx) is up (0.052s latency).
Interesting ports on dsl-xxx-xxx-xxx.telkomadsl.co.za (xxx.xxx.xxx.xxx):
PORT STATE SERVICE
2222/tcp closed unknown
5900/tcp open vnc

Any idea what the problem may be? I really need to get this service working, so any help would be appreciated.
 

fskmh

Expert Member
Joined
Feb 23, 2007
Messages
1,184
> Hi All,
> ...
> Code:
> ssh_exchange_identification: Connection closed by remote host

This is a classic symptom of not adding the remote host's IP to the /etc/hosts.allow file. Just add an entry like this:

Code:
sshd: 111.222.333.444

Where 111.222.333.444 is the IP address of the remote box. If the address is dynamic, you can use the whole domain, *with a trailing dot*, i.e. 111.222.

Allowing the whole domain will introduce the possibility of ssh brute-force attacks, but you could probably alleviate this by only allowing ssh connections by MAC address. This is not bullet-proof either, but it's a lot better than leaving ssh open to packet kiddies that couldn't be bothered spending the time to try and figure out what MAC to spoof.
 

DrJohnZoidberg

> Can you reach port 2222 from another machine on the same network?

It's a bit tough for me, because I don't have direct access to the machine and have to ask the user to keep on performing these commands.

The output for ss -l did indicate that both 5900 and 2222 are open on that side.

It also shows that 5900 is open but I can't access it - I try to login with Remote Desktop viewer, but it just stays on a black screen and doesn't go any further. Also on his side, it says that Remote desktop is only available over the local network - that's what I'm trying to sort out now. Ideally I don't want to use Remote desktop via VNC, but at the moment that's the only port that appears to be open on my side.

When I configure remote desktop on my PC it gives me my IP for outside connections, I'm also running off a relatively fresh install. Missions.
 

DrJohnZoidberg

> This is a classic symptom of not adding the remote host's IP to the /etc/hosts.allow file. Just add an entry like this:
>
> Code:
> sshd: 111.222.333.444
>
> Where 111.222.333.444 is the IP address of the remote box. If the address is dynamic, you can use the whole domain, *with a trailing dot*, i.e. 111.222.
>
> Allowing the whole domain will introduce the possibility of ssh brute-force attacks, but you could probably alleviate this by only allowing ssh connections by MAC address. This is not bullet-proof either, but it's a lot better than leaving ssh open to packet kiddies that couldn't be bothered spending the time to try and figure out what MAC to spoof.

Thanks for the post, the only thing is atm I cannot even reach the SSH port, even though the service is running on that side and the port is forwarded. I still don't understand why the one port is open, but not the other.
 

koffiejunkie

What happens when you telnet to the ssh port? Do you get the SSH banner at all? Is it rejected? Does it time out?
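
The outcomes asked about above (banner, rejected, timed out), plus the accepted-then-closed case behind the ssh_exchange_identification message in the first post, can be told apart with a short probe run from outside the network. This is an added example, not part of the original thread; the function name `probe_ssh` and its outcome labels are assumptions of the example.

```python
import socket
import sys

def probe_ssh(host, port, timeout=5.0):
    """Classify how an endpoint answers the first step of an SSH connection.

    Returns (outcome, detail); outcome is one of:
      'banner'  - server sent its SSH identification line (detail holds it)
      'closed'  - TCP connected, then the peer closed before any banner; the
                  ssh client reports this as "ssh_exchange_identification:
                  Connection closed by remote host"
      'refused' - connection refused: nothing is listening where the
                  forward points
      'timeout' - no answer (or no banner) within the timeout
      'other'   - connected, but the first line is not an SSH banner
      'error'   - any other socket error (detail holds the message)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # The identification line is at most 255 bytes (RFC 4253).
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(255 - len(data))
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            return ("timeout", "connected, but no banner")
        except ConnectionResetError:
            return ("closed", "")
    if not data:
        return ("closed", "")
    line = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return ("banner", line) if line.startswith("SSH-") else ("other", line)

if __name__ == "__main__":
    # Usage: python probe_ssh.py <public-ip> <forwarded-port>
    print(probe_ssh(sys.argv[1], int(sys.argv[2])))
```

A 'refused' or 'timeout' result points at the router or port forward, while 'closed' means the connection reached a listener that then dropped it, which is where sshd's own access controls and logs become relevant.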
 

DrJohnZoidberg

> What happens when you telnet to the ssh port? Do you get the SSH banner at all? Is it rejected? Does it time out?

telnet: Unable to connect to remote host: Connection refused

Figures though, because that port isn't open. canyouseeme.org shows the port as not accessible. I'm moving the port now to an unassigned one, see if this helps with anything.
 

koffiejunkie

Without knowing your router, I can think of two possible problems:

1. Your router uses said port for something.
2. Your router requires you to add an appropriate firewall rule in addition to setting the port forward.
 

DrJohnZoidberg

The router is a D-Link 2640U and we have disabled the firewall temporarily to see if this is the case. I will check now with the new port once it is set up. Thanks again,
 

DrJohnZoidberg

Thanks for all your assistance guys, the new port did the trick. Must have been something to do with the original port number and the router not mixing well.
 