Fedora Linux Support Community & Resources Center
#1  lindan (Registered User, joined Dec 2005, 11 posts), 22nd December 2005, 04:33 AM
Question: can't open port 22

Hello everybody!

2 days ago I wanted to know how to get my dynamic IP and got very useful help, thanks again!

So, after sleeping a little I visited DynDNS, installed ddclient and wrote a little one-liner that would give me my IP. In fact, I'm even too lazy to type host xxx.xxx.xxx, so now /usr/bin/myip is:
Quote:
#!/bin/sh

echo $(host xxx.xxx.xxx | awk '{print $4}')
Everything works fine, so I wanted to log myself in with ssh. I forwarded port 22 in my hardware router (just the same way I did for aMule), but it still stays blocked. So I tried to log in from localhost to localhost (got just the router and my PC) and everything works fine.
I turned off both my router's firewall and my desktop's iptables, but nmap still goes like:

Quote:
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-22 04:27 CET
Initiating SYN Stealth Scan against xxxxxxxxxx.dip.t-dialin.net (xx.xxx.xx.xx) [1 port] at 04:27
The SYN Stealth Scan took 0.05s to scan 1 total ports.
Host xxxxxxxxxxx.dip.t-dialin.net (xx.xxx.xx.xx) appears to be up ... good.
Interesting ports on xxxxxxxxxx.dip.t-dialin.net (xx.xxx.xx.xx):
PORT STATE SERVICE
22/tcp closed ssh

Nmap finished: 1 IP address (1 host up) scanned in 0.413 seconds
Raw packets sent: 3 (108B) | Rcvd: 2 (92B)
So the port is definitely closed.

Well, since I can log in from localhost to itself, I assume sshd is running fine. Also, since my forwarding for aMule worked, I guess it's not my router configuration (but I'm not sure).
I asked a few friends, looked at faqs and stuff, but I just don't get it working.

Maybe it's because I want to login from the same machine, but nmap shouldn't say the port was closed.

Any ideas?
#2  Jman (Registered User, joined Mar 2004, Minnesota, USA, age 28, 7,909 posts), 24th December 2005, 05:39 AM
Let's be sure the local firewall isn't blocking anything.

Code:
iptables --list
should return a line like
Code:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
If there isn't and you configured it, you probably have to reload the firewall config.
Code:
service iptables restart
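Seeing the ACCEPT line in `iptables --list` is necessary but not sufficient: iptables evaluates rules top to bottom, and Fedora's default ruleset sends INPUT into a user chain (RH-Firewall-1-INPUT) that ends in a blanket REJECT, so a rule appended to INPUT afterwards is never reached. The following added example (not from the thread or from Fedora) parses a listing, follows the chain jumps in evaluation order and reports whether the SSH accept sits above the first blanket REJECT/DROP. Both listings are constructed; chain names and the "anywhere" columns mirror the format Jman quotes. Note that plain `--list` hides interface matches such as the loopback rule, so use `iptables -L -n -v` on a real box.

```python
"""Check that the SSH ACCEPT rule in an `iptables --list` dump is actually reachable.

Added example, not the thread's own code. The listings below are constructed,
modelled on the Fedora-era layout where INPUT jumps into RH-Firewall-1-INPUT
(chain names are assumptions, not taken from the poster's box).
"""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Built-in targets; any other target that also names a chain is a jump.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

Rule = Tuple[str, str, str]  # (target, proto, match text after the destination column)

GOOD_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Same box after `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`: the rule is
# appended to INPUT *after* the jump, and the jumped-to chain ends in REJECT.
BAD_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""


def parse_listing(listing: str) -> Dict[str, List[Rule]]:
    """Split `iptables --list` output into {chain: [(target, proto, extra), ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue  # blank separator or the column header
        fields = line.split(None, 5)  # target prot opt source destination [extra]
        extra = fields[5] if len(fields) > 5 else ""
        chains[current].append((fields[0], fields[1], extra))
    return chains


def walk(chains: Dict[str, List[Rule]], chain: str = "INPUT", depth: int = 0) -> Iterator[Rule]:
    """Yield rules in evaluation order, descending into user-defined chains."""
    if depth > 8:  # guard against a loop in a hand-edited ruleset
        return
    for target, proto, extra in chains.get(chain, []):
        if target == "RETURN":
            return  # back to the calling chain
        if target in TERMINAL or target not in chains:
            yield target, proto, extra
        else:
            yield from walk(chains, target, depth + 1)  # jump; falls through if nothing matched


def ssh_accept_reachable(listing: str, port: str = "ssh") -> dict:
    """Locate the first ACCEPT for dpt:<port> and the first blanket REJECT/DROP on the INPUT path."""
    wanted = f"dpt:{port}"
    accept_at = block_at = None
    for idx, (target, proto, extra) in enumerate(walk(parse_listing(listing))):
        matches_port = wanted in extra.split()
        if target == "ACCEPT" and proto in ("tcp", "all") and matches_port and accept_at is None:
            accept_at = idx
        elif target in ("DROP", "REJECT") and "dpt:" not in extra and block_at is None:
            block_at = idx
    reachable = accept_at is not None and (block_at is None or accept_at < block_at)
    return {"accept_at": accept_at, "block_at": block_at, "reachable": reachable}


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, ssh_accept_reachable(listing))
```

On a live system feed it `subprocess.check_output(["iptables", "--list"], text=True)`; a result with `reachable` false but `accept_at` set means the rule exists but is dead, and the fix is `iptables -I` into the right chain above the REJECT rather than `-A`.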
#3  funchords (Registered User, joined Jul 2004, Hillsboro, Oregon USA, 91 posts), 24th December 2005, 08:51 AM
in /etc/ssh/sshd_config do you have ListenAddress set to a specific address? By default, it listens on all addresses ... so since that's what you want, you can comment out any uncommented ListenAddress lines.

Setting it to 127.0.0.1 would cause it to respond ONLY to localhost.
__________________
Robb Topolski
www.funchords.com
Networks/Wi-Fi: Expert, Windows/DOS: Expert, Linux: Shell User, some config skills
#4  lindan (Registered User, joined Dec 2005, 11 posts), 24th December 2005, 04:26 PM
Jman:

Yes, I've got that line saying:
Quote:
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
funchords:

I have worked on the problem in the last few days, and my sshd_config looks like this:
Quote:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/sftp-server

UsePAM yes
As far as I know, it should just work fine like that.

Also, I am able to log in at my eth0 (192.168.2.32); I was told at some other forum (the German unixboard.de) that being able to log in at eth0 would mean that my sshd configuration should be fine.

I thought it could be possible that logging in from the same host, using the WAN IP, might be the problem. Since I do not have the possibility to try from some other place, I am not really sure if it depends on that.

Does someone know if that might cause the problem?
#5  lindan (Registered User, joined Dec 2005, 11 posts), 24th December 2005, 04:31 PM
By the way:

Thanks for your help and merry Christmas to all!
#6  funchords (Registered User, joined Jul 2004, Hillsboro, Oregon USA, 91 posts), 25th December 2005, 12:28 AM
Quote:
Originally Posted by lindan
I thought it could be possible that logging in from the same host, using the WAN IP, might be the problem. Since I do not have the possibility to try from some other place, I am not really sure if it depends on that.

Does someone know if that might cause the problem?
It appeared further up in the thread that you ran a portscan and got a closed response, so I'm somewhat sure this is not the problem.

Still, you might want to try an outside portscanner, like the one at Shields Up (about 2/3rds down the page).
#7  lindan (Registered User, joined Dec 2005, 11 posts), 25th December 2005, 02:51 AM
That was a very good tip! Thanks, funchords. I should have tried that a lot earlier!

As Shields Up told me, my ssh port 22 is open! So I guess the problem really is related to the attempt to log in from the same host. I used to think that using nmap would give me some sort of outside scan. (I thought that, using nmap, the signal, or packets or whatever, would leave the LAN and return via WAN to my router's ports, but I don't know exactly.)

By the way: pinging my wan ip is successful (But I don't know if that's important now)

Maybe the router can't handle an inside signal turning into an external request for wan_ip:22/tcp. But all that lies far beyond my knowledge and experience. I set up ssh in order to learn something about all this.

One thing I feel really good about is that I now have my firewalls activated again. Scanning my port 22 via Shields Up, 22 is still open.
Do you think there could be something else done wrong? I have no more ideas.

Concluding, I assume that everything concerning sshd and my LAN is configured correctly. Also the forwarding in my router should be set up properly. (Please DO correct me if I might still be wrong on those points, because I can't trust any conclusions I make at my state of knowledge.)

I think the only way to really find out what's going on is to go to a friend of mine and try to log myself in from a different location. I think tomorrow or the day after I'll have the possibility to do so.

If some of you know that problem, or think that I am wrong in some other points: I really appreciate hearing your opinion and learning from you.

Thanks again...
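The two scan results are not contradictory once you read nmap's states literally: "closed" means a TCP RST came back, so something answered and refused; "filtered" means nothing answered (or an ICMP unreachable arrived); "open" means SYN/ACK. A LAN host scanning its router's own WAN address gets the RST from the router, which (unless it supports NAT loopback, also called hairpinning) treats the packet as addressed to itself rather than as a forwarded connection. Shields Up, coming from the Internet, hits the forward. The added example below (not the thread's code) turns a plain `connect()` into the same three-way classification, probes the same port from the three vantage points the thread tried, and names the resulting pattern. The LAN address is the one lindan posted; the WAN address is a placeholder, and the offline self-test uses a real listener on 127.0.0.1 instead of sshd.

```python
"""Probe one port from several vantage points and name the pattern that results.

Added example, not the thread's own code. Only the loopback target is real; the
LAN address comes from the thread and the WAN address is a TEST-NET placeholder.
Mapping to nmap's states: a completed connect is "open" (SYN/ACK), ECONNREFUSED
is "closed" (a RST came back, so *something* answered), a timeout or
host-unreachable error is "filtered".
"""
import socket
from typing import Dict, Tuple

TIMEOUT = 3.0

# label -> (host, port). Addresses other than loopback are assumptions.
TARGETS: Dict[str, Tuple[str, int]] = {
    "loopback": ("127.0.0.1", 22),
    "lan": ("192.168.2.32", 22),           # the sshd box's eth0 address from the thread
    "wan_from_lan": ("203.0.113.10", 22),  # the router's WAN address (placeholder)
}

# (loopback, lan, wan_from_lan) -> verdict
VERDICTS = {
    ("open", "open", "open"): "ok",
    ("open", "open", "closed"): "no-hairpin",        # sshd fine; router refused its own WAN address
    ("open", "open", "filtered"): "dropped",         # packet filter drops it, or no forward and the router stays silent
    ("open", "closed", "closed"): "listen-address",  # sshd bound to 127.0.0.1 only
    ("closed", "closed", "closed"): "not-listening",
}


def probe(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """Return "open", "closed" or "filtered" for host:port, in nmap's vocabulary."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:  # peer sent RST
        return "closed"
    except OSError:                 # timeout (socket.timeout is an OSError) or ICMP unreachable
        return "filtered"
    finally:
        s.close()


def classify(loopback: str, lan: str, wan_from_lan: str) -> str:
    """Name the combination; anything not in the table needs a closer look."""
    return VERDICTS.get((loopback, lan, wan_from_lan), "inconclusive")


def run(targets: Dict[str, Tuple[str, int]] = TARGETS) -> Dict[str, str]:
    return {label: probe(host, port) for label, (host, port) in targets.items()}


def local_fixture() -> Tuple[socket.socket, int, int]:
    """Open a listener on 127.0.0.1 and find a port nobody listens on (offline self-test)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # released again: a connect there now draws a RST, i.e. "closed"
    return lst, lst.getsockname()[1], closed_port


if __name__ == "__main__":
    results = run()
    print(results, "->", classify(results["loopback"], results["lan"], results["wan_from_lan"]))
```

A "no-hairpin" verdict is exactly lindan's situation: nothing on the Linux side is wrong, and the only meaningful test of the forward is one that originates outside the router.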
#8  funchords (Registered User, joined Jul 2004, Hillsboro, Oregon USA, 91 posts), 25th December 2005, 08:33 AM
Quote:
Originally Posted by lindan
I think the only way to really find out what's going on is to go to a friend of mine and try to log myself in from a different location. I think tomorrow or the day after I'll have the possibility to do so.

If some of you know that problem, or think that I am wrong in some other points: I really appreciate hearing your opinion and learning from you.
I think you're right -- next step is to try it from the outside. You really don't need anyone to login, just have someone connect with Putty or some other SSH client and get a username/password prompt.

SSHD tip: There's a script/program/virus/zombie out there that scans port 22 and then spends hours doing dictionary attacks on both usernames and passwords. Use strong passwords and do not allow root access via SSH. As soon as you can figure it out, enable key authentication instead of password authentication. That'll stop 'em cold.
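The dictionary-attack bots funchords describes leave a very regular trace in sshd's log (/var/log/secure on Fedora), which makes them easy to spot; what matters most is noticing the rare case where one of them eventually succeeds. The added example below (not the thread's code) runs that detection over a handful of constructed log lines in the format sshd wrote at the time. Host name, addresses and the year (syslog timestamps carry none) are assumptions.

```python
"""Flag SSH password-guessing in syslog-style sshd lines, and any success that follows it.

Added example, not the thread's own code. Three things are reported: a source
that fails >= THRESHOLD times inside WINDOW seconds, any attempts on root, and
a successful login from a source that was guessing beforehand, which is the
case that actually needs a human.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

WINDOW = 60     # seconds
THRESHOLD = 5   # failures inside WINDOW from one source

# Constructed sample; host "fc4", the two addresses and the year are assumptions.
SAMPLE_LOG = """\
Dec 25 03:12:01 fc4 sshd[2211]: Failed password for invalid user admin from 10.0.0.77 port 51112 ssh2
Dec 25 03:12:03 fc4 sshd[2213]: Failed password for invalid user test from 10.0.0.77 port 51120 ssh2
Dec 25 03:12:05 fc4 sshd[2215]: Failed password for root from 10.0.0.77 port 51131 ssh2
Dec 25 03:12:06 fc4 sshd[2217]: Failed password for root from 10.0.0.77 port 51135 ssh2
Dec 25 03:12:08 fc4 sshd[2219]: Failed password for invalid user oracle from 10.0.0.77 port 51140 ssh2
Dec 25 03:12:09 fc4 sshd[2221]: Failed password for invalid user guest from 10.0.0.77 port 51144 ssh2
Dec 25 03:30:41 fc4 sshd[2300]: Failed password for lindan from 192.168.2.10 port 40012 ssh2
Dec 25 03:30:50 fc4 sshd[2300]: Accepted publickey for lindan from 192.168.2.10 port 40012 ssh2
Dec 25 03:41:00 fc4 sshd[2350]: Accepted password for lindan from 10.0.0.77 port 51900 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str, str]  # (time, Failed|Accepted, method, user, ip)


def parse(log_text: str, year: int = 2005) -> List[Event]:
    """Turn matching sshd lines into events; syslog has no year, so one is supplied."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other sshd chatter, or not sshd at all
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(log_text: str, window_s: int = WINDOW, threshold: int = THRESHOLD) -> dict:
    """Sliding-window failure counts per source, root attempts, and success-after-guessing."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    root_attempts: Dict[str, int] = defaultdict(int)
    bruteforce: Dict[str, int] = {}
    success_after_failures: List[Tuple[str, str, str]] = []
    for ts, result, method, user, ip in parse(log_text):
        if result == "Failed":
            fails[ip].append(ts)
            if user == "root":
                root_attempts[ip] += 1
            recent = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                bruteforce[ip] = max(bruteforce.get(ip, 0), len(recent))
        elif len(fails[ip]) >= threshold:
            # A login from a source that was spraying: treat as compromised until proven otherwise.
            success_after_failures.append((ip, user, method))
    return {
        "bruteforce": bruteforce,
        "root_attempts": dict(root_attempts),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The single failed attempt from the LAN address followed by a key login is normal noise and is not flagged; the password login from 10.0.0.77 after six guesses is the line worth an alert. With `PasswordAuthentication no` and PAM challenge-response also off, the last sample line could not occur at all, which is the point of funchords' advice.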
#9  lindan (Registered User, joined Dec 2005, 11 posts), 25th December 2005, 06:25 PM
Tomorrow I'll visit a friend of mine and figure it out.

Quote:
Use strong passwords and do not allow root access via SSH. As soon as you can figure it out, enable key authentication instead of password authentication.
I always close port 22 when I'm done, so I think I should be somewhat safe. I also have blocked root login via ssh in my sshd_config. If I try to log in as root (LAN), my password is not accepted.
I posted the file already, so you can have a look at it.
Do I have to do something else in order to have key authentication enabled? I have PasswordAuthentication set to no and there are lines set for RSA and DSA host keys. But I must admit I haven't spent any time with that...
But I remember that, when I first ran ssh, some keys were generated.

Anyway, thanks for the tip. I'm very interested in those security topics, but I've still got to check the basics out
#10  funchords (Registered User, joined Jul 2004, Hillsboro, Oregon USA, 91 posts), 26th December 2005, 03:51 AM
You do have to do something else, on both the client and the server machine. It is documented well -- I've followed it. It's been a while since I've gone through that, so RTFM first and if you get stuck, just post back.

Good luck with your test!
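Two things the manual will confirm but that trip people up in practice. First, the HostKey lines in the posted sshd_config identify the server to clients; they have nothing to do with user key authentication, which needs a key pair generated on the client with ssh-keygen and the public half appended to ~/.ssh/authorized_keys on the server. Second, the posted config still accepts passwords: `PasswordAuthentication no` only disables one method, and with `UsePAM yes` and ChallengeResponseAuthentication left at its default of yes, OpenSSH of that vintage still takes passwords through PAM keyboard-interactive, so that line needs an explicit `no` as well. The most common reason a freshly installed key is then silently ignored is `StrictModes yes`: sshd refuses to read authorized_keys if the home directory, ~/.ssh or the file is group- or world-writable, and says so only at LogLevel DEBUG. The added example below (not the thread's code) runs those permission and format checks locally on a throwaway home directory; the sample key is a constructed, structurally valid ssh-ed25519 blob with an all-zero key, not a real one.

```python
"""Pre-flight for public-key login: the checks sshd's StrictModes performs, run locally.

Added example, not the thread's own code. Builds ~/.ssh/authorized_keys in a
temporary directory so it runs anywhere; the sample key line is a dummy.
"""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path
from typing import List

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed dummy: a public-key blob always starts with its own type name as an ssh string.
DUMMY_ED25519 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
SAMPLE_KEY_LINE = f"ssh-ed25519 {DUMMY_ED25519} lindan@laptop (dummy key)\n"


def blob_type(b64: str) -> str:
    """Return the key type encoded inside the base64 blob (empty string if malformed)."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else ""
    except (ValueError, struct.error, UnicodeDecodeError):
        return ""


def _writable_by_others(p: Path) -> bool:
    return bool(p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_authorized_keys(home: Path) -> List[str]:
    """Return a list of problems; an empty list means sshd would consider the keys."""
    problems: List[str] = []
    ssh_dir, ak = home / ".ssh", home / ".ssh" / "authorized_keys"
    if _writable_by_others(home):
        problems.append("home directory is group/world writable")
    if not ssh_dir.is_dir():
        return problems + ["~/.ssh does not exist"]
    if _writable_by_others(ssh_dir):
        problems.append("~/.ssh is group/world writable (want 700)")
    if not ak.is_file():
        return problems + ["authorized_keys does not exist"]
    if _writable_by_others(ak):
        problems.append("authorized_keys is group/world writable (want 600)")
    usable = 0
    for n, line in enumerate(ak.read_text().splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Either "keytype blob [comment]" or "options keytype blob [comment]".
        idx = next((i for i in (0, 1) if i < len(fields) and fields[i] in KEY_TYPES), None)
        if idx is None:
            problems.append(f"line {n}: no recognised key type")
        elif len(fields) < idx + 2 or blob_type(fields[idx + 1]) != fields[idx]:
            problems.append(f"line {n}: key data missing or does not match '{fields[idx]}'")
        else:
            usable += 1
    if usable == 0:
        problems.append("no usable public key in authorized_keys")
    return problems


def build_home(dir_mode: int = 0o700, file_mode: int = 0o600, content: str = SAMPLE_KEY_LINE) -> Path:
    """Create a throwaway home with ~/.ssh/authorized_keys in the given modes."""
    home = Path(tempfile.mkdtemp())  # mkdtemp creates it 0700
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir()
    os.chmod(ssh_dir, dir_mode)
    ak = ssh_dir / "authorized_keys"
    ak.write_text(content)
    os.chmod(ak, file_mode)
    return home


if __name__ == "__main__":
    print("good:", check_authorized_keys(build_home()))
    print("loose dir:", check_authorized_keys(build_home(dir_mode=0o777)))
```

Run `check_authorized_keys(Path.home())` on the server as the user who will log in; once it returns an empty list and `ssh -v` from the client shows the key being offered, the remaining failures are on the sshd_config side.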
#11  lindan (Registered User, joined Dec 2005, 11 posts), 26th December 2005, 10:35 PM
It worked!!!

There was absolutely no problem, everything worked fine!

I still don't know why nmap said the ports were closed, and why logging in at home wouldn't work, but maybe it's a routing problem.

Thanks, funchords!!! Checking my ports at Shields Up was just what I needed to do!

I will read about key authentication and post if there are any problems. But before I do so, I'll try to make a little homepage (maybe using apache). Also wanted to set up an ftp server.

cu