SSH Connection refused

[leone1]

I currently have two computers setup at home one running Fedora 12 and the other running Fedora 11. I am trying to learn how to use SSH to remote connect back and forth. I'm getting an error and not exactly sure where I'm going wrong. The command I use is ssh root@192.168.xx.xx The error it gives me is
ssh: connect to host 192.168.xx.xx port 22: Connection refused.
I have made sure that the firewalls on both computers allow the SSH protocol to pass through.
I am running behind a router and have tried configuring that to forward the SSH port 22 to the appropriate computer with no luck either. Does anyone know of anything that may be preventing me from connecting other than the firewall?

[glennzo]

Can't say as I actually know what's preventing the connection. All I can say is I use ssh every day here on my home network and it never works until I add ip addresses and hostnames to /etc/hosts. If there is another, or more proper way to enable ssh connections I'd like to hear about it.

[leone1]

I have found maybe what could be the problem but not sure how to fix it. On the machine running Fedora 11 I cannot locally log on using SSH it says connection refused the same as trying to remote log on. Is there a way to check to see if SSH is enabled?
On the machine running Fedora 12 it was easy to check i just opened System>Administration>Services

---------- Post added at 07:35 PM CST ---------- Previous post was at 07:27 PM CST ----------

I found the problem. I had to start the sshd on the Fedora 11 machine by executing the following command /etc/rc.d/init.d/sshd start . Is there a way to enable this to load at start-up?
Thank you for your help.

[glennzo]

To answer the question about how to tell if it's running ....

Code:

[glenn@leonardo ~>$ /sbin/service sshd status
openssh-daemon (pid  1139) is running...

To have it start automatically

Code:

su -c '/sbin/chkconfig --level 35 sshd on'

[leone1]

Thank you glennzo I executed that command on the Fedora 11 machine thorugh a SSH connection all is working fine now. Thanks again.

---------- Post added at 08:00 PM CST ---------- Previous post was at 07:50 PM CST ----------

To scot32746 this is the /etc/ssh/sshd_config entry
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Even though it is not using that parameter it is still allowing me to connect via ssh root@192.168.xx.xx as well as ssh user@192.168.xx.xx.

[scott32746]

check to see is SSH is running
# service sshd status
I also think if you are trying to use root to ssh over, you can't with out changing /etc/ssh/sshd_config
Need to change PermitRootLogin no to yes,, but not a good idea. If there is # infront of PermitRootLogin
too.

[scott32746]

hmmm, maybe the default is yes with #ed out

[wwwillem]

Moving from FC8 to FC12 (fresh install) I ran into the same problem. And the fix is indeed easy: 'chkconfig' followed by 'service sshd start'.

However, a) I think it's a weird choice to have this disabled by default, but b) there always was a GUI tool to control which services are enabled and to start/stop them. I can't find that anymore in FC12. Or is that now a separate app that needs to be installed first.

-

[Firewing1]

It's a separate application now, after installing "system-config-services" you should see it appear in the Administration menu.

As for SSH, I should mention from a security standpoint that allowing root logins is generally a bad idea - it would be best to configure users with sudo or to login as a regular user and use "su -" immediately instead. This way you still have root access, but a hacker who breaks in won't.

This is how I usually setup my SSH server (all these commands must be executed by root):

Code:

yum install denyhosts
chkconfig denyhosts on
service denyhosts start

This installs and starts DenyHosts, a handy service that bans IPs should they have too many failed authentications. Be careful! You can ban yourself as well if you make too many mistakes while entering the password (default is 5 authentication failures). Edit /etc/denyhosts.conf to fine-tune the settings, or add your hostname/IP range to /var/lib/denyhosts/allowed-hosts to have them whitelisted. Denyhosts will resolve hosts, so if you have a dynamic dns account active you can add it to the whitelist and that way your home IP will always be whitelisted!

Code:

sed -i'' 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
chkconfig sshd on
service sshd restart

This disables root login, configures the SSH service to start at boot and restarts the SSH daemon.

Code:

echo "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT" >> /etc/sysconfig/iptables
service iptables restart

This allows incoming connections on TCP port 22 through the firewall so that you machine can accept external SSH requests. You can also configure this with the GUI firewall tool instead of execute the commands above.

The only thing left to do is to get the port forwarding setup - for this you will need a static IP address. Right-click on the NetworkManager icon near the clock and select "Edit connections". From there, you'll see that you can edit your default interface and set a manual address. If you're not sure what values to use, right-click again on the NetworkManager icon you should be able to view your current connection information - just copy those values. Once you know your static IP address, you'll need to input that into the router so that it knows where to send requests on port 22 to.

[wwwillem]

thanks for the pointer to system-config-services

agreed about default not allowing root, but FC12's default is not allowing anybody to log in because sshd is default not enabled

IMHO this is a bit of a stretch, but YMMV :-)

-

[Firewing1]

That policy is not just for sshd, but for any service - it's true as well for httpd (apache), mysqld and denyhosts for example. Although it can be annoying, I think it is a good idea since it's better to be safe than sorry... consider what could happen if an admin installed MySQL and rebooted, forgetting to set the root MySQL password first!

[waugh]

In my case, on Fedora 17, once I disabled the firewall, I was able to do "ssh localhost echo foo" and it did. So that proves that the daemon is running. But trying to come in from another machine on the local network gives:
jack-ntbk ~ $ ssh -vv jack-tower echo foo
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to jack-tower [192.168.2.202] port 22.
debug1: connect to address 192.168.2.202 port 22: Connection refused
ssh: connect to host jack-tower port 22: Connection refused

On edit: After rebooting, using chkconfig to set sshd to be started, then rebooting again, I was able to ssh in.

However, a couple of other functionalities worked for a while and mysteriously broke, so I'm probably just going to go back to Ubuntu.