
11th May 2005, 06:02 PM
|
|
Registered User
|
|
Join Date: May 2005
Posts: 15

|
|
|
SSH/Connecting issues
Hi, I am a Linux newbie and am trying to get my system set up so I can access it remotely using secure shell.
I installed Fedora 3 about 2 weeks ago, and when I installed it, I remember specifying no trusted services when I set up the firewall during installation. Well, now I do want people to be able to remotely access my system.
I have followed a few tutorials, and I think I have the sshd set up properly. But I am not positive. While logged in, I can open a terminal and ssh to 127.0.0.1, and everything works.
The problem is, when I use PuTTY on a WinXP machine (or SSH on a unix box) I get connection refused, or connection timed out. Which makes me think that the firewall is blocking the ports.
So from here I went to a site about networking, and it led me to check the host files for allow/deny.
My allow just has 127.0.0.1
and deny had nothing.
I tried to establish connections with the Firewall and SELinux set to off, and still got "connection refused".
Any suggestions?
Thanks,
Otter
|

11th May 2005, 06:05 PM
|
 |
Registered User
|
|
Join Date: Nov 2004
Location: Netherlands
Age: 26
Posts: 1,426

|
|
You have to edit the iptables configuration file to let ssh go through; I don't know how, however. Do you have a router? It is possible that it blocks your connection.
__________________
Registered Linux user number 389291
Laptop: Nec Versa p550, Pentium M 1.86GHz, 1024MB ram, x300, 80 GB HD, bluetooth, 2915BG Wlan card
Desktop: Amd Athlon x2 4200+, 2GB ram, Geforce 7300GT 512MB silent, 160GB HD in a nice centurion 534 case :cool:
|

11th May 2005, 06:07 PM
|
 |
Registered User
|
|
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026

|
|
|
IIRC, if you have anything in your /etc/hosts.allow, it will ONLY allow connects from those addresses. Either add your other box to the list or delete the file.
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
will open a hole in your firewall for incoming SSH connections.
|

11th May 2005, 06:39 PM
|
|
Registered User
|
|
Join Date: May 2005
Posts: 15

|
|
|
When I look at the allow file, it states at the top: DO NOT DELETE... blah blah blah, in regard to the 127.0.0.1 being listed.
So instead of deleting, should I just add
::
?
The IP from the comps I will be connecting from is going to be random, as they are all on dialup accounts/VPNs, so I can't really list them. Is it safe to delete the allow file, or is there a syntax that says "allow all"? I think that is what " :: " does, but I am not sure.
|

11th May 2005, 06:42 PM
|
 |
Registered User
|
|
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026

|
|
|
Uhm.... /etc/hosts is a completely different animal from /etc/hosts.allow. Leave /etc/hosts be and if you have an /etc/hosts.allow file, kill it.
|

11th May 2005, 06:52 PM
|
|
Registered User
|
|
Join Date: May 2005
Posts: 15

|
|
|
lol good point, dunno why I was thinking of the 2 ><
|

12th May 2005, 01:17 AM
|
|
Registered User
|
|
Join Date: May 2005
Posts: 15

|
|
|
Hm, it's still not working.
All attempts to connect from an outside source are refused or timing out.
Any thoughts?
Also, is there a log where things like this are stored? Where the system detects an incoming connection, but refuses it. I'd like to be able to narrow my problem down a little more. But currently all I can say is that I can tracert with Win XP to my Fedora box, and it succeeds, but finger says connection refused.
|

12th May 2005, 03:39 AM
|
|
Registered User
|
|
Join Date: May 2005
Posts: 15

|
|
|
I have also tried completely disabling Linux Firewall / SELinux and still get the time outs =(
Can't think of anything else that could cause it. =\
|

12th May 2005, 08:08 AM
|
 |
Registered User
|
|
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026

|
|
|
finger? :-) Unless you're running a finger server, connection refused is all you'll get. finger is useless.
What happens with
service sshd status
and on the XP machine
telnet YOURLINUXBOXIP 22
|

12th May 2005, 08:26 AM
|
 |
Registered User
|
|
Join Date: Feb 2005
Location: Strasbourg
Age: 28
Posts: 720

|
|
Quote:
|
Originally Posted by AndyGreen
IIRC, if you have anything in your /etc/hosts.allow, it will ONLY allow connects from those addresses. Either add your other box to the list or delete the file.
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
will open a hole in your firewall for incoming SSH connections.
|
It didn't work for me
Quote:
[root@goorah ~]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT
[root@goorah ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@goorah ~]# ssh -l goorah edumath.u-strasbg.fr
ssh: connect to host edumath.u-strasbg.fr port 22: Connection refused
|
Quote:
[root@goorah ~]# service sshd status
sshd (pid 3964) is running...
|
|

12th May 2005, 08:32 AM
|
 |
Registered User
|
|
Join Date: Feb 2005
Location: Strasbourg
Age: 28
Posts: 720

|
|
|
How can I close that hole again?
|

12th May 2005, 09:10 AM
|
 |
Registered User
|
|
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026

|
|
|
Does edumath.u-strasbg.fr really resolve to your machine's IP address?
host edumath.u-strasbg.fr
ifconfig eth0
Just from the DNS name representing a department I would expect some mighty router and firewall machine to be at that IP.
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
will kill the hole, but it represents zero security risk while nothing can connect to it :-)
|

12th May 2005, 02:35 PM
|
 |
Registered User
|
|
Join Date: Feb 2005
Location: Strasbourg
Age: 28
Posts: 720

|
|
Quote:
[root@goorah ~]# host edumath.u-strasbg.fr
edumath.u-strasbg.fr has address 130.79.7.2
[root@goorah ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:03:0D:13:B6:AA
inet addr:172.18.2.24 Bcast:172.18.2.255 Mask:255.255.255.0
inet6 addr: fe80::203:dff:fe13:b6aa/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1073 errors:0 dropped:0 overruns:0 frame:0
TX packets:1159 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:536352 (523.7 KiB) TX bytes:190083 (185.6 KiB)
Interrupt:5 Base address:0xe800
|
Actually, edumath.u-strasbg.fr is my uni server; I would like to log in to my account.
|

12th May 2005, 02:38 PM
|
 |
Registered User
|
|
Join Date: Feb 2005
Location: Strasbourg
Age: 28
Posts: 720

|
|
Quote:
|
Originally Posted by AndyGreen
Does edumath.u-strasbg.fr really resolve to your machine's IP address?
host edumath.u-strasbg.fr
ifconfig eth0
Just from the DNS name representing a department I would expect some mighty router and firewall machine to be at that IP.
iptables -D INPUT -p tcp --dport 22 -j ACCEPT
service iptables save
will kill the hole, but it represents zero security risk while nothing can connect to it :-)
|
[root@goorah ~]# iptables -D INPUT -p tcp --dport 22 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?)
[root@goorah ~]#
|

12th May 2005, 02:42 PM
|
 |
Registered User
|
|
Join Date: Apr 2005
Location: Northants, UK
Posts: 2,026

|
|
|
Well, does a matching rule exist?
iptables -L
Please also do the other tests.
|
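Added example, not part of any post in this thread: `iptables -I` places a rule at the top of a chain, and that position matters because iptables stops at the first rule that decides a packet. The function below (hypothetical name `ssh_verdict`, with constructed sample rules) reads a saved ruleset and reports whether a new connection to port 22 reaches an ACCEPT before a REJECT or DROP; it looks only at the INPUT chain of the filter table and does not follow jumps to user-defined chains.

```shell
#!/bin/sh
# Added example. ssh_verdict reads iptables-save text (filter table) on stdin,
# walks the INPUT chain top to bottom and prints what the first deciding rule
# does with a new TCP connection to port 22 from an arbitrary remote address.
ssh_verdict() {
    awk '
    /^:INPUT / { policy = $2 }             # chain policy, e.g. ":INPUT ACCEPT [0:0]"
    $1 == "-A" && $2 == "INPUT" && verdict == "" {
        skip = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")           { if ($(i+1) != "tcp") skip = 1; i++ }
            else if ($i == "--dport") { if ($(i+1) != "22")  skip = 1; i++ }  # ranges are skipped
            else if ($i == "--state") { if ($(i+1) !~ /NEW/) skip = 1; i++ }
            else if ($i == "-m")      { i++ }    # module name; its options are handled above
            else if ($i == "-j")      { target = $(i+1); break }
            else skip = 1    # -s, -i, ...: rule does not cover every remote client
        }
        if (skip || target == "" || target == "LOG") next    # LOG never decides
        if (target == "ACCEPT") verdict = "accept"
        else if (target == "DROP" || target == "REJECT") verdict = "blocked:" target
        else verdict = "unknown:" target    # jump to a user-defined chain, not followed
    }
    END { print (verdict != "" ? verdict : "policy:" policy) }
    '
}

# Constructed sample rules in iptables-save syntax (not taken from the thread).
EST='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
REJECT_ALL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
SSH_OK='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

ruleset() {    # wrap the given rule lines in a minimal filter table
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' "$@" 'COMMIT'
}

ruleset "$EST" "$REJECT_ALL" "$SSH_OK" | ssh_verdict    # SSH rule appended after the REJECT
ruleset "$SSH_OK" "$EST" "$REJECT_ALL" | ssh_verdict    # SSH rule inserted at the top
```

On a live system, feed the function the output of `iptables-save` or the /etc/sysconfig/iptables file that `service iptables save` writes.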