LinHES Forums http://forums.linhes.org/

Can only SSH in locally http://forums.linhes.org/viewtopic.php?f=21&t=20628
Author: ceenvee703 [ Mon Nov 30, 2009 7:05 pm ]
Post subject: Can only SSH in locally
Just upgraded to R6 and am gradually trying to get things back to the way they were in R5.5. Here's the latest one I can't figure out. I know mythtv and root are denied ssh access. I can ssh into my machine when I do it from a local machine (IP # 192.168.blah) and from the one user account I set up when installing R6. I can't log in, however, when I am outside of my network. It doesn't even prompt me for username. For instance, when I use putty I get "server unexpectedly closed network connection." I have tried:
* adding an "AllowUsers" and my one account username to /etc/ssh/sshd_config
* tried commenting out the "ALL: ALL: DENY" line in /etc/hosts.deny
I do a "sv restart sshd" after each of those attempts and still can't connect. What else should I be looking at? Thanks.
Author: mihanson [ Mon Nov 30, 2009 7:13 pm ]
Here's what I have and I have no issues from WAN or LAN:
Code:
    $ cat /etc/hosts.allow
    #
    # /etc/hosts.allow
    #
    ALL: 192.168.
    ALL: 10.
    ALL: 127.0.0.1
    # End of file
    $ cat /etc/hosts.deny
    #
    # /etc/hosts.deny
    #
    #ALL: ALL: DENY
    # End of file
Author: ceenvee703 [ Mon Nov 30, 2009 8:09 pm ]
Thanks; coulda sworn I restarted sshd after commenting out the hosts.deny line, but I must not have, because now it works. Appreciate the double-check.
Author: Golffies [ Sat Feb 13, 2010 9:56 am ]
Post subject: ssh_exchange_identification: Connection closed by remote hos
I confirm that commenting the line
Quote:
    #
    # /etc/hosts.deny
    #
    # ALL: ALL: DENY
is the easiest way to allow ssh connections from WAN. The change took effect immediately, no sshd restart required. Unfortunately, it also lowers security. I tried a few other ways to selectively open access over ssh from the WAN, but they all failed; for instance:
Quote:
    #
    # /etc/hosts.allow
    #
    ALL: .adsl.myisp.com: ALLOW
fails to grant access from a host in that domain, or even
Quote:
    #
    # /etc/hosts.deny
    #
    ALL: ALL: ALLOW
seems ineffective (perhaps the command ALLOW is ignored in the /etc/hosts.deny file?). Connection reads the following message, then drops:
Quote:
    ssh_exchange_identification: Connection closed by remote host
Somebody skilled might turn us to a configuration better balanced between accessibility and security. BTW, here is an easy to read how-to covering /etc/hosts.allow and /etc/hosts.deny syntax: HOWTO - Limiting Access to TCP-wrapped services with hosts.allow
Author: jbm2131 [ Sat Feb 13, 2010 10:39 pm ]
I think I had the same problem and stumbled upon this setup that works (can't remember where I got this solution):
Code:
    $ cat /etc/hosts.allow
    #
    # /etc/hosts.allow
    #
    ALL: 192.168.
    ALL: 127.0.0.1
    sshd:ALL
    # End of file
    $ cat /etc/hosts.deny
    #
    # /etc/hosts.deny
    #
    ALL: ALL: DENY
    # End of file
    $
Seems a little more secure since it only opens up sshd to the whole world. Maybe there is an even more secure setup?
Author: gatorback [ Fri Aug 13, 2010 8:22 pm ]
No restart of system or service needed: add the bolded line:
Code:
    [root@mythtv ~]# cat /etc/hosts.allow
    #
    # /etc/hosts.allow
    #
    sshd:ALL
    ALL: 192.168.
    ALL: 10.
    ALL: 127.0.0.1
    ALL: 172.16.
    # End of file
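To see why the configurations posted by mihanson, jbm2131 and gatorback behave the way they do, and why Golffies' domain-based attempt can silently fail, the following added example simulates the TCP-wrapper decision that libwrap makes for a connection. It is not LinHES code and not part of tcp_wrappers; it re-implements the order of evaluation documented in hosts_access(5) (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise grant) for only the pattern forms that appear in this thread. The client addresses, the hostname pool-7.adsl.myisp.com and the daemon name vsftpd are constructed test values.

```python
"""Simulate TCP-wrapper (hosts_access) decisions for the hosts.allow and
hosts.deny pairs posted in this thread.

Added example, not LinHES or tcp_wrappers code.  Order of evaluation is
the one documented in hosts_access(5): the first matching entry in
hosts.allow grants access, otherwise the first matching entry in
hosts.deny refuses it, otherwise access is granted.  Only the pattern
forms used in the thread are implemented; IPv6, netmask and @netgroup
forms are not.  Client IPs and hostnames below are constructed values.
"""

from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str], Optional[str]]   # (daemons, clients, option)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines into rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2].upper() if len(fields) > 2 and fields[2] else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def client_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """Match one client pattern against a connecting host.

    `hostname` is what tcpd learned from the reverse DNS lookup, or None
    when that lookup produced nothing, which is common for consumer WAN
    addresses; name-based patterns can never match in that case.
    """
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                        # any hostname without a dot
        return hostname is not None and "." not in hostname
    if pattern.endswith("."):                     # "192.168." : leading octets of the address
        return ip.startswith(pattern)
    if pattern.startswith("."):                   # ".adsl.myisp.com" : trailing part of the name
        return hostname is not None and hostname.endswith(pattern)
    return pattern == ip or pattern == hostname   # exact address or exact name


def rule_matches(rule: Rule, daemon: str, ip: str, hostname: Optional[str]) -> bool:
    daemons, clients, _ = rule
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(client_matches(c, ip, hostname) for c in clients)


def decide(daemon: str, ip: str, hostname: Optional[str],
           hosts_allow: str, hosts_deny: str) -> str:
    """Return 'allow' or 'deny' for a connection to `daemon` from the client."""
    for rule in parse_rules(hosts_allow):
        if rule_matches(rule, daemon, ip, hostname):
            return "deny" if rule[2] == "DENY" else "allow"   # explicit option overrides the file
    for rule in parse_rules(hosts_deny):
        if rule_matches(rule, daemon, ip, hostname):
            return "allow" if rule[2] == "ALLOW" else "deny"
    return "allow"                                # no match in either file: access granted


# The configurations from the thread, verbatim apart from layout.
MIHANSON_ALLOW = "ALL: 192.168.\nALL: 10.\nALL: 127.0.0.1\n"
MIHANSON_DENY = "#ALL: ALL: DENY\n"
JBM2131_ALLOW = "ALL: 192.168.\nALL: 127.0.0.1\nsshd:ALL\n"
JBM2131_DENY = "ALL: ALL: DENY\n"
GOLFFIES_ALLOW = "ALL: .adsl.myisp.com: ALLOW\n"
GOLFFIES_DENY = "ALL: ALL: DENY\n"

if __name__ == "__main__":
    wan = ("203.0.113.7", None)                   # constructed WAN client, no reverse DNS
    lan = ("192.168.1.20", None)                  # constructed LAN client
    for name, allow, deny in [("mihanson", MIHANSON_ALLOW, MIHANSON_DENY),
                              ("jbm2131", JBM2131_ALLOW, JBM2131_DENY),
                              ("Golffies", GOLFFIES_ALLOW, GOLFFIES_DENY)]:
        for daemon in ("sshd", "vsftpd"):
            for ip, host in (wan, lan):
                print(f"{name:9} {daemon:7} from {ip:13}: "
                      f"{decide(daemon, ip, host, allow, deny)}")
```

Running it shows mihanson's files granting every service from anywhere (the only deny entry is commented out), jbm2131's and gatorback's granting sshd from anywhere but everything else only from the listed private ranges, and Golffies' ".adsl.myisp.com" entry matching only when the connecting address resolves back to a name under that domain; with no usable reverse DNS the entry is inert and the catch-all DENY wins, which is consistent with the immediate "ssh_exchange_identification: Connection closed by remote host" since libwrap refuses before sshd sends its banner. On the real box, the tcp_wrappers tool tcpdmatch (for example `tcpdmatch sshd 203.0.113.7`) evaluates the actual files the same way. Note that hosts.allow only governs sshd if that sshd was built with libwrap support; OpenSSH dropped libwrap in 6.7, so on newer systems this control must be done in sshd_config (AllowUsers, Match address) or a packet filter.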
Author: tjc [ Sat Aug 14, 2010 9:29 am ]
Also recommended on the _useful_ security through obscurity front, if you're going to expose it to the outside changing your default ssh port can effectively reduce your exposure. Friends in the network security world tell me that the number of probes they see against default ports versus nonstandard ports is hundreds or even thousands to one. At the very least it'll reduce the amount of noise in your log files...
Author: gatorback [ Sat Aug 14, 2010 12:18 pm ]
Additional Guidance and discussion regarding adaptive SSH security found in this thread: http://knoppmyth.net/phpBB2/viewtopic.php?p=129317#129317
All times are UTC - 6 hours