On 6/12/24 15:54, Greg Marks wrote:
I'm running a Debian server from my home with a static IP address,
with ssh configured to use key-based authentication rather than
password-based.  As of a couple weeks ago, I have been unable to ssh to
my server from external locations.  When I ssh from a laptop connected
to the wireless network on the same router as my home server, I do
successfully connect to the server.  But when I ssh from an external
location, I get this error:

    OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w  11 Sep 2023
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
    debug2: ssh_connect_direct
    debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: identity file /home/user/.ssh/id_dsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa type -1
    debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type -1
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/user/.ssh/id_xmss type -1
    debug1: identity file /home/user/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
    kex_exchange_identification: read: Connection timed out
    banner exchange: Connection to xxx.xxx.xxx.xxx port 22: Connection timed out

When I ping the server from external locations, I get 100% packet loss;
whereas when I ping the server from my local wireless network, there
is 0% packet loss.  (I do have nftables set to drop connections from
numerous IP addresses that have attempted hacks in the past; however,
the problem persists after flushing nftables, and at any rate, using
check-host.net and www.site24x7.com to ping my server from various
worldwide locations also results in 100% packet loss.)  Port 22 is open.
The package ufw is not installed on my server.

The apache2 Web server running on my home server is correctly hosting
my Web pages: from external locations, my Web page gmarks.org will
open in a Web browser (even though "ping -c 10 gmarks.org" shows 100%
packet loss).  Running "traceroute xxx.xxx.xxx.xxx" from external
locations reported four successful steps, not reaching my server IP,
followed by a series of "* * *" lines.

Running "sudo service sshd status" on my server shows ssh.service
is active and running.  Running "ip address show" on my server shows
nothing unusual.  I've restarted my router, and I've restarted my server;
neither helped.

The problem began a couple weeks ago; previously (and for many years)
I had been able to ssh to my server without issue.  The first time it
failed, I was using free wireless at an airport; I was able to ssh to my
server from the hotel that morning, and maybe, the first time I tried,
from the airport, but then subsequent ssh attempts from the airport
failed to connect.  I mention this only because nothing had changed in
my server's configuration when this problem began.

This is a real problem for me, as a lot of my work involves sending
files via scp between work and home.  Any suggestions about how to
troubleshoot and hopefully fix the problem will be greatly appreciated.

Best regards,
Greg Marks


Ping:

2024-06-12 16:19:25 dpchrist@laalaa ~
$ ping -c 1 -v gmarks.org
PING gmarks.org (76.235.90.201) 56(84) bytes of data.

--- gmarks.org ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


HTTPS works:

https://gmarks.org/

Greg Marks
Office: 313 Ritter Hall
Phone: (314)977-7206
E-mail address: local-part consists of surname, domain name identical to that of the present Web page
PGP encryption public key ID: 0x53F269E8                

Postal Address:
    Department of Mathematics and Statistics
    St. Louis University
    221 N. Grand Blvd.
    St. Louis, MO 63103-2006
    U.S.A.

Resources for students

Resources for mathematicians

Research papers


It appears that someone who controls one or more of the routers between the Internet and your router has blocked ICMP echo requests, ICMP echo replies, and TCP port 22 (SSH).


I suggest that you submit a support request with your university information technology people.


David
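
An added example, not part of the thread: a small Python probe that tells apart the ways an SSH connection attempt can fail, including the one in the posted trace, where the TCP connection is established but no identification string ever arrives. The names `probe_ssh` and `local_listener` are made up for this example, and the listener is a constructed local peer, not the server discussed above.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=5.0):
    """Return (state, detail) for one TCP port where the server speaks first."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "host reachable, nothing listening on the port")
    except (socket.timeout, TimeoutError):
        return ("filtered", "no reply to the connection attempt")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(255)
        except (socket.timeout, TimeoutError):
            # Same point where the trace above stops: connected, then silence.
            return ("no-banner", "TCP connected but no identification string")
        except OSError as exc:
            return ("error", str(exc))
    if not data:
        return ("closed", "peer closed the connection without a banner")
    return ("banner", data.split(b"\n")[0].decode("ascii", "replace").strip())

def local_listener(banner):
    """Constructed test peer on 127.0.0.1; banner=None accepts and stays silent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if banner is not None:
            conn.sendall(banner)
        threading.Event().wait(2)      # hold the connection open briefly
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Constructed peers, not the server from the thread.
    print(probe_ssh("127.0.0.1", local_listener(b"SSH-2.0-Example_1.0\r\n"), 1.0))
    print(probe_ssh("127.0.0.1", local_listener(None), 1.0))
```

Running the probe against the same address from inside and outside the home network, and comparing the states, shows whether the difference lies on the path or on the server.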
