Re: Problem using reverse ssh tunnel (remote port forwarding)
For anyone wondering, we figured out that Dropbear wasn't configured to listen on localhost on the device - only external interfaces.

Cheers,
Matt

> On Wed 30/5/2018, at 8:15 pm, Ben Kinsella wrote:
>
> Hi Matt.
>
> There is no /var/log/auth.log, only /var/log/messages.
> (This is an OpenWrt-type device, loosely based on Chaos Calmer, using
> logd/logread. Is there anything I should do to increase dropbear’s log
> verbosity?)
>
> I can see that successful ssh connections are logged to /var/log/messages.
> But nothing is logged for my unsuccessful attempts to connect via the reverse
> tunnel.
>
> Attempted telnet from relayserver:
> $ telnet localhost 10022
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Attempted ssh from relayserver:
> $ ssh -p 10022 root@localhost
> ssh_exchange_identification: Connection closed by remote host
>
> Using tcpdump on the device, I can see that there is activity when the ssh
> connection attempt fails:
>
> # tcpdump host -i eth1 -vvvX
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 12:13:06.442928 IP (tos 0x0, ttl 53, id 9167, offset 0, flags [DF], proto TCP (6), length 152)
>     ec2-.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [P.], cksum 0x1e43 (correct), seq 4215067679:4215067779, ack 1099402958, win 227, options [nop,nop,TS val 327307585 ecr 103952497], length 100
> 12:13:06.471362 IP (tos 0x10, ttl 64, id 16162, offset 0, flags [DF], proto TCP (6), length 104)
>     172.24.20.205.58658 > ec2-.eu-west-2.compute.amazonaws.com.ssh: Flags [P.], cksum 0x4da8 (correct), seq 1:53, ack 100, win 587, options [nop,nop,TS val 103968949 ecr 327307585], length 52
> 12:13:06.489051 IP (tos 0x0, ttl 53, id 9168, offset 0, flags [DF], proto TCP (6), length 52)
>     ec2-.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [.], cksum 0xd60a (correct), seq 100, ack 53, win 227, options [nop,nop,TS val 327307597 ecr 103968949], length 0
>
> Can you glean anything from these packets?
>
> Thanks,
> Ben.
>
>
> From: Matt Johnston [mailto:m...@ucc.asn.au]
> Sent: 29 May 2018 14:45
> To: Ben Kinsella
> Cc: dropbear@ucc.asn.au
> Subject: Re: Problem using reverse ssh tunnel (remote port forwarding)
>
> Hi Ben,
>
> Does the device log anything from Dropbear in /var/log/auth.log or similar?
> If you "telnet localhost 10022" does it print anything?
>
> Cheers,
> Matt
>
>
> On Fri 25/5/2018, at 11:05 pm, Ben Kinsella <bkinse...@advantech-bb.com> wrote:
>
> I have various devices on a private network behind a router, and I typically
> use “ssh -R” to access them.
> i.e. On the device I run
> $ ss
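
Added example, not part of the original thread and not Dropbear project code: a POSIX sh check for the cause reported above, an SSH server bound only to an external address so that the `localhost:22` target of the reverse tunnel is unreachable on the device. The function name, the sample `netstat -tln` lines and the 192.0.2.10 address are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: decide whether a reverse-tunnel target such as
# "localhost:22" can be reached on the device, from `netstat -tln` text.

# classify_listener PORT   (netstat -tln output on stdin)
# Prints: loopback-ok | external-only | not-listening
classify_listener() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # host/port split at the last colon
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            seen = 1
            # A wildcard or loopback bind accepts connections made to localhost.
            if (host == "0.0.0.0" || host == "::" ||
                host == "127.0.0.1" || host == "::1") ok = 1
        }
        END { print (ok ? "loopback-ok" : (seen ? "external-only" : "not-listening")) }
    '
}

# Constructed sample: server bound only to a LAN address (the failure in this thread).
SAMPLE_EXTERNAL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN'

# Constructed sample: wildcard IPv6 bind, which also accepts loopback connections.
SAMPLE_WILDCARD='tcp        0      0 :::22                   :::*                    LISTEN'

printf '%s\n' "$SAMPLE_EXTERNAL" | classify_listener 22     # external-only
printf '%s\n' "$SAMPLE_WILDCARD" | classify_listener 22     # loopback-ok
printf '%s\n' "$SAMPLE_EXTERNAL" | classify_listener 10022  # not-listening
```

On the device, run `netstat -tln | classify_listener 22`. On `external-only`, either give Dropbear a loopback listen address as well (its `-p [address:]port` option can be repeated) or point the `-R` forward at the address it does listen on instead of `localhost`.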
RE: Problem using reverse ssh tunnel (remote port forwarding)
Hi Matt.

There is no /var/log/auth.log, only /var/log/messages.
(This is an OpenWrt-type device, loosely based on Chaos Calmer, using logd/logread. Is there anything I should do to increase dropbear’s log verbosity?)

I can see that successful ssh connections are logged to /var/log/messages.
But nothing is logged for my unsuccessful attempts to connect via the reverse tunnel.

Attempted telnet from relayserver:
$ telnet localhost 10022
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

Attempted ssh from relayserver:
$ ssh -p 10022 root@localhost
ssh_exchange_identification: Connection closed by remote host

Using tcpdump on the device, I can see that there is activity when the ssh connection attempt fails:

# tcpdump host -i eth1 -vvvX
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
12:13:06.442928 IP (tos 0x0, ttl 53, id 9167, offset 0, flags [DF], proto TCP (6), length 152)
    ec2-.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [P.], cksum 0x1e43 (correct), seq 4215067679:4215067779, ack 1099402958, win 227, options [nop,nop,TS val 327307585 ecr 103952497], length 100
12:13:06.471362 IP (tos 0x10, ttl 64, id 16162, offset 0, flags [DF], proto TCP (6), length 104)
    172.24.20.205.58658 > ec2-.eu-west-2.compute.amazonaws.com.ssh: Flags [P.], cksum 0x4da8 (correct), seq 1:53, ack 100, win 587, options [nop,nop,TS val 103968949 ecr 327307585], length 52
12:13:06.489051 IP (tos 0x0, ttl 53, id 9168, offset 0, flags [DF], proto TCP (6), length 52)
    ec2-.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [.], cksum 0xd60a (correct), seq 100, ack 53, win 227, options [nop,nop,TS val 327307597 ecr 103968949], length 0

Can you glean anything from these packets?

Thanks,
Ben.

From: Matt Johnston [mailto:m...@ucc.asn.au]
Sent: 29 May 2018 14:45
To: Ben Kinsella
Cc: dropbear@ucc.asn.au
Subject: Re: Problem using reverse ssh tunnel (remote port forwarding)

Hi Ben,

Does the device log anything from Dropbear in /var/log/auth.log or similar?
If you "telnet localhost 10022" does it print anything?

Cheers,
Matt

On Fri 25/5/2018, at 11:05 pm, Ben Kinsella <bkinse...@advantech-bb.com> wrote:

I have various devices on a private network behind a router, and I typically use “ssh -R” to access them.
i.e. On the device I run
$ ssh -fN -R :10022:localhost:22 user@relayserver
Then I can ssh in via relayserver.

This works for several different device types.
However, it is not working for a particular device with dropbear v2017.75.
The initial “ssh -R” command works (I can confirm with netstat on relayserver), but when I attempt to connect I get an error:
$ ssh -p 10022 root@localhost
ssh_exchange_identification: Connection closed by remote host

Any suggestions?

Regards,
Ben.
Re: Problem using reverse ssh tunnel (remote port forwarding)
Hi Ben,

Does the device log anything from Dropbear in /var/log/auth.log or similar?
If you "telnet localhost 10022" does it print anything?

Cheers,
Matt

> On Fri 25/5/2018, at 11:05 pm, Ben Kinsella wrote:
>
> I have various devices on a private network behind a router, and I typically
> use “ssh -R” to access them.
> i.e. On the device I run
> $ ssh -fN -R :10022:localhost:22 user@relayserver
> Then I can ssh in via relayserver.
>
> This works for several different device types.
> However, it is not working for a particular device with dropbear v2017.75.
> The initial “ssh -R” command works (I can confirm with netstat on
> relayserver), but when I attempt to connect I get an error:
> $ ssh -p 10022 root@localhost
> ssh_exchange_identification: Connection closed by remote host
>
> Any suggestions?
>
> Regards,
> Ben.