Re: [vox-tech] SSH On Home Network
--- Jeff Newmiller <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> > --- Mike Simons <[EMAIL PROTECTED]> wrote:
> > > Jim,
> > >
> > > Thanks for the output.
> > >
> > > Two observations:
> > >
> > > - You are using the wrong IP address when ssh'ing from the rh7.2 box to
> > >   the rh8.0 box. rh8.0 is configured for IP address 192.168.0.3, and
> > >   you ran ssh to 192.168.0.11. Try again with .3
> > > ...
> >
> > Good grief. You are right. I can ssh into .3
> >
> > This is very confusing. The rh8.0 box was set up with a static (I thought)
> > address of .11 and I verified that it had .11 at the time with ifconfig.
> >
> > Just looking at my router, I see 2 dynamic addresses and 2 static
> > addresses. The last time I looked it was 1 and 2. Also, the win98 box was
> > .3 and now it is .2
> >
> > The rh7.2 box has kept its .10 address since the beginning.
> >
> > I guess that means I messed up the router config somehow. Now, at least,
> > I'll be working on the right problem.
> >
> > If anyone has a few tips for working with a Netgear FR314 router, or a few
> > good links, I would appreciate the pointers.
>
> Static IP addresses are configured in the device... check your rh8.0
> configuration files and make sure it is not requesting a DHCP address from
> the router.

Hi Jeff,

Monday night I changed the router config by deleting the .3 address and by
adding a static address (192.168.0.11) and the mac address of the rh8.0 box.

This morning the rh8.0 box had the .11 address, according to ifconfig. I could
also ssh into .11 from rh7.2 and my win98 box.

Do you think I need to make additional changes in the rh8.0 box? Is this a
stable situation, or will addresses change again when I least expect it? I
would really like to have an address scheme that is stable.

> Also make sure that if you want to access the machine using names, you can
> set up your internal names in "hosts" files on your various other machines.
> This means that if you _change_ a static IP address in the device, you will
> have to alter all of those files on other machines as well so they will know
> about the change.

I'm glad you mentioned this. It is something I want to do after the addresses
are stable.

Thanks for the help,
Jim

___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
Re: [vox-tech] SSH On Home Network
On Mon, 10 Mar 2003, Jim Angstadt wrote:
> --- Mike Simons <[EMAIL PROTECTED]> wrote:
> > Jim,
> >
> > Thanks for the output.
> >
> > Two observations:
> >
> > - You are using the wrong IP address when ssh'ing from the rh7.2 box to
> >   the rh8.0 box. rh8.0 is configured for IP address 192.168.0.3, and
> >   you ran ssh to 192.168.0.11. Try again with .3
> > ...
>
> Good grief. You are right. I can ssh into .3
>
> This is very confusing. The rh8.0 box was set up with a static (I thought)
> address of .11 and I verified that it had .11 at the time with ifconfig.
>
> Just looking at my router, I see 2 dynamic addresses and 2 static addresses.
> The last time I looked it was 1 and 2. Also, the win98 box was .3 and now
> it is .2
>
> The rh7.2 box has kept its .10 address since the beginning.
>
> I guess that means I messed up the router config somehow. Now, at least,
> I'll be working on the right problem.
>
> If anyone has a few tips for working with a Netgear FR314 router, or a few
> good links, I would appreciate the pointers.

Static IP addresses are configured in the device... check your rh8.0
configuration files and make sure it is not requesting a DHCP address from
the router.

Also make sure that if you want to access the machine using names, you can
set up your internal names in "hosts" files on your various other machines.
This means that if you _change_ a static IP address in the device, you will
have to alter all of those files on other machines as well so they will know
about the change.

---
Jeff Newmiller                                DCN:<[EMAIL PROTECTED]>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---
Re: [vox-tech] SSH On Home Network
Mike Simons said:
> On Mon, Mar 10, 2003 at 04:16:01PM -0800, Jim Angstadt wrote:
>> > Could you try this:
>> > # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3\
>> > --destination-port 22 -j ACCEPT
>>
>> I get "Illegal option '-s' with this command".
>
> He meant a -A instead of -D, but I think you have confirmed that the
> firewall rules are really the problem you shouldn't waste time messing
> with them.

Sorry about that. I meant "-I" instead of -A or -D.

-I inserts the rule at point "1" to be the first rule checked. This should
ensure that an ACCEPT is triggered for ssh to short-circuit the other checks
in-line.

-ME

--
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-) C++$() U$(+$) P+$>+++
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
[EMAIL PROTECTED](++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++> h(++)>+ r*>? z?
--END GEEK CODE BLOCK--
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
Campus IT(/OS Security): Operating Systems Support Specialist Assistant
Re: [vox-tech] SSH On Home Network
--- Mike Simons <[EMAIL PROTECTED]> wrote:
> Jim,
>
> Thanks for the output.
>
> Two observations:
>
> - You are using the wrong IP address when ssh'ing from the rh7.2 box to
>   the rh8.0 box. rh8.0 is configured for IP address 192.168.0.3, and
>   you ran ssh to 192.168.0.11. Try again with .3
> ...

Good grief. You are right. I can ssh into .3

This is very confusing. The rh8.0 box was set up with a static (I thought)
address of .11 and I verified that it had .11 at the time with ifconfig.

Just looking at my router, I see 2 dynamic addresses and 2 static addresses.
The last time I looked it was 1 and 2. Also, the win98 box was .3 and now it
is .2

The rh7.2 box has kept its .10 address since the beginning.

I guess that means I messed up the router config somehow. Now, at least, I'll
be working on the right problem.

If anyone has a few tips for working with a Netgear FR314 router, or a few
good links, I would appreciate the pointers. Meanwhile I'll be looking at the
Netgear site and doing a google search.

Much thanks to all who helped me get this far.

Jim

> - You are running a firewall on the rh8.0 box... if things don't work
>   with the correct IP address I would try running the following command
>   which will wipe out the firewall rules. Test ssh to verify that
>   you can connect between machines; if it works you know the redhat
>   firewall configuration is messing you up. If not we need to check
>   other things first.
>   ===
>   iptables -F
>   ===

I'll hold off with flushing for now. [btw, sorry Nino for not seeing the -F
option.]

> So let me know how this goes...
>
> TTFN,
> Mike
>
> > On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> > Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
> > pkts bytes target prot opt in out source destination
> > 11039 9473K RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
> >
> > Chain RH-Lokkit-0-50-INPUT (1 references)
> > pkts bytes target prot opt in out source
> > 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
> > 6 360 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
> >
> > ifconfig
> >
> > eth0 Link encap:Ethernet HWaddr 00:09:5B:1A:31:9A
> > inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
> > UP BROADCAST RUNNING MULTICAST MTU:1500
> >
> > > Also for additional information try a "ssh -v" to connect from your
> > > rh7.2 box and include a ifconfig.
> >
> > Script started on Mon Mar 10 15:20:06 2003
> >
> > ssh -v [EMAIL PROTECTED]
> > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> > debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> > debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
> > debug1: connect: No route to host
Re: [vox-tech] SSH On Home Network
On Mon, 10 Mar 2003, Jim Angstadt wrote:
> Hi Nino,
>
> During install I selected medium security and specified several servers
> that I wanted to run, including ssh.

Yeah after I sent the last email, I noticed that your iptables *seems* to be
allowing ssh in, but I'd still disable it just in case.

> > I'm not sure if 8.0's firewall runs ipchains or iptables. You can check
> > by typing "lsmod | grep ipchains". If you see a line there, then you can
> > disable the firewall by typing "ipchains -F". If it is running iptables,
> > typing "ipchains -F" should disable it. Let us know what happens.

I meant try typing "iptables -F" if running iptables, but you got the idea.
And yeah, it's safe to type it even though you mysteriously have no man pages
on it. It just flushes out any rules you have defined in your firewall.
Re: [vox-tech] SSH On Home Network
On Mon, Mar 10, 2003 at 04:16:01PM -0800, Jim Angstadt wrote:
> > Could you try this:
> > # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3\
> > --destination-port 22 -j ACCEPT
>
> I get "Illegal option '-s' with this command".

He meant a -A instead of -D, but I think you have confirmed that the firewall
rules are really the problem you shouldn't waste time messing with them.
Re: [vox-tech] SSH On Home Network
On Mon, Mar 10, 2003 at 04:00:04PM -0800, ME wrote:
> Looking at the output from the iptables, I don't see a rule permitting
> packets with a syn flag set to port 22 for ssh.

Perhaps I've read it wrong... but

- The only TCP reject rule that has killed *any* packets got 6 packets.
- The machine is set to reply by icmp-port-unreachable and he is getting a
  no-route-to-host.
- There are no rules that appear to block ICMP traffic and he can't ping.

So he has got to be testing the wrong IP... or have something else preventing
his tests from reaching the eth device.

TTFN,
Mike

# Chain RH-Lokkit-0-50-INPUT (1 references)
# pkts bytes target prot opt in out source
# 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
# 6 360 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable

> (Background: this is taken from examination of the "flags" section, and
> having an understanding of a tcp packet and the flags
> http://mike.passwall.com/networking/tcppacket.html )

- Even then the tcp port 22 rule allows packets with flags:0x16/0x02, and the
  only tcp killing rule only drops packets with flags:0x16/0x02. So if ssh
  ever sent packets like that there would be indications in the accepted
  counters... which there are none.
- *IF* any packets fall off the end of this "RH-Lokkit-0-50-INPUT" chain,
  they will be accepted... because INPUT is set to ACCEPT by default.

ps: I personally don't like the style of those rules... if they want to block
everything that is not allowed the default rules should be REJECT and there
should be rules to only accept good traffic.
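Mike's reading of the counters above (the port-22 ACCEPT sits before the REJECT rules but has never matched a packet, and anything that falls off the end of the Lokkit chain is accepted by the INPUT policy) can be mechanised. The script below is an added example, not code from the thread or from Red Hat's Lokkit: it parses an `iptables -nvL` listing (a constructed, abbreviated copy of the one Jim posted, with the counters as posted) and walks the INPUT chain the way the kernel does, reporting which rule decides a new connection to a given port and how many packets that rule has seen. It matches only protocol, input interface and destination port, since every source and destination in the sample is 0.0.0.0/0.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abbreviated copy of the listing posted in the thread,
# keeping only the rules that matter for this walk-through (counters as posted).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
 pkts bytes target     prot opt in     out     source               destination
11039 9473K RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   16   960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x16/0x02
 1367  121K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
"""

@dataclass
class Rule:
    pkts: int                     # packets this rule has matched so far
    target: str                   # ACCEPT, REJECT, DROP or a user chain name
    prot: str                     # tcp, udp, icmp or all
    in_if: str                    # input interface, "*" for any
    dports: Tuple[int, int]       # inclusive destination port range
    reject_with: Optional[str]    # e.g. icmp-port-unreachable

@dataclass
class Chain:
    name: str
    policy: Optional[str]         # built-in chains only; None for user chains
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)")
PORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
REJECT_RE = re.compile(r"reject-with (\S+)")

def parse_counter(text: str) -> int:
    """iptables abbreviates large counters: 11039, 9473K, 12M, 3G."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    if text[-1] in mult:
        return int(text[:-1]) * mult[text[-1]]
    return int(text)

def parse_listing(text: str) -> Dict[str, Chain]:
    """Turn `iptables -nvL` output into {chain name: Chain}."""
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue                          # blank line or column header
        extra = " ".join(cols[9:])            # match text after destination
        pm = PORT_RE.search(extra)
        if pm:
            lo = int(pm.group(1))
            hi = int(pm.group(2)) if pm.group(2) else lo
        else:
            lo, hi = 0, 65535                 # no port match: any port
        rm = REJECT_RE.search(extra)
        current.rules.append(Rule(parse_counter(cols[0]), cols[2], cols[3],
                                  cols[5], (lo, hi), rm.group(1) if rm else None))
    return chains

def walk(chains: Dict[str, Chain], name: str, prot: str, dport: int,
         in_if: str) -> Tuple[Optional[str], Optional[Rule]]:
    """Traverse a chain as the kernel does: the first matching terminal
    target wins, a user chain with no match returns to its caller, and a
    built-in chain's policy applies only when nothing matched at all."""
    chain = chains[name]
    for rule in chain.rules:
        if rule.prot not in ("all", prot) or rule.in_if not in ("*", in_if):
            continue
        if not rule.dports[0] <= dport <= rule.dports[1]:
            continue
        if rule.target in chains:                       # jump to user chain
            verdict, decided = walk(chains, rule.target, prot, dport, in_if)
            if verdict is not None:
                return verdict, decided
            continue                                    # fell off its end
        return rule.target, rule
    return chain.policy, None

def audit_port(listing: str, dport: int, prot: str = "tcp",
               in_if: str = "eth0") -> dict:
    """Report what happens to a new connection to dport arriving on in_if."""
    verdict, rule = walk(parse_listing(listing), "INPUT", prot, dport, in_if)
    return {"verdict": verdict,
            "decided_by": "policy" if rule is None else "rule",
            "hits": None if rule is None else rule.pkts,
            "reject_with": None if rule is None else rule.reject_with}

if __name__ == "__main__":
    for port in (22, 23, 8080):
        print(port, audit_port(SAMPLE_LISTING, port))
```

Port 22 comes back ACCEPT by a rule with zero hits, port 23 REJECT with icmp-port-unreachable, and an unlisted high port such as 8080 is ACCEPT by policy, which is the style Mike objects to in his postscript.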
Re: [vox-tech] SSH On Home Network
--- ME <[EMAIL PROTECTED]> wrote:
> Jim Angstadt said:
> > --- ME <[EMAIL PROTECTED]> wrote:
> >> Jim Angstadt said:
> Could you try this:
> # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3\
> --destination-port 22 -j ACCEPT

I get "Illegal option '-s' with this command".

Jim
Re: [vox-tech] SSH On Home Network
Jim,

Thanks for the output.

Two observations:

- You are using the wrong IP address when ssh'ing from the rh7.2 box to
  the rh8.0 box. rh8.0 is configured for IP address 192.168.0.3, and
  you ran ssh to 192.168.0.11. Try again with .3
...

- You are running a firewall on the rh8.0 box... if things don't work
  with the correct IP address I would try running the following command
  which will wipe out the firewall rules. Test ssh to verify that
  you can connect between machines; if it works you know the redhat
  firewall configuration is messing you up. If not we need to check
  other things first.
  ===
  iptables -F
  ===

So let me know how this goes...

TTFN,
Mike

> > On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
> pkts bytes target prot opt in out source destination
> 11039 9473K RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> Chain RH-Lokkit-0-50-INPUT (1 references)
> pkts bytes target prot opt in out source
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
> 6 360 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
>
> ifconfig
>
> eth0 Link encap:Ethernet HWaddr 00:09:5B:1A:31:9A
> inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500
>
> > Also for additional information try a "ssh -v" to connect from your
> > rh7.2 box and include a ifconfig.
>
> Script started on Mon Mar 10 15:20:06 2003
>
> ssh -v [EMAIL PROTECTED]
> OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
> debug1: connect: No route to host
Re: [vox-tech] SSH On Home Network
Jim Angstadt said:
> --- Nino Brown <[EMAIL PROTECTED]> wrote:
>> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> My 3 boxes are behind a Netgear FR314 router which has a firewall. I have
> no idea just how good that firewall is.

Having extra rules does offer more security as you have two filters in place
instead of one. However, extra complexity is also created, and problems can
arise as a result. I prefer the control that Linux iptables/ipchains offers,
and would include them as well, just as you have.

>> I'm not sure if 8.0's firewall runs ipchains or iptables. You can check
>> by typing "lsmod | grep ipchains". If you see a line there, then you can
>> disable the firewall by typing "ipchains -F". If it is running iptables,
>> typing "ipchains -F" should disable it. Let us know what happens.
>
> Here are 3 lines from lsmod output:
>
> ipt_REJECT 3736 6 (autoclean)
> iptable_filter 2412 1 (autoclean)
> ip_tables 14936 2 [ipt_REJECT iptable_filter]

What was being proposed, with the "-F", was to flush all of the firewall
rules from the box. If this is the intent, since you are running iptables,
you can "get there" with:

# iptables -F

Since your default rules for FORWARD, INPUT and OUTPUT are "ACCEPT", this
would likely permit other boxes to ssh to this box. However, this is also not
a permanent fix, but can be useful for testing to verify that the problem you
face is a filtering one. I would only try this step if the prior step of
inserting the rule should fail.

Also, if you are going to go this far to "zap" all of your firewall rules
permanently, then we can cover not starting the firewall rules at boot time.

(Going to class, be back in 3 hours.)

-ME
Re: [vox-tech] SSH On Home Network
--- Nino Brown <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> I'm not sure if 8.0's firewall runs ipchains or iptables. You can check
> by typing "lsmod | grep ipchains". If you see a line there, then you can
> disable the firewall by typing "ipchains -F". If it is running iptables,
> typing "ipchains -F" should disable it. Let us know what happens.

Oops, I should have added that 'man iptables' does not show a -F option, and
there is no ipchains man on my system. Should I still try it anyway?

Jim
Re: [vox-tech] SSH On Home Network
Jim Angstadt said:
> --- ME <[EMAIL PROTECTED]> wrote:
>> Jim Angstadt said:
>> [likely need works with filters]
>> > Could you give me a starting point for this, please.
>>
>> Mike Simons has asked for the output from two commands in a response to
>> this. This should help you along this path.
>>
>> In addition to his request, could you also pass the contents of the files:
>> /etc/hosts.allow
>
> sshd: ALL
> [I added this earlier, following directions in a Linux Journal tech support
> article. No apparent effect.]

This can be an issue if tcpwrappers support was included in your RH8 box. It
still looks like iptables is to blame.

Looking at the output from the iptables, I don't see a rule permitting
packets with a syn flag set to port 22 for ssh.

(Background: this is taken from examination of the "flags" section, and
having an understanding of a tcp packet and the flags
http://mike.passwall.com/networking/tcppacket.html )

Pulling from other mail:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02

Could you try this:
# iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3\
--destination-port 22 -j ACCEPT

(If the line should wrap, the "\" at the end of the first should permit you
to paste it into a shell and then just press return.)

Then try to ssh to the box from one of the others.

(This is just a test, not a permanent fix. It inserts a rule at the top of
the list to allow all IP from your private net 192.168.0.[0-255] to connect
with tcp to that machine's port 22.)

If you can ssh to the box, then we can proceed from here and try to make the
"fix" a permanent one.

If you cannot, then it would be a good idea to remove that rule we just
inserted:
# iptables -t filter -D INPUT 1

When you ssh from the other box to this one, please give it some time to
connect. Often ssh is configured to perform rDNS for each incoming
connection. When this is the case, and your ssh server is behind a private
network, it may take some time for the rDNS to fail before the ssh is
permitted to pass through.

>> /etc/hosts.deny
>
> empty.

OK.

-ME
Re: [vox-tech] SSH On Home Network
--- Nino Brown <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> > Could you give me a starting point for this, please.
> > I'm totally ignorant on firewalls and filters.
>
> When you installed 8.0, did you include firewalling?

Hi Nino,

During install I selected medium security and specified several servers that
I wanted to run, including ssh.

> The redhat-installed firewall blocks out just about everything that is not
> selected as trusted. If the machine is already behind a firewall on a
> trusted lan, or if it is not connected to the internet, I would disable the
> firewall.

My 3 boxes are behind a Netgear FR314 router which has a firewall. I have no
idea just how good that firewall is.

> I'm not sure if 8.0's firewall runs ipchains or iptables. You can check
> by typing "lsmod | grep ipchains". If you see a line there, then you can
> disable the firewall by typing "ipchains -F". If it is running iptables,
> typing "ipchains -F" should disable it. Let us know what happens.

Here are 3 lines from lsmod output:

ipt_REJECT 3736 6 (autoclean)
iptable_filter 2412 1 (autoclean)
ip_tables 14936 2 [ipt_REJECT iptable_filter]
Re: [vox-tech] SSH On Home Network
On Mon, 10 Mar 2003, Jim Angstadt wrote:
> Could you give me a starting point for this, please.
> I'm totally ignorant on firewalls and filters.

When you installed 8.0, did you include firewalling? The redhat-installed
firewall blocks out just about everything that is not selected as trusted.
If the machine is already behind a firewall on a trusted lan, or if it is
not connected to the internet, I would disable the firewall.

I'm not sure if 8.0's firewall runs ipchains or iptables. You can check by
typing "lsmod | grep ipchains". If you see a line there, then you can disable
the firewall by typing "ipchains -F". If it is running iptables, typing
"ipchains -F" should disable it. Let us know what happens.
Re: [vox-tech] SSH On Home Network
--- ME <[EMAIL PROTECTED]> wrote:
> Jim Angstadt said:
> [likely need works with filters]
> > Could you give me a starting point for this, please.
>
> Mike Simons has asked for the output from two commands in a response to
> this. This should help you along this path.
>
> In addition to his request, could you also pass the contents of the files:
> /etc/hosts.allow

sshd: ALL
[I added this earlier, following directions in a Linux Journal tech support
article. No apparent effect.]

> /etc/hosts.deny

empty.

> If they do not exist, or do not contain references to the number "22" or
> the word "ssh" then you do not need to include them here.
>
> There are several ways to implement filters with ssh. The most likely
> cause for the problems you face is one of iptables being configured with a
> very aggressive rule to stop incoming ssh traffic. (Conclusions on this
> will be addressed when you provide the output of the iptables command he
> asked for.)
>
> ssh also has a "built-in" for filtering. It is possible to build ssh with
> support for "tcp wrappers" which is why I wanted to also see the contents
> of /etc/hosts.allow and /etc/hosts.deny too.
>
> (I'm almost certain, that iptables is where the problem resides.)
>
> Thanks,
> -ME
Re: [vox-tech] SSH On Home Network
Hi Mike,

Here is the output you requested. Thanks for the directions.

Jim

--- Mike Simons <[EMAIL PROTECTED]> wrote:
> On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> > Immediately after failed ssh attempts, I did not find
> > any error messages in /var/log/messages.
> >
> > Below is a summary of my attempts to connect between
> > various boxes. What should I do?
>
> There are a number of possible problems... most likely you have some
> sort of firewall configuration running on the redhat box or maybe
> sshd is configured to only accept connections with specific version of
> ssh protocol.
>
> run and send results.
>
> iptables -nvL

Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
 pkts bytes target prot opt in out source destination
11039 9473K RH-Lokkit-0-50-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 7697 packets, 1015K bytes)
 pkts bytes target prot opt in out source destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target prot opt in out source destination
    3   597 ACCEPT udp -- * * 204.127.202.4 0.0.0.0/0 udp spt:53 dpts:1025:65535
  138 30741 ACCEPT udp -- * * 216.148.227.68 0.0.0.0/0 udp spt:53 dpts:1025:65535
   16   960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
    5  1904 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
    0     0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
 1367  121K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    6   360 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
 1459  202K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023 reject-with icmp-port-unreachable
    0     0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
    0     0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable

> ifconfig

eth0      Link encap:Ethernet  HWaddr 00:09:5B:1A:31:9A
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9921 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:9503575 (9.0 Mb)  TX bytes:983743 (960.6 Kb)
          Interrupt:11 Base address:0xf000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:123305 (120.4 Kb)  TX bytes:123305 (120.4 Kb)

> grep ^Protocol /etc/ssh/sshd*

There is no output from this command.

/etc/ssh/sshd_config has only 3 uncommented lines:
SyslogFacility AUTHPRIV
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

There are no other matches for sshd*

> Also for additional information try a "ssh -v" to connect from your
> rh7.2 box and include a ifconfig.

Script started on Mon Mar 10 15:20:06 2003

ssh -v [EMAIL PROTECTED]
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: connect: No route to host
debug1: restore_uid
debug1: Trying again... d
Re: [vox-tech] SSH On Home Network
Jim Angstadt said:
[likely need works with filters]
> Could you give me a starting point for this, please.

Mike Simons has asked for the output from two commands in a response to this.
This should help you along this path.

In addition to his request, could you also pass the contents of the files:
/etc/hosts.allow
/etc/hosts.deny

If they do not exist, or do not contain references to the number "22" or the
word "ssh" then you do not need to include them here.

There are several ways to implement filters with ssh. The most likely cause
for the problems you face is one of iptables being configured with a very
aggressive rule to stop incoming ssh traffic. (Conclusions on this will be
addressed when you provide the output of the iptables command he asked for.)

ssh also has a "built-in" for filtering. It is possible to build ssh with
support for "tcp wrappers" which is why I wanted to also see the contents of
/etc/hosts.allow and /etc/hosts.deny too.

(I'm almost certain, that iptables is where the problem resides.)

Thanks,
-ME
Re: [vox-tech] SSH On Home Network
--- ME <[EMAIL PROTECTED]> wrote:
> With only the data you have provided, it looks more like the interface is
> down, or an interface is improperly configured.
>
> Nothing can ping it.
> Nothing can ssh to it.
>
> If it cannot ping others, and/or cannot ssh to others, this further adds
> to this as being more likely. (Pinging yourself is not a sufficient test
> for use of the correct interface, but it can be useful in testing firewall
> rules. I mean here, to ping other boxes from the RH8 one.

Hi ME,

The rh8.0 box can ssh and ping to both other boxes.

> Things to do:
> 1) Check to see if the link light is on for the interface.

The light is on and green.

> 2) If it is on, are there multiple NIC interfaces? if so, make sure you
> are using the same physical NIC you configured. (Some systems come with
> integrated NICs and allow for extra NIC too.

Only one NIC.

> When you type:
> # ifconfig
> does it list your "ethN" interface where "N" is a number greater than or
> equal to zero?

It lists eth0 and lo.

> How about:
> # route -N
> Does it list anything other than loopback (127.0.0.1) ?

Yes, there are 3 rows:
192.168.0.0
127.0.0.0
0.0.0.0

> If you can ssh from this RH 8 box to others, then look into firewall rules
> and limits from filters.

I can ssh to other boxes from my rh8.0 box.

Could you give me a starting point for this, please. I'm totally ignorant on
firewalls and filters.

> -ME
>
> Jim Angstadt said:
> > I've added a Red Hat 8.0 box to my home network. It does not accept ssh
> > or ping from the other boxes - rh7.2 and win98 - on my home network. I
> > want my linux boxes to serve ssh to the other boxes on my network.
> >
> > On the rh8.0 box, when I run:
> >   netstat -at | grep ssh
> > it shows LISTEN.
> >
> > Immediately after failed ssh attempts, I did not find any error messages
> > in /var/log/messages.
> >
> > Below is a summary of my attempts to connect between various boxes. What
> > should I do?
> >
> > Thanks,
> > Jim
> >
> > # ping between boxes on home network
> >
> > ping from win98 to rh7.2: yes
> > ping from win98 to rh8.0: Request timed out.
> > ping from win98 to win98: yes
> > ping from win98 to lugod: yes
> >
> > ping from rh7.2 to rh8.0: Destination Host Unreachable
> > ping from rh7.2 to win98: yes
> > ping from rh7.2 to rh7.2: yes
> > ping from rh7.2 to lugod: yes
> >
> > ping from rh8.0 to rh7.2: yes
> > ping from rh8.0 to win98: yes
> > ping from rh8.0 to rh8.0: Destination Host Unreachable
> > ping from rh8.0 to lugod: yes
> >
> > conclusion: rh8.0 box does not serve ping.
> >
> > # ssh between boxes on home network
> >
> > ssh from win98 to rh7.2: yes, using WinSCP2
> > ssh from win98 to rh8.0: no, using WinSCP2
> > ssh from win98 to other: yes, using WinSCP2. (other = friend's server)
> >
> > ssh from rh7.2 to rh8.0: Secure connection to 192.168.0.11 refused.
> > ssh from rh7.2 to win98: n/a
> > ssh from rh7.2 to other: yes
> >
> > ssh from rh8.0 to rh7.2: yes
> > ssh from rh8.0 to win98: n/a
> > ssh from rh8.0 to other: yes
> >
> > conclusion: rh8.0 does not serve ssh
> >
> > # end
Re: [vox-tech] SSH On Home Network
On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> Immediately after failed ssh attempts, I did not find
> any error messages in /var/log/messages.
>
> Below is a summary of my attempts to connect between
> various boxes. What should I do?

There are a number of possible problems... most likely you have some sort
of firewall configuration running on the redhat box, or maybe sshd is
configured to only accept connections with a specific version of the ssh
protocol.

Run and send results:

  iptables -nvL
  ifconfig
  grep ^Protocol /etc/ssh/sshd*

Also, for additional information, try a "ssh -v" to connect from your rh7.2
box and include an ifconfig.

TTFN,
  Mike
Re: [vox-tech] SSH On Home Network
With only the data you have provided, it looks more like the interface is
down, or an interface is improperly configured.

Nothing can ping it.
Nothing can ssh to it.

If it cannot ping others, and/or cannot ssh to others, this further adds
to this as being more likely. (Pinging yourself is not a sufficient test
for use of the correct interface, but it can be useful in testing firewall
rules. I mean here, to ping other boxes from the RH8 one.

Things to do:
1) Check to see if the link light is on for the interface.
2) If it is on, are there multiple NIC interfaces? if so, make sure you
are using the same physical NIC you configured. (Some systems come with
integrated NICs and allow for extra NIC too.

When you type:
# ifconfig
does it list your "ethN" interface where "N" is a number greater than or
equal to zero?

How about:
# route -N
Does it list anything other than loopback (127.0.0.1) ?

If you can ssh from this RH 8 box to others, then look into firewall rules
and limits from filters.

-ME

Jim Angstadt said:
> I've added a Red Hat 8.0 box to my home network. It
> does not accept ssh or ping from the other boxes -
> rh7.2 and win98 - on my home network. I want my linux
> boxes to serve ssh to the other boxes on my network.
>
> On the rh8.0 box, when I run:
>   netstat -at | grep ssh
> it shows LISTEN.
>
> Immediately after failed ssh attempts, I did not find
> any error messages in /var/log/messages.
>
> Below is a summary of my attempts to connect between
> various boxes. What should I do?
>
> Thanks,
> Jim
>
> # ping between boxes on home network
>
> ping from win98 to rh7.2: yes
> ping from win98 to rh8.0: Request timed out.
> ping from win98 to win98: yes
> ping from win98 to lugod: yes
>
> ping from rh7.2 to rh8.0: Destination Host Unreachable
> ping from rh7.2 to win98: yes
> ping from rh7.2 to rh7.2: yes
> ping from rh7.2 to lugod: yes
>
> ping from rh8.0 to rh7.2: yes
> ping from rh8.0 to win98: yes
> ping from rh8.0 to rh8.0: Destination Host Unreachable
> ping from rh8.0 to lugod: yes
>
> conclusion: rh8.0 box does not serve ping.
>
>
> # ssh between boxes on home network
>
> ssh from win98 to rh7.2: yes, using WinSCP2
> ssh from win98 to rh8.0: no, using WinSCP2
> ssh from win98 to other: yes, using WinSCP2. (other = friends server)
>
> ssh from rh7.2 to rh8.0: Secure connection to 192.168.0.11 refused.
> ssh from rh7.2 to win98: n/a
> ssh from rh7.2 to other: yes
>
> ssh from rh8.0 to rh7.2: yes
> ssh from rh8.0 to win98: n/a
> ssh from rh8.0 to other: yes
>
> conclusion: rh8.0 does not serve ssh
>
> # end
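The two replies above (Mike's "run and send results" list and ME's checklist) converge on the same triage: sshd shows LISTEN, the box can reach others, so look at the host firewall and at which SSH protocol versions sshd will speak. The script below is an added example written for this thread, not code posted by any of its participants. It parses the output of the commands the replies ask for, so the `iptables -nvL` listing and the `sshd_config` fragment embedded in it are constructed samples (the listing is loosely modelled on a lokkit-style ruleset, which is an assumption, not a capture from the rh8.0 box); on a real host you would pipe the live command output into the same functions.

```sh
#!/bin/sh
# Added example: offline triage of "sshd is LISTENing but nobody can ssh
# or ping the box".  Replace the SAMPLE_* text with the live output of
#   iptables -nvL      and      cat /etc/ssh/sshd_config
# on the host being debugged.

# Constructed `iptables -nvL` listing (assumption: lokkit-style chain).
# Loopback and DNS replies are accepted; new TCP to ports 0-1023 and all
# ICMP are rejected, which yields "connection refused" for ssh and no
# echo replies for ping.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   80  6000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   30  2400 ACCEPT     udp  --  *      *       192.168.0.1          0.0.0.0/0            udp spt:53
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    4   336 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
'

# Constructed /etc/ssh/sshd_config fragment (assumption): the server is
# pinned to protocol 1, so a protocol-2-only client cannot negotiate.
SAMPLE_SSHD_CONF='Port 22
Protocol 1
ListenAddress 0.0.0.0
'

# tcp_rules_hitting PORT  (listing on stdin)
# Prints every REJECT/DROP tcp rule whose "dpt:N" or "dpt:LO:HI" covers
# PORT.  Exit status 0 if at least one rule matched, 1 otherwise.
tcp_rules_hitting() {
    port="$1"
    awk -v p="$port" '
        $3 ~ /^(REJECT|DROP)$/ && $4 == "tcp" {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) {
                    split(substr($i, 5), r, ":")
                    lo = r[1]; hi = (2 in r) ? r[2] : r[1]
                    if (lo + 0 <= p + 0 && p + 0 <= hi + 0) { print; found = 1 }
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# icmp_rules_hitting  (listing on stdin)
# Prints REJECT/DROP rules for protocol icmp; exit 0 if any were found.
icmp_rules_hitting() {
    awk '$3 ~ /^(REJECT|DROP)$/ && $4 == "icmp" { print; found = 1 }
         END { exit found ? 0 : 1 }'
}

# sshd_protocols  (sshd_config on stdin)
# Prints the effective Protocol value; "2,1" (the OpenSSH default of that
# era) when the directive is absent.
sshd_protocols() {
    awk 'tolower($1) == "protocol" { v = $2 } END { print (v == "" ? "2,1" : v) }'
}

# triage: run the three checks against the samples, print the findings,
# and end with a "<n> finding(s)" summary line.  Always exits 0.
triage() {
    n=0
    if hits=$(printf '%s' "$SAMPLE_IPTABLES" | tcp_rules_hitting 22); then
        echo "FIREWALL: inbound tcp/22 is filtered by:"; echo "$hits"; n=$((n+1))
    fi
    if hits=$(printf '%s' "$SAMPLE_IPTABLES" | icmp_rules_hitting); then
        echo "FIREWALL: inbound ICMP is filtered by:"; echo "$hits"; n=$((n+1))
    fi
    protos=$(printf '%s' "$SAMPLE_SSHD_CONF" | sshd_protocols)
    case "$protos" in
        *2*) ;;
        *)   echo "SSHD: Protocol is '$protos'; a protocol-2-only client cannot connect"; n=$((n+1)) ;;
    esac
    echo "$n finding(s)"
    return 0
}

triage
```

The port-range check matters because lokkit-style rules block a whole range (`dpt:0:1023`) rather than naming port 22, so a plain `grep 22` over the listing misses them. A rule that only REJECTs with `icmp-port-unreachable` explains a client-side "refused" even though `netstat` shows sshd LISTENing, which is exactly the contradiction the original post describes.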