Re: [vox-tech] SSH On Home Network

2003-03-11 Thread Jim Angstadt
--- Jeff Newmiller <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> 
> > 
> > --- Mike Simons <[EMAIL PROTECTED]> wrote:
> > > Jim,
> > > 
> > >   Thanks for the output.
> > > 
> > > Two observations:
> > > 
> > > - You are using the wrong IP address when ssh'ing from the rh7.2 box to
> > >   the rh8.0 box.  rh8.0 is configured for IP address 192.168.0.3, and
> > >   you ran ssh to 192.168.0.11.  Try again with .3  ...
> > 
> > Good grief.  You are right.  I can ssh into .3
> > 
> > This is very confusing.  The rh8.0 box was set up with a static (I thought)
> > address of .11 and I verified that it had .11 at the time with ifconfig.
> > 
> > Just looking at my router, I see 2 dynamic addresses and 2 static addresses.
> > The last time I looked it was 1 and 2.  Also, the win98 box was .3 and now
> > it is .2
> > 
> > The rh7.2 box has kept its .10 address since the beginning.
> > 
> > I guess that means I messed up the router config somehow.  Now, at least,
> > I'll be working on the right problem.
> > 
> > If anyone has a few tips for working with a Netgear FR314 router, or a few
> > good links, I would appreciate the pointers.
> 
> Static IP addresses are configured in the device... check your rh8.0
> configuration files and make sure it is not requesting a DHCP address from
> the router.

Hi Jeff,

Monday night I changed the router config by deleting
the .3 address and by adding a static address
(192.168.0.11) and the mac address of the rh8.0 box.

This morning the rh8.0 box had the .11 address,
according to ifconfig.  I could also ssh into .11 from
rh7.2 and my win98 box.

Do you think I need to make additional changes in the
rh8.0 box?  Is this a stable situation, or will
addresses change again when I least expect it?

I would really like to have an address scheme that is
stable.

> Also make sure that if you want to access the machine using names, you can
> set up your internal names in "hosts" files on your various other
> machines.  This means that if you _change_ a static IP address in the
> device, you will have to alter all of those files on other machines as
> well so they will know about the change.


I'm glad you mentioned this.  It is something I want
to do after the addresses are stable.

Thanks for the help,
Jim

___
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech


Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jeff Newmiller
On Mon, 10 Mar 2003, Jim Angstadt wrote:

> 
> --- Mike Simons <[EMAIL PROTECTED]> wrote:
> > Jim,
> > 
> >   Thanks for the output.
> > 
> > Two observations:
> > 
> > - You are using the wrong IP address when ssh'ing
> > from the rh7.2 box to
> >   the rh8.0 box.  rh8.0 is configured for IP address
> > 192.168.0.3, and
> >   you ran ssh to 192.168.0.11.  Try again with .3 
> > ...
> 
> Good grief.  You are right.  I can ssh into .3
> 
> This is very confusing.  The rh8.0 box was set up with
> a static (I thought) address of .11 and I verified
> that it had .11 at the time with ifconfig.
> 
> Just looking at my router, I see 2 dynamic addresses
> and 2 static addresses.  The last time I looked it was
> 1 and 2.  Also, the win98 box was .3 and now it is .2
> 
> The rh7.2 box has kept its .10 address since the
> beginning.
> 
> I guess that means I messed up the router config
> somehow.  Now, at least, I'll be working on the right
> problem.
> 
> If anyone has a few tips for working with a Netgear
> FR314 router, or a few good links, I would appreciate
> the pointers.

Static IP addresses are configured in the device... check your rh8.0
configuration files and make sure it is not requesting a DHCP address from
the router.

Also make sure that if you want to access the machine using names, you can
set up your internal names in "hosts" files on your various other
machines.  This means that if you _change_ a static IP address in the
device, you will have to alter all of those files on other machines as
well so they will know about the change.

---
Jeff Newmiller
DCN:<[EMAIL PROTECTED]>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---




Re: [vox-tech] SSH On Home Network

2003-03-10 Thread ME
Mike Simons said:
> On Mon, Mar 10, 2003 at 04:16:01PM -0800, Jim Angstadt wrote:
>> > Could you try this:
>> > # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 \
>> >  --destination-port 22 -j ACCEPT
>>
>> I get "Illegal option '-s' with this command".
>
> He meant a -A instead of -D, but I think you have confirmed that the
> firewall rules are really the problem you shouldn't waste time messing
> with them.

Sorry about that. I meant "-I" instead of -A or -D.
-I inserts the rule at point "1" to be the first rule checked. This should
ensure that an ACCEPT is triggered for ssh to short-circuit the other
checks in-line.

-ME



-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant



Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt

--- Mike Simons <[EMAIL PROTECTED]> wrote:
> Jim,
> 
>   Thanks for the output.
> 
> Two observations:
> 
> - You are using the wrong IP address when ssh'ing from the rh7.2 box to
>   the rh8.0 box.  rh8.0 is configured for IP address 192.168.0.3, and
>   you ran ssh to 192.168.0.11.  Try again with .3  ...

Good grief.  You are right.  I can ssh into .3

This is very confusing.  The rh8.0 box was set up with
a static (I thought) address of .11 and I verified
that it had .11 at the time with ifconfig.

Just looking at my router, I see 2 dynamic addresses
and 2 static addresses.  The last time I looked it was
1 and 2.  Also, the win98 box was .3 and now it is .2

The rh7.2 box has kept its .10 address since the
beginning.

I guess that means I messed up the router config
somehow.  Now, at least, I'll be working on the right
problem.

If anyone has a few tips for working with a Netgear
FR314 router, or a few good links, I would appreciate
the pointers.

Meanwhile I'll be looking at the Netgear site and
doing a google search.

Much thanks to all who helped me get this far.

Jim

> 
> - You are running a firewall on the rh8.0 box... if things don't work
>   with the correct IP address I would try running the following command
>   which will wipe out the firewall rules.  Test ssh to verify that
>   you can connect between machines if it works you know the redhat
>   firewall configuration is messing you up.  If not we need to check
>   other things first.
> ===
> iptables -F
> ===

I'll hold off with flushing for now.
[btw, sorry Nino for not seeing the -F option.]

> 
>   So let me know how this goes...
> 
> TTFN,
>   Mike
> 
> > > On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> > Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 11039 9473K RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> > 
> > Chain RH-Lokkit-0-50-INPUT (1 references)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x16/0x02
> 
> >     6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
> 
> > > ifconfig
> > 
> > eth0      Link encap:Ethernet  HWaddr 00:09:5B:1A:31:9A
> >           inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500
> 
> > > 
> > > 
> > >   Also for additional information try a "ssh -v" to connect from your
> > > rh7.2 box and include a ifconfig.
> > 
> > Script started on Mon Mar 10 15:20:06 2003
> > 
> > ssh -v [EMAIL PROTECTED]
> > OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> > debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> > debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
> > debug1: connect: No route to host




Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Nino Brown
On Mon, 10 Mar 2003, Jim Angstadt wrote:
> Hi Nino,
> 
> During install I selected medium security and
> specified several servers that I wanted to run,
> including ssh.

Yeah after I sent the last email, I noticed that your iptables *seems* to
be allowing ssh in, but I'd still disable it just in case.


> > I'm not sure if 8.0's firewall runs ipchains or iptables.  You can check
> > by typing "lsmod | grep ipchains".  If you see a line there, then you can
> > disable the firewall by typing "ipchains -F".  If it is running iptables,
> > typing "ipchains -F" should disable it.  Let us know what happens.

I meant try typing "iptables -F" if running iptables, but you got the 
idea.


And yeah, it's safe to type it even though you mysteriously have no man
pages on it.  It just flushes out any rules you have defined in your 
firewall.




Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Mike Simons
On Mon, Mar 10, 2003 at 04:16:01PM -0800, Jim Angstadt wrote:
> > Could you try this:
> > # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 \
> >  --destination-port 22 -j ACCEPT
> 
> I get "Illegal option '-s' with this command".

He meant a -A instead of -D, but I think you have confirmed that the
firewall rules are really the problem you shouldn't waste time messing
with them.


Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Mike Simons
On Mon, Mar 10, 2003 at 04:00:04PM -0800, ME wrote:
> Looking at the output from the iptables, I don't see a rule permitting
> packets with a syn flag set to port 22 for ssh.

Perhaps I've read it wrong... but

- The only TCP reject rule that has killed *any* packets got 6 packets.

- The machine is set to reply by icmp-port-unreachable and he is getting
  a no-route-to-host.

- There are no rules that appear to block ICMP traffic and he can't
  ping.

  So he has got to be testing the wrong IP... or have something
else preventing his tests from reaching the eth device.

TTFN,
  Mike

# Chain RH-Lokkit-0-50-INPUT (1 references)
#  pkts bytes target     prot opt in     out     source               destination
#     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x16/0x02
#
#     6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable

> (Background: this is taken from examination of the "flags" section, and
> having an understanding of a tcp packet and the flags
> http://mike.passwall.com/networking/tcppacket.html )

- Even then the tcp port 22 rule allows packets with flags:0x16/0x02,
  and the only tcp killing rule only drops packets with flags:0x16/0x02.
  So if ssh ever sent packets like that there would be indications in the
  accepted counters... which there are none.

- *IF* any packets fall off the end of this "RH-Lokkit-0-50-INPUT" chain,
  they will be accepted... because INPUT is set to ACCEPT by default.

ps:
  I personally don't like the style of those rules... if they want to
block everything that is not allowed the default rules should be REJECT
and there should be rules to only accept good traffic.

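Mike's reading of the Lokkit chain above (the port 22 ACCEPT sits ahead of the 0:1023 REJECT, both use the same flag match, and anything matching nothing falls back to INPUT's ACCEPT policy) and ME's earlier point that a rule added with `-I INPUT 1` short-circuits the other checks can both be exercised with a small chain simulator. This is an added example, not code from the thread; the test packets are constructed, and the `flags:0x16/0x02` match is simplified to "bare SYN".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False      # True for a bare SYN, the flags:0x16/0x02 case in the listing
    iface: str = "eth0"

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

@dataclass
class Rule:
    target: str            # "ACCEPT", "REJECT" or the name of a user chain to jump to
    proto: str = "all"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    syn_only: bool = False # models flags:0x16/0x02 (SYN set, ACK and RST clear)
    pkts: int = 0          # hit counter, like the pkts column of iptables -nvL

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and self.iface in ("*", p.iface)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (not self.syn_only or (p.proto == "tcp" and p.syn)))

class Firewall:
    def __init__(self, input_policy: str = "ACCEPT"):
        self.chains: Dict[str, List[Rule]] = {"INPUT": []}
        self.policy = input_policy

    def append(self, chain: str, rule: Rule) -> None:                # iptables -A
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 0) -> None:  # iptables -I chain 1
        self.chains.setdefault(chain, []).insert(pos, rule)

    def _walk(self, chain: str, p: Packet) -> Optional[str]:
        for r in self.chains[chain]:
            if not r.matches(p):
                continue
            r.pkts += 1
            if r.target in ("ACCEPT", "REJECT"):
                return r.target
            verdict = self._walk(r.target, p)   # jump into a user chain
            if verdict is not None:
                return verdict
            # the user chain fell off its end: implicit RETURN, carry on here
        return None

    def verdict(self, p: Packet) -> str:
        return self._walk("INPUT", p) or self.policy   # nothing matched: chain policy

LOKKIT = "RH-Lokkit-0-50-INPUT"

def lokkit_ruleset() -> Firewall:
    """The chains from the thread's iptables -nvL listing.  The DNS-reply rules
    (matched on source port) and the NFS/X11 rejects are left out: they never
    see an ssh packet, so they do not change any verdict below."""
    fw = Firewall("ACCEPT")
    fw.append("INPUT", Rule(LOKKIT))
    for port in (80, 21, 22):
        fw.append(LOKKIT, Rule("ACCEPT", "tcp", dports=(port, port), syn_only=True))
    fw.append(LOKKIT, Rule("ACCEPT", "udp", iface="eth0", dports=(67, 68)))
    fw.append(LOKKIT, Rule("ACCEPT", "all", iface="lo"))
    fw.append(LOKKIT, Rule("REJECT", "tcp", dports=(0, 1023), syn_only=True))
    fw.append(LOKKIT, Rule("REJECT", "udp", dports=(0, 1023)))
    return fw

def thread_claims() -> Dict[str, str]:
    """Verdicts for constructed packets from rh7.2 (.10) to rh8.0 (.3)."""
    fw, a, b = lokkit_ruleset(), "192.168.0.10", "192.168.0.3"
    return {
        "ssh SYN": fw.verdict(Packet("tcp", a, b, 22, syn=True)),        # port 22 ACCEPT
        "telnet SYN": fw.verdict(Packet("tcp", a, b, 23, syn=True)),     # 0:1023 REJECT
        "tcp without SYN": fw.verdict(Packet("tcp", a, b, 515)),         # falls to policy
        "ping": fw.verdict(Packet("icmp", a, b)),                        # no ICMP rule at all
    }

def insert_vs_append() -> Tuple[int, int]:
    """Hit count of ME's LAN ssh rule after one ssh SYN when it is added with
    -I INPUT 1 (ahead of the jump) versus -A INPUT (behind the jump)."""
    def lan_ssh() -> Rule:
        return Rule("ACCEPT", "tcp", src="192.168.0.0/24", dst="192.168.0.3", dports=(22, 22))
    syn = Packet("tcp", "192.168.0.10", "192.168.0.3", 22, syn=True)
    first, last = lokkit_ruleset(), lokkit_ruleset()
    first.insert("INPUT", lan_ssh(), 0)
    last.append("INPUT", lan_ssh())
    first.verdict(syn)
    last.verdict(syn)
    return first.chains["INPUT"][0].pkts, last.chains["INPUT"][-1].pkts
```

The simulator confirms the reasoning: an ssh SYN is already accepted by the Lokkit chain, a non-SYN TCP packet to a low port matches nothing and is accepted by the INPUT policy, and a rule appended to INPUT is never reached for ssh because the jump into the Lokkit chain accepts first.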


Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt

--- ME <[EMAIL PROTECTED]> wrote:
> Jim Angstadt said:
> > --- ME <[EMAIL PROTECTED]> wrote:
> >> Jim Angstadt said:


> Could you try this:
> # iptables -t filter -D INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3 \
>  --destination-port 22 -j ACCEPT

I get "Illegal option '-s' with this command".

Jim



Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Mike Simons
Jim,

  Thanks for the output.

Two observations:

- You are using the wrong IP address when ssh'ing from the rh7.2 box to
  the rh8.0 box.  rh8.0 is configured for IP address 192.168.0.3, and
  you ran ssh to 192.168.0.11.  Try again with .3  ...

- You are running a firewall on the rh8.0 box... if things don't work
  with the correct IP address I would try running the following command
  which will wipe out the firewall rules.  Test ssh to verify that
  you can connect between machines if it works you know the redhat
  firewall configuration is messing you up.  If not we need to check
  other things first.
===
iptables -F
===

  So let me know how this goes...

TTFN,
  Mike

> > On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 11039 9473K RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 
> Chain RH-Lokkit-0-50-INPUT (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x16/0x02

>     6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable

> > ifconfig
> 
> eth0      Link encap:Ethernet  HWaddr 00:09:5B:1A:31:9A
>           inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500
> > 
> > 
> >   Also for additional information try a "ssh -v" to connect from your
> > rh7.2 box and include a ifconfig.
> 
> Script started on Mon Mar 10 15:20:06 2003
> 
> ssh -v [EMAIL PROTECTED]
> OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: ssh_connect: getuid 500 geteuid 0 anon 1
> debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
> debug1: connect: No route to host


Re: [vox-tech] SSH On Home Network

2003-03-10 Thread ME
Jim Angstadt said:
> --- Nino Brown <[EMAIL PROTECTED]> wrote:
>> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> My 3 boxes are behind a Netgear FR314 router which has
> a firewall.  I have no idea just how good that
> firewall is.

Having extra rules does offer more security as you have two filters in
place instead of one. However, extra complexity is also created, and
problems can arise as a result. I prefer the control that Linux
iptables/ipchains offers, and would include them as well, just as you
have.


>> I'm not sure if 8.0's firewall runs ipchains or
>> iptables.  You can check
>> by typing "lsmod | grep ipchains".  If you see a
>> line there, then you can
>> disable the firewall by typing "ipchains -F".  If it
>> is running iptables,
>> typing "ipchains -F" should disable it.  Let us know
>> what happensi.
> 
>
> Here are 3 lines from lsmod output:
>
> ipt_REJECT  3736   6  (autoclean)
> iptable_filter  2412   1  (autoclean)
> ip_tables  14936   2  [ipt_REJECT
> iptable_filter]

What was being proposed, with the "-F" was to flush all of the firewall
rules from the box. If this is the intent, since you are running iptables,
you can "get there" with:
# iptables -F
Since your default rules for FORWARD, INPUT and OUTPUT are "ACCEPT", this
would likely permit other boxes to ssh to this box. However, this is also
not a permanent fix, but can be useful for testing to verify that the
problem you face is a filtering one.

I would only try this step if the prior step of inserting the rule should
fail.

Also, if you are going to go this far to "zap" all of your firewall rules
permanently, then we can cover not starting the firewall rules at boot
time. (Going to class, be back in 3 hours.)

-ME



-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant



Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt

--- Nino Brown <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
 
> I'm not sure if 8.0's firewall runs ipchains or iptables.  You can check
> by typing "lsmod | grep ipchains".  If you see a line there, then you can
> disable the firewall by typing "ipchains -F".  If it is running iptables,
> typing "ipchains -F" should disable it.  Let us know what happens.

Oops, I should have added that 'man iptables' does not
show a -F option, and there is no ipchains man on my
system.  Should I still try it anyway?

Jim






Re: [vox-tech] SSH On Home Network

2003-03-10 Thread ME
Jim Angstadt said:
> --- ME <[EMAIL PROTECTED]> wrote:
>> Jim Angstadt said:
>> [likely need works with filters]
>> > Could you give me a starting point for this,
>> please.
>>
>> Mike Simmons has asked for the output from two
>> commands in a response to
>> this. This should help you along this path.
>>
>> In addition to his request, could you also pass the
>> contents of the files:
>> /etc/hosts.allow
>
> sshd:  ALL
> [I added this earlier, following directions in a Linux
> Journal tech support article.  No apparent effect.]

This can be an issue if tcpwrappers support was included in your RH8 box.
It still looks like iptable is to blame.

Looking at the output from the iptables, I don't see a rule permitting
packets with a syn flag set to port 22 for ssh.

(Background: this is taken from examination of the "flags" section, and
having an understanding of a tcp packet and the flags
http://mike.passwall.com/networking/tcppacket.html )

Pulling from other mail:

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x16/0x02


Could you try this:
# iptables -t filter -D  INPUT 1 -p tcp -s 192.168.0.0/24 -d 192.168.0.3\
 --destination-port 22 -j ACCEPT

(If the line should wrap, the "\" at the end of the first should permit you
to paste it into a shell and then just press return.)

Then try to ssh to the box from one of the others. (This is just a test,
not a permanent fix. It inserts a rule at the top of the list to allow all
IP from your private net 192.168.0.[0-255] to connect with tcp to that
machine's port 22.)

If you can ssh to the box, then we can proceed from here and try to make
the "fix" a permanent one.

If you cannot, then it would be a good idea to remove that rule we just
inserted:
# iptables -t filter -D INPUT 1

When you ssh from the other box to this one, please give it some time to
connect. Often ssh is configured to perform rDNS for each incoming
connection. When this is the case, and your ssh server is behind a private
network, it may take some time for the rDNS to fail before the ssh is
permitted to pass through.


>> /etc/hosts.deny
>
> empty.

OK.

-ME




-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant



Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt

--- Nino Brown <[EMAIL PROTECTED]> wrote:
> On Mon, 10 Mar 2003, Jim Angstadt wrote:
> > Could you give me a starting point for this,
> please. 
> > I'm totally ignorant on firewalls and filters.
> 
> When you installed 8.0, did you include firewalling?

Hi Nino,

During install I selected medium security and
specified several servers that I wanted to run,
including ssh.

>  The redhat-installed
> firewall blocks out just about everything that is not selected as trusted.
> If the machine is already behind a firewall on a trusted lan, or if it is
> not connected to the internet, I would disable the firewall.

My 3 boxes are behind a Netgear FR314 router which has
a firewall.  I have no idea just how good that
firewall is.

> 
> I'm not sure if 8.0's firewall runs ipchains or iptables.  You can check
> by typing "lsmod | grep ipchains".  If you see a line there, then you can
> disable the firewall by typing "ipchains -F".  If it is running iptables,
> typing "ipchains -F" should disable it.  Let us know what happens.


Here are 3 lines from lsmod output:

ipt_REJECT      3736   6  (autoclean)
iptable_filter  2412   1  (autoclean)
ip_tables      14936   2  [ipt_REJECT iptable_filter]





Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Nino Brown
On Mon, 10 Mar 2003, Jim Angstadt wrote:
> Could you give me a starting point for this, please. 
> I'm totally ignorant on firewalls and filters.

When you installed 8.0, did you include firewalling?  The redhat-installed
firewall blocks out just about everything that is not selected as trusted.  
If the machine is already behind a firewall on a trusted lan, or if it is
not connected to the internet, I would disable the firewall.

I'm not sure if 8.0's firewall runs ipchains or iptables.  You can check 
by typing "lsmod | grep ipchains".  If you see a line there, then you can 
disable the firewall by typing "ipchains -F".  If it is running iptables, 
typing "ipchains -F" should disable it.  Let us know what happens.







Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt

--- ME <[EMAIL PROTECTED]> wrote:
> Jim Angstadt said:
> [likely need works with filters]
> > Could you give me a starting point for this, please.
> 
> Mike Simmons has asked for the output from two commands in a response to
> this. This should help you along this path.
> 
> In addition to his request, could you also pass the
> contents of the files:
> /etc/hosts.allow

sshd:  ALL
[I added this earlier, following directions in a Linux
Journal tech support article.  No apparent effect.]

> /etc/hosts.deny

empty.

> If they do not exist, or do not contain references to the number "22" or
> the word "ssh" then you do not need to include them here.
> 
> There are several ways to implement filters with ssh. The most likely
> cause for the problems you face is one of iptables being configured with a
> very aggressive rule to stop incoming ssh traffic. (Conclusions on this
> will be addressed when you provide the output of the iptables command he
> asked for.)
> 
> ssh also has a "built-in" for filtering. It is possible to build ssh with
> support for "tcp wrappers" which is why I wanted to also see the contents
> of /etc/hosts.allow and /etc/hosts.deny too.
> 
> (I'm almost certain, that iptables is where the problem resides.)
> 
> Thanks,
> -ME
> 
> 
> 




Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt
Hi Mike,

Here is the output you requested.  Thanks for the
directions.

Jim

--- Mike Simons <[EMAIL PROTECTED]> wrote:
> On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> > Immediately after failed ssh attempts, I did not find
> > any error messages in /var/log/messages.
> > 
> > Below is a summary of my attempts to connect between
> > various boxes.  What should I do?
> 
>   There are a number of possible problems... most likely you have some
> sort of firewall configuration running on the redhat box or maybe
> sshd is configured to only accept connections with specific version of
> ssh protocol.
> 
>   run and send results.
> 
> iptables -nvL

Chain INPUT (policy ACCEPT 8045 packets, 9116K bytes)
 pkts bytes target     prot opt in     out     source               destination
11039 9473K RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7697 packets, 1015K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   597 ACCEPT     udp  --  *      *       204.127.202.4        0.0.0.0/0           udp spt:53 dpts:1025:65535
  138 30741 ACCEPT     udp  --  *      *       216.148.227.68       0.0.0.0/0           udp spt:53 dpts:1025:65535
   16   960 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 flags:0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 flags:0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 flags:0x16/0x02
    5  1904 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spts:67:68 dpts:67:68
 1367  121K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2049 flags:0x16/0x02 reject-with icmp-port-unreachable
 1459  202K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:0:1023 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2049 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6000:6009 flags:0x16/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:7100 flags:0x16/0x02 reject-with icmp-port-unreachable


> ifconfig

eth0      Link encap:Ethernet  HWaddr 00:09:5B:1A:31:9A
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9921 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:9503575 (9.0 Mb)  TX bytes:983743 (960.6 Kb)
          Interrupt:11 Base address:0xf000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:123305 (120.4 Kb)  TX bytes:123305 (120.4 Kb)


> grep ^Protocol /etc/ssh/sshd*

There is no output from this command.
/etc/ssh/sshd_config has only 3 uncommented lines:
   SyslogFacility AUTHPRIV
   X11Forwarding yes
   Subsystem sftp /usr/libexec/openssh/sftp-server
There are no other matches for sshd*
 
> 
> 
>   Also for additional information try a "ssh -v" to connect from your
> rh7.2 box and include a ifconfig.

Script started on Mon Mar 10 15:20:06 2003

ssh -v [EMAIL PROTECTED]
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to 192.168.0.11 [192.168.0.11] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: connect: No route to host
debug1: restore_uid
debug1: Trying again...
d

Re: [vox-tech] SSH On Home Network

2003-03-10 Thread ME
Jim Angstadt said:
[likely need works with filters]
> Could you give me a starting point for this, please.

Mike Simmons has asked for the output from two commands in a response to
this. This should help you along this path.

In addition to his request, could you also pass the contents of the files:
/etc/hosts.allow
/etc/hosts.deny
If they do not exist, or do not contain references to the number "22" or
the word "ssh" then you do not need to include them here.

There are several ways to implement filters with ssh. The most likely
cause for the problems you face is one of iptables being configured with a
very aggressive rule to stop incoming ssh traffic. (Conclusions on this
will be addressed when you provide the output of the iptables command he
asked for.)

ssh also has a "built-in" for filtering. It is possible to build ssh with
support for "tcp wrappers" which is why I wanted to also see the contents
of /etc/hosts.allow and /etc/hosts.deny too.

(I'm almost certain, that iptables is where the problem resides.)

Thanks,
-ME



-- 




Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Jim Angstadt
--- ME <[EMAIL PROTECTED]> wrote:
> With only the data you have provided, it looks more like the interface is
> down, or an interface is improperly configured.
> 
> Nothing can ping it.
> Nothing can ssh to it.
> 
> If it cannot ping others, and/or cannot ssh to others, this further adds
> to this as being more likely. (Pinging yourself is not a sufficient test
> for use of the correct interface, but it can be useful in testing firewall
> rules. I mean here, to ping other boxes from the RH8 one.)
> 

Hi ME,

The rh8.0 box can ssh and ping to both other boxes.

> Things to do:
> 1) Check to see if the link light is on for the interface.

The light is on and green.

> 2) If it is on, are there multiple NIC interfaces?
> if so, make sure you
> are using the same physical NIC you configured.
> (Some systems come with
> integrated NICs and allow for an extra NIC too.)
> 

Only one NIC.

> When you type:
> # ifconfig
> does it list your "ethN" interface where "N" is a
> number greater than or
> equal to zero?

It lists eth0 and lo.

> How about:
> # route -N
> Does it list anything other than loopback
> (127.0.0.1) ?

Yes, there are 3 rows:
192.168.0.0
127.0.0.0
0.0.0.0 

> If you can ssh from this RH 8 box to others, then
> look into firewall rules
> and limits from filters.

I can ssh to other boxes from my rh8.0 box.

Could you give me a starting point for this, please. 
I'm totally ignorant on firewalls and filters.

> 
> -ME
> 
> 
> Jim Angstadt said:
> > I've added a Red Hat 8.0 box to my home network.  It
> > does not accept ssh or ping from the other boxes -
> > rh7.2 and win98 - on my home network.  I want my linux
> > boxes to serve ssh to the other boxes on my network.
> >
> > On the rh8.0 box, when I run:
> >    netstat -at | grep ssh
> > it shows LISTEN.
> >
> > Immediately after failed ssh attempts, I did not find
> > any error messages in /var/log/messages.
> >
> > Below is a summary of my attempts to connect between
> > various boxes.  What should I do?
> >
> > Thanks,
> > Jim
> >
> > # ping between boxes on home network
> >
> > ping from win98 to rh7.2:   yes
> > ping from win98 to rh8.0:   Request timed out.
> > ping from win98 to win98:   yes
> > ping from win98 to lugod:   yes
> >
> > ping from rh7.2 to rh8.0:   Destination Host Unreachable
> > ping from rh7.2 to win98:   yes
> > ping from rh7.2 to rh7.2:   yes
> > ping from rh7.2 to lugod:   yes
> >
> > ping from rh8.0 to rh7.2:   yes
> > ping from rh8.0 to win98:   yes
> > ping from rh8.0 to rh8.0:   Destination Host Unreachable
> > ping from rh8.0 to lugod:   yes
> >
> > conclusion:  rh8.0 box does not serve ping.
> >
> >
> > # ssh between boxes on home network
> >
> > ssh from win98 to rh7.2:    yes, using WinSCP2
> > ssh from win98 to rh8.0:    no, using WinSCP2
> > ssh from win98 to other:    yes, using WinSCP2. (other = friends server)
> >
> > ssh from rh7.2 to rh8.0:    Secure connection to 192.168.0.11 refused.
> > ssh from rh7.2 to win98:    n/a
> > ssh from rh7.2 to other:    yes
> >
> > ssh from rh8.0 to rh7.2:    yes
> > ssh from rh8.0 to win98:    n/a
> > ssh from rh8.0 to other:    yes
> >
> > conclusion:  rh8.0 does not serve ssh
> >
> > # end



Re: [vox-tech] SSH On Home Network

2003-03-10 Thread Mike Simons
On Mon, Mar 10, 2003 at 02:28:44PM -0800, Jim Angstadt wrote:
> Immediately after failed ssh attempts, I did not find
> any error messages in /var/log/messages.
> 
> Below is a summary of my attempts to connect between
> various boxes.  What should I do?

  There are a number of possible problems... most likely you have some
sort of firewall configuration running on the redhat box, or maybe
sshd is configured to only accept connections with a specific version of
the ssh protocol.

  run and send results.

iptables -nvL
ifconfig
grep ^Protocol /etc/ssh/sshd*


  Also for additional information try a "ssh -v" to connect from your
rh7.2 box and include an ifconfig.

TTFN,
  Mike
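The two filter checks the replies ask for (ME's point that either iptables or a tcp_wrappers-enabled sshd can silently refuse port 22, and Mike's request for `iptables -nvL` output) can be reproduced offline against pasted text. The Python below is an added example and not code from anyone in the thread: it walks `iptables -nvL` output the way the kernel walks the INPUT chain, including the jump into a distribution-style user chain, and then applies tcp_wrappers' hosts.allow-before-hosts.deny order. The ruleset, the chain name FW-INPUT, and the hosts.allow/hosts.deny contents are constructed samples, not the original poster's configuration; the client address 192.168.0.10 is the rh7.2 box from the thread.

```python
"""Added example for this thread, not the posters' code: walk `iptables -nvL` output
for the REJECT/DROP a new TCP SYN to port 22 would hit, and evaluate hosts.allow
and hosts.deny with tcp_wrappers' precedence. All inputs are constructed samples.
IPv4 only; host names, EXCEPT, RETURN and negated (!) matches are not handled.
"""
import ipaddress
import re


def rule_applies(rule, client_ip, iface, port):
    """rule = (target, proto, in_if, source, match); would a fresh SYN hit it?"""
    _target, proto, in_if, source, match = rule
    if in_if not in ("*", iface) or proto not in ("tcp", "all"):
        return False
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(source, strict=False):
        return False
    if "ESTABLISHED" in match and "NEW" not in match:
        return False  # a state match that a new connection cannot satisfy
    m = re.search(r"\bdpts?:(\d+)(?::(\d+))?", match)  # dpt:22 or dpts:0:1023
    return not m or int(m.group(1)) <= port <= int(m.group(2) or m.group(1))


def parse_iptables(text):
    """Parse `iptables -nvL` output into ({chain: [rule]}, {chain: policy})."""
    chains, policies, current = {}, {}, None
    for raw in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+) )?", raw)
        if m:
            current, policy = m.groups()  # policy is None for user-defined chains
            chains[current], policies[current] = [], policy
            continue
        cols = raw.split(None, 9)  # pkts bytes target prot opt in out src dst [match]
        if current and len(cols) >= 9 and cols[0] != "pkts":  # skip blanks, headers
            chains[current].append((cols[2], cols[3], cols[5], cols[7], cols[9] if len(cols) > 9 else ""))
    return chains, policies


def input_verdict(chains, policies, client_ip, iface="eth0", port=22, chain="INPUT"):
    """Follow the INPUT path, jumps included; return (verdict, chain, match) or None."""
    for rule in chains.get(chain, []):
        if not rule_applies(rule, client_ip, iface, port):
            continue
        target = rule[0]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target, chain, rule[4]
        if target in chains:  # jump; falling off the end of that chain resumes here
            verdict = input_verdict(chains, policies, client_ip, iface, port, target)
            if verdict:
                return verdict
    return (policies[chain], chain, "chain policy") if policies.get(chain) else None


def _client_matches(pattern, ip):
    if pattern.endswith("."):  # leading-octet prefix such as "192.168.0."
        return ip.startswith(pattern)
    if "/" in pattern:  # 192.168.0.0/255.255.255.0 and 192.168.0.0/24 both parse
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in ("ALL", ip)


def _file_matches(text, daemon, ip):
    """True if some 'daemon_list : client_list' line covers (daemon, ip)."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue
        daemons, clients = (re.split(r"[,\s]+", f.strip()) for f in fields[:2])
        if ("ALL" in daemons or daemon in daemons) and any(
                _client_matches(c, ip) for c in clients if c):
            return True
    return False


def wrappers_decision(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: hosts.allow grants, else hosts.deny refuses, else grant."""
    if _file_matches(allow_text, daemon, ip):
        return "allow"
    return "deny" if _file_matches(deny_text, daemon, ip) else "allow"


# Constructed sample: the catch-all REJECT on low ports also swallows port 22.
IPTABLES_BLOCKING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  2460 FW-INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FW-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    6   360 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:0x16/0x02 reject-with icmp-port-unreachable
   23  1380 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""
# Corrected: one ACCEPT for ssh from the LAN only, inserted ahead of the REJECT.
IPTABLES_FIXED = IPTABLES_BLOCKING.replace("    6   360 REJECT", (
    "    2   120 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0           tcp dpt:22\n"
    "    6   360 REJECT"))
HOSTS_ALLOW = "sshd: 192.168.0.\n"  # constructed: LAN hosts may reach sshd
HOSTS_DENY = "ALL: ALL\n"           # constructed: everyone else is refused
```

Calling `input_verdict(*parse_iptables(IPTABLES_BLOCKING), "192.168.0.10")` names the REJECT in FW-INPUT as the rule that ends the walk; the same call on IPTABLES_FIXED returns the new ACCEPT, while a client outside 192.168.0.0/24 still hits the REJECT. Two symptoms from the thread fall out of the model: a REJECT with icmp-port-unreachable is what makes a client report "connection refused" while the daemon sits in LISTEN (a DROP would make the client hang until it timed out), and netfilter writes nothing to /var/log/messages unless a LOG rule precedes the REJECT, so an empty log does not clear the firewall. A tcp_wrappers refusal only matters when sshd was built with libwrap, and it is logged by sshd itself through syslog under the auth facility, which on many systems goes to a different file from /var/log/messages. The corrected ruleset admits port 22 from the LAN only rather than from everywhere, which is the least exposure that still serves the machines on the home network.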


Re: [vox-tech] SSH On Home Network

2003-03-10 Thread ME
With only the data you have provided, it looks more like the interface is
down, or an interface is improperly configured.

Nothing can ping it.
Nothing can ssh to it.

If it cannot ping others, and/or cannot ssh to others, this further adds
to this as being more likely. (Pinging yourself is not a sufficient test
for use of the correct interface, but it can be useful in testing firewall
rules. I mean here, to ping other boxes from the RH8 one.)

Things to do:
1) Check to see if the link light is on for the interface.
2) If it is on, are there multiple NIC interfaces? If so, make sure you
are using the same physical NIC you configured. (Some systems come with
integrated NICs and allow for an extra NIC too.)

When you type:
# ifconfig
does it list your "ethN" interface where "N" is a number greater than or
equal to zero?

How about:
# route -N
Does it list anything other than loopback (127.0.0.1) ?


If you can ssh from this RH 8 box to others, then look into firewall rules
and limits from filters.

-ME


Jim Angstadt said:
> I've added a Red Hat 8.0 box to my home network.  It
> does not accept ssh or ping from the other boxes -
> rh7.2 and win98 - on my home network.  I want my linux
> boxes to serve ssh to the other boxes on my network.
>
> On the rh8.0 box, when I run:
>netstat -at | grep ssh
> it shows LISTEN.
>
> Immediately after failed ssh attempts, I did not find
> any error messages in /var/log/messages.
>
> Below is a summary of my attempts to connect between
> various boxes.  What should I do?
>
> Thanks,
> Jim
>
> # ping between boxes on home network
>
> ping from win98 to rh7.2: yes
> ping from win98 to rh8.0: Request timed out.
> ping from win98 to win98: yes
> ping from win98 to lugod: yes
>
> ping from rh7.2 to rh8.0: Destination Host Unreachable
> ping from rh7.2 to win98: yes
> ping from rh7.2 to rh7.2: yes
> ping from rh7.2 to lugod: yes
>
> ping from rh8.0 to rh7.2: yes
> ping from rh8.0 to win98: yes
> ping from rh8.0 to rh8.0: Destination Host Unreachable
> ping from rh8.0 to lugod: yes
>
> conclusion:  rh8.0 box does not serve ping.
>
>
> # ssh between boxes on home network
>
> ssh from win98 to rh7.2:  yes, using WinSCP2
> ssh from win98 to rh8.0:  no, using WinSCP2
> ssh from win98 to other:  yes, using WinSCP2. (other =
> friends server)
>
> ssh from rh7.2 to rh8.0:  Secure connection to
> 192.168.0.11 refused.
> ssh from rh7.2 to win98:  n/a
> ssh from rh7.2 to other:  yes
>
> ssh from rh8.0 to rh7.2:  yes
> ssh from rh8.0 to win98:  n/a
> ssh from rh8.0 to other:  yes
>
> conclusion:  rh8.0 does not serve ssh
>
> # end
