
Unable to ssh remotely

Open jlamb85 opened this issue 7 years ago • 11 comments

I am unable to ssh remotely unless coming from same subnet. Please advise me of fix action or things to try

jlamb85 avatar Apr 17 '17 01:04 jlamb85

Is your gateway setting correct? That's the first thing that comes to mind when networking works only on the same subnet IPs.

What does /var/log/secure say after the failed connection?

Have you tried ssh -vv to see how the ssh connection responds?

Lee


lmeinecke avatar Apr 17 '17 01:04 lmeinecke

Check the TCP WRAPPERS (/etc/hosts.allow, /etc/hosts.deny), sshd_config (/etc/ssh/sshd_config), your Firewall (/root/iptables.sh), and networking (/etc/sysconfig/network_scripts/ifcfg-*) configuration files.

fcaviggia avatar Apr 17 '17 10:04 fcaviggia

Thanks. I will check all of these things Wednesday and get back to you guys.

jlamb85 avatar Apr 17 '17 22:04 jlamb85

I forgot to mention that this is RHEL6

/etc/hosts.allow
ALL: 127.0.0.1 [::1}
sshd: ALL

/etc/hosts.deny
ALL: ALL

/root/iptables.sh - not found

/etc/ssh/sshd_config
Port 22
ListenAddress 192.168.1.31
Protocol 2
SyslogFacility AUTHPRIV
LogLevel INFO
AllowGroups sshusers
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
MaxSessions 3
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
GatewayPorts no
X11Forwarding no
PrintLastLog yes
UsePrivilegeSeparation yes
PermitUserEnvironment no
ClientAliveInterval 900
ClientAliveCountMax 0
Banner /etc/issue
Subsystem sftp /usr/libexec/openssh/sftp-server
RhostsRSAAuthentication no
Compression delayed
KerberosAuthentication no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha2-512,hmac-sha2-256,hmac-sha1

/etc/sysconfig/network_scripts/ifcfg-em1
DEVICE=eth0
TYPE=Ethernet
UUID=.......e8e
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
NAME="System eth0"
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=yes
IPADDR=192.168.1.31
PREFIX=24
GATEWAY=192.168.1.1
DNS1=8.8.8.8
DNS2=4.4.4.4
HWADDR=...:A8

jlamb85 avatar Apr 19 '17 09:04 jlamb85

/etc/sysconfig/iptables is where the firewall ACL lives.

You can try "service iptables stop" to rule that out as the problem.

Lee


lmeinecke avatar Apr 19 '17 12:04 lmeinecke

Did that and still have issue

jlamb85 avatar Apr 19 '17 12:04 jlamb85

You have not posted the results from 'ssh -vv 192.168.1.31' from the other subnet, nor said whether there is anything useful/relevant in /var/log/secure. What is the other subnet? Are other servers in the same subnet reachable through the 192.168.1.1 router?

stephenwb avatar Apr 19 '17 13:04 stephenwb

Can't post the results. It is on a secure network. The entry in /var/log/secure says "Connection closed by 192.168.1.31". There are other machines reachable on that subnet from the subnet I am using to try to reach this machine.

jlamb85 avatar Apr 19 '17 14:04 jlamb85

Make sure the user account that is trying to connect is in the sshusers group. You might also verify that /etc/security/limits.conf maxlogins is set to 10. There were some earlier revisions that had set it to 3, which causes issues sometimes if you have too many connections. The STIG says 10 is the proper setting.

Lee



lmeinecke avatar Apr 19 '17 15:04 lmeinecke

I'm thinking the route from the ssh server you are attempting to connect to is not in place.

$ netstat -r
$ route

Either command will reveal the routing table on the ssh server. Can you ping the remote system from the ssh server?

other points of interest but not necessary yet:

/etc/ssh/sshd_config: remove the aes128-cbc, 3des-cbc, aes192-cbc and aes256-cbc ciphers

/etc/sysconfig/network_scripts/ifcfg-em1 NM_CONTROLLED=no

johncolley avatar Apr 20 '17 11:04 johncolley
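Two of the checks suggested in this thread (lmeinecke's reminder that the account must be in the AllowGroups group, and johncolley's advice to drop the CBC and 3DES ciphers) can be scripted against a copy of sshd_config. The following is an added example, not code from the hardening-script-el6 project; the config text it parses is a constructed sample containing the directives the reporter posted, and the "weak" cipher/MAC lists are my own assumptions based on the thread's advice.

```python
import re

# Constructed sample (not the reporter's literal file): only the directives
# relevant to the two points raised in the thread, one per line.
SAMPLE_SSHD_CONFIG = """\
ListenAddress 192.168.1.31
AllowGroups sshusers
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha2-512,hmac-sha2-256,hmac-sha1
"""

# CBC-mode ciphers and 3DES are what the thread suggests removing; SHA-1 and
# MD5 MACs are flagged on the same legacy-algorithm reasoning (my assumption).
WEAK_CIPHER_RE = re.compile(r"(-cbc$|^3des-)")
WEAK_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword_lower: [value, ...]}; repeated keywords accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_sshd_config(text):
    """Return weak ciphers/MACs found, the hardened lists, and the AllowGroups
    list a user must belong to (an empty list means no group restriction)."""
    conf = parse_sshd_config(text)
    ciphers = [c for c in conf.get("ciphers", [""])[0].split(",") if c]
    macs = [m for m in conf.get("macs", [""])[0].split(",") if m]
    groups = []
    for val in conf.get("allowgroups", []):
        groups.extend(val.split())
    return {
        "weak_ciphers": [c for c in ciphers if WEAK_CIPHER_RE.search(c)],
        "weak_macs": [m for m in macs if m in WEAK_MACS],
        "hardened_ciphers": ",".join(c for c in ciphers if not WEAK_CIPHER_RE.search(c)),
        "hardened_macs": ",".join(m for m in macs if m not in WEAK_MACS),
        "allow_groups": groups,
    }


if __name__ == "__main__":
    for key, value in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; if `allow_groups` is non-empty, the connecting account must be a member of one of those groups (check with `id <user>`) or sshd will close the connection after authentication, which is consistent with the "Connection closed by" entry the reporter saw.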

@jlamb85 Did you get it to work? If you no longer have the problem then you should close the issue

stephenwb avatar May 24 '17 15:05 stephenwb