Cannot SSH into new Red Hat 9 box
Something about a firewall?
SoCal resident

Msg#: 3131393 posted 6:48 am on Oct 23, 2006 (gmt 0)

I just put Red Hat Linux 9 on a fresh machine and have not been able to get it to cooperate ssh-wise.

Lately it just times out with no request for a password. I can ssh into other servers with the same terminal window on OS X.

The machine responds to a ping just fine. I can also do "ssh me@localhost" from the console and that works, leading me to believe that ssh is working fine and that the problem is with the firewall.

With that in mind I've tried adding the following to /etc/init.d/iptables:
# Allow incoming TCP port 22 (ssh) traffic from office
/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT

and

#ALLOW INCOMING SSHD REQUESTS.
iptables -N allow-ssh-input
iptables -F allow-ssh-input
iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
iptables -A allow-ssh-input -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT

One of the handy dandy port probing sites told me that I don't have port 22 (or any other port) open. Or could that be the result of a security measure?

I'm probably looking in the wrong places, a typical newbie scenario. I'd like to be able to ssh in from any computer, although it isn't really necessary. As I said earlier, this is a new install during which I checked off the "middle" of the three firewall security choices. Are there log files somewhere that could help me out?

 

Frank_Rizzo

Msg#: 3131393 posted 9:24 am on Oct 23, 2006 (gmt 0)

I think RH9 may create firewall rules by default and not include port 22.

The ultimate test is to temporarily switch off iptables.

/etc/rc.d/init.d/iptables stop

If you can then ssh remotely that proves your firewall does not have the correct rules to allow port 22.

BTW, once you have it working change the port number to something else.

You can use a different number than 22. If you do change it you will find far fewer attempts at breaking in.

All you have to remember is on your client machines to change the port number to the same, and if you ssh or scp via the command line then you need to add the port number,

e.g.

ssh -p xyz widgetuser@widgetserver.com

SoCal resident

Msg#: 3131393 posted 6:58 am on Oct 24, 2006 (gmt 0)

Frank_Rizzo:

>> The ultimate test is to temporarily switch off iptables.

I tried that, no luck.

The odd thing is I can ssh in at the console, i.e. ssh me@localhost works as expected. So now I am very confused.

>> BTW, once you have it working change the port number to something else.

>> You can use a different number than 22. If you do change it you will find far fewer attempts at breaking in.

How is that done?

Thanks for the response(s)!

SoCal resident

Msg#: 3131393 posted 8:28 am on Oct 24, 2006 (gmt 0)

I spoke too soon. Turning off iptables does allow me to ssh as expected. Turning iptables back on brings me back to my original problem.

Now I guess I have to figure out a way to configure iptables to cooperate!

Suggestions are welcome!

Frank_Rizzo

Msg#: 3131393 posted 9:53 am on Oct 24, 2006 (gmt 0)

I'd recommend using something like webmin if you can. Using a gui is much easier and less prone to typos.

If you use that you will be easily able to update firewall rules and set the port for ssh.

A typical firewall rule for ssh on a different port would look like:

" ACCEPT If protocol is TCP and destination port is 2725 and state of connection is NEW"

One other tip: Never allow root to login to ssh. Always use a low key username for ssh and then when at the console su to root.

SoCal resident

Msg#: 3131393 posted 7:53 pm on Oct 24, 2006 (gmt 0)

>> I'd recommend using something like webmin if you can. Using a gui is much easier and less prone to typos.

You are correct about the gui being much easier and less prone to typos. I'm purposely using text based only as a learning / discipline thing.

>> A typical firewall rule for ssh on a different port would look like:

>> " ACCEPT If protocol is TCP and destination port is 2725 and state of connection is NEW"

I'm at my day job now, but I'll try it when I get home tonight.

>> One other tip: Never allow root to login to ssh. Always use a low key username for ssh and then when at the console su to root.

I've been told that and follow it religiously.

Thanks for the response; I'll let you know how the new rule works out.

jtara

Msg#: 3131393 posted 10:13 pm on Oct 24, 2006 (gmt 0)

/sbin/iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -m state --state NEW -j ACCEPT

Is the IP address above an example, or is it the address you are actually using in the firewall rule?

If it's the real address, this isn't going to work, unless you have a VPN in place between your office and the server. I suspect you don't have a VPN, because if you did, you wouldn't have any need for SSH. ;)

192.168.1... is a private address. You need to substitute the public Internet address that your office traffic exits from. You probably have a router that NATs between a public Internet address and internal private addresses.

You will also have to make sure that you have a static address. If your Internet connection uses dynamic addresses (as is common with many DSL and cable modem connections), you will need to either obtain a static address or else use a dynamic DNS client to update a DNS server, and use the DNS name rather than an IP address in your firewall rule.
----
The rule never to allow root to log-in via SSH is a good one, but impractical. It's fine if all you do is shell access. You can always "su" after logging-in as another user.

If you intend to use SFTP, and particularly if you intend to use SFTP from a graphical file manager (say, with KIOSlaves), and need root access to files, not so easy. (Although I think there is a way to set up some scripting to switch users after login.)

I have ssh moved to an alternative port, and I don't allow passwords - only public/private keys. I feel that gives me reasonable-enough security to allow root.

I mount the root of my server as root from my local machine (using sshfs) as well as mounting each of several users' home directories as the owner's user ID. (A little .sh script mounts or unmounts the whole shebang.) That way, I can just browse my local machine with permissions as either root, or any of my users. (Each of several websites is set up under its own user.)

SoCal resident

Msg#: 3131393 posted 6:18 am on Oct 25, 2006 (gmt 0)

>> Is the IP address above an example, or is it the address you are actually using in the firewall rule?

It is an example, copied off a web site recommendation. In the actual file I put in the static IP address of the computer (Mac OS X, FWIW). I have a cable modem with five static IP addresses as part of the deal. I had it working with a Red Hat 7 install, so I don't see my cable modem, etc. as a problem.

>>If you intend to use SFTP, and particularly if you intend to use SFTP from a graphical file manager (say, with KIOSlaves), and need root access to files, not so easy. (Although I think there is a way to set up some scripting to switch users after login.)

Interesting point. I do web development on that box with sftp via Interarchy, so root login isn't necessary. For functions requiring root login, I'll just ssh.

I tried adding the line " ACCEPT If protocol is TCP and destination port is 2725 and state of connection is NEW" and got the complaint "Bad argument 'if'".

Time to do some more research, I guess.

Thanks for the replies!

jtara

Msg#: 3131393 posted 4:11 pm on Oct 25, 2006 (gmt 0)

Just to be sure - make sure first that you can ping your office's static IP addresses from your web server.

It's a pretty unusual configuration for a cable modem to have static IP addresses on the workstation side. (i.e. be set up for routing, rather than NATing). This is, however, a common choice for business DSL.

So, just a double-check to make SURE it isn't NATing to private addresses. (Which could be static.)

If your addresses start with 198.168..., 10..., or 172.16.0.0 to 172.31.255.255, then they are private addresses.

Frank_Rizzo

Msg#: 3131393 posted 4:47 pm on Oct 25, 2006 (gmt 0)

I tried the " ACCEPT If protocol is TCP and destination port is 2725 and state of connection is NEW"

Ahh. That was me just reading off what webmin gui was saying! I just gave it as an example to show an entry which works. If you are using webmin just click an existing rule which was created by default such as ftp, clone the rule, and change the port.

If you are on the command line you'll need to use the syntax you described earlier.

SoCal resident

Msg#: 3131393 posted 6:39 am on Nov 6, 2006 (gmt 0)

I was off on other projects for a while and am back trying to get the Red Hat 9 installation to behave.

To recap: I cannot ssh into the new installation, at least with iptables started.

After I do a /etc/rc.d/init.d/iptables stop I am able to ssh as I would expect. I'm assuming that this is not the way I want to leave my machine on a permanent basis as I am then unprotected, correct? (Did I mention that I'm a newbie here?)

Restarting iptables with the /etc/rc.d/init.d/iptables start results in a "ssh: connect to host xx.xx.xx.xx port 22: Connection refused" response. I'm kind of assuming here that posting the real static IP address on Webmaster World is a no-no?

I can ping to the server box OK, even with iptables started. I am also able to ping my workstation (from where I am trying to ssh) OK using the console. I have a Road Runner cable modem with five IP addresses if that makes a difference.

Frank_Rizzo has mentioned webmin. I didn't install X Windows etc. when I did the install; would it be possible to use it?

Running /sbin/iptables -L results in:
Chain allow-ssh-input (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/FIN
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpt:ssh
This looks to me like ssh should work.

I have the following in /etc/rc.d/init.d/iptables:
/sbin/iptables -N allow-ssh-input
/sbin/iptables -F allow-ssh-input
/sbin/iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
/sbin/iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
/sbin/iptables -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
/sbin/iptables -A allow-ssh-input -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
exit 0

As it stands now I can turn off iptables from the console, which allows me to ssh. I then open a couple of terminal windows on my OS X machine and ssh. I then "/etc/rc.d/init.d/iptables start", and the connection via the open Terminal windows still works. Since physical access to the console on the Linux machine is difficult, this is how I am working, and also how I was able to copy and paste from the new box to here.

Clearly I am missing something obvious here. But what?
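The "(0 references)" in the listing above means no rule in INPUT jumps to allow-ssh-input, so its ACCEPT rules are never evaluated. As an added example (not code from the thread), the following Python parses an "iptables -L" listing, flags user chains nothing references, checks whether traffic to a port can ever be accepted when traversing INPUT, and produces the missing jump rule; the INPUT chain header in the sample is an assumption, since the post did not show it.

```python
import re

# Constructed sample input: the `iptables -L` listing posted in the thread,
# with an INPUT chain header added as an assumption (the post did not show it).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain allow-ssh-input (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/RST
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/FIN
ACCEPT tcp -- anywhere anywhere limit: avg 1/sec burst 5 tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpt:ssh
"""

# Built-in chains print "(policy X)", user-defined chains "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)\)$")

def parse_listing(text):
    """Return {chain: {"policy": str|None, "references": int|None, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, refs = m.groups()
            current = chains[name] = {"policy": policy, "rules": [],
                                      "references": int(refs) if refs else None}
        elif current and line and not line.startswith("target"):
            current["rules"].append(line.split())   # rule[0] is the target
    return chains

def orphan_chains(chains):
    """User-defined chains nothing jumps to: their rules are dead code."""
    return sorted(n for n, c in chains.items() if c["references"] == 0)

def accepts_port(chains, chain, port_name, seen=frozenset()):
    """True if traversing `chain` can reach an ACCEPT for dpt:<port_name>."""
    for rule in chains[chain]["rules"]:
        target = rule[0]
        if target == "ACCEPT" and f"dpt:{port_name}" in rule:
            return True
        if target in chains and target not in seen:   # jump into a user chain
            if accepts_port(chains, target, port_name, seen | {chain}):
                return True
    return False

def fix_command(chain):
    """The line the init script is missing: hook the user chain into INPUT."""
    return f"/sbin/iptables -A INPUT -j {chain}"
```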

physics

Msg#: 3131393 posted 11:47 pm on Nov 6, 2006 (gmt 0)

>> Frank_Rizzo has mentioned webmin. I didn't install X Windows etc. when I did the install; would it be possible to use it?

Yes webmin works over the web so you don't need XWindows. I've used it before and it can be helpful when you're in a jam ... but usually just do things on the console like you're doing honestly. If you install it I recommend that you do not have it on by default but rather start it when you need it from the console, do what you need to do, then turn it off (for security).

What do your hosts.allow and hosts.deny files say? For kicks try adding this to hosts.allow:

sshd: x.x.x.x ALLOW

Where x.x.x.x is the IP you're trying to SSH from.

SoCal resident

Msg#: 3131393 posted 5:40 am on Nov 7, 2006 (gmt 0)

physics:

My hosts.allow file had "ALL : xx.xx. LOCAL : ALLOW" which I found in a thread on another message board.

I have some notes that indicated that a colon with spaces is the way to go, so I tried your suggestion (sshd: x.x.x.x ALLOW) and sshd : xx.xx.xx.xx : ALLOW. No luck.

Am I supposed to do something to cause these changes to take effect? I tried stopping and starting /etc/rc.d/init.d/iptables but no luck.

The hosts.allow had the following:
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
What is the '/usr/sbin/tcpd' server? Might my problem be there?

The hosts.deny file was empty.

I installed webmin and under Networking > Linux Firewall I saw ACCEPT "If protocol is TCP and input interface is eth0 and destination port is 22"

The /etc/rc.d/init.d/iptables file now contains:
/sbin/iptables -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

The port 1000 was required by webmin, which causes me to wonder how I was able to make that work and not ssh?!?!?!

Thanks to all who respond.
