  1. #1
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20

    SSH Connection Refused


    Systems information:
    Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)
    SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1

    Diagram:
    mylinuxbox<>wlan0<>router<>internet
    (router also serves other machines - ether and wireless - on lan)

    Problem:
    Using ssh, I CAN connect to my server via localhost and using other machines on my lan but CANNOT connect via the internet. Running ssh -v [myserver] from a remote site, I get the following:

    Code:
    remote host:~$ ssh -v [myserver]
    OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to linuxone.homelinux.com [myIP] port [myport].
    debug1: connect to address [myip] port [myport]: Connection refused
    ssh: connect to host [my ip name] port [myport]: Connection refused
    remote host:~$

    I know from the local tests, and from the fact that at some point in the not-too-distant past I was able to connect remotely, that the ssh and sshd config files are correct. Something has changed to cause "connection refused", but I cannot seem to pin down the problem. I use port forwarding and linuxbox is assigned a static ip.

    I have read a variety of posts with similar titles to mine, but no satisfactory solutions have been provided. Suggestions appreciated.

  2. #2
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20

    Solved

    PROBLEM SOLVED

    NOTE TO SELF:

    Watched a remote connect attempt using wireshark and saw that the router was looking for a local ip different from my linuxbox.

    Checked the router to find DMZ hosting set to the wrong ip.

    Changed ip to linuxbox ip and resolved the problem.

  3. #3
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20
    NOT SO FAST
    Using DMZ hosting is not really solving my problem. First of all, I don't understand DMZ all that much. Fact is, if I have another computer's ip listed as the DMZ host, then I lose ssh connectivity to my linux computer, so I'm back to square one.

    Still need advice.

  4. #4
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,885
    About the DMZ, you should think of it as a firewalled network. Some implement a DMZ as a buffer zone between the internet and the real LAN - a place to put a proxy server, maybe a web server, so you get this, which is the classic implementation of a DMZ:

    Internet <= (fw) => DMZ <=(fw)=> LAN

    Others implement it just as a more open section of the LAN, but still allow direct connection between the main LAN and the Internet. It then becomes a place where the 'unsafe' services live, and again the main LAN is protected.

    As far as the SSH connection goes, this does sound like a firewall issue.

    The first thing to check is your server's ssh configuration, which is normally somewhere like /etc/ssh/sshd.conf. If that config is limiting connections by IP address, you may find that some places you try to connect from are denied.

    Also check your firewall settings. If your router has a firewall built-in and you're using it, then it may be that it's denying your access when you didn't expect it.

    Then check your SSH server's configuration to see what access limitations it's imposing - there may be something in that config that's not allowing access.

    In general, I'd suggest that you use key-only ssh login (i.e. turn off password-logon), forward a port directly from your outside interface (on your router or main firewall) straight to your ssh server (but use a different port to 22 to stop idiots making lots of failed attempts to hack you). It is possible, although I've never done it, to use a different port to ssh through to a machine in your DMZ.
    Linux user #126863 - see http://linuxcounter.net/
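    As an added example (not code from this thread or from any of its posters), the following script audits an sshd_config for the settings Roxoff recommends in post #4 (key-only login, a non-default port) and also reports an sshd bound to loopback only, which would produce the same "Connection refused" from outside. It assumes the usual space-separated "Keyword value" syntax and that the file path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not code from this thread: audit an sshd_config against the
# advice in post #4 (key-only login, non-default port) and confirm sshd is not
# bound to loopback only, which also yields "Connection refused" from outside.
# sshd honours the FIRST occurrence of a keyword, so the first value seen wins;
# the "Keyword=value" spelling is not handled (assumption: space-separated).

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD, or
# DEFAULT when the file never sets it (before any Match block).
sshd_opt() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        tolower($1) == "match"                { exit }      # conditional blocks
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print (found ? val : def) }' "$1"
}

# sshd_audit FILE: one finding per line, "OK" or "WARN", keyword, value.
sshd_audit() {
    cfg="$1"
    port=$(sshd_opt "$cfg" Port 22)
    pw=$(sshd_opt "$cfg" PasswordAuthentication yes)
    pk=$(sshd_opt "$cfg" PubkeyAuthentication yes)
    listen=$(sshd_opt "$cfg" ListenAddress 0.0.0.0)

    if [ "$port" = "22" ]; then echo "WARN Port 22 (default port attracts brute-force noise)"
    else echo "OK   Port $port"; fi
    if [ "$pw" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "WARN PasswordAuthentication $pw (key-only login recommended)"; fi
    if [ "$pk" = "yes" ]; then echo "OK   PubkeyAuthentication yes"
    else echo "WARN PubkeyAuthentication $pk (keys cannot be used)"; fi
    case "$listen" in
        127.*|::1*) echo "WARN ListenAddress $listen (loopback only: remote connects are refused)" ;;
        *)          echo "OK   ListenAddress $listen" ;;
    esac
}

# Run directly with a path, e.g. ./sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then sshd_audit "$1"; fi
```

    On a live server, `sshd -T` prints the fully resolved configuration and is the authoritative source; this script is for a quick read of the file itself.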

  5. #5
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20
    Roxoff: Thanks for the reply. Since the DMZ hosting feature on my router is 'dedicated' to one IP address - one that is a virtual IP assigned to an application - I believe (admittedly, I could be wrong) that the dedicated IP is the only unfiltered host on my LAN. Since my router's DMZ is not a true DMZ (so I'm told), I would prefer to use port forwarding which, in most cases, I do. But it doesn't do the trick as it relates to my application or to ssh. In other words, the only way to get my application and/or ssh to communicate over the internet is by using the DMZ hosting feature, and THAT feature can only be assigned to one or the other: the application or the linux machine on which my ssh server resides.

    Regarding the second half of your message, firewall on the router is turned off. I will check the sshd.conf file this evening but I'm fairly certain it is set up correctly since, as I have mentioned, I CAN connect when there is a path from the router to my linux box.

  6. #6
    Linux Engineer rcgreen's Avatar
    Join Date
    May 2006
    Location
    the hills
    Posts
    1,134
    In order to successfully use port forwarding on your router, you must make sure that the router/DHCP server always assigns the same IP address to the ssh server, or that you give the ssh server a fixed address on the LAN. Little details like this can drive you crazy.

  7. #7
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20
    Quote Originally Posted by rcgreen:
    In order to successfully use port forwarding on your router, you must make sure that the router/DHCP server always assigns the same IP address to the ssh server, or that you give the ssh server a fixed address on the LAN. Little details like this can drive you crazy.
    It does drive me crazy. Here's a more complete version of a diagram that shows the relationships I'm trying to solve (only the last digits of the IP addresses are shown):

    application(.120)<tun0>linuxbox(.100)<wlan0>router (.1)<>internet

    Router Settings:
    - port forwarding to .120 using several standard ports
    - port forwarding to .100 for ssh (on a non-standard port)
    - static route: destination .120 ; subnet mask 255x4 ; gateway ip .100
    - static route: destination .100 ; subnet mask 255.255.255.0 ; gateway ip .1
    - DHCP reservation: linuxbox .100
    - DHCP reservation: I would set one for the application but I don't have a MAC address

    DMZ Hosting:
    I set the host to .120 if I want the application to operate correctly; to .100 if I want SSH to work, or I disable it if I need to use VPN from a LAN computer to an outside site via the internet.

    I would like to get rid of DMZ hosting altogether and be able to use my application, ssh and vpn without resetting things.

  8. #8
    Just Joined!
    Join Date
    Oct 2011
    Posts
    20
    Further investigation is leading to some enlightenment. Having now observed various routing behaviors, I believe my needs will be met with a more flexible, customizable network by bypassing the cheap DSL modem/router combination altogether and building a linux router. So in a new configuration the DSL modem/router (actiontec) would be taken out of PPPoE mode and put in transparent bridging mode, and the ROUTER would be one of my old PCs running linux and customized to do nothing more than be a router. I'll need some help with that one.
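    As an added example (not from this thread or its posters), here is what the port-forwarding setup from post #7 looks like on the Linux router proposed in post #8, as an iptables script that prints its commands by default and only applies them when APPLY=1 is set. Assumed names: ppp0 is the PPPoE link to the bridged modem, eth1 the LAN side, 192.168.1.0/24 the LAN, .100 the ssh box reached on public port 2222, and .120 the application host behind .100's tun0 on placeholder ports 80 and 443 (the thread never lists the real ones).

```shell
#!/bin/sh
# Added example, not from the thread: iptables port forwarding for the Linux
# router of post #8 with the topology of post #7. Assumed names: WAN=ppp0
# (PPPoE to the bridged modem), LAN=eth1, LAN subnet 192.168.1.0/24, ssh box
# .100 (sshd on 22 inside, public port 2222), app host .120 behind .100's tun0,
# app ports 80 443 are placeholders. Dry-run prints commands; APPLY=1 executes.
WAN="${WAN:-ppp0}"; LAN="${LAN:-eth1}"; NET="${NET:-192.168.1}"
SSH_HOST="$NET.100"; SSH_PORT_PUBLIC="${SSH_PORT_PUBLIC:-2222}"
APP_HOST="$NET.120"; APP_PORTS="${APP_PORTS:-80 443}"

# run CMD...: execute when APPLY=1, otherwise print the command for review.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# forward_tcp PUBLIC_PORT INSIDE_HOST INSIDE_PORT: DNAT plus a matching
# FORWARD accept, so only the forwarded ports are reachable from the WAN.
forward_tcp() {
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny inbound forwarding; allow replies and LAN-originated flows.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Non-standard public port for ssh, landing on the .100 box's sshd.
    forward_tcp "$SSH_PORT_PUBLIC" "$SSH_HOST" 22
    # Application ports straight to .120, no DMZ host needed.
    for p in $APP_PORTS; do forward_tcp "$p" "$APP_HOST" "$p"; done
    # .120 sits behind the .100 box (post #7's static route), so route via .100.
    run ip route replace "$APP_HOST/32" via "$SSH_HOST" dev "$LAN"
}

if [ "${1:-}" = "--run" ]; then router_rules; fi
```

    Run it with `--run` to see the commands, and with `APPLY=1 --run` as root to apply them; the FORWARD policy is DROP, so anything not forwarded explicitly stays unreachable from the WAN.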

  9. #9
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,885
    There are already distros around that do this kind of thing. Take a look at Smoothwall.
    Linux user #126863 - see http://linuxcounter.net/
