
20th September 2011, 02:50 AM
Registered User
Join Date: Feb 2007
Posts: 167
ssh not working after update
Hi guys,
I was on Fedora 13 and I just updated to Fedora 14.
On Fedora 13 everything worked fine, ssh, vnc, all through firestarter (I know it is not the best option), so after I updated, ssh is only working on the LAN, but it is not working outside of it...
Any ideas why this is happening? Did something change from 13 to 14?
These are my files:
sshd_config
PHP Code:
Port 1405
Protocol 2
SyslogFacility AUTHPRIV
LoginGraceTime 40
PermitRootLogin no
MaxAuthTries 2:50:10
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
iptables (generated through firestarter)
PHP Code:
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*nat
:PREROUTING ACCEPT [391:33807]
:OUTPUT ACCEPT [46:4889]
:POSTROUTING ACCEPT [13:1744]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*mangle
:PREROUTING ACCEPT [7335:2058862]
:INPUT ACCEPT [3067:176163]
:FORWARD ACCEPT [4268:1882699]
:OUTPUT ACCEPT [4762:3494199]
:POSTROUTING ACCEPT [9120:5389769]
-A OUTPUT -p tcp -m tcp --dport 20:21 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 68 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0xff
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*filter
:INPUT DROP [23:3151]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 200.48.225.130/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.48.225.130/32 -p udp -j ACCEPT
-A INPUT -s 200.48.225.146/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.48.225.146/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434 -j LSI
-A INPUT -p icmp -j LSI
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 192.168.1.255/32 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -d 192.168.2.1/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.1.3/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.2.255/32 -i eth1 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p udp -m udp --dport 33434 -j LSI
-A FORWARD -p icmp -j LSI
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.130/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.130/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.146/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.146/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.1.3/32 -j ACCEPT
-A INBOUND -s 192.168.2.2/32 -j ACCEPT
-A INBOUND -s 192.168.2.3/32 -j ACCEPT
-A INBOUND -s 192.168.1.33/32 -j ACCEPT
-A INBOUND -s 192.168.2.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INBOUND -s 192.168.2.0/24 -p udp -m udp --dport 5900 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 1405 -j ACCEPT
-A INBOUND -p udp -m udp --dport 1405 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
__________________
Aventuras con Fedora: Fedorama

20th September 2011, 08:19 AM
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,346
Re: ssh not working after update
sudo netstat -alntp | grep ssh
So my question - WHY do you have GSSAPIAuthentication enabled? Are you using Kerberos?
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe

20th September 2011, 01:58 PM
Registered User
Join Date: Feb 2007
Posts: 167
Re: ssh not working after update
Thanks for the fast replies guys,
Well, GSSAPIAuthentication is my fault... My sshd hadn't changed since Fedora 8... I will disable it ASAP.
This is my netstat
PHP Code:
# netstat -alntp | grep ssh
tcp 0 0 0.0.0.0:1405 0.0.0.0:* LISTEN 2397/sshd
tcp 0 0 :::1405 :::* LISTEN 2397/sshd
Well, apparently it is working... Like I said, my ssh works on my LAN... Weird thing... so apparently this must be my iptables configuration... Any suggestions?
Thanks
__________________
Aventuras con Fedora: Fedorama

21st September 2011, 05:52 AM
Registered User
Join Date: Feb 2007
Posts: 167
Re: ssh not working after update
BTW
Every time I connect to my box via ssh (LAN), after I enter my user name
I get an Access Denied message... anyhow... I put in my password and I can still log in... What would cause that? sshd_config or iptables... I guess it's an sshd_config issue...
Any ideas?
Thanks
---------- Post added at 08:52 PM ---------- Previous post was at 07:27 PM ----------
Well I got rid of:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
And I'm not getting "Access Denied" anymore... but I still can't use ssh outside my LAN.
I'm still guessing it has something to do with iptables, I get the message Connecting.... and after a few minutes I get a timeout....
Any ideas?
Thanks!
__________________
Aventuras con Fedora: Fedorama

22nd September 2011, 05:12 AM
Registered User
Join Date: Feb 2007
Posts: 167
Re: ssh not working after update
Thanks!
Well, I shut down the iptables service... but I still got a timeout... I'm really lost...
I tried to restart the service and got an error on line 55, I commented it out and could restart the service, but I still can't connect...
Any ideas?
Thanks again!
__________________
Aventuras con Fedora: Fedorama

26th September 2011, 03:27 AM
Registered User
Join Date: Feb 2007
Posts: 167
Re: ssh not working after update
This is my iptables:
PHP Code:
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*nat
:PREROUTING ACCEPT [391:33807]
:OUTPUT ACCEPT [46:4889]
:POSTROUTING ACCEPT [13:1744]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*mangle
:PREROUTING ACCEPT [7335:2058862]
:INPUT ACCEPT [3067:176163]
:FORWARD ACCEPT [4268:1882699]
:OUTPUT ACCEPT [4762:3494199]
:POSTROUTING ACCEPT [9120:5389769]
-A OUTPUT -p tcp -m tcp --dport 20:21 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 68 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08/0xff
-A OUTPUT -p tcp -m tcp --dport 443 -j TOS --set-tos 0x08/0xff
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
# Generated by iptables-save v1.4.9 on Mon Sep 19 20:25:52 2011
*filter
:INPUT DROP [23:3151]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
-A INPUT -s 200.48.225.130/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.48.225.130/32 -p udp -j ACCEPT
-A INPUT -s 200.48.225.146/32 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 200.48.225.146/32 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 33434 -j LSI
-A INPUT -p icmp -j LSI
-A INPUT -d 255.255.255.255/32 -i eth0 -j DROP
-A INPUT -d 192.168.1.255/32 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -d 0.0.0.0/32 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -d 192.168.2.1/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.1.3/32 -i eth1 -j INBOUND
-A INPUT -d 192.168.2.255/32 -i eth1 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p udp -m udp --dport 33434 -j LSI
-A FORWARD -p icmp -j LSI
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 192.168.2.0/24 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.130/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.130/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.146/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s 192.168.1.3/32 -d 200.48.225.146/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 255.255.255.255/32 -j DROP
-A OUTPUT -d 0.0.0.0/32 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.1.3/32 -j ACCEPT
-A INBOUND -s 192.168.2.2/32 -j ACCEPT
-A INBOUND -s 192.168.2.3/32 -j ACCEPT
-A INBOUND -s 192.168.1.33/32 -j ACCEPT
-A INBOUND -s 192.168.2.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INBOUND -s 192.168.2.0/24 -p udp -m udp --dport 5900 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 1405 -j ACCEPT
-A INBOUND -p udp -m udp --dport 1405 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
COMMIT
# Completed on Mon Sep 19 20:25:52 2011
I stopped iptables, firestarter... But I still can't connect... it must be something regarding Fedora 14, it didn't happen before.
Any ideas?
Thanks!
__________________
Aventuras con Fedora: Fedorama
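
Added example, not part of the thread: a minimal Python trace of the posted filter rules for a new TCP connection arriving on eth0. It shows that the ruleset already accepts port 1405 from any source, which is consistent with the report that stopping iptables changed nothing. The source address 203.0.113.5 and the `parse`, `matches` and `verdict` helpers are constructed for illustration, and only an excerpt of the rules is embedded.

```python
import ipaddress
import shlex
# Excerpt of the *filter rules posted in the thread (INPUT path only). The
# omitted rules cannot decide an unfragmented TCP packet sent to this host.
RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth0 -j INBOUND
-A INPUT -j LOG_FILTER
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 192.168.1.3/32 -j ACCEPT
-A INBOUND -s 192.168.2.0/24 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 1405 -j ACCEPT
-A INBOUND -j LSI
-A LSI -j DROP
"""
POLICY = {"INPUT": "DROP"}  # ":INPUT DROP" in the dump
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Chain name -> [(options, raw line)]; each option here takes one argument."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        chains.setdefault(tok[1], []).append((dict(zip(tok[2::2], tok[3::2])), line))
    return chains

def matches(o, pkt):
    src = ipaddress.ip_address(pkt["src"])
    return (o.get("-i", pkt["iface"]) == pkt["iface"]
            and o.get("-p", pkt["proto"]) == pkt["proto"]
            and int(o.get("--dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in o.get("--state", pkt["state"]).split(",")
            and src in ipaddress.ip_network(o.get("-s", "0.0.0.0/0")))

def verdict(chains, pkt, chain="INPUT"):
    """Return (verdict, deciding rule); None means a user chain fell through."""
    for opts, raw in chains.get(chain, []):
        if not matches(opts, pkt):
            continue
        if opts["-j"] in TERMINAL:
            return opts["-j"], raw
        result = verdict(chains, pkt, opts["-j"])
        if result[0]:
            return result
    return POLICY.get(chain), f"policy of {chain}"

CHAINS = parse(RULES)
WAN_SYN = {"iface": "eth0", "proto": "tcp", "src": "203.0.113.5",
           "dport": 1405, "state": "NEW"}  # constructed test packet
```

`verdict(CHAINS, WAN_SYN)` returns the `--dport 1405` ACCEPT rule in INBOUND, while the same packet sent to port 22 ends at `-A LSI -j DROP`.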

27th September 2011, 04:41 AM
Registered User
Join Date: Feb 2007
Posts: 167
Re: ssh not working after update
Well... In the end I went back to Fedora 13... Maybe a fresh install will fix this... but I don't have time for that right now...
Anyway, thanks a lot zackwasa, I learned a couple of things.
__________________
Aventuras con Fedora: Fedorama