Post subject: Port 22 after reboot closed

Proscribere (Posted: 17.01.2011, 17:42)
Hi,
I have a big problem. I opened port 22 with this:
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
and the same with OUTPUT.
After opening it, I can connect with ssh from Arch Linux to aptosid. But if aptosid gets rebooted, the setting for the port is deleted.
nmap from Arch Linux to aptosid says:
Code:
[ferdl@sweetarch ~]$ nmap 192.168.2.105 -p 22
Starting Nmap 5.21 ( http://nmap.org ) at 2011-01-17 18:34 CET
Nmap scan report for aptosidbox.localdomain (192.168.2.105)
Host is up (0.0036s latency).
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
I had the same problem with Ubuntu and Debian.
There is another strange problem too:
If my PC with Arch is running and I activate the printer so aptosid can print, aptosid doesn't find the printer. Only if I reboot Arch will it be found. I had the same problem with other Debian-based distributions too. But this is a small problem that can wait...
Thank you for your time. If someone needs more information I will give it.
Greetings
Sephi (Posted: 17.01.2011, 18:41)
This behaviour is normal, iptables rules get reset if you restart your system. You can simply export your rules with iptables-save and restore them at each boot with iptables-restore.
Proscribere (Posted: 20.01.2011, 17:10)
OK, iptables-save will work. But iptables-restore doesn't really work. If I type it in, nothing happens. It looks more like it's running but can't complete.
I installed iptables-persistent from apt and configured it, but this doesn't change anything. I don't understand why it is so hard to set up on Debian-based systems..
finotti (Posted: 20.01.2011, 19:12)
Did you do it with
Code:
iptables-save > iptables_config_file
iptables-restore < iptables_config_file
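To see what a saved ruleset would actually restore at boot, here is an added Python example (not code from the thread or from iptables-persistent) that parses the iptables-save format read by iptables-restore and reports the verdict for a new TCP connection to a port; the sample dump is constructed for the example.

```python
# Audit a saved iptables ruleset in iptables-save format (what iptables-restore
# and iptables-persistent read back at boot). Sample dump is constructed.
SAMPLE_RULES = """\
# Generated by iptables-save v1.4.10 on Thu Jan 20 19:12:00 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Jan 20 19:12:00 2011
"""

def parse_ruleset(text):
    """Return {table: {"policy": {chain: POLICY}, "rules": [[tokens], ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):               # "*filter": start of a table
            current = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):             # ":INPUT DROP [0:0]": chain policy
            chain, policy = line[1:].split()[:2]
            current["policy"][chain] = policy
        elif line.startswith("-A "):           # "-A CHAIN ... -j TARGET": a rule
            current["rules"].append(line.split())
    return tables

def _matches_new_tcp(tok, port):
    """Conservative match for a fresh TCP connection to `port`: a rule that
    needs an interface or a non-tcp match extension (-m state, ...) is treated
    as not matching, so the answer errs towards the chain policy."""
    if "-i" in tok:
        return False
    for i, t in enumerate(tok):
        if t in ("-p", "-m") and tok[i + 1] != "tcp":
            return False
    if "--dport" in tok:
        return tok[tok.index("--dport") + 1] == str(port)
    return True

def tcp_port_verdict(tables, chain, port):
    """Target of the first matching rule in the filter table's `chain`, or
    the chain's default policy when nothing matches."""
    filt = tables.get("filter", {"policy": {}, "rules": []})
    for tok in filt["rules"]:
        if tok[1] == chain and _matches_new_tcp(tok, port):
            return tok[tok.index("-j") + 1]
    return filt["policy"].get(chain, "ACCEPT")
```

The nmap output at the top of the thread reports 22/tcp as closed rather than filtered, meaning the host answered with a RST; a packet dropped by the firewall would show as filtered, so that scan already pointed at nothing listening on the port rather than at a missing ACCEPT rule.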
Proscribere (Posted: 20.01.2011, 19:49)
Seems like iptables-persistent should do exactly the same.
Proscribere (Posted: 30.01.2011, 11:12)
I found out why this stupid thing doesn't connect: ssh doesn't start at bootup. I activated it with rcconf and now it's in rc5.d. But it doesn't want to start. So I tried to put it into rc.local and make rc.local executable -> Nothing happens...
I don't understand why this thing doesn't start.
At bootup it says it's starting. But if I ask with "/etc/init.d/ssh status" it says ssh is not running.
ToZ (Posted: 30.01.2011, 14:02)
By issuing the command:
Code:
update-rc.d ssh enable 2 3 4 5
I was able to create the necessary startup links in the /etc/rc?.d directories. Upon restart, the ssh service started automatically for me.
ToZ (Posted: 30.01.2011, 14:09)
Did you make any changes to the /etc/ssh/sshd_config file? If so please post.
Also, any relevant error messages in dmesg, /var/log/daemon.log, /var/log/messages, /var/log/syslog?
Proscribere (Posted: 30.01.2011, 14:59)
sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.2.105
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
dmesg | grep ssh:
Code:
[ 18.557207] sshd (1762): /proc/1762/oom_adj is deprecated, please use /proc/1762/oom_score_adj instead.
cat /var/log/messages | grep ssh:
Code:
Jan 30 11:30:26 localhost kernel: [ 18.337255] sshd (1791): /proc/1791/oom_adj is deprecated, please use /proc/1791/oom_score_adj instead.
Jan 30 11:43:07 localhost kernel: [ 18.947159] sshd (1760): /proc/1760/oom_adj is deprecated, please use /proc/1760/oom_score_adj instead.
Jan 30 11:47:23 localhost kernel: [ 18.774970] sshd (1764): /proc/1764/oom_adj is deprecated, please use /proc/1764/oom_score_adj instead.
Jan 30 11:50:03 localhost kernel: [ 20.608448] sshd (1819): /proc/1819/oom_adj is deprecated, please use /proc/1819/oom_score_adj instead.
Jan 30 11:51:48 localhost kernel: [ 19.226774] sshd (1797): /proc/1797/oom_adj is deprecated, please use /proc/1797/oom_score_adj instead.
Jan 30 11:55:55 localhost kernel: [ 18.048727] sshd (1752): /proc/1752/oom_adj is deprecated, please use /proc/1752/oom_score_adj instead.
Jan 30 12:02:43 localhost kernel: [ 20.742245] sshd (1801): /proc/1801/oom_adj is deprecated, please use /proc/1801/oom_score_adj instead.
Jan 30 13:57:20 localhost kernel: [ 18.557207] sshd (1762): /proc/1762/oom_adj is deprecated, please use /proc/1762/oom_score_adj instead.
Can't see anything special. Maybe I'm blind.
EDIT:
Oh, and I have 2 computers in the network. One is with IP 192.168.2.105 (aptosid / aptosidbox) and the other is 192.168.2.102 (Arch Linux / sweetarch)
ToZ (Posted: 30.01.2011, 21:52)
What happens when you try:
Code:
ssh localhost
from the machine right after reboot, before you need to restart ssh.
Also, try commenting out the:
Code:
ListenAddress 192.168.2.105
from /etc/ssh/sshd_config, restarting sshd, and trying again.
What does:
Code:
ls -l /etc/rc5.d/*ssh*
return?
Proscribere (Posted: 31.01.2011, 06:39)
ToZ wrote:
Also, try commenting out the:
Code:
ListenAddress 192.168.2.105
from /etc/ssh/sshd_config, restarting sshd, and trying again.
That solved the problem. But why?
ToZ (Posted: 31.01.2011, 11:57)
Code:
man sshd_config
for an explanation.
What does your network look like with IP addresses?
Proscribere (Posted: 31.01.2011, 13:01)
As said before:
Aptosid = 192.168.2.105 - aptosidbox
Arch Linux = 192.168.2.102 - sweetarch
Router Speedport = 192.168.2.5
ToZ (Posted: 01.02.2011, 03:46)
Hmmm, should work. I just did some testing and found that I couldn't get the ListenAddress parameter to work on boot either. I wonder if it has something to do with the possibility that the ssh server is starting before the network interface is configured and thus can't bind to the address (speculating). Something similar is here: http://www.mail-archive.com/ubuntu-serv ... 2767.html.
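To test the suspicion in this post directly, here is an added Python example (not from the thread) that attempts the bind sshd performs at startup and, going one step further, polls until an address becomes bindable; it assumes 192.168.2.105 is not configured on the machine running it and uses 127.0.0.1 as an address that is.

```python
# Reproduce the startup race suspected above: a daemon with a fixed
# ListenAddress cannot bind until that address exists on an interface.
# Assumes 192.168.2.105 (the thread's aptosid box) is not configured on the
# machine running this; 127.0.0.1 stands in for an address that already is.
import errno
import socket
import time

def try_bind(address, port=0):
    """Attempt the TCP bind sshd does at startup. Returns 0 on success,
    otherwise the errno reported. port=0 picks an ephemeral port, so the
    check needs no privileges and never collides with a running service."""
    sock = None
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((address, port))
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        if sock is not None:
            sock.close()

def explain(address):
    """Turn the bind outcome into the diagnosis an admin needs."""
    code = try_bind(address)
    if code == 0:
        return f"{address}: bind ok, a ListenAddress here would work now"
    if code == errno.EADDRNOTAVAIL:
        return (f"{address}: EADDRNOTAVAIL, not on any interface yet; a "
                "ListenAddress here fails if sshd starts before networking")
    return f"{address}: bind failed with {errno.errorcode.get(code, code)}"

def wait_for_address(address, timeout=30.0, interval=0.5):
    """Poll until `address` is bindable or `timeout` seconds elapse; a start
    wrapper can call this before launching a daemon with a fixed address."""
    deadline = time.monotonic() + timeout
    while True:
        if try_bind(address) == 0:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)

if __name__ == "__main__":
    for addr in ("127.0.0.1", "0.0.0.0", "192.168.2.105"):
        print(explain(addr))
    print("192.168.2.105 became bindable:", wait_for_address("192.168.2.105", 2))
```

On Debian, scripts in /etc/network/if-up.d/ run after an interface has been configured, which is one place for such a wait-and-start; the other option, which is what the fix in this thread amounts to, is to leave ListenAddress unset so sshd binds the wildcard address and to restrict reachability with the firewall instead.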