
connect to host 192.168.0.7 port 22: Connection refused


Josh
Aug 6, 2008, 3:47:49 AM
Hi

I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.

Thanks in advance for your help.

Joshua

Bit Twister
Aug 6, 2008, 6:18:05 AM
On Wed, 06 Aug 2008 09:47:49 +0200, Josh wrote:
> Hi
>
> I encountered the a.m. error while doing ssh to a computer in my hous net;
> it used to work before the recent update of Mandriva 2008;

Which one of the 4+ 2008* installs? Show us the output from

cat /etc/lsb-release

> now I have port 22 closed to ssh - did you folks out there have the
> same problem?

Not me, 2008.0 and 2008.1 32 bit install.

> How could did you solve it?

I solve it by clicking up a terminal on the inbound/target system.

ssh $USER@$(hostname)

to verify ssh works locally.
Any time ssh fails, I

su - root
tail -f /var/log/messages

Then try the ssh $US...@target.machine

> No luck making shorewall to go down.

Was that a "shorewall clear" command?

David Mathog
Aug 6, 2008, 11:41:44 AM
Josh wrote:

> I encountered the a.m. error while doing ssh to a computer in my hous net;
> it used to work before the recent update of Mandriva 2008; now I have port
> 22 closed to ssh - did you folks out there have the same problem? How could
> did you solve it? No luck making shorewall to go down.

There has been a tendency over the last several years for Mandriva to
stomp on config files in /etc during updates. In particular, and
relevant to what you are seeing, rules.drakx was often changed. This
became such an issue that my Mandriva systems now all have copies of
most of /etc and bits and pieces of other directories under
/root/saf_config, along with scripts to compare these after each update.
So, my general answer to your question is that you should do something
similar, so that when an errant update reconfigures your system, you can
automatically locate the problem and resolve it. The scripts and method
were posted in this forum 25 Jun 2007 with the subject: "Baby steps
towards surviving overly helpful helper scripts".

Regards,

David Mathog

Unruh
Aug 6, 2008, 11:48:24 AM
Josh <e.pi...@libero.it> writes:

>Hi

>I encountered the a.m. error while doing ssh to a computer in my hous net;
>it used to work before the recent update of Mandriva 2008; now I have port
>22 closed to ssh - did you folks out there have the same problem? How could
>did you solve it? No luck making shorewall to go down.

Is sshd running on that computer? Do you allow connections from your
computer to that one in /etc/hosts.allow on the server?
Does your firewall allow connections from that computer?

Robert Riches
Aug 6, 2008, 11:09:51 PM

One way to keep an eye out for "helpers" is to keep a copy
(and/or an RCS repository) of all the configuration files in
/etc (and elsewhere). Run a 'diff' of all the files right
before updating. Then, run another 'diff' right after the
update. If any "helper" messed with your files, you now
know what changed and what you used to have in that file.

HTH

--
Robert Riches
spamt...@verizon.net
(Yes, that is one of my email addresses.)
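The snapshot-and-diff practice David Mathog and Robert Riches describe, as an added example that is not code from either of them: it records the mode and SHA-256 of every regular file below a directory, compares two such manifests, and in demo() simulates an update that regenerates a rules.drakx file, loosens its mode and drops in a new file. All paths and file contents in demo() are constructed sample data.

```python
"""Record a configuration tree before an update and report what the update changed."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (mode, sha256)} for every regular file below root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks, sockets, devices are not compared
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = (stat.S_IMODE(st.st_mode), digest)
    return manifest


def compare(before, after):
    """Return sorted (path, reason) pairs for every difference between two manifests."""
    changes = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            changes.append((path, "removed"))
        elif path not in before:
            changes.append((path, "added"))
        else:
            old_mode, old_hash = before[path]
            new_mode, new_hash = after[path]
            if old_hash != new_hash:
                changes.append((path, "content changed"))
            if old_mode != new_mode:
                changes.append((path, "mode %o -> %o" % (old_mode, new_mode)))
    return changes


def _write(path, text, mode=None):
    """Create path (and its parent directory) with the given text and optional mode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Simulate an update stomping on a firewall rule file inside a throwaway /etc copy."""
    with tempfile.TemporaryDirectory() as root:
        rules = os.path.join(root, "shorewall", "rules.drakx")
        # constructed sample content; a real rules.drakx looks different
        _write(rules, "ACCEPT net fw tcp 22\n", 0o600)
        _write(os.path.join(root, "hosts.allow"), "sshd: 192.168.0.3/255.255.255.0\n")
        before = snapshot(root)

        # the "helpful" update: rule file regenerated, mode loosened, new file added
        _write(rules, "# regenerated by the updater\n", 0o644)
        _write(os.path.join(root, "hosts.allow.rpmnew"), "\n")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for path, reason in demo():
        print("%-30s %s" % (path, reason))
```

Run snapshot() against the real /etc before an update, save the result, and compare() it with a fresh snapshot afterwards; the unchanged hosts.allow in demo() shows that untouched files produce no noise.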

Vitalie Ucrainciuc
Aug 15, 2008, 8:32:59 PM

Try to enable SSH in firewall rules as Allow or Permit.

It should work!


"Josh" <e.pi...@libero.it> wrote in message
news:48995725$0$11373$5fc...@news.tiscali.it...

Maurice Batey
Aug 16, 2008, 2:31:54 PM
"Josh" <e.pi...@libero.it> wrote in message
news:48995725$0$11373$5fc...@news.tiscali.it...

> I encountered the a.m. error while doing ssh to a computer in
> my house net; it used to work before the recent update of
> Mandriva 2008; now I have port 22 closed to ssh -

It just so happens that I have been trying to set things up to
rsync from laptop to desktop on house network, and have come
across the same problem when trying 'ssh MABsdesktop' on the
laptop:

"ssh: connect to host MABsdesktop port 22: Connection refused"

On the laptop, /etc/hosts has:

127.0.0.1 localhost
192.168.0.2 desktop.mab.unregistered MABsdesktop

and the laptop's MCC sees the desktop PC's printer as on 'host:
192.168.0.2'.

The desktop does have SSH enabled on its firewall.

Of course, as I'm sadly still a network neophyte, it's quite
possible that I'm doing something wrong (or not doing something I
should)...

--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)

Bit Twister
Aug 16, 2008, 2:48:22 PM
On Sat, 16 Aug 2008 19:31:54 +0100, Maurice Batey wrote:
>
> "ssh: connect to host MABsdesktop port 22: Connection refused"
>
> On the laptop, /etc/hosts has:
>
> 127.0.0.1 localhost
> 192.168.0.2 desktop.mab.unregistered MABsdesktop
>
> and the laptop's MCC sees the desktop PC's printer as on 'host:
> 192.168.0.2'.

Click up a terminal on desktop
su - root

/sbin/runlevel

Verify sshd is on boot for your run level
chkconfig --list sshd

and sshd is running with
pgrep -lf sshd

Next see if anything shows up when you try the ssh
tail -f /var/log/messages (on both systems)


Control c aborts the tail -f command.

PS: make it a habit to do a
shorewall clear
to temporarily open the firewall, and as soon as possible
service shorewall restart

Now you can do a test shot with ssh -vv $USER@MABsdesktop

Would not hurt to show us contents of
cat /etc/hosts.allow
cat /etc/hosts.deny
chkconfig --list | grep sshd
on MABsdesktop

Maurice Batey
Aug 16, 2008, 5:10:24 PM
On Sat, 16 Aug 2008 18:48:22 +0000, Bit Twister wrote:

> Click up a terminal on desktop
> su - root

etc...

Did all that:
-----------------------------------------
[root@localhost mab]# /sbin/runlevel
N 5
[root@localhost mab]# chkconfig --list sshd
error reading information about service sshd: No such file or directory
[root@localhost mab]# pgrep -lf sshd
[root@localhost mab]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#

sshd: 192.168.0.3/255.255.255,0
[root@localhost mab]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

[root@localhost mab]# ssh -vv $USER@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host MABsdesktop port 22: Connection refused

[root@localhost mab]#
[root@localhost mab]# chkconfig --list | grep sshd
[root@localhost mab]#
-----------------------------------------

Closing down for the night now...

Bit Twister
Aug 16, 2008, 5:17:41 PM
On Sat, 16 Aug 2008 22:10:24 +0100, Maurice Batey wrote:
> On Sat, 16 Aug 2008 18:48:22 +0000, Bit Twister wrote:
>
>> Click up a terminal on desktop
>> su - root
> etc...
>
> Did all that:
> -----------------------------------------
> [root@localhost mab]# /sbin/runlevel
> N 5
> [root@localhost mab]# chkconfig --list sshd
> error reading information about service sshd: No such file or
> directory

Yep, right there, sshd not installed.


> [root@localhost mab]# pgrep -lf sshd

Yep, sshd not running.

> [root@localhost mab]# cat /etc/hosts.allow
> #
> # hosts.allow This file describes the names of the hosts which
> are
> # allowed to use the local INET services, as
> decided
> # by the '/usr/sbin/tcpd' server.
> #
>
> sshd: 192.168.0.3/255.255.255,0

^
|
Is that a comma----------------'

> Closing down for the night now...

Sleep tight. :)

Maurice Batey
Aug 17, 2008, 9:55:51 AM
On Sat, 16 Aug 2008 21:17:41 +0000, Bit Twister wrote:

>> [root@localhost mab]# cat /etc/hosts.allow
>
>> sshd: 192.168.0.3/255.255.255,0
> ^
> |
> Is that a comma---------------'

Yes - that's what is in the file.
I assume it should be a '.', and have changed it.

> Yep, right there, sshd not installed.
>
>
>> [root@localhost mab]# pgrep -lf sshd
>
> Yep, sshd not running.

OK, have now found sshd (disguised as "OpenSSH Server" in
MCC...), and installed it.
Started it with "/etc/init.d/sshd start".

However, attempts to ssh from laptop meet with same Port 22
connection refusal as before.

Here is a rerun (on desktop) of your debugging suggestions, after
installing & starting sshd:

-------------------------------------------------------------
[root@localhost mab]# /sbin/runlevel
N 5

[root@localhost mab]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[root@localhost mab]# pgrep -lf sshd
8351 /usr/sbin/sshd

[root@localhost mab]# ssh -vv mab@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host MABsdesktop port 22: Connection refused

[root@localhost mab]# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which
#               are allowed to use the local INET services, as decided by the
#               '/usr/sbin/tcpd' server.

sshd: 192.168.0.3/255.255.255.0

[root@localhost mab]# chkconfig --list | grep sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-----------------------------------------------------------

By the way, when you recommend doing 'service shorewall clear'
and then a.s.a.p. 'service shorewall restart', on what occasion
should those be done?
(I suspect it's when e.g. changing the firewall to allow SSH,
instead of doing a re-boot.)

--
/\/\aurice
http://www.maurice99.ukfsn.org

Bit Twister
Aug 17, 2008, 12:10:08 PM
On Sun, 17 Aug 2008 14:55:51 +0100, Maurice Batey wrote:

> OK, have now found sshd (disguised as "OpenSSH Server" in
> MCC...), and installed it.
> Started it with "/etc/init.d/sshd start".

Less typing if you do a
service sshd start :)

> Here is a rerun (on desktop) of your debugging suggestions, after
> installing & starting sshd:

> [root@localhost mab]# chkconfig --list sshd
> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off


Do a
chkconfig --list | grep sshd
and verify it returns something like

sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

sshd-xinetd: off

> By the way, when you recommend doing 'service shorewall clear'
> and then a.s.a.p. 'service shorewall restart', on what occasion
> should those be done?

Anytime you think the firewall is in the way, you can open shorewall
firewall with no restrictions with shorewall clear.

I recommend not running in that mode very long, so
service shorewall restart
sets it back to the on boot/normal setting.

If you have not been dinking with customizing shorewall, just clicking
up a terminal
su - root

tail -f /var/log/messages

and then run your test shot should show a line if shorewall blocks your
ssh attempt.

> (I suspect it's when e.g. changing the firewall to allow SSH,
> instead of doing a re-boot.)

About the only time you need a reboot is kernel change, or node
name change in my stupid opinion. In the case of node name change,
init 1, followed with init 3, or init 5, depending on your requirement.

Anytime you change the firewall outside of the GUI interface, it would not
hurt to do a shorewall -check just to verify there are no glaring errors.
Then do a
service shorewall restart


An FYI on hosts.allow/deny.

tcpwrapper code will look in hosts.allow and allow the app to continue
upon hitting the first rule which applies. If nothing applies in hosts.allow,
wrapper code proceeds to see if anything is denied in hosts.deny.
Nothing in deny, then the application gets to run.

With your wrapper setup, you restricted sshd to an ip address and no
restrictions for everyone else.

That is ok if you manage what services you enable. Downside is, if
you/malware enable some other service and do not add it to allow/deny,
you leave a hole in your security.

My suggestion for you would be to add to bottom of hosts.allow,
something like


ALL: LOCAL, .mab.unregistered

#***************** End of hosts.allow. ********************

To the bottom of /etc/hosts.deny

ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

The above mails root a warning/debugging email about a tcpwrappers deny.
When that happens bittwister gets an email. :)

Assuming you have postfix installed/running:

cd /etc/postfix

tail -11 aliases | head -4
# Person who should get root's mail. This alias
# must exist.
# CHANGE THIS LINE to an account of a HUMAN
root: mab <============ you have set this line

did a
postalias aliases
service postfix restart

mail -s "$USER testshot" root < /dev/null

You should be able to click up a terminal in your mab user account,
and do a

mail -s "$USER testshot" root < /dev/null

mail and see 1 root testshot
2 mab testshot
(carriage return) to read the empty email from root
d to delete the email
(carriage return) to read the empty email from mab
q to quit mail and do the deletions.

With imap installed, you can have thunderbird open in another window
in your mab account, set incoming mail server as localhost,
you should get any root email at whatever polling rate you set it at.

test that with
mail -s "$USER testshot" root < /dev/null
click Get mail in thunderbird and you should see
mab testshot in thunderbird's window.

While still on MABsdesktop, in mab's account
do a
ssh $USER@$(hostname)
to see what happens.


Now, if the above changes/tests work, and you run
tail -f /var/log/messages

I am hoping you get some error message in /messages or
an email from root when trying from the laptop.


If not, I am at a loss to explain why it does not work,
unless you have done some customizing in shorewall.

Maurice Batey
Aug 17, 2008, 1:37:54 PM
On Sun, 17 Aug 2008 16:10:08 +0000, Bit Twister wrote:
>
> Assuming you have postfix installed/running:

No, I use KMail.

> While still on MABsdesktop, in mab's account do a
> ssh $USER@$(hostname) to see what happens.

Here it is (actually I had already tried it but forgot to
capture the output, which also said something about adding
some info into some file):

-------------------------------------------------------
[mab@localhost ~]$ ssh $USER@$(hostname)
mab@localhost's password:
Last login: Sun Aug 17 18:17:43 2008 from localhost

> Now, if the above changes/tests work, and you run tail -f
> /var/log/messages

[mab@localhost ~]$ su
Password:
[root@localhost mab]# tail -f /var/log/messages

Aug 17 18:01:02 localhost msec: changed mode of /var/log/cups/page_log from 644 to 640
Aug 17 18:14:44 localhost sshd[12511]: Accepted password for mab from 127.0.0.1 port 36189 ssh2
Aug 17 18:17:43 localhost sshd[12642]: Accepted password for mab from 127.0.0.1 port 36190 ssh2
Aug 17 18:23:39 localhost drakconf.real[12756]: ### Program is starting ###
Aug 17 18:23:54 localhost drakconf.real[12763]: ### Program is starting ###
Aug 17 18:23:58 localhost rpmdrake[12768]: ### Program is starting ###
Aug 17 18:24:00 localhost rpmdrake[12768]: opening the RPM database
Aug 17 18:24:24 localhost rpmdrake[12768]: ### Program is exiting ###
Aug 17 18:24:25 localhost drakconf.real[12763]: modified file /etc/mcc.conf
Aug 17 18:25:23 localhost sshd[12821]: Accepted password for mab from 127.0.0.1 port 51444 ssh2
-------------------------------------------------------------

(How does one *exit* from an 'ssh' invocation?!)

Sadly, ssh from the laptop still gives 'Port 22 connection
refused' failure. Nothing seems to show up in /var/log/messages
on either m/c for that.

--
/\/\aurice

Maurice Batey
Aug 17, 2008, 1:43:17 PM
On Sun, 17 Aug 2008 16:10:08 +0000, Bit Twister wrote:

> Do a
> chkconfig --list | grep sshd
> and verify is returns something like
>
> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
> sshd-xinetd: off

Not quite. As shown in earlier posting:
-----------------------------------------------------
[root@localhost mab]# chkconfig --list | grep sshd

sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

-----------------------------------------------------

i.e. it doesn't end with "sshd-xinetd: off"

--
/\/\aurice

Bit Twister
Aug 17, 2008, 1:53:31 PM
On Sun, 17 Aug 2008 18:37:54 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 16:10:08 +0000, Bit Twister wrote:
>>
>> Assuming you have postfix installed/running:
>
> No, I use KMail.

M=Mail
T=Transport
C=Client
A=Agent

KMail is an MTC, postfix is an MTA. An MTC reads/sends mail via an MTA.

>> While still on MABsdesktop, in mab's account do a
>> ssh $USER@$(hostname) to see what happens.
>
> Here it is (actually I had already tried it but forgot to
> capture the output, which also said something about adding
> some info into some file):

That would be ~/.ssh/known_hosts
If name/ip/key differ during connection attempt with that node,
you will get a man in the middle warning.

> -------------------------------------------------------
> [mab@localhost ~]$ ssh $USER@$(hostname)

> (How does one *exit* from an 'ssh' invocation?!)

exit :)

> Sadly, ssh from the laptop still gives 'Port 22 connection
> refused' failure. Nothing seems to show up in /var/log/messages
> on either m/c for that.

Without my suggestion of postfix and hosts.deny,
I can recommend commenting out the sshd line in /etc/hosts.allow,
service xinetd reload
and try again.

Still broke, out of suggestions and ideas. :-(

Bit Twister
Aug 17, 2008, 2:01:25 PM
On Sun, 17 Aug 2008 18:43:17 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 16:10:08 +0000, Bit Twister wrote:
>
>> Do a
>> chkconfig --list | grep sshd
>> and verify is returns something like
>>
>> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
>> sshd-xinetd: off
>
> Not quite. As shown in earlier posting:

Yes, but the one I responded to had
[root@localhost mab]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

:)


> -----------------------------------------------------
> [root@localhost mab]# chkconfig --list | grep sshd
>
> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
> -----------------------------------------------------
>
> i.e. it doesn't end with "sshd-xinetd: off"

How rude. I'll show you mine if you'll show me yours. :)

$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-9.1mdv2008.1

Bit Twister
Aug 17, 2008, 2:04:25 PM
On Sun, 17 Aug 2008 18:01:25 +0000 (UTC), Bit Twister wrote:

Oops, forgot to show which command differed.

> Yes, but the one I responded to had

> [root@localhost mab]# chkconfig --list sshd instead of

Maurice Batey
Aug 17, 2008, 2:28:31 PM
On Sat, 16 Aug 2008 18:48:22 +0000, Bit Twister wrote:

> make it a habit to do a shorewall clear to temporally open
> the firewall, and as soon as possible service shorewall restart

Tried 'shorewall clear' before attempting ssh from laptop;
still failed as before.

But there were some 'unknown symbol' error msgs from the
'shorewall clear':
-----------------------------------------------
[root@localhost mab]# shorewall clear

FATAL: Error inserting nf_conntrack_h323 (/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/netfilter/nf_conntrack_h323.ko.gz): Unknown symbol in module, or unknown parameter (see dmesg)

WARNING: Error inserting nf_conntrack_h323 (/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/netfilter/nf_conntrack_h323.ko.gz): Unknown symbol in module, or unknown parameter (see dmesg)

FATAL: Error inserting nf_nat_h323 (/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/ipv4/netfilter/nf_nat_h323.ko.gz): Unknown symbol in module, or unknown parameter (see dmesg)

Clearing Shorewall...
done.
--------------------------------------------------

and similar msgs from the 'service shorewall restart'....

Maurice Batey
Aug 17, 2008, 2:31:46 PM
On Sun, 17 Aug 2008 18:01:25 +0000, Bit Twister wrote:

> $ rpm -q -f /usr/sbin/sshd
> openssh-server-4.7p1-9.1mdv2008.1

$ rpm -q -f /usr/sbin/sshd

openssh-server-4.7p1-2.3mdv2008.0

Bit Twister
Aug 17, 2008, 2:43:30 PM
On Sun, 17 Aug 2008 19:31:46 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 18:01:25 +0000, Bit Twister wrote:
>
>> $ rpm -q -f /usr/sbin/sshd
>> openssh-server-4.7p1-9.1mdv2008.1

Oops, that was my 2008.1 install

>
> $ rpm -q -f /usr/sbin/sshd
> openssh-server-4.7p1-2.3mdv2008.0

Ok, matches my 2008.0 install.

I assume all test shots are not trying to
ssh root@where


Did adding the # sshd: in /etc/hosts.allow still fail a test shot?

Maurice Batey
Aug 17, 2008, 2:45:18 PM
On Sun, 17 Aug 2008 17:53:31 +0000, Bit Twister wrote:

> I can recommend commenting out the sshd line in
> /etc/hosts.allow service xinetd reload and try again.

Tried that ("allow service xinetd reload") but ssh from
laptop still failed as before.

As the desktop ssh self-call seemed to work, is it possible
something is awry on the laptop?

The fact that ssh reports Port 22 refusal to connect does
show that ssh is working, doesn't it?

Bit Twister
Aug 17, 2008, 2:45:44 PM
On Sun, 17 Aug 2008 19:31:46 +0100, Maurice Batey wrote:

> Virtualbox 1.5.6

Are the ssh/sshd systems real or virtual?

Maurice Batey
Aug 17, 2008, 2:47:10 PM
On Sun, 17 Aug 2008 18:43:30 +0000, Bit Twister wrote:

> I assume all test shots are not trying to ssh root@where

No - "ssh mab@MABsdesktop"

--

Bit Twister
Aug 17, 2008, 3:01:04 PM
On Sun, 17 Aug 2008 19:45:18 +0100, Maurice Batey wrote:
>
> Tried that ("allow service xinetd reload") but ssh from

But did you comment out sshd in /etc/hosts.allow?


It is odd, xinetd is installed but sshd-xinetd did not show up in
chkconfig --list | grep ssh

sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-xinetd: off

Guessing /etc/xinetd.d/sshd-xinetd is not there.
Should have been installed when you installed the server package.

$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0

I am not happy that you do not have /etc/xinetd.d/sshd-xinetd

> As the desktop ssh self-call seemed to work, is it possible
> something is awry on the laptop?

Since you cannot connect, something is stopping it.

> The fact that it's ssh reports Port 22 refusal to connect does
> show that ssh is working, doesn't it?

Yes, shows that ssh on the laptop is trying to connect.

Verify ip address in laptop /etc/hosts matches
hostname -i
on desktop

Bit Twister
Aug 17, 2008, 3:02:49 PM
On Sun, 17 Aug 2008 19:47:10 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 18:43:30 +0000, Bit Twister wrote:
>
>> I assume all test shots are not trying to ssh root@where
>
> No - "ssh mab@MABsdesktop"

groping around in the dark.

do a hostname -i on MABsdesktop

and a ssh mab@the_above_ip_address_here


Bit Twister
Aug 17, 2008, 3:06:11 PM
On Sun, 17 Aug 2008 19:02:49 +0000 (UTC), Bit Twister wrote:

in ~mab on desktop do
cd ~/.ssh
chmod 700 .
chmod 600 *
cd

and do the same on the laptop

and run the test shot

Maurice Batey
Aug 17, 2008, 5:23:42 PM
On Sun, 17 Aug 2008 18:45:44 +0000, Bit Twister wrote:

> Are the ssh/sshd systems real or virtual?

Absolutely real! (Only Windows stuff under VBox)

--

Maurice Batey
Aug 17, 2008, 5:26:47 PM
On Sun, 17 Aug 2008 19:02:49 +0000, Bit Twister wrote:

> do a hostname -i on MABsdesktop
>
> and a ssh mab@the_above_ip_address_here

-------------------------------------------------------
[mab@localhost ~]$ hostname -i
127.0.0.1

[mab@localhost ~]$ ssh m...@127.0.0.1
Warning: Permanently added '127.0.0.1' (RSA) to the list of known
hosts.
m...@127.0.0.1's password:
Last login: Sun Aug 17 18:25:23 2008 from localhost
[mab@localhost ~]$ exit
logout

Connection to 127.0.0.1 closed.
[mab@localhost ~]$
------------------------------------------------------

Bit Twister
Aug 17, 2008, 5:27:58 PM
On Sun, 17 Aug 2008 22:23:42 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 18:45:44 +0000, Bit Twister wrote:
>
>> Are the ssh/sshd systems real or virtual?
>
> Absolutely real! (Only WIndows stuff under VBox)

You seem to be missing/ignoring my questions in other replies,
the ones ending in ?.

Maybe you're just behind in answering them. :)
Guess I'll wait and see.

Maurice Batey
Aug 17, 2008, 5:33:17 PM
On Sun, 17 Aug 2008 19:01:04 +0000, Bit Twister wrote:

> But did you Comment out sshd in /etc/hosts.allow?

Yes.


>
> $ rpm -q -f /etc/xinetd.d/sshd-xinetd
> openssh-server-4.7p1-2.3mdv2008.0

--------------------------------------------------
[mab@localhost ~]$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0
--------------------------------------------------


>
> Verify ip address in laptop /etc/hosts matches hostname -i
> on desktop

It does - both 127.0.0.1

Maurice Batey
Aug 17, 2008, 5:40:18 PM
On Sun, 17 Aug 2008 19:06:11 +0000, Bit Twister wrote:

> in ~mab on desktop do
> cd ~/.ssh
> chmod 700 .
> chmod 600 *
> cd
>
> and do the same on the laptop

OK on desktop, but laptop has no ~/.ssh directory anywhere.
(And ssh from laptop still fails.)

Have to close down now. 'night all...

Bit Twister
Aug 17, 2008, 6:33:37 PM
On Sun, 17 Aug 2008 22:33:17 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 19:01:04 +0000, Bit Twister wrote:
>
>> But did you Comment out sshd in /etc/hosts.allow?
>
> Yes.

Good. I will suggest something like
sshd: 192.168.0.3, 192.168.0.0/255.255.255.0

for your final test.

>>
>> $ rpm -q -f /etc/xinetd.d/sshd-xinetd
> openssh-server-4.7p1-2.3mdv2008.0
> --------------------------------------------------
> [mab@localhost ~]$ rpm -q -f /etc/xinetd.d/sshd-xinetd
> openssh-server-4.7p1-2.3mdv2008.0
> --------------------------------------------------

Something went wrong because I expected sshd-xinetd
to show up in your chkconfig --list | grep ssh

Tell you what, bring up MCC and set On Boot for sshd,
verify the other sshd is off/unchecked, and click Ok. Quit MCC and do a

chkconfig --list | grep ssh

sshd-xinetd should now show up.


>> Verify ip address in laptop /etc/hosts matches hostname -i
>> on desktop
>
> It does - both 127.0.0.1


hmmm, ok, I had expected something like
$ hostname -i
192.168.0.2

Because I assumed
$ grep -i $(hostname -a) /etc/hosts
192.168.0.2 desktop.mab.unregistered MABsdesktop
would be found on the desktop. My bad.

Let's ignore that for the moment:

On MABsdesktop do a

ifconfig
and double check the nic connected to the laptop shows 192.168.0.2, then

ssh m...@192.168.0.2
and if it works;

run
ssh m...@192.168.0.2
on the laptop

Sleep tight.

Bit Twister
Aug 17, 2008, 8:37:53 PM
On Sun, 17 Aug 2008 22:26:47 +0100, Maurice Batey wrote:


> [mab@localhost ~]$ hostname -i
> 127.0.0.1

Heheh, just an FYI for the lurkers.


[bittwister@pm80 ~]$ cat /etc/release
Mandriva Linux release 2008.0 (Official) for i586

[bittwister@pm80 ~]$ grep $(hostname) /etc/hosts
192.168.1.213 pm80.home.test pm80

[bittwister@pm80 ~]$ ssh $US...@127.0.0.1
Last login: Sun Aug 17 19:29:09 2008 from localhost

[bittwister@pm80 ~] exit
Connection to 127.0.0.1 closed.


[bittwister@wm81 ~]$ cat /etc/release
Mandriva Linux release 2008.1 (Official) for i586

[bittwister@wm81 ~]$ grep $(hostname) /etc/hosts
192.168.1.131 wm81.home.test wm81

[bittwister@wm81 ~]$ ssh $US...@127.0.0.1
ssh_exchange_identification: Connection closed by remote host

Snippet from /var/log/messages
Aug 17 19:23:32 wm81 sshd[9895]:
refused connect from localhost.localdomain (::ffff:127.0.0.1)

Bit Twister
Aug 17, 2008, 10:01:34 PM
On Mon, 18 Aug 2008 00:37:53 +0000 (UTC), Bit Twister wrote:

bittwister wrote:
> Snippet from /var/log/messages
> Aug 17 19:23:32 wm81 sshd[9895]:
> refused connect from localhost.localdomain (::ffff:127.0.0.1)

Just a follow up. Rejection was caused because hosts.allow did not
catch it and let hosts.deny reject it.

Thought hosts.allow should have let it through.

ALL: LOCAL, .home.test

#****** End of hosts.allow. ********

Looking on pm80, I had to add wm81 ip address to hosts.allow
for wm81 access.

On wm81 (2008.1) None of the following worked
sshd: .home.test
sshd: .home.test, LOCAL, 192.168.1.131
sshd: .home.test, LOCAL, 192.168.1.131, 192.168.1.0/24
ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24

My hosts.allow solution for ssh $US...@127.0.0.1 on 2008.1 is

ALL: LOCAL, .home.test, 27.0.0.1

2008.0 has
ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24

Gotta love the increase in security.

Bit Twister
Aug 17, 2008, 10:05:43 PM
On Mon, 18 Aug 2008 02:01:34 +0000 (UTC), Bit Twister wrote:
> On Mon, 18 Aug 2008 00:37:53 +0000 (UTC), Bit Twister wrote:
>
> bittwister wrote:
>> Snippet from /var/log/messages
>> Aug 17 19:23:32 wm81 sshd[9895]:
>> refused connect from localhost.localdomain (::ffff:127.0.0.1)
>
> Just a follow up. Rejection was caused because of hosts.allow did not
> catch it and let host.deny reject it.
>
> Thought hosts.allow should have let it through.
>
> ALL: LOCAL, .home.test
>
> #****** End of hosts.allow. ********
>
> Looking on pm80, I had to add wm81 ip address to hosts.allow
> for wm81 access.
>
> On wm81 (2008.1) None of the following worked
> sshd: .home.test
> sshd: .home.test, LOCAL, 192.168.1.131
> sshd: .home.test, LOCAL, 192.168.1.131, 192.168.1.0/24
> ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24
>
> My host.allow solution for ssh $US...@127.0.0.1 on 2008.1 is
>
> ALL: LOCAL, .home.test, 27.0.0.1

Oops, cut did not pick up the 1; it should read
ALL: LOCAL, .home.test, 127.0.0.1

Maurice Batey
Aug 18, 2008, 10:24:10 AM
On Sun, 17 Aug 2008 21:27:58 +0000, Bit Twister wrote:

> You seem to missing/ignoring my questions in other replies, the ones
> ending in ?.

Not deliberately, I can assure you!

Will comb through and check. Watch this space... 8-))

Bit Twister
Aug 18, 2008, 10:29:07 AM
On Mon, 18 Aug 2008 15:24:10 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 21:27:58 +0000, Bit Twister wrote:
>
>> You seem to missing/ignoring my questions in other replies, the ones
>> ending in ?.
>
> Not deliberately, I can assure you!
>
> Will comb through and check. Watch this space... 8-))

Tell you what, instead of that, go through this and see what needs
improvement; it lets you run a check front to back.


-------- standard debug ssh/sshd problem steps follows: ------------
Version 0.0

The following is mainly for Mandriva, maybe Suse, maybe Redhat/Fedora and
your install is not using SELinux/ACL's.

I assume you have:
o installed ALL system updates and have rebooted.
o installed the sshd daemon/service package. (OpenSSH Server).
o enabled it to run on boot.
o started sshd on the server.

In this document, "server" is where you are trying to ssh into and
"client" is where you ssh from.

Client is where ssh is trying to connect to sshd on the server.

All ssh test shots will be to a user account on the server, not root.
Where you see bittwister, or ~/, you should be in/using your user account.

Some commands need root privileges to run. To create a root terminal,
click up a terminal and run
su - root
or, for the k/ubuntu crowd,
sudo -i

Anytime I am working a problem, I will open another root terminal and do a

tail -f /var/log/messages
on each system I am working with.

I suggest you do the same.

PS: To abort tail -f command, do a Control c
To close a terminal/ssh session exit

sshd has to be running and/or enabled to run on the server.

pgrep -lf sshd <===== Should return the pid and program name
3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866

It might not be running if sshd is to run when needed. :(

Do check the permissions on it

ls -al /usr/sbin/sshd
-rwxr-xr-x 1 root root 379292 2008-05-06 14:53 /usr/sbin/sshd


chkconfig --list | grep sshd <====== on some systems
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
sshd-xinetd: off <=== on indicates to start when needed

NOTE: Do not have both set on.

Current run level found with
/sbin/runlevel
N 3 <==== indicates my system is set at 3 and 3:on indicates
sshd will be started on boot.

If not running, you might be able to start it with
service sshd start
or maybe
/etc/init.d/sshd start


First prove you can connect to it by ip address when you are on the server

ssh bittwister@$(hostname -i)

If there is nothing in /etc/hosts.allow and /etc/hosts.deny
I expect that to work.

If that fails, make sure your user account's .ssh directory has the correct
permissions by doing:

cd ~/.ssh
chmod 700 .
chmod 600 *
cd

ssh bittwister@$(hostname -i)

If no message showed up in /var/log/messages and there is nothing in
/etc/hosts.allow and /etc/hosts.deny I have no idea what to check next.

man hosts.allow to understand lines not starting with #

Next, run some tests to prove network resolution is working.
Test by node name with
ssh bittwister@$(hostname --alias)
then by fully qualified domain name with
ssh bittwister@$(hostname --fqdn)

Failure on those will be a /etc/hosts or network problem.
If so, only use the server's ip address from your client until
you get the network problem solved.

Once that works, verify the hostname ip matches what the client sees.
hostname -i on the server
host servers_hostname_here on the client.

If the hostname -i returns 127.0.0.1 on the server,
you need to use the ip address of the server's nic that
is connected to the client.

ifconfig to find the address. Snippet follows

eth1 Link encap:Ethernet HWaddr 00:16:17:57:66:54
inet addr:192.168.1.131 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:17ff:fe57:6654/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
The inet addr: field is the IPv4 address;
the inet6 addr: field is the IPv6 address.

Verify the ip address test on server with
ssh bittwister@servers_ip_here


Once those run, only the firewall and /etc/hosts.allow and hosts.deny
contents would block incoming ssh attempts on the server.

You open the Mandriva firewall with
shorewall clear

Before doing that, get the server ip address for the nic connected to
the client.
ifconfig should give you a list of running nics.

hostname -i on the server.

Assuming the server is not blocking pings, verify the connection with
ping -c1 servers_ip_here on the client; if that works, then
ssh bittwister@servers_ip_here on the client.
If that fails, hit the up arrow

and open the firewall on the server with
shorewall clear
hit a carriage return on the client to run the ssh client to server
test shot again.

No matter what, quickly enable the firewall, with
service shorewall restart
or shorewall restart
on the server.

If there are no messages in /var/log/messages on the server and hosts.allow and
hosts.deny are empty, I do not know what the problem is.


If all the above seems to be true, you will need to dump your settings
so we can see them. Run the commands on server and client.
Cut the command and results and paste them in your reply.


hostname
hostname --fqdn
hostname -i
cat /etc/hosts
grep -v \# /etc/hosts.allow
grep -v \# /etc/hosts.deny
ifconfig

If you see repeatable error messages in the tail -f terminals
every time you do the ssh command, we need to see those also.

Would not hurt to provide results from doing something like
ssh -v bittwister@servers_ip_here
or ssh -vv bittwister@servers_ip_here
or ssh -vvv bittwister@servers_ip_here
which will give increasing debug information with each v.
Take a look at each and decide which one might help us.

PS:
If you run with /etc/hosts.allow and hosts.deny, I found
it helpful for /etc/hosts.deny to contain


ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

That will send an email to root any time something gets through hosts.allow
without being allowed.

Example email follows:

TCP Wrappers: Connection Refused
By: wm81.home.test
Process: sshd (pid 11046)

User: unknown
Host: localhost.localdomain
Date: Sun Aug 17 20:50:41 CDT 2008

I have postfix installed, so I modified aliases to send any mail
to root to me.

tail -11 /etc/postfix/aliases | head -5

# Person who should get root's mail. This alias
# must exist.
# CHANGE THIS LINE to an account of a HUMAN

root: bittwister

And executed:
postalias aliases


Once postfix is restarted, all mail to root (security alerts, cron job
failures, audit failures,...) automagically shows up in my email box.
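An added example, my own and not part of the thread or of Mandriva, that automates the hosts-file versus nic check the steps above walk through by hand, and reports the kind of mismatch a wrong /etc/hosts entry produces. The function names and the sample hosts file are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "does /etc/hosts agree with
# the nic" check from the steps above. "ssh user@name" goes to whatever address
# the hosts file gives the name; if the server does not own that address the
# client sees "Connection refused" even though sshd is running.
#
# Function names, the sample hosts file and the sample address lists are
# constructed here for illustration; they are not Mandriva or OpenSSH APIs.

# hosts_addrs_for NAME HOSTSFILE
#   Print every address that HOSTSFILE maps to NAME, whether NAME appears as
#   the canonical name or as an alias. Comments are stripped first.
hosts_addrs_for() {
    sed 's/#.*//' "$2" | awk -v n="$1" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }'
}

# local_addrs
#   Print the IPv4 addresses configured on this machine, one per line.
#   Prefers ip(8); falls back to the ifconfig output format shown in the thread.
local_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    else
        ifconfig 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
    fi
}

# check_name NAME HOSTSFILE "ADDR ADDR ..."
#   For each address HOSTSFILE gives NAME, print "ok ADDR" if that address is in
#   the space separated list of addresses the server really has, otherwise
#   "mismatch ADDR". Exit status: 0 all ok, 1 at least one mismatch,
#   2 NAME is not in the hosts file at all (the "Name or service not known" case).
check_name() {
    found=0; bad=0
    for a in $(hosts_addrs_for "$1" "$2"); do
        found=1
        case " $3 " in
            *" $a "*) echo "ok $a" ;;
            *)        echo "mismatch $a"; bad=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# check_self
#   Check this machine's own short name and FQDN against its own interfaces,
#   the same thing "ssh user@$(hostname --fqdn)" exercises in the steps above.
check_self() {
    addrs=$(local_addrs | tr '\n' ' ')
    rc=0
    for n in "$(hostname)" "$(hostname --fqdn 2>/dev/null)"; do
        [ -n "$n" ] || continue
        echo "== $n"
        check_name "$n" /etc/hosts "$addrs" || rc=1
    done
    return $rc
}

# write_sample_hosts
#   Write a constructed hosts file (same shape as the one posted in the thread)
#   to a temp file and print its path, so the check runs without touching /etc.
write_sample_hosts() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, mirrors the thread's /etc/hosts
127.0.0.1   localhost
192.168.0.1 router.mab.unregistered  MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered  MABslaptop
EOF
    echo "$f"
}

# Usage:  sh sshcheck.sh --self     check the running machine against /etc/hosts
#         sh sshcheck.sh            run the constructed demo below
case "${1:-}" in
    --self) check_self ;;
    *)
        f=$(write_sample_hosts)
        # The desktop's nic actually carries 192.168.0.3 (constructed, as in
        # the thread's ifconfig output), so the desktop entry is reported.
        check_name desktop.mab.unregistered "$f" "127.0.0.1 192.168.0.3"
        rm -f "$f"
        ;;
esac
```

Run it with a copy of the client's /etc/hosts and the server's interface addresses to check the path the client actually takes; for the hosts.allow side, tcpdmatch(8) from tcp_wrappers shows which rule a given daemon and client would hit.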

Maurice Batey

Aug 18, 2008, 11:18:36 AM
On Sun, 17 Aug 2008 22:33:37 +0000, Bit Twister wrote:

> I will suggest something like
> sshd: 192.168.0.3, 192.168.0.0/255.255.255.0
>
> for your final test.

Tried that (see below). Still no go from laptop.

Here is what is in /etc/hosts, by the way:
----------------------------------------------------
127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop
---------------------------------------------------

and non-descriptive entries in /etc/hosts.allow:

# sshd: 192.168.0.3/255.255.255.0
# service xinetd reload
# ALL: LOCAL, .mab.unregistered
ALL:LOCAL,.mab.unregistered,192.168.0.3,
192.168.0.0/255.255.255.0
----------------------------------------------------



> Tell you what, bring up MCC and set On Boot for sshd. verify
> the other
> sshd is off/unchecked. and click Ok. Quit MCC

sshd was already running and set On Boot

What do you mean by "Verify the other sshd is off/unchecked"?
=============================================================
What other sshd?

> On MABsdesktop do a ifconfig and double check the nic connected
> to the laptop shows 192.168.0.2

If you mean (under eth0) "inet=", it shows:
inet addr:192.168.0.3
which is the IP of the laptop.

> Do ssh m...@192.168.0.2 on desktop

I assume you meant to laptop, which is 192.168.0.3, so used the
latter and it did work - i.e. ssh connected to laptop.
(That puzzles me, because sshd is not running on laptop...)

> run ssh m...@192.168.0.2 on the laptop

Did you mean ssh on laptop to itself? As above, did ssh to
m...@192.168.0.3, and it did work (though no sshd on laptop).

On laptop, ssh mab@MABsdesktop still fails - see -vv output:

--------------------------------------------------------
[mab@localhost ~]$ ssh -vv mab@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection
refused
ssh: connect to host MABsdesktop port 22: Connection refused
[mab@localhost ~]$
--------------------------------------------------------

The annoying thing is that - last year, when still using MDV
2007 on desktop and Vista on laptop - I could do ssh via Putty on
Vista!

Presumably this is not a router firewall problem. (Although it
does have an SSH blocker, I believe that only applies to traffic
coming from the outside 'net. Anyway, I tried turning the
blocker off - no difference (so turned it back on.))

Thanks for sticking with me, BT - much appreciated!
I keep thinking we're just one step away from cracking this...

Anything else I can do to help get there?

Bit Twister

Aug 18, 2008, 11:54:42 AM
On Mon, 18 Aug 2008 16:18:36 +0100, Maurice Batey wrote:
> On Sun, 17 Aug 2008 22:33:37 +0000, Bit Twister wrote:
>
>> I will suggest something like
>> sshd: 192.168.0.3, 192.168.0.0/255.255.255.0
>>
>> for your final test.
>
> Tried that (see below). Still no go from laptop.

After playing around last night, I can now suggest just

ALL: .mab.unregistered, 192.168.0.

Until we can get ssh working from the laptop,
I wish you would not have any commands in hosts.allow and hosts.deny

> Here is what is in /etc/hosts, by the way:
> ----------------------------------------------------
> 127.0.0.1 localhost
> 192.168.0.1 router.mab.unregistered MABsrouter
> 192.168.0.2 desktop.mab.unregistered MABsdesktop
> 192.168.0.3 laptop.mab.unregistered MABslaptop
> ---------------------------------------------------

Which /etc/hosts file? With that hosts file,
you can have the same hosts file on both machines.

Just for fun, I want the hosts file to be the same
on both machines and to look as follows:

127.0.0.1 localhost
192.168.0.1 router.mab.unregistered router
192.168.0.2 desktop.mab.unregistered desktop
192.168.0.3 laptop.mab.unregistered laptop

>
> and non-descriptive entries in /etc/hosts.allow:
>
> # sshd: 192.168.0.3/255.255.255.0
> # service xinetd reload
> # ALL: LOCAL, .mab.unregistered
> ALL:LOCAL,.mab.unregistered,192.168.0.3,
> 192.168.0.0/255.255.255.0
> ----------------------------------------------------

Until we can get ssh working from the laptop,
I wish you would not have any commands in hosts.allow and hosts.deny
on either machine.

>
>> Tell you what, bring up MCC and set On Boot for sshd. verify
>> the other
>> sshd is off/unchecked. and click Ok. Quit MCC
>
> sshd was already running and set On Boot
>
> What do you mean by "Verify the other sshd is off/unchecked"?
> =============================================================
> What other sshd?

In both 2008.0 and 2008.1 MCC System Services I have two lines/selections
sshd running [Info] [x] On Boot Start Stop
sshd-xinetd [Info] [ ] Start when Requested Start Stop

If you are missing sshd-xinetd, I have no idea why you are missing
/etc/xinetd.d/sshd-xinetd

$ ls -al /etc/xinetd.d/sshd-xinetd
-rw-r--r-- 1 root root 321 2008-05-06 14:53 /etc/xinetd.d/sshd-xinetd

You have shown me it was in the rpm in an earlier post.


>> On MABsdesktop do a ifconfig and double check the nic connected
>> to the laptop shows 192.168.0.2
>
> If you mean (under eth0) "inet=", it shows:
> inet addr:192.168.0.3
> which is the IP of the laptop.

Well, there you have it. Your settings in /etc/hosts and
what is configured for the nic are incorrect.

You have to make the ip address in /etc/hosts match what is
in /etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS
on each machine.


>
>> Do ssh m...@192.168.0.2 on desktop
>
> I assume you meant to laptop,

No assuming, as I misunderstood it, 192.168.0.2 is the desktop
running sshd.

So, I want to verify you can connect to the desktop from the desktop
with the desktop's ip address.
The ip given in the commands was what you told me was the ip for the desktop.

The numbers were from before you told me about your ifconfig results on the desktop.

>
> Presumably this is not a router firewall problem.

Nope, just involves two machines and their connection.

> (Although it
> does have an SSH blocker, I believe that only applies to traffic
> coming from the outside 'net.

Sounds about right.


> Anyway, I tried turning the
> blocker off - no difference (so turned it back on.))

Outstanding.


> Thanks for sticking with me, BT - much appreciated!
> I keep thinking we're just one step away from cracking this...

Good for you. I was about one step away from giving up. :(

> Anything else I can do to help get there?

First, get the ip addresses in /etc/hosts matching what you
find in the nics which connect to each machine.

Fix /etc/hosts on all machines.

Then go through the troubleshooting text provided in another
post and see if you understand/agree with what each check is doing
and whether your problem is fixed.

Maurice Batey

Aug 18, 2008, 12:13:32 PM
On Mon, 18 Aug 2008 14:29:07 +0000, Bit Twister wrote:

> -------- standard debug ssh/sshd problem steps follows:

> I assume you have:
> o installed ALL system updates and have rebooted.
> o installed the sshd daemon/service package. (OpenSSH Server)

> o enabled it to run on boot.
> o started sshd on the server.

Yes.


>
> pgrep -lf sshd <===== Should return the pid and program name
> 3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866

Yes (though no sign of "pid=xxxx")



>
> It might not be running if sshd is to run when needed. :(
>
> Do check the permissions on it
>
> ls -al /usr/sbin/sshd
> -rwxr-xr-x 1 root root 379292 2008-05-06 14:53 /usr/sbin/sshd

Yes - same


>
> chkconfig --list | grep sshd <====== on some systems
> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
> sshd-xinetd: off <=== on indicates to start when needed

OK - except still no sign of "sshd-xinetd..."
=============================

>
> Current run level found with
> /sbin/runlevel
> N 3 <==== indicates my system is set at 3 and 3:on
> indicates
> sshd will be started on boot.

Yes - that's OK


>
> First prove you can connect to it by ip address when you are on
> the server
>
> ssh bittwister@$(hostname -i)

Fine.

> ssh bittwister@$(hostname --alias)

Failed:
------------------------------------------------
[mab@localhost ~]$ ssh mab@$(hostname --alias)
ssh: : Name or service not known
------------------------------------------------

> then by fully qualified domain name
> ssh bittwister@$(hostname --fqdn)

Fine.


>
> Once that works, verify the hostname ip matches what the client sees.
> hostname -i on the server
> host servers_hostname_here on the client.

'hostname -i' gives 127.0.0.1.


>
> If the hostname -i returns 127.0.0.1 on the server, you need to use the ip
> address of the server's nic that is connected to the client.

I believe that is 192.168.0.2 in my case: cat /etc/hosts gives

127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop

>

> ifconfig to find the address.

In my case:
-----------------------------------------------------------
eth0 Link encap:Ethernet HWaddr 00:1B:21:07:31:63
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
------------------------------------------------------------


>
> Verify the ip address test on server with
> ssh bittwister@servers_ip_here

You mean - on server - ssh to itself? This is what happens:

------------------------------------------------------------
[mab@localhost ~]$ ssh m...@192.168.0.2
ssh: connect to host 192.168.0.2 port 22: Connection refused
------------------------------------------------------------
(though ssh m...@127.0.0.1 and ssh mab@$(hostname) work)


I'll stop here, as my earlier posting today may have helped
clear the air.

Maurice Batey

Aug 18, 2008, 12:55:23 PM
On Mon, 18 Aug 2008 15:54:42 +0000, Bit Twister wrote:

> After playing around last night, I can now suggest just
>
> ALL: .mab.unregistered, 192.168.0.
>
> Until we can get ssh working from the laptop, I wish you would not have
> any commands in hosts.allow and hosts.deny

So I should ignore the "ALL: .mab...." suggestion 5 lines
above here?


>
> Which /etc/hosts file. With that hosts file, you can have the same hosts
> file on both machines.

But I already do! They are identical on both desktop & laptop...


>
> Just for fun, I want to make the hosts file the same on both machines and
> looks as follows:
>
> 127.0.0.1 localhost
> 192.168.0.1 router.mab.unregistered router
> 192.168.0.2 desktop.mab.unregistered desktop
> 192.168.0.3 laptop.mab.unregistered laptop

That's as they already are, but omitting the 'MAB' prefix. OK!

> Until we can get ssh working from the laptop, I wish you would
> not have any commands in hosts.allow and hosts.deny on either
> machine.

OK - will comment them out.


>
> In both 2008.0 and 2008.1 MCC System Services I have two
> lines/selections
> sshd running [Info] [x] On Boot Start Stop
> sshd-xinetd [Info] [ ] Start when Requested Start Stop

No sign of that sshd-xinetd entry...

> If you are missing sshd-xinetd, I have no idea why you are missing
> /etc/xinetd.d/sshd-xinetd

But it's not missing!
----------------------------------------------------
[mab@localhost ~]$ cat /etc/xinetd.d/sshd-xinetd
# default: off
# description: sshd server, xinetd version. \
#              Don't run the standalone version if you run \
#              this.
service ssh
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/sshd
        server_args     = -i
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
}
--------------------------------------------------------

> -rw-r--r-- 1 root root 321 2008-05-06 14:53
> /etc/xinetd.d/sshd-xinetd

Check here on desktop:
------------------------------------------------------
[mab@localhost ~]$ ls -al /etc/xinetd.d/sshd-xinetd
-rw-r--r-- 1 root root 321 2008-05-06 20:50
/etc/xinetd.d/sshd-xinetd
------------------------------------------------------
Seems a bit of a mystery. It's there but not showing up where it
should. How can that be? (Or, how can it be made to...)


> Your settings in /etc/hosts and what is configured for the
> nic are incorrect.
>
> You have to make ip address in /etc/hosts match what is in
> /etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS from each machine.

I've no idea why ifconfig shows the wrong host IP!

(Are you saying "inet addr" should show 192.168.0.2, rather
than 192.168.0.3?)

How does one figure out how to acquire the correct info from the
ifcfg-eth0 file so that ifconfig shows the correct IP?
Here are the contents of that file on desktop:
----------------------------------------------------------------
[mab@localhost ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
NETMASK=255.255.255.0
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
RESOLV_MODS=no
IPV6INIT=no
IPV6TO4INIT=no
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=yes
PEERYP=yes
---------------------------------------------------------------

Regards,

Bit Twister

Aug 18, 2008, 1:08:19 PM
On Mon, 18 Aug 2008 17:13:32 +0100, Maurice Batey wrote:
> On Mon, 18 Aug 2008 14:29:07 +0000, Bit Twister wrote:

>> pgrep -lf sshd <===== Should return the pid and program name
>> 3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866
>
> Yes (though no sign of "pid=xxxx")

The comment was trying to show 3866 is the pid, hence pid=3866.
I changed the comment to read pid is 3866.

>> chkconfig --list | grep sshd <====== on some systems
>> sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
>> sshd-xinetd: off <=== on indicates to start when needed
>
> OK - except still no sign of "sshd-xinetd..."
> =============================

That is a problem in itself. No idea why it is not there.
It is in the sshd package you installed.

>
>> ssh bittwister@$(hostname --alias)
>
> Failed:
> ------------------------------------------------
> [mab@localhost ~]$ ssh mab@$(hostname --alias)
> ssh: : Name or service not known
> ------------------------------------------------

Ok, your node name of localhost is biting you. You need to set the
hostname to a FQDN value. Suggestion follows:

$ cat /etc/sysconfig/network
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.mab.unregistered <========= FQDN node set here

Recommendation:
$ cat /etc/sysconfig/network
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.mab.test <========= better domain name here

Read http://www.rfc-editor.org/rfc/rfc2606.txt

NOTE: warning, anytime I change the hostname, I reboot to make every
service/daemon aware of the name change, and check nothing breaks.

>>
>> If the hostname -i returns 127.0.0.1 on the server, you need to use the ip
>> address of the server's nic that is connected to the client.
>
> I believe that is 192.168.0.2 in my case: cat /etc/hosts gives

Belief does not hack it. You are required to KNOW.

>
> 127.0.0.1 localhost
> 192.168.0.1 router.mab.unregistered MABsrouter
> 192.168.0.2 desktop.mab.unregistered MABsdesktop
> 192.168.0.3 laptop.mab.unregistered MABslaptop

Just an FYI, those long aliases could bite you. I suggest getting them
under 9 characters.


>
>>
>> ifconfig to find the address.
> In my case:
> -----------------------------------------------------------
> eth0 Link encap:Ethernet HWaddr 00:1B:21:07:31:63
> inet addr:192.168.0.3 Bcast:192.168.0.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> ------------------------------------------------------------
>>
>> Verify the ip address test on server with
>> ssh bittwister@servers_ip_here
>
> You mean - on server - ssh to itself?

Yep, that is just what you did with these commands:
ssh bittwister@$(hostname -i)
ssh bittwister@$(hostname --alias)
ssh bittwister@$(hostname --fqdn)

> This is what happens:

>
> ------------------------------------------------------------
> [mab@localhost ~]$ ssh m...@192.168.0.2
> ssh: connect to host 192.168.0.2 port 22: Connection refused
> ------------------------------------------------------------

> (though ssh m...@127.0.0.1 and ssh mab@$(hostname) work)

And why is that, you ask? Run these three commands and see if you can relate.

grep 127.0.0.1 /etc/hosts
grep $(hostname) /etc/hosts
echo $(hostname)

> I'll stop here, as my earlier posting today may have helped
> clear the air.

Guessing my reply to that post should have fixed it. :-)

David W. Hodgins

Aug 18, 2008, 1:29:52 PM
On Mon, 18 Aug 2008 12:55:23 -0400, Maurice Batey <mau...@bcs.removethis.org.uk> wrote:

> I've no idea why ifconfig shows the wrong host IP!

It doesn't. The hosts files are wrong.
Change the hosts file (on both systems) to show what ifconfig shows.

Also, try running "chkconfig --list" without any other parameters, or piping it
to grep. Does it show the sshd-xinetd?

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Bit Twister

Aug 18, 2008, 1:38:54 PM
On Mon, 18 Aug 2008 17:55:23 +0100, Maurice Batey wrote:
> On Mon, 18 Aug 2008 15:54:42 +0000, Bit Twister wrote:
>
>> After playing around last night, I can now suggest just
>>
>> ALL: .mab.unregistered, 192.168.0.
>>
>> Until we can get ssh working from the laptop, I wish you would not have
>> any commands in hosts.allow and hosts.deny
>
> So I should ignore the "ALL: .mab...." suggestion 5 lines
> above here?

I am saying, when you get done making the laptop to desktop test work,
and you are ready to enable /etc/host.allow controls, the only
line you will need is

ALL: .mab.unregistered, 192.168.0.

>> Which /etc/hosts file. With that hosts file, you can have the same hosts
>> file on both machines.
>
> But I already do! They are identical on both desktop & laptop...

Heheheh, But I did not know that. :-D

>
>> If you are missing sshd-xinetd, I have no idea why you are missing
>> /etc/xinetd.d/sshd-xinetd
>
> But it's not missing!
> ----------------------------------------------------
> [mab@localhost ~]$ cat /etc/xinetd.d/sshd-xinetd
> # default: off

Then check the perms.

$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/

>> Your settings in /etc/hosts and what is configured for the
>> nic are incorrect.
>>
>> You have to make ip address in /etc/hosts match what is in
>> /etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS from each machine.
>
> I've no idea why ifconfig shows the wrong host IP!
>
> (Are you saying "inet addr" should show 192.168.0.2, rather
> than 192.168.0.3?)
>
> How does one figure out how to acquire the correct info from the
> ifcg-eth0 file so that ifconfig shows correct IP?
> Here are the contents of that file on desktop:
> ----------------------------------------------------------------
> [mab@localhost ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
> DEVICE=eth0
> BOOTPROTO=dhcp

Ok, what I am saying, is, if laptop is sshing into desktop,
then desktop's ip address in laptop's hosts file has to match
the ip address where laptop connects to desktop.

Here look at this drawing


192.168.1.1 pc1 node's gateway
192.168.1.14 pc1 node's ip
|
v
x pc1 printer 24.x.x.xx
x \ / |
x \ / v
x Hub---------eth1_fw_eth0---cablemodem-----ISPgateway---Internet
x / ^ ^
x / | |
x pc2 192.168.1.1 ggg.ggg.ggg.1
^ lan gateway
|
192.168.1.12 pc2 node's ip
192.168.1.1 pc2 node's gateway

If pc2 wanted to ssh to fw.
pc2's hosts file would have
192.168.1.1 fw.home.test fw


If you cannot understand what I am saying, draw a picture, label with
values and I will run over this again.

Maurice Batey

Aug 18, 2008, 1:51:51 PM
On Mon, 18 Aug 2008 17:38:54 +0000, Bit Twister wrote:

> Then check the perms.
>
> $ ls -ald /etc/xinetd.d/
> drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/

OK:
-------------------------------------------------------------
[mab@desktop ~]$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d//
-------------------------------------------------------------

Still a mystery, I guess...

However, despite all that, you can GET OUT THE FLAGS!
MAFEKING HAS BEEN RELIEVED... 8-))

I can now ssh in to desktop from laptop, now that the IP muddle
has been identified and sorted out.
(I really don't know how they got mixed up, but whenever it
did was yonks ago, and a lot of water has flown under the bridge
(and probably into what's left of my brain) since then.)

BT, many many thanks once again for your unstinted help and
patience - very much appreciated indeed.

Maurice Batey

Aug 18, 2008, 1:54:00 PM
On Mon, 18 Aug 2008 13:29:52 -0400, David W. Hodgins wrote:

> try running "chkconfig --list" without any other pararaters, or
> piping it to grep. Does it show the sshd-xinetd?

No! Absolutely no sign of it, Dave.

Bit Twister

Aug 18, 2008, 1:55:32 PM
On Mon, 18 Aug 2008 18:51:51 +0100, Maurice Batey wrote:

> [mab@desktop ~]$ ls -ald /etc/xinetd.d/
> drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d//


What is that // doing on the end of that line? Should be

$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/
Maurice Batey

Aug 18, 2008, 2:27:44 PM
On Mon, 18 Aug 2008 17:55:32 +0000, Bit Twister wrote:

> What is that // doing on the end of that line. Should be
>
> $ ls -ald /etc/xinetd.d/
> drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/

Mmm. I tried it without the '/' on the end of the call and the
2nd '/' doesn't appear!:
-------------------------------------------------------------
[mab@desktop ~]$ ls -ald /etc/xinetd.d
drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d/
-------------------------------------------------------------

Figure that one out!

David W. Hodgins

Aug 18, 2008, 2:24:51 PM
On Mon, 18 Aug 2008 13:51:51 -0400, Maurice Batey <mau...@bcs.removethis.org.uk> wrote:

> Still a mystery, I guess...

Do you have the package xinetd installed? Run "rpm -q -i xinetd"
Is it running "service xinetd status"?

Bit Twister

Aug 18, 2008, 2:46:44 PM
On Mon, 18 Aug 2008 19:27:44 +0100, Maurice Batey wrote:
>
> Mmm. I tried it without the '/' on the end of the call and the
> 2nd '/' doesn't appear!:
>
> Figure that one out!

No thank you. :)

Homework assignment.
type ls
type -a ls

On the subject of hosts.allow and hosts.deny.

Your initial setup did not have anything in hosts.deny.

I recommend All: ALL if you are not going to use mine.

If you are going to hardcode ip addresses in /etc/hosts,
I recommend setting static instead of dynamic (dhcp)
for those interfaces.

I recommend a FQDN for all nodes. For the linux install, I recommend
these lines and values <=============
$ cat /etc/sysconfig/network
NETWORKING_IPV6=no <=============
NOZEROCONF=yes <=============
NEEDHOSTNAME=no <=============
NETWORKING=yes <=============
HOSTNAME=desktop.mab.test <=============

Maurice Batey

Aug 18, 2008, 2:46:52 PM
On Mon, 18 Aug 2008 14:24:51 -0400, David W. Hodgins wrote:

> Do you have the package xinetd installed? Run "rpm -q -i xinetd" Is it
> running "service xinetd status"?

[root@desktop mab]# rpm -q -i xinetd
package xinetd is not installed

So - in spite of all that evidence to the contrary - it appears
not!

Have now installed it via MCC.

Is there anything more that should be done with it?

Maurice Batey

Aug 18, 2008, 2:53:06 PM
On Mon, 18 Aug 2008 15:54:42 +0000, Bit Twister wrote:

> In both 2008.0 and 2008.1 MCC System Services I have two lines/selections
> sshd running [Info] [x] On Boot Start Stop
> sshd-xinetd [Info] [ ] Start when Requested Start Stop

I now see those two entries.

Bit Twister

Aug 18, 2008, 2:57:03 PM
On Mon, 18 Aug 2008 19:46:52 +0100, Maurice Batey wrote:
> On Mon, 18 Aug 2008 14:24:51 -0400, David W. Hodgins wrote:
>
>> Do you have the package xinetd installed? Run "rpm -q -i xinetd" Is it
>> running "service xinetd status"?
>
> [root@desktop mab]# rpm -q -i xinetd
> package xinetd is not installed
>
> So - in spite of all that evidence to the contrary - it appears
> not!
>
> Have now installed it via MCC.
>
> Is there anything more that should be done with it?

In your case, so far, it is only good for deciding if you want sshd started
on boot, or if sshd only starts when a sshd connection is tried.

Maurice Batey

Aug 18, 2008, 5:48:29 PM
On Mon, 18 Aug 2008 18:57:03 +0000, Bit Twister wrote:

> In your case, so far, it is only good for deciding if you want sshd
> started on boot, or if sshd only starts when a sshd connection is tried.

OIC - that answers a question I was going to ask!

How does one use it to get sshd to start only when a ssh
connection is attempted?

Aragorn

Aug 18, 2008, 6:04:43 PM
On Monday 18 August 2008 23:48, someone identifying as *Maurice Batey* wrote
in /alt.os.linux.mandriva:/

> On Mon, 18 Aug 2008 18:57:03 +0000, Bit Twister wrote:
>
>> In your case, so far, it is only good for deciding if you want sshd
>> started on boot, or if sshd only starts when a sshd connection is tried.
>
> OIC - that answers a question I was going to ask!
>
> How does one use it to get sshd to start only when a ssh
> connection is attempted?

If that is what you want, then you should use /xinet-sshd/ - or whatever
it's called - instead of the regular sshd, and then you must set
up /xinetd/ to include /sshd/ among the offered services.

--
*Aragorn*
(registered GNU/Linux user #223157)

Bit Twister

Aug 18, 2008, 6:26:15 PM
On Mon, 18 Aug 2008 22:48:29 +0100, Maurice Batey wrote:
>
> How does one use it to get sshd to start only when a ssh
> connection is attempted?

Get into MCC Services,
uncheck sshd On Boot
click Stop for sshd
click Start when requested for sshd-xinetd
Click Ok, bottom left
Control q
Control q

man xinetd
man xinetd.conf

And start hacking away at
/etc/xinetd.d/sshd-xinetd
do keep an original somewhere else before editing. :-)

Maurice Batey

Aug 19, 2008, 11:44:13 AM
On Mon, 18 Aug 2008 18:46:44 +0000, Bit Twister wrote:

> I recommend All: ALL if you are not going to use mine.

Have put that in /etc/hosts.deny; thanks.

I did take a long look at your 'email' setup for that file,
and would love to have it, but it seemed so intricate that I
chickened out, as it would have cost you more days of
trouble-shooting to get it working. 8-)

I assume the purpose is to report any rogue attempt to ssh in to
the server via the router wireless channel.
In my case the router is WAP-key protected, and no one else
here would know what 'ssh' was, so I don't feel a need for more
security.

But all the same it looks an interesting project for a rainy
day...

> If you are going to hardcode ip addresses in /etc/hosts ..

How does one avoid that?

Maurice Batey, Aug 19, 2008, 12:04:22 PM
On Mon, 18 Aug 2008 22:26:15 +0000, Bit Twister wrote:

> Get into MCC Services,
> uncheck sshd On Boot
> click Stop for sshd
> click Start when requested for sshd-xinetd Click Ok, bottom left

Happy with that!

> And start hacking away at /etc/xinetd.d/sshd-xinetd

Mmm. I won't get into that, as I don't see a need for
sshd-xinetd (yet).

Many thanks!

Maurice Batey, Aug 19, 2008, 12:10:48 PM
On Tue, 19 Aug 2008 00:04:43 +0200, Aragorn wrote:

> If that is what you want, then you should use /xinet-sshd/ - or whatever
> it's called - instead of the regular sshd, and then you must set up
> /xinetd/ to include /sshd/ among the offered services.

I installed xinetd because I got the impression it was needed
to properly allow the SSH from laptop, hence my wondering how it
is used.

As I was (eventually!) able to achieve the SSH connection without
it, and don't really need the 'start at first call' facility, I
propose to uninstall it as superfluous (unless there is some
other reason why it should be kept).

Bit Twister, Aug 19, 2008, 1:48:04 PM
On Tue, 19 Aug 2008 16:44:13 +0100, Maurice Batey wrote:

> I did take a long look at your 'email' setup for that file,
> and would love to have it, but it seemd so intricate that I
> chickened out, as it would have cost you more days of
> trouble-shooting to get it working. 8-)

No changes/debugging to that fancy .deny script needed.
Bring up a root terminal.

You change a line in /etc/postfix/aliases, (close to bottom of aliases)
from root: postfix
to root: mab
save/quit editor

postalias aliases

service postfix restart

At this point, mab on this node should receive this node's root's
email. You test by sending root a message and checking mab's mail box.

mail -s "root test shot" mab < /dev/null

su - mab

mail <==== should show 1 root test shot
(carriage return) <==== would read the mail
d <==== deletes email
q <==== exits mail and deletes marked email.
exit <==== closes the su - mab session.

If postfix has been running since install, I would check root's mail box.

mail

d 1-30 <==== deletes email 1 through 30

exit <==== closes this root terminal session.


> I assume the purpose is to report any rogue attempt to ssh in to
> the server via the router wireless channel.

Not just ssh; report any attempt, by any application compiled with tcpwrapper
support, which did not match a rule in hosts.allow.

> In my case the router is WAP-key protected, and no one else here
> would know what 'ssh' was, so I don't feel a need for more security.

What about a 192.168.0.* node cracked when user was playing out on the
internet. :-(

If me, I would have to set all nodes static, starting at, say 192.168.0.100
just in case someone can get a lease/connection from your router.

I would then set .allow ALL: 192.168.0.101, 192.168.0.102, 192.168.0.103
Now, only those nodes could use tcpwrapped apps like sshd.

>> If you are going to hardcode ip addresses in /etc/hosts ..
>
> How does one avoid that?

Good question for someone knowing network stuff and make/model of router. :-)

Carry over from your other question posted today.

The xinetd package would allow you to have tighter tweaks/features
and not require sshd to be running all the time.

If you did not take my suggestion for your FQDN, you might want
to look through this thread.

http://groups.google.com/group/alt.os.linux.mandriva/msg/9edf6653de20a8a4
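
The allow/deny behaviour described in the post above, as an added example that is not part of the thread and not the libwrap code itself: a small Python model of the hosts_access(5) decision order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise the connection is granted). The two file bodies are constructed to match the advice given here; hostname patterns, EXCEPT lists and spawn/twist commands are assumed out of scope.

```python
"""Model of the tcpwrappers (hosts_access(5)) decision for one connection.

Added example, not libwrap itself: it supports ALL, exact IPv4 addresses,
trailing-dot prefixes ("192.168.0.") and network/mask or CIDR patterns.
Hostname patterns, EXCEPT lists and spawn/twist commands are not modelled.
"""
import ipaddress

# Constructed sample files, following the thread's advice:
# hosts.allow names only the static LAN nodes, hosts.deny closes everything else.
HOSTS_ALLOW = """
# only these nodes may use tcpwrapped services such as sshd
ALL: 192.168.0.101, 192.168.0.102, 192.168.0.103
"""
HOSTS_DENY = """
ALL: ALL
"""


def _client_matches(pattern, client_ip):
    """True if a single client pattern from hosts.allow/hosts.deny covers client_ip."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # prefix form, e.g. "192.168.0."
        return client_ip.startswith(pattern)
    try:
        addr = ipaddress.ip_address(client_ip)
        if "/" in pattern:                  # "192.168.0.0/255.255.255.0" or "192.168.0.0/24"
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False                        # hostnames/wildcards are not resolved here


def _parse_rules(text):
    """Return (daemon_list, client_list) pairs from an access control file body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                        # malformed line, skipped
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def _first_match(rules, daemon, client_ip):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(_client_matches(c, client_ip) for c in clients):
                return True
    return False


def hosts_access(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """Return True if the connection is granted.

    Order follows hosts_access(5): first match in hosts.allow grants,
    otherwise first match in hosts.deny refuses, otherwise access is granted.
    That last default is why an empty hosts.deny leaves every service open.
    """
    if _first_match(_parse_rules(hosts_allow), daemon, client_ip):
        return True
    if _first_match(_parse_rules(hosts_deny), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    for ip in ("192.168.0.101", "192.168.0.150", "10.0.0.7"):
        print(ip, "allowed" if hosts_access("sshd", ip) else "refused")
```

The check worth keeping in mind is the last `return True`: with `ALL: ALL` absent from hosts.deny, a node that is not listed in hosts.allow is still let in, which is the point of the "ALL: ALL" recommendation above.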

Maurice Batey, Aug 19, 2008, 2:55:57 PM
On Tue, 19 Aug 2008 17:48:04 +0000, Bit Twister wrote:

> No changes/debugging to that fancy .deny script needed.

The problem is that in your posting of that script the text
appears split up all over the place, so that it's difficult to
see how it is supposed to precisely fit together.
(I printed it out and pored over it, but even then I couldn't
make it gell...)

> You change a line in /etc/postfix/aliases,

But I don't use postfix; not installed. Happy with KMail.

Perhaps there's a way of throwing some warning panel onto the
screen instead?

Bit Twister, Aug 19, 2008, 3:41:33 PM
On Tue, 19 Aug 2008 19:55:57 +0100, Maurice Batey wrote:
>
>> No changes/debugging to that fancy .deny script needed.
>
> The problem is that in your posting of that script the text
> appears split up all over the place,

Change news reader then. :-D


> so that it's difficult to
> see how it is supposed to precisely fit together.

Hey, use google to get a second opinion on the code.

http://groups.google.com/group/alt.os.linux.mandriva/msg/01881519c0d3af38

> (I printed it out and pored over it, but even then I couldn't
> make it gell...)

Not much to pore over. It uses tcpwrappers % EXPANSIONS, adds newline
characters (\n) and line continuation chars (\), and feeds it to mail.

>> You change a line in /etc/postfix/aliases,
>
> But I don't use postfix; not installed. Happy with KMail.

M=Mail
T=Transport
A=Agent
C=Client

Postfix is an MTA and KMail is a MTC.
The MTC sends/fetches email from a MTA.

Guessing in your case you told KMail to use your ISP's MTA.
You would then ask KMail to also fetch mail from desktop
for mab on desktop.

> Perhaps there's a way of throwing some warning panel onto the
> screen instead?

Well, on that topic, I tend to use xmessage to send pop up messages.
Downside: :0.0 is the first user's screen to log in. :(


Two examples to send a pop up and keep going.

xmessage -display :0.0 "sample pop up" &

nohup xmessage -display :0.0 "

installation of firefox-3.0.1.tar.bz2

failed extract/install, install aborted
" &


A simple pop up, and wait for mouse click

xmessage -display :0.0 "sample pop up"

man xmessage for more switches.
man X For -display usage


Heheheheh, that reminds me, I helped set a co-worker up with linux
and be able to dial up into work.

One evening after work, I had dialed in, and noticed him dialed in.

I got his ip address and did a

xeyes &
xeyes -display x.x.x.x:0 -fg yellow -center red

I could move my mouse around and know what his xeyes was doing.
About two seconds later I get connection broken when he panicked
and shut down his system. 8-)

Bit Twister, Aug 19, 2008, 3:44:53 PM
On Tue, 19 Aug 2008 19:55:57 +0100, Maurice Batey wrote:

> Perhaps there's a way of throwing some warning panel onto the
> screen instead?

You can, but that would only be host.deny email.

You would not know about cron failures or mail from system cron jobs
which audit/warn root about problems. :(

Maurice Batey, Aug 20, 2008, 9:50:17 AM
On Mon, 18 Aug 2008 13:29:52 -0400, David W. Hodgins wrote:

> The hosts files are wrong.
> Change the hosts file (on both systems) to show what ifconfig shows.

Which I did, and ssh then worked.

However, today when I tried ssh, it failed.

When I checked ifconfig I saw that the 'inet' address had
changed back to the IP address that was reflected in the earlier
'incorrect' /etc/hosts file!

Using the latest inet IP address, ssh works again...

So - what can be causing the inet address to change (and how can
a steady state be achieved)?

Maurice Batey, Aug 20, 2008, 9:53:18 AM
On Tue, 19 Aug 2008 19:41:33 +0000, Bit Twister wrote:

> Change news reader then

I have now, from old Pan to new Pan (used for posting this)!

Script looks a little less daunting. It's also the link up with
mailing that puts me off.

Bit Twister, Aug 20, 2008, 10:27:42 AM
On Wed, 20 Aug 2008 13:53:18 +0000 (UTC), Maurice Batey wrote:
> On Tue, 19 Aug 2008 19:41:33 +0000, Bit Twister wrote:
>
>> Change news reader then
>
> I have now, from old Pan to new Pan (used for posting this)!

Oh, no, you're going from bad to worse. :-)
Note to self, get that flame proof suit on pretty quick. :-D

> Script looks a little less daunting.

% Expansion variables found in
man hosts.allow or man hosts.deny

Sample email from deny, would look like:

TCP Wrappers: Connection Refused
By: wm81.home.test
Process: sshd (pid 11046)

User: unknown
Host: localhost.localdomain
Date: Sun Aug 17 20:50:41 CDT 2008


> It's also the link up with mailing that puts me off.

Ok.

Bit Twister, Aug 20, 2008, 10:32:35 AM
On Wed, 20 Aug 2008 13:50:17 +0000 (UTC), Maurice Batey wrote:
> On Mon, 18 Aug 2008 13:29:52 -0400, David W. Hodgins wrote:
>
>> The hosts files are wrong.
>> Change the hosts file (on both systems) to show what ifconfig shows.
>
> Which I did, and ssh then worked.
>
> However, today when I tried ssh, it failed.
>
> When I checked ifconfig I saw that the 'inet' address had
> changed back to the IP address that was reflected in the earlier
> 'incorrect' /etc/hosts file!
>
> Using the latest inet IP address, ssh works again...
>
> So - what can be causing the inet address to change

dhcp lease renew not being received at dhcp server.
dhcp lease renew not being sent to dhcp server.
Turning off the node and losing the lease.

> (and how can a steady state be achieved)?

Set connection as static. :-)

Maurice Batey, Aug 20, 2008, 10:44:08 AM
On Wed, 20 Aug 2008 14:32:35 +0000, Bit Twister wrote:

> dhcp lease renew not being received at dhcp server.
> dhcp lease renew not being sent to dhcp server.
> Turning off the node and losing the lease.

How does one prevent those happening?

>> [quoted text muted]
>
> Set connection as static.

My ISP did give me a static external IP address, but the 'inet'
address is a local address, isn't it?
How does setting 'connection' as static affect inet address?

I mean, if DHCP always yields the same fixed IP address, why
would the inet address change?

W.r.t. setting connection address static, all the comments I've
seen in various fora seemed to lean towards the DHCP approach
as more secure.

As a matter of interest, what is involved in making the
connection static?

Bit Twister, Aug 20, 2008, 11:27:35 AM
On Wed, 20 Aug 2008 14:44:08 +0000 (UTC), Maurice Batey wrote:
> On Wed, 20 Aug 2008 14:32:35 +0000, Bit Twister wrote:
>
>> dhcp lease renew not being received at dhcp server.
>> dhcp lease renew not being sent to dhcp server.
>> Turning off the node and loosing the lease.
>
> How does one prevent those happening?

Connect systems to an Uninterruptible Power Supply (UPS),
fix the problem preventing the handshake between dhcp server and your
system.


> My ISP did give me a static external IP address, but the 'inet'
> address is a local address, isn't it?

Hmmm, how about, it is the address assigned to the nic.


> How does setting 'connection' as static affect inet address?

nic always has the same address so it is static.

> I mean, if DHCP always yields the same fixed IP address,

How can you say that? You already have proof your dhcp server has not
issued the same ip address to desktop at least two times already.

> why would the inet address change?

I refer you back to top of this reply.

> W.r.t. setting connection address static, all the comments I've
> seen in various fora seemed to lean towards the DHCP approach
> as more secure.

Hmm. Let's see, cracker manages to get a connection/lease on your LAN
through your wifi router and then manages to cause desktop to reboot.
While desktop's reboot is going on,
sends a fake lease release for desktop's ip address,
send a lease release for his node, ask for a new connection and getting
desktop's old address.
Now all your systems think they are talking with desktop. :(

> As a matter of interest, what is involved in making the
> connection static?

Get into MCC, delete the network connection, create the connection,
pick manual/static instead automatic/dhcp and provide an ip address.

Suggest 192.168.0.100
gateway 192.168.0.1
DNS 208.67.222.222, 208.67.220.220
host name desktop.unregistered.invalid

As always, check your admin diary to see if there are any custom
changes you make by hand.

Example found in your admin diary.

Network Changes
Modified /etc/sysconfig/network to look as follows:
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.unregistered.invalid

Maurice Batey, Aug 20, 2008, 1:31:27 PM
On Wed, 20 Aug 2008 15:27:35 +0000, Bit Twister wrote:

> fix the problem preventing the handshake between dhcp server and your
> system.

Oh, you think there was some glitch that caused the change.
How does one home in on a possible cause, I wonder...


>> My ISP did give me a static external IP address, but the 'inet'
>> address is a local address, isn't it?
>
> Hmmm, how about, it is the address assigned to the nic.

I'm confused by this. Here is what my ISP's email said when
setting up ADSL:

"Your static IP address is: 78.xx.139.xx"

Is that 'static' different from in your "make the connection
static".


>
>> How does setting 'connection' as static affect inet address?
>
> nic always has the same address so it is static.

How does my static IP address (78.xx.139.xx) relate to the
inet address "192.168.0.xx" ?

Is 'nic' the same as 'inet address'? If not, what is it?

Are you saying that the 'inet address' is obtained from my ISP?
If not, where does it come from?

Bit Twister, Aug 20, 2008, 2:02:24 PM
On Wed, 20 Aug 2008 17:31:27 +0000 (UTC), Maurice Batey wrote:
> On Wed, 20 Aug 2008 15:27:35 +0000, Bit Twister wrote:
>
>> fix the problem preventing the handshake between dhcp server and your
>> system.
>
> Oh, you think there was some glitch that caused the change.

No, all I did was give reasons, not knowing what you did, what was done by
others in the house, what happened to the router, .....

> How does one home in on a possible cause, I wonder...

Check logs on the dhcp server and your system.

>>> My ISP did give me a static external IP address, but the 'inet'
>>> address is a local address, isn't it?
>>
>> Hmmm, how about, it is the address assigned to the nic.
>
> I'm confused by this.

I can tell. :) I am giving you general terms for items.
You keep taking general terms and have hard coded values in
your head. Kinda like I give a pronoun (she) and you transpose it to a
person (Wanda).


> Here is what my ISP's email said when
> setting up ADSL:
>
> "Your static IP address is: 78.xx.139.xx"
>
> Is that 'static' different from in your "make the connection
> static".

Hmm, another bad question. Static is static and does not mean a
particular address.

You get to decide what ip address you wish to assign to a nic when you
set it up as static.


> Are you saying that the 'inet address' is obtained from my ISP?

No, I am saying inet is the address of the nic regardless of how the
nic was given the address.


> If not, where does it come from?

Depends, you, dhcp server, avahi-daemon, zeroconf code, another human,.....

Here look at this, and tell me which inet of eth0 we are talking about.

                      Internet
                         |
                         | eth0
                ,--------+---------.
                | ip ISP assigned  |
                | ISP Gateway      |
                | ip 71.171.124.1  |
                `--------+---------'
                         | eth1
                         |
                         | eth0
          .--------------+---------------.
          | ip 71.171.124.137            |
          | gw 71.171.124.1              |
          | Actiontech RI408             |
          | router/modem                 |
          | ip 192.168.1.1               |
          `-------+------------------+---'
                  |                  |
                  | eth0             | eth0
          .-------+--------. .-------+--------.
          | ip 192.168.1.4 | | ip 192.168.1.2 |
          | gw 192.168.1.1 | | gw 192.168.1.1 |
          | node1          | | node2          |
          | suse 10.3      | | kubuntu 8.4    |
          `----------------' |                |
                             | ip 192.168.5.6 |
                             `-------+--------'
                                     | eth1
                                     |
                                     | eth0
                             .-------+--------.
                             | ip 192.168.5.3 |
                             | gw 192.168.5.6 |
                             | node3          |
                             | Mandriva 2008.1|
                             `----------------'

Bill Mullen, Aug 20, 2008, 3:29:15 PM
On Wed, 20 Aug 2008 17:31:27 +0000 (UTC),
Maurice Batey wrote:

> On Wed, 20 Aug 2008 15:27:35 +0000, Bit Twister wrote:
>
> >> My ISP did give me a static external IP address, but the 'inet'
> >> address is a local address, isn't it?
> >
> > Hmmm, how about, it is the address assigned to the nic.
>
> I'm confused by this. Here is what my ISP's email said when
> setting up ADSL:
>
> "Your static IP address is: 78.xx.139.xx"
>
> Is that 'static' different from in your "make the connection
> static".
> >
> >> How does setting 'connection' as static affect inet address?
> >
> > nic always has the same address so it is static.
>
> How does my static IP address (78.xx.139.xx) relate to the
> inet address "192.168.0.xx" ?
>
> Is 'nic' the same as 'inet address'? If not, what is it?
>
> Are you saying that the 'inet address' is obtained from my ISP?
> If not, where does it come from?

It's clear to me, from following this thread, that some clarification
of a few terms and concepts might be helpful.

The "inet address" that you see when running ifconfig is the IP address
currently assigned to your network card (nic) on that machine. How it
obtained that address can vary; if the card has been configured to get
its address using DHCP, then it got it at boot/network restart time from
your router or ADSL modem or whichever device physically connects you to
the internet (a.k.a. the "next hop" out to the rest of the world - the
device that is located at the other end of the wire from your nic).

However, this is not the only way that the card can be set up; you can
instead opt to assign a static address to it. This is done most easily
in the Mandriva Control Center (MCC), but can also be done by manually
editing the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Giving the
nic a static address is generally a good idea, and doing so will make
troubleshooting networking problems like the present one much easier.

If you assign the nic a static IP address, it must fall within the
range of addresses that your router/modem/whatever will accept. In your
case, this appears to be 192.168.0.xx (where xx is > 1 and < 255). The
gateway IP address also needs to be set at the same time; this is the
"next hop" address, in your setup 192.168.0.1 (the address the router
is listening on). The broadcast address in this case is 192.168.0.255.

The router/modem/whatever will assign DHCP addresses from a subset of
the available ones; you should choose an IP address for your nic that
falls outside of this range. For example, if the router picks DHCP
addresses from x.x.x.100 to x.x.x.150, any static address(es) you set
should not be from within that span; ones like x.x.x.2 or x.x.x.200
would be fine, and will avoid any possible conflicts should you connect
a device that uses DHCP to the network at some future point.

The static address that your router/modem/etc. uses for its external
side (78.xx.139.xx, as noted above) is assigned to it by your ISP; it
then translates the addresses on packets that pass through it in both
directions, to make sure that all of them will get to their correct
destination. This process is known as Network Address Translation, or
NAT. In most cases, it's not something you'll need to concern yourself
with very much.

The router/etc. may well get its own static address from your ISP using
DHCP; it is possible, when one has access to the DHCP server, to set it
up to assign specific addresses to specific machines. This is, in fact,
almost certainly how they do it in your case. The device itself also
contains a DHCP server of its own, to hand out addresses on the local
side of the connection (192.168.0.xx). How much access you have to the
configuration of said server, and whether or not it is sufficiently
flexible to allow you to set up static internal DHCP addresses, I have
no idea. It's generally better all around to just ignore the onboard
DHCP server in the router, and set up static addresses manually on each
internal system, ones chosen from within the appropriate address range.

Doing that simplifies things immensely, by allowing you to enter these
addresses into the /etc/hosts file on each internal machine once and to
not worry about whether or not they will change (which appears, AFAICT,
to be at the root of the problems you've been having). With this sort
of arrangement, the /etc/hosts files on multiple machines on the same
network would all be identical, and therefore every machine will agree
upon how to reach every other machine on the LAN.

In a nutshell, while DHCP is nice for when a friend pops over and wants
to plug in their laptop on your network, for systems that aren't going
anywhere it really makes no sense to use it; use static IPs instead.

HTH!

--
Bill Mullen
RLU #270075
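
Two checks a practitioner would want after reading the post above, as an added example that is not part of the thread: whether /etc/hosts still agrees with the address the interface actually has (the root of the ssh failures discussed here), and whether a set of proposed static addresses stays out of the router's DHCP pool and inside the LAN. The ifconfig output and /etc/hosts content are constructed samples in the net-tools layout of the time; the LAN, pool and addresses are assumed values.

```python
"""Consistency checks for the static-address setup discussed above.

Added example, not the thread's own code: (1) does /etc/hosts agree with
what ifconfig reports for the interface, and (2) do the chosen static
addresses avoid the router's DHCP pool and the network/broadcast addresses.
"""
import ipaddress
import re

# Constructed sample in the 2008-era net-tools ifconfig layout; not a real capture.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed /etc/hosts; desktop still lists the address it had before the lease changed.
HOSTS_SAMPLE = """\
127.0.0.1   localhost
192.168.0.2 desktop.unregistered.invalid desktop
192.168.0.5 laptop.unregistered.invalid laptop
"""

INET_RE = re.compile(r"inet addr:(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ifconfig(text):
    """Map interface name -> IPv4 address from net-tools ifconfig output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new interface block starts unindented
            iface = line.split()[0]
        m = INET_RE.search(line)
        if m and iface:
            addrs[iface] = m.group(1)
    return addrs


def parse_hosts(text):
    """Map each name/alias in /etc/hosts -> address (later lines override earlier ones)."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                mapping[name] = fields[0]
    return mapping


def hosts_mismatch(hostname, iface, ifconfig_text, hosts_text):
    """Return (listed, actual) when /etc/hosts disagrees with the interface, else None."""
    actual = parse_ifconfig(ifconfig_text).get(iface)
    listed = parse_hosts(hosts_text).get(hostname)
    if actual is not None and actual == listed:
        return None
    return (listed, actual)


def static_conflicts(static_ips, lan, pool_start, pool_end):
    """Return proposed static addresses that are unusable: outside the LAN,
    the network or broadcast address, or inside the router's DHCP pool."""
    net = ipaddress.ip_network(lan)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    bad = []
    for ip in static_ips:
        a = ipaddress.ip_address(ip)
        if a not in net or a in (net.network_address, net.broadcast_address) or lo <= a <= hi:
            bad.append(ip)
    return bad


if __name__ == "__main__":
    print(hosts_mismatch("desktop", "eth0", IFCONFIG_SAMPLE, HOSTS_SAMPLE))
    print(static_conflicts(["192.168.0.2", "192.168.0.120", "192.168.0.200", "192.168.0.255"],
                           "192.168.0.0/24", "192.168.0.100", "192.168.0.150"))
```

Run against real output (`ifconfig` piped into a file, plus `/etc/hosts`) the first check reports the stale entry before ssh does; the second is what to run over the addresses you intend to type into MCC or the router's reservation table.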


Maurice Batey, Aug 20, 2008, 5:47:37 PM
On Wed, 20 Aug 2008 15:29:15 -0400, Bill Mullen wrote:

> some clarification
> of a few terms and concepts might be helpful.

Absolutely! Many thanks, Bill - much appreciated.

With you and BT's guidance the mists have gradually cleared
and I am going to experiment with a 'static' nic setup, using an
installation of PCLinuxOS I happen to have on an external drive.

'night, all...

Bit Twister, Aug 20, 2008, 5:55:25 PM
On Wed, 20 Aug 2008 21:47:37 +0000 (UTC), Maurice Batey wrote:

> With you and BT's guidance the mists have gradually cleared
> and I am going to experiment with a 'static' nic setup, using an
> installation of PCLinuxOS I happen to have on an external drive.

That's why I have 27 ip addresses for my two real machines.
Each install gets its own static ip address for eth0.

That keeps ssh from complaining about possible man in the middle
possibility when the info in ~/.ssh/known_hosts does not match the
connection you are trying to create.

Also had to do it in my virtual machines so they could network with
each other.
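
Why one address shared by several installs makes ssh warn about a possible man in the middle, as an added example that is not OpenSSH code and not part of the thread: the client compares the host key the server presents against ~/.ssh/known_hosts, and a known host presenting a different key is exactly what the warning reports. The key blobs, salt and known_hosts content below are constructed; plain and hashed (`|1|salt|hmac`) host fields are modelled, while @cert-authority/@revoked markers, wildcards and non-standard ports are assumed out of scope.

```python
"""Model of the ssh client's known_hosts check (added example, not OpenSSH).

Host fields are matched either literally or through the hashed form OpenSSH
writes with HashKnownHosts (|1|base64(salt)|base64(HMAC-SHA1(salt, host))).
"""
import base64
import hashlib
import hmac


def hash_hostname(host, salt):
    """Build the hashed host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(field, host):
    for pat in field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pat == host:
            return True
    return False


def check_host_key(known_hosts_text, host, key_type, key_b64):
    """'match'   : known_hosts already holds exactly this key for host
       'new'     : host not seen before (ssh asks whether to trust it)
       'changed' : host known, but with a different key of the same type,
                   the "REMOTE HOST IDENTIFICATION HAS CHANGED" case."""
    other_key_seen = False
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, key = fields[0], fields[1], fields[2]
        if ktype == key_type and _host_matches(hosts, host):
            if key == key_b64:
                return "match"
            other_key_seen = True
    return "changed" if other_key_seen else "new"


# Constructed sample: two fake key blobs (one per install sharing the box) and a
# known_hosts with one plain and one hashed entry. The salt is fixed for reproducibility.
KEY_MANDRIVA = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmandrivainstallfakekey="
KEY_PCLOS = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDpclinuxosinstallfakekey="
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "192.168.0.2,desktop ssh-rsa " + KEY_MANDRIVA,
    hash_hostname("192.168.0.5", SALT) + " ssh-rsa " + KEY_PCLOS,
])

if __name__ == "__main__":
    # Same address, different install (different host key): the warning case.
    print(check_host_key(KNOWN_HOSTS, "192.168.0.2", "ssh-rsa", KEY_PCLOS))
```

The 'changed' result is the one to treat seriously: it is the right answer when you booted a different install on the same address, and the wrong one to wave through otherwise. `ssh-keygen -F host` shows which entry matched and `ssh-keygen -R host` removes a stale one once you have confirmed why the key differs.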

David W. Hodgins, Aug 20, 2008, 6:54:46 PM
On Wed, 20 Aug 2008 13:31:27 -0400, Maurice Batey <mau...@removethis.bcs.org.uk> wrote:

> Oh, you think there was some glitch that caused the change.
> How does one home in on a possible cause, I wonder...

Currently, the desktop and notebook computers are getting the ip address from
the router, using dhcp.

If both computers are off when the dhcp leases expire, then the ip address
given to each computer, will depend on the order they are turned on.

> I'm confused by this. Here is what my ISP's email said when
> setting up ADSL:
> "Your static IP address is: 78.xx.139.xx"
> Is that 'static' different from in your "make the connection
> static".

Yes, they are different.

The router gets the ip address that the isp will use to send data to it, from
the isp via dhcp, or, as in your case, it is statically assigned. That ip
address is used to get traffic from the net, to your router. It is not normally
used on the lan side of the router.

> How does my static IP address (78.xx.139.xx) relate to the
> inet address "192.168.0.xx" ?

The router has two ip addresses. The 78.xx.139.xx is used by your isp, to route
traffic from the net, to your router. The 192.168.0.1 (typically) is used by
computers on your lan, to send packets directly to the router. Note that sending
a packet directly to the router, is not the same as sending a packet through the
router, to your isp.

> Is 'nic' the same as 'inet address'? If not, what is it?

Network Interface Card. This can be a card you plug into a pci/usb/isa/pcmcia slot,
or built into the motherboard. Each computer may have multiple nics.

In your case, the laptop has one nic (that you're using), the wireless adapter,
and the desktop has one nic, the ethernet card or chipset. Each nic has a MAC
address (also called hardware address), that is supposed to be unique, and
identifies that particular network interface.

> Are you saying that the 'inet address' is obtained from my ISP?
> If not, where does it come from?

The address of the router, was given to you by your isp, via email. In the
router configuration, you've set that ip address, which is only used on the
internet side of the router.

Take a look at your router's configuration screen. Most routers will require you
to use a web browser, on a computer connected to it directly via an ethernet cable.
In the browser, you go to http://192.168.0.1 (address will vary, depending on the
make and/or model of the router).

In the router configuration, you have a choice. Use dhcp to assign the addresses
to the computers, that you connect to it, or statically assign the addresses by
entering the MAC addresses of the NICs, in a table, specifying which ip address
should be associated with which MAC. You can use a mixture, where some computers
have an ip address and MAC in the routers static table, and the rest get dhcp
assigned addresses.

The computer's setup for its NIC has to match with what you've setup, in the
router. Either dhcp, or static.

At present, both your notebook, and the desktop have dhcp assigned addresses.

I would change both to static, although in this case, just changing the desktop
would probably accomplish what you want.

To change the notebook and desktop to static, do the following ...

Run ifconfig on both computers, and take note of the HWaddr (that's the MAC),
of each.

In the router configuration, find the table of MAC/IP addresses, for static
assignment. Pick an ip 192.168.?.? for each, enter the mac addresses, and save the
configuration.

In each of the computers, use mcc to remove the existing network connection,
and readd it, using static, and the ip 192.168.?.? matching the setting in
the router. Ensure the hosts file on both, match with the router settings.

Hope this helps to clarify things.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Maurice Batey, Aug 21, 2008, 12:04:51 PM
On Wed, 20 Aug 2008 15:27:35 +0000, Bit Twister wrote:

> fix the problem preventing the handshake between dhcp server and your
> system.

Mystery solved. The reason the inet address had changed from
its usual 192.168.0.2 was because - on those days - I had booted
the *laptop* first, which was therefore allocated the first free
address above the router's 192.168.0.1, i.e. 192.168.0.2 as IP
address, so that when the desktop was booted the next IP in
sequence (192.168.0.3) was allocated!

So all I have to do to prevent any more such fluctuation is to
ensure the desktop is first to boot.

Maurice Batey, Aug 21, 2008, 12:11:30 PM
On Wed, 20 Aug 2008 21:47:37 +0000, I wrote:

> I am going to experiment with a 'static' nic setup, using an
> installation of PCLinuxOS I happen to have on an external drive.

Looked into that, and found that another set of similar fields
would have to be changed in the router (Netgear DG834G), and as
I'm not 100% sure of the changes I have shelved the idea for
the time being, not wanting to change a setup that has
performed flawlessly for over a year - yet.

Bit Twister, Aug 21, 2008, 12:20:59 PM
On Thu, 21 Aug 2008 16:11:30 +0000 (UTC), Maurice Batey wrote:

> Looked into that, and found that another set of similar fields
> would have to be changed in the router (Netgear DG834G), and as
> I'm not 100% sure of the changes I have shelved the idea for
> the time being, not wanting to change a setup that has
> performed flawlessly for over a year - yet.

I have no experience with Netgear DG834G but I would assume
you should NOT have to change anything in the router.

Maurice Batey, Aug 21, 2008, 12:33:23 PM
On Wed, 20 Aug 2008 18:54:46 -0400, David W. Hodgins wrote:

> At present, both your notebook, and the desktop have dhcp assigned
> addresses.
>
> I would change both to static, although in this case, just changing the
> desktop would probably accomplish what you want.

I had assumed that as a laptop is sometimes away from base,
it should not have a static IP address in case it clashes
with another server's static IP address.



> In the router configuration, find the table of MAC/IP
> addresses, for static assignment.

I can find the MAC's for the desktop and laptop, and under
- "LAN IP Setup" - an empty table headed "Address Reservation"
with column headers:

IP address Device name MAC address

which is presumably what you refer to.



> Hope this helps to clarify things.

Absolutely - many thanks! I shall save this posting as part
of my 'IP' notes for use when I can face the changes (which may
now be sooner than I thought).

Bill Mullen, Aug 21, 2008, 1:24:59 PM
On Thu, 21 Aug 2008 16:33:23 +0000 (UTC),
Maurice Batey wrote:

> On Wed, 20 Aug 2008 18:54:46 -0400, David W. Hodgins wrote:
>
> > At present, both your notebook, and the desktop have dhcp assigned
> > addresses.
> >
> > I would change both to static, although in this case, just changing
> > the desktop would probably accomplish what you want.
>
> I had assumed that as a laptop is sometimes away from base,
> it should not have a static IP address in case it clashes
> with another server's static IP address.

Which is why having the router always assign the same addresses via DHCP
is always preferable, in those cases when it's possible - it allows you
to leave any or all systems set to use DHCP if you wish, yet completely
solves the problem of shifting IP addresses.

> > In the router configuration, find the table of MAC/IP
> > addresses, for static assignment.
>
> I can find the MAC's for the desktop and laptop, and under
> - "LAN IP Setup" - an empty table headed "Address Reservation"
> with column headers:
>
> IP address Device name MAC address
>
> which is presumably what you refer to.

Bingo. That's exactly what you want to see. Enter the hostnames, MAC
addresses, and chosen static IP addresses for your systems there, and
you'll never have to worry about this sort of problem again, no matter
in what order you power up your systems.

If it were me, I'd still configure the desktop to use a manual static IP
address and to not use DHCP, while setting up both systems in the router
to be able to get their correct address via DHCP on that screen. This
way, even if the router settings are lost for some reason (prolonged
power outage, whatever), at least you can be sure that the desktop will
*always* boot up with the right IP address, regardless.

Maurice Batey, Aug 21, 2008, 1:35:05 PM
On Thu, 21 Aug 2008 13:24:59 -0400, Bill Mullen wrote:

> Enter the hostnames, MAC
> addresses, and chosen static IP addresses for your systems there

What 'hostname' is that?

(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)

Do you mean if I set the router up with that table that there is
no functional need to change the DHCP setup in MCC?

David W. Hodgins, Aug 21, 2008, 1:52:40 PM
On Thu, 21 Aug 2008 13:35:05 -0400, Maurice Batey <mau...@removethis.bcs.org.uk> wrote:

> (When I asked the router to show me the 'Add' template, it
> automatically showed the MAC and IP address of the desktop, but
> for 'Device name' it shows 'Unknown'. What should go there?)

Whatever you want. The name in the router setup, is only to help you remember
which machine is which. It isn't used in any traffic routing. You could
enter "Desktop", or "Main", or even leave it blank.

> Do you mean if I set the router up with that table that there is
> no functional need to change the DHCP setup in MCC?

Here, I'm not quite sure. I would expect the ip address would have to be outside
of the range that the router has reserved for dhcp addresses. MCC would then
have to have the address changed to a static address.

If the router will allow you to specify an address inside the range used for dhcp,
I'm not sure if the computer will still be able to use dhcp, or if it will have
to be configured as static. Shouldn't hurt to go ahead and try it. If it doesn't
work with dhcp, just change it to static.

Another thing you may want to look at. If you decide to stay with dhcp, you could
increase the dhcp lease expires timeout. It's probably set at around 24 hours right
now. You could increase this to a week, or more, then you'd only have to worry about
the order the computers are turned on, that often.

Wes Newell

Aug 21, 2008, 1:56:18 PM
On Thu, 21 Aug 2008 16:11:30 +0000, Maurice Batey wrote:

> On Wed, 20 Aug 2008 21:47:37 +0000, I wrote:
>
>> I am going to experiment with a 'static' nic setup, using an
>> installation of PCLinuxOS I happen to have on an external drive.
>
> Looked into that, and found that another set of similar fields
> would have to be changed in the router (Netgear DG834G), and as I'm not
> 100% sure of the changes I have shelved the idea for the time being, not
> wanting to change a setup that has performed flawlessly for over a year
> - yet.

Why don't you just avoid this crap all together and assign a static IP
address to the desktop machine, or both for that matter. Then it won't
matter which is booted first, last, or in between a hundred other machines.
It will always have the same IP address. Check your router to see what it
allows for dhcp and change it to a small block like 192.168.0.200-250 and
leave the other addresses for static ip's.

--
Want the ultimate in free OTA SD/HDTV Recorder? http://mythtv.org
My Tivo Experience http://wesnewell.no-ip.com/tivo.htm
Tivo HD/S3 compared http://wesnewell.no-ip.com/mythtivo.htm
AMD cpu help http://wesnewell.no-ip.com/cpu.php

David W. Hodgins

Aug 21, 2008, 2:00:31 PM
On Thu, 21 Aug 2008 13:24:59 -0400, Bill Mullen <mo...@lunarhub.com> wrote:

> If it were me, I'd still configure the desktop to use a manual static IP
> address and to not use DHCP, while setting up both systems in the router
> to be able to get their correct address via DHCP on that screen. This
> way, even if the router settings are lost for some reason (prolonged
> power outage, whatever), at least you can be sure that the desktop will
> *always* boot up with the right IP address, regardless.

Now I'm getting confused! :)

As I understand it, the router will have some addresses reserved for dhcp,
and may have some static addresses reserved for specific MACs.

On the computer, if the router has its MAC address in the static table, then
the NIC should be configured as static, with the same ip address.

On the computer, if the router does not have the MAC address, then the NIC
should be configured to use DHCP.

Can the computer be configured to use DHCP, and have the MAC address specified
as static in the router?

Maurice Batey

Aug 21, 2008, 2:08:57 PM
On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:

> I would expect the ip address would have to be outside of the range that
> the router has reserved for dhcp addresses.

Under "Use router as DHCP server" it shows:

Start IP address: 192.168.0.2
End IP address: 192.168.0.254
> If the router will allow you to specify an address inside the
> range used for dhcp, I'm not sure if the computer will still
> be able to use dhcp, or if it will have to be configured, as
> static. Shouldn't hurt to go ahead and try it.

--

Bit Twister

Aug 21, 2008, 2:13:03 PM
On Thu, 21 Aug 2008 14:00:31 -0400, David W. Hodgins wrote:
>
> Now I'm getting confused! :)
>
> As I understand it, the router will have some addresses reserved for dhcp,
> and may have some static addresses reserved for specific MACs.
>
> On the computer, if the router has its MAC address in the static table, then
> the NIC should be configured as static, with the same ip address.
>
> On the computer, if the router does not have the MAC address, then the NIC
> should be configured to use DHCP.
>
> Can the computer be configured to use DHCP, and have the MAC address specified
> as static in the router?

Heheheh, you configure the computer to use DHCP. It always gets the
lease from the router. You tell the router that for a given MAC id, send
a given ip address. The computer does not care.

In Maurice's case he seems to always ssh from laptop to desktop.

He can set desktop's nic as static 192.168.0.100 or dhcp and
tell the router to send 192.168.0.2 when it sees desktop's mac.

With just static 192.168.0.100, a factory reset on the router will not
affect desktop. With 192.168.0.2 assigned by MAC, a factory reset will
lose the setting and assign the next ip to desktop.

Maurice Batey

Aug 21, 2008, 2:13:00 PM
On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:

> you could increase the dhcp lease expires timeout. It's
> probably set at around 24 hours right now.

Where the devil is that to be found?!

Bit Twister

Aug 21, 2008, 2:19:45 PM
On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:

I sure do wish you would tell Opera to automagically line wrap at
something less than or equal to 72 characters.
That would leave at least a little more room for reply depth indicators.

> On Thu, 21 Aug 2008 13:35:05 -0400, Maurice Batey <mau...@removethis.bcs.org.uk> wrote:
>
>> (When I asked the router to show me the 'Add' template, it
>> automatically showed the MAC and IP address of the desktop, but
>> for 'Device name' it shows 'Unknown'. What should go there?)
>
> Whatever you want. The name in the router setup, is only to help you remember
> which machine is which. It isn't used in any traffic routing. You could
> enter "Desktop", or "Main", or even leave it blank.

A little caution note there.
If Maurice does not want the desktop's node name to become Main, he
may want to remember to set Need Hostname = no during nic configuration.

Bill Mullen

Aug 21, 2008, 2:23:47 PM
On Thu, 21 Aug 2008 17:35:05 +0000 (UTC),
Maurice Batey wrote:

> On Thu, 21 Aug 2008 13:24:59 -0400, Bill Mullen wrote:
>
> > Enter the hostnames, MAC
> > addresses, and chosen static IP addresses for your systems there
>
> What 'hostname' is that?
>
> (When I asked the router to show me the 'Add' template, it
> automatically showed the MAC and IP address of the desktop, but
> for 'Device name' it shows 'Unknown'. What should go there?)

Were it me, I'd put the same name there that you have configured each
system to use as its hostname. IME, some routers that provide DNS to
the LAN will use this setting to let you resolve names properly that do
not appear in /etc/hosts on the local machine, and other routers will
ignore the name used here entirely. Which is the case for yours won't
really matter, since you're going to make sure that all local systems'
hosts files are the same anyway. All it would affect is whether or not
any other system that is temporarily connected can still resolve local
names to local IP addresses, using only the DNS provided by the router.

> Do you mean if I set the router up with that table that there is
> no functional need to change the DHCP setup in MCC?

That is exactly what I mean. However, as I stated before, I'd change the
desktop's config to not use DHCP, although I'd also set up that table
on the router to have an entry for the desktop, so that if it did use
DHCP for some reason, it would still get the correct IP address.

Remember, when choosing addresses to use in this table, select ones that
fall outside the range that the router uses for the ones that *it* picks
(the ones that aren't pre-assigned this way). IOW, if the router's
usual range for handing out DHCP addresses is x.x.x.100 - x.x.x.200,
select ones that are x.x.x.y (where 1 < y < 100, or 200 < y < 255).

Bit Twister

Aug 21, 2008, 2:27:58 PM
On Thu, 21 Aug 2008 18:08:57 +0000 (UTC), Maurice Batey wrote:
> On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:
>
>> I would expect the ip address would have to be outside of the range that
>> the router has reserved for dhcp addresses.
>
> Under "Use router as DHCP server" it shows:
>
> Start IP address: 192.168.0.2
> End IP address: 192.168.0.254

Except for .0, it looks about like mine.

I just use .100+ ips on my machines. If you wanted to do it right, you
would change End IP address: to 192.168.0.99 and the router's DHCP
server would not hand out leases greater than .99

In my case I did not change anything in the router.
If the router has assigned more than 99 leases, it could assign .100
to the next computer and I would have two systems on the network with
.100 and start having problems.

Bill Mullen

Aug 21, 2008, 2:29:28 PM
On Thu, 21 Aug 2008 18:08:57 +0000 (UTC),
Maurice Batey wrote:

> On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:
>
> > I would expect the ip address would have to be outside of the range
> > that the router has reserved for dhcp addresses.
>
> Under "Use router as DHCP server" it shows:
>
> Start IP address: 192.168.0.2
> End IP address: 192.168.0.254

Assuming that you can change those settings, make it pick from a smaller
range; for example, set the first one to 192.168.0.100. If you can't
change it, then don't worry about it, since presumably having a static
address set (in the other router screen) would ensure that it will never
give that same address out to another system dynamically.

Bit Twister

Aug 21, 2008, 2:30:41 PM
On Thu, 21 Aug 2008 18:13:00 +0000 (UTC), Maurice Batey wrote:
> On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:
>
>> you could increase the dhcp lease expires timeout. It's
>> probably set at around 24 hours right now.
>
> Where the devil is that to be found?!

You would think it would be in the router's User Manual. :)

I know I had to get the manual from the Vendor's site to see where
I could change what for what reason in my router.

Bill Mullen

Aug 21, 2008, 2:32:02 PM

Another good reason to ensure that the name used in the router setup
matches the system's own hostname - to avoid that sort of problem.

Bit Twister

Aug 21, 2008, 2:39:36 PM

Having had two router downloads pushed into my router from my ISP,
the ISP changing my DNS settings in my router, and one router replacement,
I find my connection maintenance has gone away since I set the
computer connections as static. :-D


Maurice Batey

Aug 21, 2008, 2:50:22 PM
On Thu, 21 Aug 2008 18:30:41 +0000, Bit Twister wrote:

> You would think it would be in the router's User Manual.

I did a preliminary check in the router info but could see no
mention of it.

Will have another, closer, perusal tomorrow...

Bill Mullen

Aug 21, 2008, 4:04:04 PM
On Thu, 21 Aug 2008 14:00:31 -0400,
David W. Hodgins wrote:

> On Thu, 21 Aug 2008 13:24:59 -0400, Bill Mullen wrote:
>
> > If it were me, I'd still configure the desktop to use a manual
> > static IP address and to not use DHCP, while setting up both
> > systems in the router to be able to get their correct address via
> > DHCP on that screen. This way, even if the router settings are lost
> > for some reason (prolonged power outage, whatever), at least you
> > can be sure that the desktop will *always* boot up with the right
> > IP address, regardless.
>
> Now I'm getting confused! :)
>
> As I understand it, the router will have some addresses reserved for
> dhcp, and may have some static addresses reserved for specific MACs.
>
> On the computer, if the router has its MAC address in the static
> table, then the NIC should be configured as static, with the same ip
> address.

This is not strictly necessary. If the NIC uses DHCP, and the router
has a static IP address assigned to said NIC based on its MAC address,
then that same IP address is the one that the router should give it,
whether or not the address is in the router's usual DHCP address range.
If not, then the router is more brain-dead than any I've yet used (that
are capable of MAC-based IP address assignment at all).

That being said, it makes the most sense to me to set it up as static in
both places for any systems that are staying put 24/7. And I'll be the
first to admit that there are an awful lot of routers out there that I
haven't encountered, and given that they're low-profit-margin devices
to begin with, there's every reason for me to expect that quite a few of
them are bound to be precisely that brain-dead. ;)

> On the computer, if the router does not have the MAC address, then
> the NIC should be configured to use DHCP.

No, the NIC can always be configured for a static address with no regard
whatsoever to how the router is set up; the only real concern is that
when one sets up static IP addresses about which the router is unaware,
said addresses should not fall within the range used by the router's
pool of DHCP addresses, so that there's no potential for conflicts.

> Can the computer be configured to use DHCP, and have the MAC address
> specified as static in the router?

It should be able to be, IME, if the router is capable of static IP
address reservation at all. I find that especially handy for giving
devices like networked printers predictable IP addys when I don't want
to bother with figuring out how to get them to not use DHCP. You just
want to bear in mind that router settings can go missing for any number
of reasons, which is why I feel that setting up each non-mobile system
with a (matching) static IP address within that system's own NIC config
is always worthwhile, IMHO. Likewise for laptops that use wireless - the
wireless settings are LAN-specific, so setting them up as static IP for
when you're home has no effect on which method is used when elsewhere;
it's only their wired NICs that are more convenient to leave as DHCP.
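The addressing rules spelled out in Bill Mullen's and Bit Twister's posts above (keep reservations and hand-set static addresses outside the router's dynamic pool, make a host's own static address agree with its reservation so a router reset cannot silently move it, and never let two hosts end up on one address) can be checked mechanically before touching the router. The script below is an added example, not code from anyone in this thread; the DHCP pool, the "Address Reservation" table and the per-host NIC settings are constructed sample data, and every MAC and IP in it is made up.

```python
"""
Audit a home-LAN addressing plan for the conflicts discussed in the thread:
  (a) a reservation that lies inside the router's dynamic pool (works on most
      routers, but if the reservation is lost the pool may hand that address
      to another client),
  (b) a host set static inside the pool with no reservation for its MAC
      (the router does not know the address is taken),
  (c) a host whose static address differs from its reservation
      (belt and suspenders only help if both say the same thing),
  (d) two hosts sharing one address.
All input below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the router's dynamic DHCP pool, inclusive on both ends.
DHCP_POOL = ("192.168.0.100", "192.168.0.200")

# Constructed sample: the router's "Address Reservation" table, MAC -> IP.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.0.2",    # desktop, outside the pool: fine
    "66:77:88:99:aa:bb": "192.168.0.150",  # printer, inside the pool: warn
}

# Constructed sample: what each host's own NIC configuration says.
# mode is "static" or "dhcp"; ip is None for a DHCP client.
HOSTS = {
    "desktop": {"mac": "00:11:22:33:44:55", "mode": "static", "ip": "192.168.0.2"},
    "printer": {"mac": "66:77:88:99:aa:bb", "mode": "dhcp", "ip": None},
    "nas":     {"mac": "cc:dd:ee:ff:00:11", "mode": "static", "ip": "192.168.0.120"},
    "laptop":  {"mac": "22:33:44:55:66:77", "mode": "static", "ip": "192.168.0.2"},
}


def in_pool(ip, pool):
    """True if ip lies within the inclusive dynamic DHCP range."""
    addr = ipaddress.ip_address(ip)
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    return lo <= addr <= hi


def audit(pool, reservations, hosts):
    """Return a list of (severity, subject, message) findings for the plan."""
    findings = []

    # (a) reservations inside the dynamic pool
    for mac, ip in reservations.items():
        if in_pool(ip, pool):
            findings.append(("warn", mac,
                             f"reservation {ip} lies inside pool {pool[0]}-{pool[1]}"))

    # Collect who will actually sit on which address.
    by_ip = defaultdict(list)
    for name, h in hosts.items():
        reserved = reservations.get(h["mac"])
        if h["mode"] == "static":
            by_ip[h["ip"]].append(name)
            # (b) static inside the pool and the router has no idea
            if in_pool(h["ip"], pool) and reserved != h["ip"]:
                findings.append(("error", name,
                                 f"static {h['ip']} inside pool and not reserved for its MAC"))
            # (c) host and router disagree
            if reserved and reserved != h["ip"]:
                findings.append(("error", name,
                                 f"static {h['ip']} differs from reservation {reserved}"))
        else:
            if reserved is None:
                findings.append(("info", name,
                                 "DHCP client with no reservation: address may change"))
            else:
                by_ip[reserved].append(name)

    # (d) duplicate addresses
    for ip, names in by_ip.items():
        if len(names) > 1:
            findings.append(("error", ",".join(sorted(names)),
                             f"address {ip} used by more than one host"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit(DHCP_POOL, RESERVATIONS, HOSTS):
        print(f"{severity:5} {subject:20} {message}")
```

With the sample data the audit reports the printer's in-pool reservation, the nas sitting statically inside the pool with no reservation, and the desktop and laptop both claiming 192.168.0.2; a plan where every static host is reserved outside the pool produces no findings. Swap the constants for your own router's pool and reservation screen to check a real plan.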

Bit Twister

Aug 21, 2008, 4:47:33 PM
On Thu, 21 Aug 2008 16:04:04 -0400, Bill Mullen wrote:

> That being said, it makes the most sense to me to set it up as static in
> both places for any systems that are staying put 24/7. And I'll be the
> first to admit that there are an awful lot of routers out there that I
> haven't encountered, and given that they're low-profit-margin devices
> to begin with, there's every reason for me to expect that quite a few of
> them are bound to be precisely that brain-dead. ;)

Not to mention crackable from a malware infested web page you might
browse. :-(
http://www.haveyougotwoods.com/archive/2008/01/15/common-home-router-exploit-upnp-enabled-routers-only.aspx
http://www.darkreading.com/document.asp?doc_id=156741

Jim Beard

Aug 21, 2008, 7:40:26 PM
Maurice Batey wrote:
> I had assumed that as a laptop is sometimes away from base,
> it should not have a static IP address in case it clashes
> with another server's static IP address.
>
>> In the router configuration, find the table of MAC/IP
>> addresses, for static assignment.
>
> I can find the MAC's for the desktop and laptop, and under
> - "LAN IP Setup" - an empty table headed "Address Reservation"
> with column headers:
>
> IP address Device name MAC address
>
> which is presumably what you refer to.
>
>> Hope this helps to clarify things.

I have used a couple of D-Link routers and one Actiontec.
Using them, I would set the MAC for a machine to a static
ip (192.168.0.3 or whatever) in the router, and let the
machine simply request dhcp.

When the router got the request, it would look at the
MAC and assign the specified static ip. Setting the
machine to the specified static IP would not have hurt
(in a fixed environment), but it was not needed. I
think you can handle your laptop the same way.

Cheers!

jim b.

--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.

Jim Beard

Aug 21, 2008, 7:45:18 PM

This requires that the static ip for a machine be set
in the router and in the machine's software.

For home-use routers (I suspect commercial network
routers should work differently), you can assign an
ip from the router's dhcp range to a mac, and then
let the machine with that mac simply request dhcp
service. It will be assigned the specified static ip.

Jim Beard

Aug 21, 2008, 7:55:04 PM
David W. Hodgins wrote:
> Can the computer be configured to use DHCP, and have the MAC address specified
> as static in the router?
>
> Regards, Dave Hodgins

Using the routers handed out by Verizon for ADSL, FIOS Internet, and
FIOS Internet + FIOS TV, the answer has been yes.

I specify the mac address and corresponding ip in the router as
static, and set the machine software to dhcp, and the static address
is provided whenever the machine needs it.

One problem with the Actiontec router (internet+tv), has been that
the router seems to forget that a mac/ip pair has been specified as
static. I think that has been due to the firmware on the router
being updated, or the router reset from the Verizon server. In such
cases, having the static IP set both in the router and on the machine
provides the effect of wearing a belt plus suspenders.

For my wife's laptop, her connection to the local AP network is
static IP, but she has the option of connecting to any net her
machine can find in the area. That requires having two networks
configured for wireless, but it works.
