
Can't ssh into my box


Warren Post

May 16, 2012, 10:50:16 PM
I'm trying to set up sshd on my box. I can ssh into localhost, and I can
ping my IP address. But even after taking down my firewall for testing
purposes, attempting to ssh into my IP address times out:

[warren@verdi ~]$ ssh warren@localhost
warren@localhost's password:

[warren@verdi ~]$ ping -c 2 190.92.46.142
PING 190.92.46.142 (190.92.46.142) 56(84) bytes of data.
64 bytes from 190.92.46.142: icmp_seq=1 ttl=62 time=10.5 ms
64 bytes from 190.92.46.142: icmp_seq=2 ttl=62 time=11.0 ms

--- 190.92.46.142 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 10.526/10.801/11.077/0.294 ms
[warren@verdi ~]$ ssh -v -v -v war...@190.92.46.142
OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 190.92.46.142 [190.92.46.142] port 22.
debug1: connect to address 190.92.46.142 port 22: Connection timed out
ssh: connect to host 190.92.46.142 port 22: Connection timed out

Oddly, nmap tells me that port 22 (the standard port of ssh, and what I'm
using) is open when looking at localhost but filtered when looking at my
IP address:

[warren@verdi ~]$ nmap -p 22 -PN localhost

Starting Nmap 5.21 ( http://nmap.org ) at 2012-05-16 20:45 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00020s latency).
rDNS record for 127.0.0.1: verdi.home.invalid
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
[warren@verdi ~]$ nmap -p 22 -PN 190.92.46.142

Starting Nmap 5.21 ( http://nmap.org ) at 2012-05-16 20:45 CST
Nmap scan report for 190-92-46-142.reverse.cablecolor.hn (190.92.46.142)
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds

Any thoughts on what I should be looking at next to solve this?
--
Warren Post
http://my.opera.com/wpost/

John_Danielson

May 16, 2012, 11:07:18 PM
On 5/16/2012 10:50 PM, Warren Post wrote:
> I'm trying to set up sshd on my box. I can ssh into localhost, and I can
> ping my IP address. But even after taking down my firewall for testing
> purposes, attempting to ssh into my IP address times out:
>

> --- 190.92.46.142 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 10.526/10.801/11.077/0.294 ms
> [warren@verdi ~]$ ssh -v -v -v war...@190.92.46.142
> OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 190.92.46.142 [190.92.46.142] port 22.
> debug1: connect to address 190.92.46.142 port 22: Connection timed out
> ssh: connect to host 190.92.46.142 port 22: Connection timed out
>

> Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
> [warren@verdi ~]$ nmap -p 22 -PN 190.92.46.142
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2012-05-16 20:45 CST
> Nmap scan report for 190-92-46-142.reverse.cablecolor.hn (190.92.46.142)
> Host is up.
> PORT STATE SERVICE
> 22/tcp filtered ssh
>

> Any thoughts on what I should be looking at next to solve this?

ssh_connect: needpriv 0
might need to be
ssh_connect: needpriv 1
as needpriv 1 is required to get a login prompt and Linux does not like
anonymous ssh, IIRC.

Next, is there a router between your computer and the one you are trying
to ssh to??? If so, could it be blocking the ssh connect??? This has
been known to happen also.

filtered I do not know the significance of for certain, sorry, but it
has some significance that might be relevant also. Might relate to login
need.

John.

Warren Post

May 16, 2012, 11:24:27 PM
When I ssh into localhost with the verbosity turned up sufficiently high I
see "needpriv 0", but I am able to connect without a problem:

[warren@verdi ~]$ ssh -v -v warren@localhost
OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
[big snip]
warren@localhost's password:

So I suspect this isn't the problem.

> Next, is there a router between your computer and the one you are trying
> to ssh to???

I forgot to mention that there is no router. My box is plugged directly
into the ISP's cable modem.

> filtered I do not know the significance of for certain

I had to look that up in man nmap:

The state is either open, filtered, closed, or unfiltered. Open means that
an application on the target machine is listening for connections/packets
on that port. Filtered means that a firewall, filter, or other network
obstacle is blocking the port so that Nmap cannot tell whether it is open
or closed.

So something is blocking packets to port 22. But not always; only when I
need it.
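The nmap states quoted above map directly onto what a plain TCP connect() does, and you can reproduce the thread's "open on localhost, filtered on the public address" comparison without nmap. The following is an added example, not something posted in the thread: it classifies a connect attempt as open (handshake completes), closed (immediate refusal), or filtered (no answer before the timeout), and `diagnose()` probes loopback and the external address side by side and states what the pair means. The verdict strings and the `demo_loopback()` helper are this example's own, not from any tool the thread mentions.

```python
import errno
import socket

# Added example (not from the thread): map what a plain TCP connect() does
# onto the three nmap states the man page excerpt describes.
#   handshake completes           -> "open"     (something is listening)
#   immediate ECONNREFUSED (RST)  -> "closed"   (host reached, nothing listening)
#   no answer before the timeout  -> "filtered" (a firewall, modem or ISP is
#                                                dropping the packets)

def classify_connect_error(exc):
    """Translate the outcome of connect() (None on success) into an nmap-style state."""
    if exc is None:
        return "open"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    if isinstance(exc, ConnectionRefusedError) or getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return "closed"
    # Host/network unreachable and similar errors are also path problems, not
    # service problems; report them as filtered so the reader looks at the
    # network rather than at sshd.
    return "filtered"


def probe_port(host, port, timeout=3.0):
    """One TCP connect attempt; returns (state, error text or '')."""
    exc = None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as e:          # socket.timeout is an OSError subclass
            exc = e
    return classify_connect_error(exc), ("" if exc is None else str(exc))


def verdict(loopback_state, external_state):
    """Interpret the pair of probes the way the thread does."""
    if loopback_state == "open" and external_state == "open":
        return "service reachable both ways"
    if loopback_state == "open" and external_state == "filtered":
        return ("sshd is listening; packets to the external address are being "
                "dropped (host firewall, modem, or ISP)")
    if loopback_state == "open" and external_state == "closed":
        return ("sshd may be bound to loopback only (check ListenAddress in "
                "sshd_config) or a device in the path is resetting the connection")
    if loopback_state != "open":
        return "nothing answers on loopback; check that sshd is running before looking at the network"
    return "unexpected combination: %s/%s" % (loopback_state, external_state)


def diagnose(external_ip, port=22, timeout=3.0):
    """Probe loopback and the external address and return both states plus a verdict."""
    local_state, _ = probe_port("127.0.0.1", port, timeout)
    remote_state, detail = probe_port(external_ip, port, timeout)
    return {"loopback": local_state, "external": remote_state,
            "detail": detail, "verdict": verdict(local_state, remote_state)}


def demo_loopback():
    """Show 'open' vs 'closed' on a throwaway loopback listener (no network needed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening, _ = probe_port("127.0.0.1", port, 2.0)
    srv.close()
    after_close, _ = probe_port("127.0.0.1", port, 2.0)
    return while_listening, after_close        # ("open", "closed")


if __name__ == "__main__":
    print(demo_loopback())
    # Against the address from the thread this would take the timeout path:
    # print(diagnose("190.92.46.142"))
```

A "filtered" result from the external address with "open" on loopback is exactly the pattern in the original post; it tells you the listener is fine and the next thing to inspect is whatever sits between the client and that address, which in this thread turned out to be the ISP rather than the host firewall.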

John_Danielson

May 17, 2012, 12:05:09 AM
On 5/16/2012 11:24 PM, Warren Post wrote:
> On Wed, 16 May 2012 21:07:18 -0600, John_Danielson
> <jdii...@invalidjohndanielsonii.name> wrote:
>
>> On 5/16/2012 10:50 PM, Warren Post wrote:
>>> I'm trying to set up sshd on my box. I can ssh into localhost, and I can
>>> ping my IP address. But even after taking down my firewall for testing
>>> purposes, attempting to ssh into my IP address times out:
>>>
>>

> When I ssh into localhost with the verbosity turned up sufficiently high
> I see "needpriv 0", but I am able to connect without a problem:
>
> [warren@verdi ~]$ ssh -v -v warren@localhost
> OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to localhost [127.0.0.1] port 22.
> debug1: Connection established.
> [big snip]
> warren@localhost's password:

127.0.0.1 is your network card, and localhost is default for a linux
installed machine. I suspect you are looping back onto verdi by calling
127.0.0.1. Verdi looks to be set up right, except that it is accepting
SSH on loopback without login.
>
> So I suspect this isn't the problem.
>
>> Next, is there a router between your computer and the one you are
>> trying to ssh to???
>

> I forgot to mention that there is no router. My box is plugged directly
> into the ISP's cable modem.

The last ISP (Comcast) supplied modem I got did not allow ssh -- it did
not know how to forward it or blocked it, and did all sorts of things
modems are NOT supposed to do. They gave you a different modem if you
wanted to pay for a fixed IP, that was a modem/router (single port
router). I got a Cisco router and my own Motorola modem (which is a
Comcast-approved model, and is a router/modem combo which will allow a
router to be hooked to it), and the Cisco ROUTER insisted on a fixed IP,
but it was a model they approved highly of on their website. So, I got a
fixed IP. I do not have a server here.
>
> So something is blocking packets to port 22. But not always; only when I
> need it.
>
I would look at your network setup in detail on Verdi and echo it
(except for computer name and IP address) on your other computer.

Bit Twister

May 17, 2012, 2:13:46 AM
On Wed, 16 May 2012 20:50:16 -0600, Warren Post wrote:
> I'm trying to set up sshd on my box. I can ssh into localhost, and I can
> ping my IP address. But even after taking down my firewall for testing
> purposes, attempting to ssh into my IP address times out:

I had to get into my fios router and forward port 22 if I wanted to
get access to my system via the WAN.

Warren Post

May 17, 2012, 1:06:43 PM
On Wed, 16 May 2012 20:50:16 -0600, Warren Post <inv...@invalid.invalid>
wrote:
Some followup information:

The box in question is mdv2010.2. There is no router; it is directly
connected to the ISP's cable modem.

On the web one user reported best results, when sshing into one's own box
for testing purposes, to ssh into a different account than what you are
using. I tried that (see below); no change.

Also on the web another user reported that he couldn't ssh into his own
box, but could ssh into his box from outside his local network:

http://forum.mandriva.com/en/viewtopic.php?f=87&t=132593&hilit=ssh+times+out#wrapper

So (as user warren) I ssh'ed into a remote box on the net and used it to
try to ssh back into my box (but into a different account, not warren).
Again, it timed out:

%ssh -v da...@190.92.46.142
OpenSSH_5.9p1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 190.92.46.142 [190.92.46.142] port 22.
debug1: connect to address 190.92.46.142 port 22: Connection timed out
ssh: connect to host 190.92.46.142 port 22: Connection timed out

So I'm just as stumped as ever.

sid

May 17, 2012, 2:42:36 PM
Warren Post wrote:

> So something is blocking packets to port 22. But not always; only when I
> need it.

iptables.

--
sid
RLU 300284
2010.2

Bit Twister

May 17, 2012, 2:55:47 PM
On Thu, 17 May 2012 11:06:43 -0600, Warren Post wrote:
>
> The box in question is mdv2010.2. There is no router; it is directly
> connected to the ISP's cable modem.

My ISP's cable modem is a router and I am connected via the ethernet port.



> On the web one user reported best results, when sshing into one's own box
> for testing purposes, to ssh into a different account than what you are
> using. I tried that (see below); no change.

No idea why that would make a difference.


> Also on the web another user reported that he couldn't ssh into his own
> box, but could ssh into his box from outside his local network:

I see no reason for that to make a difference except for firewall/wrapper rules.

Here you can see me attempting to connect to my account on my system
via my WAN ip address.

get_wan_ip.pl is a perl script to get my WAN ip address and I replaced
my ip address with my_ip.


$ ssh $USER@$(get_wan_ip.pl)
and you see my shorewall rules blocking the attempt from this snippet from /var/log/messages

May 17 13:30:08 wb kernel: [69333.568505] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=d4:85:64:0d:ef:a4:00:26:62:de:98:22:08:00 SRC=my_ip DST=192.168.1.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43726 DF PROTO=TCP SPT=1024 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0


After adding my WAN ip to shorewall/rules and doing a shorewall restart,
I get

$ ssh $USER@$(get_wan_ip.pl)
ssh_exchange_identification: Connection closed by remote host

snippet from /var/log/messages
May 17 13:37:02 wb sshd[26624]: refused connect from my_ip

Since I have TCP Wrappers installed, I added my WAN ip to /etc/hosts.allow. Now I get

$ ssh $USER@$(get_wan_ip.pl)
Warning: Permanently added 'my_ip' (RSA) to the list of known hosts.
Last login: Wed May 16 18:15:23 2012

which shows you I can log into my own account on my system using
the WAN ip address.
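Bit Twister's walk-through shows two separate layers that each log a blocked attempt in /var/log/messages: the packet filter (Shorewall's netfilter DROP line with the SRC/DST/DPT fields) and, once packets are allowed through, TCP Wrappers ("refused connect from"). As an added example that is not part of the thread, here is a small parser that pulls both kinds of line out of a log and counts blocked attempts per destination port. The sample log is constructed: it contains the two lines quoted above plus a second DROP from an RFC 5737 documentation address and an sshd "Accepted" line so the summary has something to ignore; the 203.0.113.9 source, the second timestamp and the Accepted line are this example's own.

```python
import re
from collections import Counter

# Constructed sample log: the two lines quoted in the post above, plus two
# lines made up for this example (a second DROP from a documentation
# address, and an sshd "Accepted" line the parser should ignore).
SAMPLE_LOG = """\
May 17 13:30:08 wb kernel: [69333.568505] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=d4:85:64:0d:ef:a4:00:26:62:de:98:22:08:00 SRC=my_ip DST=192.168.1.132 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43726 DF PROTO=TCP SPT=1024 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 17 13:31:40 wb kernel: [69425.112233] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=d4:85:64:0d:ef:a4:00:26:62:de:98:22:08:00 SRC=203.0.113.9 DST=192.168.1.132 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=55012 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
May 17 13:37:02 wb sshd[26624]: refused connect from my_ip
May 17 13:40:11 wb sshd[26700]: Accepted password for warren from my_ip port 51234 ssh2
"""

# netfilter/Shorewall line: "Shorewall:<chain>:<target>:" followed by key=value pairs
NETFILTER_RE = re.compile(
    r"kernel: \[[^\]]*\] Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)$")
# TCP Wrappers refusal as logged by sshd (hosts.allow / hosts.deny decision)
WRAPPER_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: refused connect from (?P<src>\S+)")
# key=value tokens inside the netfilter line; bare flags like DF and SYN have no '='
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return an event dict for a packet-filter verdict or a TCP Wrappers refusal, else None."""
    m = NETFILTER_RE.search(line)
    if m:
        kv = dict(KV_RE.findall(m.group("rest")))
        return {
            "layer": "netfilter", "chain": m.group("chain"), "action": m.group("action"),
            "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
            "dport": int(kv["DPT"]) if kv.get("DPT") else None,
            # a bare SYN flag means this was a fresh connection attempt, not a reply
            "syn": re.search(r"\bSYN\b", m.group("rest")) is not None,
        }
    m = WRAPPER_RE.search(line)
    if m:
        # TCP Wrappers only sees a connection after netfilter has let it through,
        # so this refusal is evidence the packet filter is no longer the blocker.
        return {"layer": "tcpwrappers", "chain": None, "action": "REFUSED",
                "src": m.group("src"), "dst": None, "proto": "TCP", "dport": 22, "syn": False}
    return None


def blocked_by_port(lines):
    """Count blocked inbound attempts per (layer, destination port)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] in ("DROP", "REJECT", "REFUSED"):
            counts[(ev["layer"], ev["dport"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(blocked_by_port(SAMPLE_LOG.splitlines()))
```

The ordering matters when you read your own logs the way the post does: a netfilter DROP means sshd never saw the packet at all, while a "refused connect" line can only appear after the packet filter has accepted the connection, so which of the two you see tells you which layer to fix next.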

Warren Post

May 17, 2012, 11:12:18 PM
On Wed, 16 May 2012 22:05:09 -0600, John_Danielson
<jdii...@invalidjohndanielsonii.name> wrote:

> 127.0.0.1 is your network card, and localhost is default for a linux
> installed machine. I suspect you are looping back onto verdi by calling
> 127.0.0.1. Verdi looks to be set up right, except that it is accepting
> SSH on loopback without login.

I have only one box, Verdi.

> The last ISP(Comcast) supplied modem I got did not allow ssh-- it did
> not know how to forward it or blocked it, and did all sorts of things
> modems are NOT supposed to do.

Ah, that's interesting. I'll search for information and reported problems
on my ISP-supplied modem, a Scientific-Atlanta WebSTAR DPC2100R2.

--
Warren Post · New Media Copán
http://my.opera.com/wpost/

Warren Post

May 17, 2012, 11:32:38 PM
On Thu, 17 May 2012 12:42:36 -0600, sid
<sids...@thecrap.blueyonder.co.uk> wrote:

> Warren Post wrote:
>
>> So something is blocking packets to port 22. But not always; only when I
>> need it.
>
> iptables.

That's what I thought. But even after "service shorewall clear", the
problem remains:

[root@verdi warren]# service shorewall clear
Clearing Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Running /sbin/iptables-restore...
Processing /etc/shorewall/stopped ...
Processing /etc/shorewall/clear ...
done.
[root@verdi warren]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@verdi warren]# su warren
[warren@verdi ~]$ ssh -v war...@190.92.46.196
OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 190.92.46.196 [190.92.46.196] port 22.
debug1: connect to address 190.92.46.196 port 22: Connection timed out
ssh: connect to host 190.92.46.196 port 22: Connection timed out

sid

May 18, 2012, 4:19:50 PM
Must be the modem then.

Wolfgang Schelongowski

May 18, 2012, 3:32:35 PM
"Warren Post" <inv...@invalid.invalid> writes:

>On Wed, 16 May 2012 21:07:18 -0600, John_Danielson
><jdii...@invalidjohndanielsonii.name> wrote:

>> Next, is there a router between your computer and the one you are trying
>> to ssh to???
>
>I forgot to mention that there is no router. My box is plugged directly
>into the ISP's cable modem.

Yes, you know that. But does your computer? IOW what does
route -n
tell you about which way packets to 190.92.46.142 take?

You may also want to acquaint yourself with traceroute and tcpdump.
--
The first entry of Sin into the mind occurs when, out of cowardice or
conformity or vanity, the Real is replaced by a comforting lie.
-- Integritas, Consonantia, Claritas

Warren

May 18, 2012, 9:20:17 PM
On Wednesday, May 16, 2012 8:50:16 PM UTC-6, Warren Post wrote:
> I'm trying to set up sshd on my box. I can ssh into localhost, and I can
> ping my IP address. But even after taking down my firewall for testing
> purposes, attempting to ssh into my IP address times out:
>
> [warren@verdi ~]$ ssh warren@localhost
> warren@localhost's password:
>
> [warren@verdi ~]$ ping -c 2 190.92.46.142
> PING 190.92.46.142 (190.92.46.142) 56(84) bytes of data.
> 64 bytes from 190.92.46.142: icmp_seq=1 ttl=62 time=10.5 ms
> 64 bytes from 190.92.46.142: icmp_seq=2 ttl=62 time=11.0 ms
>
> --- 190.92.46.142 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1001ms
> rtt min/avg/max/mdev = 10.526/10.801/11.077/0.294 ms
> [warren@verdi ~]$ ssh -v -v -v war...@190.92.46.142
> OpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 190.92.46.142 [190.92.46.142] port 22.
> debug1: connect to address 190.92.46.142 port 22: Connection timed out
> ssh: connect to host 190.92.46.142 port 22: Connection timed out

Answering my own question here, my ISP's tech support just told me that on dynamic IP accounts like mine they block *all* ports. If I want even one port open I need to upgrade to a static IP. I wish they had that information online somewhere; it would have saved me lots of time.

I suppose I'll have to try the proprietary TeamViewer, which I'm told works for other dynamic IP clients of my ISP. Or can anyone recommend something open source I should be looking at?

PS: Apologies for posting from Google Gropes; I'm away from my box at the moment.

Warren

May 20, 2012, 7:24:26 PM
On Friday, May 18, 2012 7:20:17 PM UTC-6, Warren wrote:

> Answering my own question here, my ISP's tech support just told me that on dynamic IP accounts like mine they block *all* ports. If I want even one port open I need to upgrade to a static IP.

Now that I think about it, there's something I don't get. They claim to block *all* ports, yet my mail client uses ports 465 and 993 to send and receive without trouble. What am I not understanding here?

--
Warren Post

Bit Twister

May 20, 2012, 7:59:13 PM
I thought it strange that they would be blocking all inbound
connection attempts. You sending email would be an outgoing connection.
As for reading email that would be an outbound connection to their
server.

I just assumed your ISP configured your router to block inbound
connections just like my ISP configured my router to drop inbound
connection attempts.

Jim Beard

May 20, 2012, 11:06:14 PM
If they were blocking *all* ports outbound and inbound, you would
not be able to connect to any machine beyond your ISP's server,
regardless of purpose.

They are simply blocking all ports for transmissions originating
beyond the ISP server. You can establish contact from your
machine to anywhere you wish, and your outgoing transmissions and
the replies to them will not be blocked.

An incoming transmission that does not have in its header an ID
created in recent time by your machine will be quietly dropped by
your ISP's machine rather than sent on to your machine or gateway
router.

If you have an "open port," all that means is that an uninvited
communication from somewhere on the 'Net will be allowed through
if it is addressed to the open port. Your router (or computer if
you do not have a router) will have to have instructions on what
to do with unsolicited traffic arriving on that open port, such
as pass it on to a specific machine or broadcast the traffic on a
specified address (port, channel, whatever you wish to call it).

Cheers!

jim b.

--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.
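Jim's description of an "ID created in recent time by your machine" is, in modern terms, connection tracking: the ISP's edge device forwards inbound packets only when they answer a flow the customer opened, and drops unsolicited ones. As an added example that is not from the thread, the toy filter below models that rule with a 5-tuple table and an idle timeout, then replays the thread's situation: the mail client's outbound connection to 993 gets its reply back, an unsolicited SYN to port 22 is dropped, an outbound ssh from the home box works, and a reply that arrives after the flow has idled out is dropped too. The class and its timing are this example's own simplification (real trackers also check TCP flags and sequence numbers); 190.92.46.142 is the address from the thread, while the mail server and remote host addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass

# Added example (not from the thread): a toy connection-tracking filter of the
# kind the post describes at the ISP edge. Outbound packets create a flow
# entry; an inbound packet is forwarded only if it matches a recent outbound
# flow, otherwise it is silently dropped. This is a deliberate simplification:
# only the 5-tuple and a last-seen timestamp are kept.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class EdgeFilter:
    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        # (inside_ip, inside_port, outside_ip, outside_port, proto) -> last seen
        self.flows = {}

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.idle_timeout}

    def outbound(self, pkt, now):
        """Customer -> Internet: always forwarded, and remembered as a flow."""
        self._expire(now)
        self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now
        return "forward"

    def inbound(self, pkt, now):
        """Internet -> customer: forwarded only if it answers a remembered flow."""
        self._expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            self.flows[key] = now
            return "forward"
        return "drop"


HOME = "190.92.46.142"     # the address from the thread
MAIL = "198.51.100.10"     # constructed: the ISP's mail server (RFC 5737 range)
REMOTE = "203.0.113.7"     # constructed: an outside box trying to reach sshd


def run_scenario():
    f = EdgeFilter(idle_timeout=60)
    out = {}
    # 1. Mail client opens IMAPS (993); the server's reply rides the tracked flow.
    f.outbound(Packet(HOME, 50001, MAIL, 993), now=0)
    out["imaps_reply"] = f.inbound(Packet(MAIL, 993, HOME, 50001), now=1)
    # 2. An outside host sends an unsolicited SYN to port 22: no flow, dropped.
    out["ssh_unsolicited"] = f.inbound(Packet(REMOTE, 1024, HOME, 22), now=2)
    # 3. The home box opens ssh to the remote box; the reply is allowed back.
    f.outbound(Packet(HOME, 50002, REMOTE, 22), now=3)
    out["ssh_outbound_reply"] = f.inbound(Packet(REMOTE, 22, HOME, 50002), now=4)
    # 4. A late IMAPS reply after the flow has idled out is dropped as well.
    out["stale_reply"] = f.inbound(Packet(MAIL, 993, HOME, 50001), now=200)
    return out


if __name__ == "__main__":
    for name, action in run_scenario().items():
        print(f"{name:20s} {action}")
```

This is why "we block all ports" and "my mail client on 465 and 993 works fine" are both true at once: the block applies to connections the customer did not initiate, which is exactly the category an inbound ssh session falls into.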

unruh

May 21, 2012, 2:07:25 AM
They lie?

Actually, if your machine originates the request then they almost
certainly do not block the replies. The question is whether there is any
service which they initiate to get stuff to you.

