I have installed Openssh-sever. Started the ssh-server using the following command :
:~$ sudo service ssh start
ssh start/running, process 20013
With the following command I can see port 22 is open :
:~$ sudo nmap localhost -p 1-65535
Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-22 23:46 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 7.24 seconds
Furthermore, to check if the port is listening I used the following command with the results :
:~$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1061/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20013/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2009/cupsd
tcp6 0 0 :::22 :::* LISTEN 20013/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2009/cupsd
udp 0 0 0.0.0.0:42198 0.0.0.0:*
But when I try to connect to the port from the same machine I get the following message :
:~$ ssh -vvv -p 22 address
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [198.105.xxx.xxx] port 22.
debug1: connect to address 198.105.xxx.xxx port 22: Connection timed out
When I try to ssh from a different computer on a different network I get following message(xx.xxx.xxx.xxx is the external/public IP of the router) :
:~ssh bhuwan#xx.xxx.xxx.xxx
ssh: connect to host xx.xxx.xxx.xxx port 22: Connection refused
Whereas, when I try to ssh from a different computer on a same network I am able to connect. I do have port forwarding enabled on the router on port 22 to my local IP of the computer. I literally started using ubuntu 2 days ago and started working on ssh the same day. I'm not an expert on this as of now and any simplified explanation or guidance would be much appreciated. :)
below is my sshd_config file:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
And my ssh_config file as follows:
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
ServerAliveInterval 300
# ForwardAgent no
# ForwardX11 no
# ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64#openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
After a long haul found out that problem was the Modem that ISP provided. Above configuration should work fine if the modem/router has port forwarding not blocked by the ISP. With the modem/router ISP provided, even after I tried port forwarding, port 22 was not open which can be checked here: http://www.canyouseeme.org/.
Related
I have 2 linux machines, both of them have rsyslog. I need to send logs from client machine to server machine. I have done these steps but still I am not able to send the message. What am I doing wrong? I am using UDP port 514
SERVER MACHINE : (192.16.72.239)
updated /etc/rsyslog.conf, uncommented 2 lines after comment
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
`restarted rsyslog`
executed below commands as well:
[root#mysystem/]# iptables -A INPUT -p udp --dport 514 -j ACCEPT
[root#mysystem/]#nc -l -p 514 -4
Ncat: bind to 0.0.0.0:514: Address already in use. QUITTING.
CLIENT MACHINE :
added this rule(third line) at the end of the file:
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* ##remote-host:514
*.* ##192.16.72.239:514
# ### end of the forwarding rule ###
now I am using command on client machine logger "sending message from client to server". But I can see above message is present in client's /var/log/messages but it is not present in server's /var/log/messages.
Am I doing anything wrong?
I'm using the net-snmp for gather system information in linux.
but I found there is problem.
when I check port usage of Net-SNMP by netstat, I found net-snmp using 3 UDP port.
Here is the result.
[root# snmp]# netstat -anp | grep snmp
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN 6392/snmpd
udp 0 0 0.0.0.0:49005 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:161 0.0.0.0:* 6392/snmpd
udp 0 0 0.0.0.0:44837 0.0.0.0:* 6392/snmpd
as you can see, the snmpd using 2 more udp port without 161.
also I found why the 2 udp ports are randomly occupied by snmp.
those ports are using for sending snmp trap.
when I remove the tran2sink and informsink option, the 2 UDP ports are no more appear.
this is my part of configuration of snmpd.conf
###########################################################################
# SECTION: Trap Destinations
#
# Here we define who the agent will send traps to.
# trap2sink: A SNMPv2c trap receiver
# arguments: host [community] [portnum]
trap2sink 192.168.1.4
# informsink: A SNMPv2c inform (acknowledged trap) receiver
# arguments: host [community] [portnum]
informsink 192.168.1.4 NMS_COM
# trapcommunity: Default trap sink community to use
# arguments: community-string
trapcommunity NMS_COM
# authtrapenable: Should we send traps when authentication failures occur
# arguments: 1 | 2 (1 = yes, 2 = no)
authtrapenable 1
my program have to use 40000~50000 udp port.
so I want to use those trap options and change the ports.
how can I fix the ports?
You can try to set port for the directives as below:
trap2sink 1.1.1.1:port_num e.g. trap2sink 1.1.1.1:162
I hope I understood your question and this would help.
These are SNMP Ephemeral ports. Here is a quote from a Microsoft support page on them:
While SNMP service is running it may be noticed via the netstat
Command Line utility that in addition to the well known ports for
sending and receiving SNMP traps (161/162) that a random ephemeral
port has been created by the service as well.
The random port usage is intended behavior and is opened for the
purpose of sending "management" traps
...
This port will remain in
the system while the SNMP service is running, but is not actively used
unless a management trap is to be sent outbound. Since SNMP does not
listen for inbound packets on this random port, this does not present
a security vulnerability.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
So I want to control my banana pi with my macbook pro using SSH. It is the first I am using ssh. So I followed a lot of different tutorials and it still does not work.
If I run :
pi#172.25.54.12
or
bananapi#172.25.54.12
or whatever name I try it answers me that
ssh: connect to host 172.25.*.*2 port 22: Operation timed out
and when I try
bananapi#localhost
or
pi#localhost
it answers me:
ssh: connect to host localhost port 22: Connection refused
I found my IP address doing ifconfig on my bananapi.
My bananapi is using bananian (debian for banana pi), and my mac is 10.10.3.
When I run sshd -T, I have:
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
listenaddress [::]:22
usepam 1
serverkeybits 768
logingracetime 120
keyregenerationinterval 3600
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
permitrootlogin yes
ignorerhosts yes
ignoreuserknownhosts no
rhostsrsaauthentication no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
rsaauthentication yes
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapikeyexchange no
gssapicleanupcredentials yes
gssapistrictacceptorcheck yes
gssapistorecredentialsonrekey no
passwordauthentication yes
kbdinteractiveauthentication no
challengeresponseauthentication no
printmotd no
printlastlog yes
x11forwarding yes
x11uselocalhost yes
strictmodes yes
tcpkeepalive yes
permitblacklistedkeys no
permitemptypasswords no
permituserenvironment no
uselogin no
compression delayed
gatewayports no
usedns no
allowtcpforwarding yes
useprivilegeseparation yes
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers aes256-ctr,aes128-ctr
macs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
hostkey /etc/ssh/ssh_host_rsa_key
acceptenv LANG
acceptenv LC_*
subsystem sftp /usr/lib/openssh/sftp-server
maxstartups 10:30:100
permittunnel no
ipqos lowdelay throughput
permitopen any
Any idea?
edit:
so as suggested in the comments, I did a :
$ ls -al ~/.ssh
total 24 drwx------ 5 ***************** staff 170 12 mai 13:27 .
drwxr-xr-x 53 **************** staff 1802 12 mai 11:16 ..
-rw------- 1 ***************** staff 1766 12 mai 11:16 authorized_keys
-rw------- 1 ***************** staff 1679 12 mai 13:27 id_rsa
-rw-r--r-- 1 ***************** staff 429 12 mai 13:27 id_rsa.pub –
This is what I get as an answer. So I have a key in the authorized_keys file.
Do I have to send it (the public key) to my banana pi?
edit#2:
here is my adress less hidden 172.25.54.12 All I want for now is just connect my mac to my banana pi and control it as a server. So my Mac would be the client, and my banana pi my "host".
When I run
netstat -an | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:32622 0.0.0.0:*
unix 3 [ ] STREAM CONNECTED 4122
unix 3 [ ] STREAM CONNECTED 2922 #/tmp/.X11-unix/X0
Basically what I did is, I followed some tutorial on the internet (like this one https://www.youtube.com/watch?v=0wn44MbxtZw) but it does not work.
edit#3:
I tried with a PC and puTTY, and I have got an error:
Network error: Network is unreachable.
Maybe it can help.
Edit#4
Ok I understood a part of my problem: I thought it was possible to connect directly my two devices without using the local network. I mean directly connect my banana pi to my mac just with one ethernet cable. But my goal is to be able to connect to my banana pi even when it is not connected to any network (is thath possible?), so I want to use an static IP address, is that a good idea?
Ok, so I found a way to do what I wanted to do. That means to connect directly my mac with my banana pi just with an ethernet cable (cross over ethernet cable).
I edited the network interface doing:
gedit /etc/network/interfaces
and then I modified the file this way
#interfaces (5) file used by ifup(8° and ifdown(8)
auto lo
iface lo inet loopback
#dhcp configuration
allow-hotplug eth0
#iface eth0 inet dhcp
#static ip configuration
auto eth0
iface eth0 inet static
adress 169.x.y.z
netmask 255.255.255.0
gateway 169.X.Y.*
So for address I put an IP really similar to my Mac IP adress (to get the mac IP address run ipconfig getifaddr en0)
And for gateway I put my mac IP address.
Then I connected my two devices with a cross over ethernet cable. And in my mac terminal I ran:
bananapi#169.x.y.*
and it worked!
Thank you
I am running an OpenSSH sftp-server (Linux, Raspbian) and FileZilla is used as client. The problems I experienced were that the user could delete any file on the server with no regard to the filemask or the owner/group:
User that logs in:
cat /etc/passwd | grep sftp
sftp-guest:x:1001:1004:::/sbin/nologin
Group:
cat /etc/group | grep sftp-only
sftp-only:x:1004:
This is my /etc/ssh/sshd_config - file (shadowed Port):
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port ***33
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#X11Forwarding yes
#X11DisplayOffset 10
#PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Banner /sftp/welcome_message
# Allow client to pass locale environment variables
#AcceptEnv LANG LC_*
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
Subsystem sftp internal-sftp
Match group *,!sftp-only,!pi
ForceCommand internal-sftp
ChrootDirectory /sftp/empty
Match group sftp-only
ChrootDirectory /sftp/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
As you can see in the sshd_config the user sftp-guest is chrooted into /sftp/sftp-guest.
Here you can see the permissions of the files/folders:
ll /sftp | grep sftp-guest
drwxr-xr-x 3 root root 4096 Dec 20 02:26 sftp-guest
ll /sftp/sftp-guest/
drwxrwxr-x 9 sftp-guest pi 4096 Apr 18 22:18 maturaprojekt
ll /sftp/sftp-guest/data/
---------- 1 sftp-guest sftp-only 205 Apr 18 22:06 readme
---------- 1 root root 205 Apr 18 22:18 readme2
The problem is that both files (readme, readme2) can be deleted with Filezilla or via sftp (commandline). Futher renaming or changing the permissions is possible.
EDIT -->
When trying to view or download these files the transfer fails!
Filezilla-Log:
Command: get "readme" "/tmp/fz3temp-1/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
Command: get "readme" "/home/michael/data/readme"
Error: /data/readme: open for read: permission denied
Error: File transfer failed
<-- EDIT
My question is now how this behavior could be prevented?
The right to delete a file is on the parent folder : if the folder is writable, you can delete a file inside. Try a chmod -w /sftp/sftp-guest/data/ to prevent sftp-guest from deleting the readme files (you can also make them readable to fix your last edit).
I am trying to change d default port (22) for my system, I edited the sshd_config file by changing to my desirable port no (5555) and restarted my service but it seem not to work . is there something else i have to change? thanks
Yes, you must allow that new port in iptables. iptables is the firewall program for Linux.
With root privileges you will need to do this:
iptables -I INPUT 1 -p tcp --dport 5555 -j ACCEPT
Make sure you can connect using port 5555 then disable the old port.
iptables -A INPUT -j DROP -p tcp --dport 22
then save the new settings
/etc/init.d/iptables save
Check out this really good webpage for more information:
http://www.rackspace.com/knowledge_center/article/introduction-to-iptables#Save_Save_Save_your_Ruleset
1) Make a backup of the sshd config file (optional but a good idea):
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
2) edit the sshd_config file to include your alternate port
vi /etc/ssh/sshd_config
Leave the default port 22 active for now and add your custom port
# Open ports for sshd
Port 22
Port 5555
3) Open the custom port in your firewall
iptables -I INPUT 1 -p tcp --dport 5555 -j ACCEPT
service iptables save
4) Use a new terminal window to make sure you can login with your custom port
ssh -p 5555 myuser#myserver.com
If this doesn't work, now you can still login on port 22 to troubleshoot
5) Once you've confirmed the custom port works, edit the sshd_config file and firewall settings to block port 22
vi /etc/ssh/sshd_config
...
# Open ports for sshd
# Port 22
Port 5555
...
iptables -A INPUT -j DROP -p tcp --dport 22
service iptables save
Now you'll want to test again to make sure you can login with your custom port but not with the default port of 22.
You will need to have root privileges or use sudo for the above commands.
Step - 1:
nano /etc/ssh/sshd_config
and change the port from 22 to the desired one i.e. 5555
service sshd restart
Step - 2:
nano /etc/sysconfig/iptables
Here, you will find an entry for port 22. You will need to change it to 5555
service iptables restart
Now, try the SSH using,
- ssh -p 5555 root#Your IP Address
To Change the SSH Port for Your Linux Server
Connect to your server via SSH
Switch to the root user
Run the following command:
vi /etc/ssh/sshd_config
Locate the following line: #Port 22
Remove # and change 22 to your desired port number like 2224 etc.
Restart the sshd service by running the following command:
service sshd restart