I'm trying to ssh into my cisco ISR router. DHCP is working and I can ping the default gateway (the ISR), and can ssh with other devices on the LAN. so I know the LAN connection isn't the problem. I set up a local user that works with console logins so that's not the problem either.
I set up my ssh connection on the router with the following commands:
(config)#line vty 0 21
(config-line)#login local
(config-line)#exec-timeout 3
(config-line)#rotary 1
(config-line)#transport input ssh
(config)#crypto key generate rsa
(config)#ip ssh version 2
(config)#ip ssh port 2222 rotary 1
(config)#ip ssh authentication-retries 3
Then when I nmap the router it has the following ports open:
PORT STATE SERVICE
22/tcp open ssh
However, every time I try to log in to the router I get a Network is unreachable error. This is using the 2222 and 22 port and testing the normal IP and the hostname#ip formats for ssh and absolutely nothing works. I managed to get into telnet with the default settings earlier, but I'm not sure how to get in with SSH.
Thank you all for the help, I know it was very open ended so just let me know anything that could be helpful and I'll provide it.
One logical test step to do, would be switch back to port 22.
Network unreachable usually indicates there's no packet response coming from the host.
It could be because of multiple reasons, but since you've mentioned that ping and telnet went fine. I'd suggest you revert the port config, restart the unit once. See how it goes.
Other possible reasons could be ACL block and/or firewall block on your machine but I think it's unlikely.
Related
I need to be able to SSH into a device on my network. Normally I am able to simply ssh into its local IP address.
I recently ran an nmap scan on it, and now when I try to ssh into its local IP address, I recieve the following:
kex_exchange_identification: read: Connection reset by peer
Connection reset by <IP> port 22
This network is setup in a somewhat unique way. It has one router that manages the Wi-Fi network (what my machine is connected to) which is connected to another box that also acts as the modem. IP addresses that are connected to the Wi-Fi box start with 192.168, whereas those connected to the modem box start with 10.0. The device I am trying to access is connected to the modem box.
Historically, just typing in its 10.0. local address has allowed me to ssh into it with no issue, even though my device is on the 192.168 network, and arp -a does not show it.
Checking the ssh logs of the device via journalctl -fu ssh, I can see that every failed ssh attempt is accompanied by the following message:
Connection reset by 10.0.0.96 port 49949 [preauth]
I do not recognize the IP above, and the port changes every time.
Is this some sort of anti-spam protection that was triggered by my use of nmap? I know it's not just my computer because I am unable to ssh into the device from anything else on my network.
Note that connecting to a VPN then using SSH to connect to the external IP address (which is port-forwarded properly) works, as does connecting via ssh to the machine from the machine itself (127.0.0.1)l
How can I fix this issue?
Currently, I have built a small datacenter environment in OTC with Terraform. based on Ubuntu 20.04 images.
The idea is to have a jump host in the setup phase and for operational purposes that allows spontaneous access to service frontends via ssh proxy jumps without permanently routing them to the public net.
Basic setup works fine so far - I can access the jump host with ssh, and can access the internal machines from there with ssh when I put the private key onto the jump host. So, cloudwise the security seems to be fine. Key pair is generated with ed25519, I use the same key for jump host and internal servers (for now).
What I cannot achieve is the proxy jump as a chained command from my outside machine.
On the jump host, I set AllowTcpForwarding to "yes" in /etc/ssh/sshd_config and restarted ssh and sshd services.
My current local ssh config looks like this:
Host otc
User ubuntu
Hostname <FloatingIP-Address>
Port 22
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
IdentityFile= ~/.ssh/ssh_access
ControlPath ~/.ssh/cm-%r#%h:%p
ControlMaster auto
ControlPersist 10m
Host 10.*
User ubuntu
Port 22
IdentityFile=~/.ssh/ssh_access
ProxyJump otc
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
I can use this to ssh otc to the jump host.
What I would expect is that I could use e.g. ssh 10.0.0.56 to reach an internal host without further ado. As well I should be able to use commands like ssh -L 8080:10.0.0.56:8080 10.0.0.56 -N to map an internal server's port to a localhost port on my external machine. This is how I managed that successfully on other hosting scenarios in the public cloud.
All I get is:
Stdio forwarding request failed: Session open refused by peer
kex_exchange_identification: Connection closed by remote host
Journal on the Jump host says:
Jul 30 07:19:04 dev-nc-o-bastion sshd[2176]: refused local port forward: originator 127.0.0.1 port 65535, target 10.0.0.56 port 22
What I checked as well:
ufw is off on the Jump Host.
replaced ProxyJump configuration with ProxyCommand
So I am at the end of my knowledge. Has anyone a hint what else could be the reason? Any help welcome!
Ok, cause is found (but not yet fully explained).
My local ssh setting was allowing multiplexed forwards (ControlMaster auto ) which caused the creation of a unix socket file for the Controlpath in ~/.ssh.
I had to login to the jump host to AllowTcpForwarding in the first place.
After rebooting the sshd, I returned to the local machine and the failure occured when trying to forward to the remote internal machine.
After deleting the socket file in ~/.ssh, the connection can now be established as needed. Obviously, the persistent tunnel was not impacted by the restarted daemon on the jump host and simply refused to follow the new directive.
This cost me two days. On the bright side, I learned a lot about ssh :o
I am running a home network with a ddwrt installed router.
I can ssh into the router from homenetwork, i can ssh in the pc from inside the homenetwork, i can ssh into the router from outside the home network ( static public ip).
Now i want to ssh in my pc from outside the home network, as far as i have understood, to do that i need to create a ssh tunnel. I am using the following command :
ssh -L bbbb:hoomepcip:22 root:externalip
after doing this i open another terminal and i
ssh homepcusername#externalip -p bbbb
but it does not work, what am i doing wrong
Isn't the first command supposed to do a port forward in the router so everything i send to it's external ip on bbbb port goes to 22 of my home pc?
for now i have made a permanent port forward on the router gui, but i would like to not use that and open the port when i need to ssh.
both the router and the pc have SSH server installed, the router has dropbear the pc openssh
I found the solution for me.
So as i said i needed a way to ssh into my pc from outside my network through my router.
first open a terminal window and type
ssh -L bbbb:homepcIP:cc myrouterusername#mywanip -p aa
this will connect you to the router and forward port bbbb(chose a number from 1024-60000) to cc in your pc(usually 22)
type the password and leave it open
then open a new terminal window and type
ssh pcUSERNAME#localhost -p bbbb
bbbb in this case can be any port number you choose(best if above 1024, and max limit is 60000ish)
cc and bb are the port of the ssh servers (cc of my pc and bb of my router, they usually are 22 but it can change depending on conifguartion)
the key here is the "localhost" i always typed my pc ip in there but you have to type localhost and it connects to the pc correctly.
Also you have to have enabled SSH TCP Forwarding in the first server
Instead of SSH tunneling, you might consider tailscale.
See for instance "How to secure an Ubuntu server using Tailscale and UFW", which will restrict ssh access to be only over Tailscale, and use UFW (Uncomplicated Firewall) to restrict non-Tailscale traffic to your server.
That will give you a Tailscale IP address (starting with 100.x.y.z) which can be used to SSH, while your public internet IP would not allow SSH.
You can then add MFA (multi-factor auth) if you want.
Other example: "How to Setup SSH using Tailscale or Ngrok" from Ibrahim Jarif.
For a project, I need to access the faculty server
Remotely through ssh after connecting the faculty VPN with my credentials.
Before,I log in quietly until recently with:
ssh my_name_user#147.163.26.244
it appeared to enter the password and entering the credentials I accessed the server (actually a virtual machine mounted on the server for me).
Now with the command above nothing happens and after waiting a bit I get:
ssh: connect to host 147.163.26.244 port 22: Connection timed out
What may have happened?
Yesterday I changed my password to access University services (mandatory after 3 months for security reasons). After doing so I had to change that new password in the VPN configurations and I was able to have access to the VPN and also to the server, until this all ok. From today at 13.00 this problem occurs.
Does anyone have any idea what this is all about?
(I'm on Ubuntu. The server(the virtual machine is a Lubuntu system))
Thanks for your attention.
Update:
The command
ping 147.163.26.244
gives me:
PING 147.163.26.244 (147.163.26.244) 56(84) bytes of data.
and
telnet 147.163.26.244 22
gives:
Trying 147.163.26.244...
and it remain running. What can I deduce?
As ssh shows connection timeout its nothing to do with your credentials. It hasn't go to the authentication level but failing before that itself.
First of all check if the IP is accessible from you machine using Ping (hoping ICMP should be allowed by the Firewall).
ping server_ip
If it shows not accessible- then make sure there is a route for the IP/IP subnet of the server IP through the vpn tunnel. You can do it by using route/netstat
example
netstat -nr | grep "147.163"
If route is not present you may have to add a route for this IP through the VPN tunnel. You can find the "route add.." or "ip route add ... " commands for this from google depending on your machine platform.
If the Ping shows the IP is pinging, we need to make sure the ssh service is running on the port 22. Just do a telnet and check
telnet <server_ip> 22
if the connection shows UP, in your case which shouldn't show UP btw :)as you got a timeout already. Then problem can be
(1) ssh service not running
(2) any firewall blocking your connection
You may have to get in touch with the ADMIN in that case.
===== Update =========
I guess your ping itself is failing.
Ping should show it is getting response.
example :
XXXXXXX$ ping 216.58.217.174
PING 216.58.217.174 (216.58.217.174): 56 data bytes
64 bytes from 216.58.217.174: icmp_seq=0 ttl=43 time=273.068 ms
64 bytes from 216.58.217.174: icmp_seq=1 ttl=43 time=317.405 ms
64 bytes from 216.58.217.174: icmp_seq=2 ttl=43 time=361.682 ms
64 bytes from 216.58.217.174: icmp_seq=3 ttl=43 time=266.436 ms
Check for the routes in your machine using route or netstat.
Possibilities :
server is down
Proper route is not present for the IP/subnet of the ssh server through VPN tunnel
Let me explain my very strange problem. I have one server (Linux Debian Jessie) which had access to my git repository on gitlab.com
Two days ago, I tried to pull some modifications on this server with a simple git pull. I received an error message :
ssh: connect to host gitlab.com port 22: Connection timed out
Si I have done some tests
1. TELNET
To understand why, I have tried a telnet on 22 port = TIMEOUT
2. IPTABLES
I checked my iptables to be sure that SSH port was allowed. It is. If I try a telnet on another service for example like github.com, it works. So I'm allowed in OUTPUT on this port.
3. PING
I thought a ip translation problem. I have done a ping, I obtain this message :
PING 104.210.2.228 (104.210.2.228) 56(84) bytes of data.
--- 104.210.2.228 ping statistics ---
87 packets transmitted, 0 received, 100% packet loss, time 86534ms
4. FAIL2BAN
I use fail2ban, so I have checked if gitlab was in jail address, but it seems not.
So my problem is that I can't reach gitlab.com
If I try from my local machine or from another server, I don't have this problem. It works.
I can't reach gitlab.com only from this server but I don't know why. Maybe someone has an idea which cans be very precious to help me ?
Probably some modification of firewall caused this. For a quick solution use http protocol instead of ssh. Change your url in the git config file to http.
git config --local -e
change entry of
url = git#gitlab.com:username/repo.git , to
url = https://gitlab.com/username/repo.git
You need to give your username and password to authenticate yourself while making a push or pull though as it's http based.