Greetings fellow Arch users,
I have hit a bit of a snag that I could really use some extra help getting around. I've tried everything I can think of (and everything that Google thought might work) and I have my back rather against a wall, so I thought I'd come here to see if anyone can offer some advice.
To make a long story short, I am a college student and am attempting to set up an ssh server on a desktop at my house so I can access it remotely from the college. I have the computer set up and the server running, however I am having difficulty making connections to it from my laptop. I know that the server is running, because I can log into it both from the server itself (sshing into localhost) and from my laptop when I use the internal IP address.
The server is on a static IP address within the network (192.168.0.75), and my router is configured to forward TCP port 1500 to it (I'm using 1500 as the port for my ssh server). However, when I attempt to log into the ssh server using my network's external IP address, the connection is refused. I used nmap to scan my network and found that, even though the proper ports are forwarded to the proper place as far as my router's configuration interface is concerned, port 1500 is not listed as one of the open TCP ports. I also, to test it, temporarily disabled the firewalls on both the server and the client. That didn't help. The command that I am running is:
ssh -p 1500 douglas@[external ip address]
As I am really not sure what is causing this problem, I don't know what information to provide. So here is everything that my inexperienced mind sees as likely being important. If you need anything more, let me know and I will do my best to provide it.
Here is the sshd_config file from my server.
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 1500
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
The output of ip addr when run on the server:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:21:9b:3a:be:94 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.75/24 brd 192.168.255.0 scope global enp8s0
valid_lft forever preferred_lft forever
inet6 fe80::221:9bff:fe3a:be94/64 scope link
valid_lft forever preferred_lft forever
Here is the output from running nmap on the network:
Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 21:05 EDT
Initiating Ping Scan at 21:05
Scanning address [2 ports]
Completed Ping Scan at 21:05, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:05
Completed Parallel DNS resolution of 1 host. at 21:05, 0.05s elapsed
Initiating Connect Scan at 21:05
Scanning pa-address.dhcp.embarqhsd.net (address) [1000 ports]
Discovered open port 80/tcp on address
Discovered open port 443/tcp on address
Discovered open port 23/tcp on address
Discovered open port 21/tcp on address
Completed Connect Scan at 21:05, 4.08s elapsed (1000 total ports)
Nmap scan report for pa-address.dhcp.embarqhsd.net (address)
Host is up (0.036s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
443/tcp open https
8080/tcp filtered http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
Here is the ssh_config client-side:
# $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
Output of ssh -v during connection attempt:
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 1500.
debug1: connect to address address port 1500: Connection refused
ssh: connect to host address port 1500: Connection refused
Thank you guys ahead of time. Getting this server operational is hardly critical, it is just a side project of mine, but I would really like to see it working.
Douglas Bahr Rumbaugh
Last edited by douglasr (2013-09-29 02:58:56)
The output of ssh with the verbose switch (-vv or -vvv), with your IP redacted would be helpful.
You are using public key authentication: have you set that up correctly?
Are you able to access other services on the computer via the external IP (e.g. a simple netcat server)?
Can you access service using the external IP through a proxy (e.g. Tor) or from an external address (e.g. a friend's house, a open wifi point)?
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
Jason, here is the output of ssh -v. I'll edit it into the above post as well. As far as public key, no I have not set that up. This is my first time messing around with ssh, or really any server for that matter, so right now I just want it to work. Once I get that step done, I can work on making it a bit more secure.
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 1500.
debug1: connect to address address port 1500: Connection refused
ssh: connect to host address port 1500: Connection refused
Xyne:
I've not tried any of that actually, though there are some good ideas. I will attempt to set up and then access a different type of server right now. As far as accessing by proxy, that is not a technique I am familiar with so I'll need to do a bit of reading up on it. I haven't had the opportunity just yet to try and access the server from anywhere but my network.
I misread your first post (either that or it only became clearer after your second), but you are trying to connect to the server from its external IP while your laptop is connected to your LAN?
Yes. I am assuming that it is possible to do that, and I suppose that the problem could lie in that fact. But yeah, I am on my LAN trying to connect via my network's external IP address.
Also, I just tested Telnet on the same ports and once again the connections were refused.
Yeah, that's not going to work. You'll need to be outside your router to do that.
# edit: so set up keys, restrict access to just your user, and change the port you are using, now that we all know it...
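The advice above (keys only, one allowed user, a different port) is easy to state and easy to get half-right: with UsePAM yes, password prompts can still arrive via ChallengeResponseAuthentication even after PasswordAuthentication is set to no, and sshd takes the first occurrence of a keyword, not the last. The script below is an added example, not code from this thread or from OpenSSH. It audits an sshd_config against those points. The "weak" sample reproduces the effective directives of the config posted above; the "hardened" sample is what the thread is steering towards, with the port number and the AllowUsers entry assumed (the new port is never stated in the thread). Defaults are those of the OpenSSH 6.x release the poster is running; later releases changed some (PermitRootLogin in particular), and Match blocks are deliberately ignored.

```sh
#!/bin/sh
# Added example, not from the thread or from OpenSSH: audit an sshd_config for
# the three things the thread recommends before exposing the port.
# Assumed defaults are OpenSSH 6.x's; Match blocks are not evaluated.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (sshd honours the first
# occurrence), or DEFAULT if the keyword never appears before a Match block.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# want KEYWORD DEFAULT EXPECTED MESSAGE: report when the effective value differs.
want() {
    v=$(sshd_effective "$AUDIT_CFG" "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$v" != "$3" ]; then
        printf '%s=%s: %s\n' "$1" "$v" "$4"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
}

# audit_sshd_config FILE: prints one finding per line, returns the count.
audit_sshd_config() {
    AUDIT_CFG=$1
    AUDIT_FINDINGS=0
    want PasswordAuthentication yes no "password logins allowed; set to no once keys work"
    want ChallengeResponseAuthentication yes no "PAM can still prompt for a password through keyboard-interactive"
    want PubkeyAuthentication yes yes "public-key authentication disabled"
    want PermitRootLogin yes no "root may log in directly"
    want PermitEmptyPasswords no no "accounts with empty passwords could log in"
    if [ -z "$(sshd_effective "$AUDIT_CFG" AllowUsers "")" ]; then
        echo "AllowUsers unset: every local account is a login target; list only your user"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    if [ "$(sshd_effective "$AUDIT_CFG" Port 22)" = 22 ]; then
        echo "Port=22: default port draws constant scanner noise (obscurity, not a control)"
        AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
    fi
    return $AUDIT_FINDINGS
}

# write_samples DIR: constructed sample configs. "weak" mirrors the effective
# directives of the config posted in the thread; "hardened" is the target,
# with Port 2000 and the AllowUsers name assumed rather than taken from the thread.
write_samples() {
cat > "$1/weak.conf" <<'EOF'
Port 1500
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PrintMotd no # pam does that
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
cat > "$1/hardened.conf" <<'EOF'
# Port and user below are assumptions for the example
Port 2000
AddressFamily inet
ListenAddress 0.0.0.0
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
UsePAM yes
AllowUsers douglas
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
}

dir=${TMPDIR:-/tmp}/sshd_audit.$$
mkdir -p "$dir" && write_samples "$dir"
for c in weak hardened; do
    echo "== $c.conf"
    if audit_sshd_config "$dir/$c.conf"; then echo "   no findings"; fi
done
rm -rf "$dir"
```

Run it against /etc/ssh/sshd_config on the server after editing, then `sshd -t` to syntax-check before restarting, and keep an existing session open while you restart so a typo cannot lock you out. The posted config produces two findings (password logins still on, no AllowUsers); the hardened sample produces none.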
Okay. I'll just have to test it again when I get back to school tomorrow and hope that it works (otherwise I'll be sitting on my hands for a week before I can get access to the box again). Thanks for your help, I'll let you know how it all turns out then!
You need to secure it. You've published your ip address and the port you are running ssh on.
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Well only the internal IP, which I understand is pretty much useless. But the port has been changed and I just set up keys and disabled standard login. It's secured now, I think.
What did you run nmap on, then? Maybe I'm just confused...
Oh, heh. That was an oversight. Yeah, nmap was on the external address. I just redacted it, I guess I wasn't thinking too much when I posted that!
Okay, so I finally have the opportunity to try and log in from a remote network. And. . . it doesn't work. Which is just my luck because I now need to wait an entire week, at least, before I can touch the server again. Anyway, running ssh with the maximum verbosity I get this output:
douglas ~ $ ssh -vvv -p 2000 address
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/douglas/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to address [address] port 2000.
debug1: connect to address address port 2000: Connection timed out
ssh: connect to host address port 2000: Connection timed out
It takes a minute or two for the command to finish with the connection timeout, as one would expect. And yes, I am reasonably sure that the address that I am using is my home network's external IP. It is dynamic, but I checked it before I left which was just over an hour ago. I guess that it may have changed. I'll know that for sure in the morning, when my server sends me an automatic email with the network's current address. In the meantime I am operating under the assumption that the address I am using is correct. What else could be the problem?
Do you see that the port is open and listening? Maybe try running "lsof -i TCP -P |grep LISTEN" on the server and ensure you see the port is listening on the correct interface or * for any interface. For example:
$ lsof -i TCP -P |grep LISTEN
1:sshd 123 root 1u IPv4 1234 0t0 TCP *:2000 (LISTEN)
I would un-comment the AddressFamily and ListenAddress lines and set them to the following, then restart sshd:
AddressFamily inet
ListenAddress 0.0.0.0
Also, is it possible the network you are running the client from has outbound connections blocked? I've been on some networks which block all outbound ports except 80, 443, or 22 specifically.
Thanks Brenix, I'll try it as soon as I get physical access to the server. As far as the network blocking the ports, I specifically forwarded port 2000 to the device (which I gave a static IP on the network) in my router's configuration page. But then I've never been able to get port forwarding to work right, so that could be the problem as well. Of course if that is the problem, I have absolutely no idea how to go about fixing it.
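The check above is the one that has to be done on the server side: from inside the LAN, the external address is answered by the router itself, so the nmap scan in the first post shows the router's own 21/23/80/443 and says nothing about the forwarded port. The function below is an added example, not code from this thread; it reads `ss -ltn` output (or the `lsof -i TCP -P | grep LISTEN` output shown above) on stdin and reports whether the given port is bound on every interface, on one specific address, only on loopback, or not at all. The sample lines are constructed, not output from the poster's machine. A "loopback-only" result explains "works on localhost, refused from everywhere else" and is what `ListenAddress 0.0.0.0` fixes; a "wildcard" result means the remaining problem is the router (no NAT loopback from inside, or the forward not reaching 192.168.0.75) or an outbound block on the client's network, not sshd.

```sh
#!/bin/sh
# Added example, not from the thread: classify where a TCP port is listening.
# Usage on the server:  ss -ltn | listen_scope 2000
#                  or:  lsof -i TCP -P | grep LISTEN | listen_scope 2000
listen_scope() {
    awk -v port="$1" '
    /LISTEN/ {
        for (i = 1; i <= NF; i++) {
            f = $i
            n = split(f, p, ":")
            # only fields that end in ":<port>" are local-address fields for this port
            if (n < 2 || p[n] != port) { continue }
            # strip ":<port>" to get the bound address: 0.0.0.0, *, [::], 127.0.0.1, ...
            addr = substr(f, 1, length(f) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
                rank = 3
            } else if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1" || addr == "localhost") {
                if (rank < 1) { rank = 1 }
            } else if (rank < 2) {
                rank = 2
            }
        }
    }
    END {
        # highest rank wins: a wildcard bind covers every interface
        if (rank == 3)      { print "wildcard" }       # reachable on all interfaces; sshd is fine
        else if (rank == 2) { print "specific" }       # bound to one address; must be the one the router forwards to
        else if (rank == 1) { print "loopback-only" }  # only 127.0.0.1/::1; remote connections get refused
        else                { print "none" }           # nothing listening on that port
    }'
}

# Constructed sample in `ss -ltn` format (not real output from the thread's server):
# CUPS on loopback only, sshd on the wildcard address for v4 and v6.
SAMPLE='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2000 0.0.0.0:*
LISTEN 0 128 [::]:2000 [::]:*'

printf '%s\n' "$SAMPLE" | listen_scope 2000
printf '%s\n' "$SAMPLE" | listen_scope 631
```

If the result is "wildcard" but the connection still times out from off-site, test the forward with something that does not depend on the home router's own services, for example from a phone on mobile data, before touching sshd again.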
I think brenix was asking if the network you are now on blocks OUTbound connections e.g. if you are on campus, is the university's network stopping the laptop sending stuff out on that port?
I think brenix was asking if the network you are now on blocks OUTbound connections e.g. if you are on campus, is the university's network stopping the laptop sending stuff out on that port?
This is correct / what I meant.. Thx for the clarification cfr
If you need to test outbound ssh connections, just hack phrak.