
#1 2017-10-19 03:10:44

msmol
Member
Registered: 2016-07-07
Posts: 12

Can't connect to tomato router on any port running SSH server

I've been trying to debug this for several hours now, so I think it's about time to ask for help :-)

I recently flashed my Asus RT-AC66U with the latest build (3.4-140) of AdvancedTomato.

After enabling the SSH server (Dropbear v2016.74) on the router, on port 22, I can not connect to that port from my Arch Linux client.

I can:

  • telnet on port 23 to the router from Arch to get shell access on the router

  • ssh on port 22 to the router from my girlfriend's Macbook running OS X

  • ssh on port 22 to the router from Windows (dualboot Arch machine, so, same MAC address, same IP address, & using cygwin's openssh client)

  • telnet to port 22 and 23 from both of the above Mac and Windows boxes

I can not:

  • ssh on port 22 from Arch

  • telnet on port 22 from Arch

So it seems it is only Arch that is unable to connect on port 22 since I am able to connect from two other machines on the same network.

I've tried changing the ssh server to run on a different port, with the same issues. E.g., after swapping the telnet and ssh ports to be 22 and 23 respectively, I am able to connect on port 22 but not on 23.

Running nmap:

$ nmap -sV -p 22 192.168.1.1                

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-18 22:21 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0030s latency).

PORT   STATE    SERVICE VERSION
22/tcp filtered ssh

I'm unsure how to interpret the "filtered" result, but maybe someone here can shed some light.

Any help is greatly appreciated :-)

edit: here's an attempt to connect to the box

$ ssh -vvv root@192.168.1.1
OpenSSH_7.6p1, OpenSSL 1.1.0f  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "192.168.1.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: connect to address 192.168.1.1 port 22: Connection timed out
ssh: connect to host 192.168.1.1 port 22: Connection timed out

Last edited by msmol (2017-10-19 03:13:48)


#2 2017-10-19 14:07:26

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

Update: I went to work and connected to the OpenVPN server I set up on the router. While connected to the VPN as 10.8.0.6 on tun0, I can now connect via ssh to the router with no issues. Still no access while connected directly to the LAN at home though...


#3 2017-10-21 15:48:08

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: Can't connect to tomato router on any port running SSH server

Do you have any iptables/nftables or the like rules set up on the client Arch?


#4 2017-10-21 16:15:14

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

No, none at all.


#5 2017-10-21 16:50:56

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Can't connect to tomato router on any port running SSH server

msmol wrote:

I'm unsure how to interpret the "filtered" result, but maybe someone here can shed some light.

Nmap's man page says this about it:

nmap man> wrote:

       filtered
           Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching
           the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall
           software....

If you do not have a firewall there must be something else blocking your access.


#6 2017-10-21 16:58:41

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

- I have no firewall running on the client so I think we can rule that out.
- It's not a firewall rule on the server since I can connect from the same machine with the same IP and MAC while running Windows.
- It's not an issue with my ssh client being somehow incompatible with the ssh server running on the router (1. because even telnet to port 22 times out, and 2. because I can connect while on the VPN)

I'm really stumped as to what else it could be :-(


#7 2017-10-21 17:08:09

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Can't connect to tomato router on any port running SSH server

Did you use that same client at your work or a different one?


#8 2017-10-21 17:15:19

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

Yes, same client, same machine, same everything except for the fact that I was connected to my office's WiFi and tunneled into my home network via the OpenVPN server running on the router.


#9 2017-10-21 17:45:14

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Can't connect to tomato router on any port running SSH server

I don't really have an idea right now, but I'm curious about that nmap scan from the macbook or even the windows machine.


#10 2017-10-21 20:00:03

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: Can't connect to tomato router on any port running SSH server

Let's see sshd's log on the server while you're trying to ssh into it.


#11 2017-10-23 15:13:58

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

Here is the nmap from the macbook:

$ nmap -sV -p 22 192.168.1.1

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-21 16:10 EDT
Nmap scan report for stark (192.168.1.1)
Host is up (0.0021s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 2016.74 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

I'll confirm when I get home from work later today; however, if memory serves, the sshd log was not modified at all when logging in with the Arch client: the connection never made it that far.


#12 2017-10-23 19:46:53

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

Interesting new development when trying to ssh into the router from Arch just now:

ssh -vvv root@192.168.1.1        
OpenSSH_7.6p1, OpenSSL 1.1.0f  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "192.168.1.1" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/msmol/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/msmol/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.1:22 as 'root'
debug3: hostkeys_foreach: reading file "/home/msmol/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/msmol/.ssh/known_hosts:21
debug3: load_hostkeys: loaded 1 keys from 192.168.1.1
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection reset by 192.168.1.1 port 22

meanwhile in the server logs:

Oct 23 15:36:54 stark authpriv.info dropbear[4750]: Child connection from 192.168.1.101:49236
Oct 23 15:37:31 stark authpriv.info dropbear[4750]: Exit before auth: Error reading: Connection timed out

Haven't seen that before.

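As an added diagnostic (not code from this thread or from OpenSSH), the following Python script classifies an ssh -vvv transcript by the furthest stage it reached and the terminal error, so the failure in the first post (no TCP handshake at all, which is what nmap reported as "filtered") can be told apart from the one in this post (handshake, version exchange and KEXINIT completed, then a reset while waiting for the server's KEX reply). The two sample transcripts are constructed, abridged copies of the output posted above; the stage and hint names are this example's own.

```python
import re

# Stages of an OpenSSH client connection, in the order ssh -vvv reports them.
STAGES = [
    ("resolve",          re.compile(r"^debug2: resolving ")),
    ("tcp_connect",      re.compile(r"^debug1: Connecting to ")),
    ("tcp_established",  re.compile(r"^debug1: Connection established")),
    ("version_exchange", re.compile(r"^debug1: Remote protocol version ")),
    ("kexinit",          re.compile(r"^debug1: SSH2_MSG_KEXINIT received")),
    ("kex_reply_wait",   re.compile(r"^debug1: expecting SSH2_MSG_KEX_ECDH_REPLY")),
    ("auth",             re.compile(r"^debug1: Authentications that can continue")),
]

# Terminal outcomes, matched against the last non-empty line of the transcript.
OUTCOMES = [
    ("timeout", re.compile(r"Connection timed out")),
    ("reset",   re.compile(r"Connection reset by")),
    ("refused", re.compile(r"Connection refused")),
]

# What a (stage, outcome) pair says about where the failure sits (example's own wording).
HINTS = {
    ("tcp_connect", "timeout"): "SYN never answered: no TCP handshake, so sshd never "
        "logged the attempt (nmap shows this as 'filtered'); look at the network path.",
    ("kex_reply_wait", "reset"): "TCP, version exchange and KEXINIT completed; the link "
        "dropped before host-key verification and authentication even started.",
}

def diagnose(transcript):
    """Return (furthest_stage, outcome, hint) for one ssh -vvv transcript."""
    lines = [l for l in transcript.splitlines() if l.strip()]
    furthest = -1
    for line in lines:
        for idx, (_, pat) in enumerate(STAGES):
            if pat.search(line):
                furthest = max(furthest, idx)   # later stages are further along
    stage = STAGES[furthest][0] if furthest >= 0 else "none"
    outcome = "unknown"
    if lines:
        outcome = next((n for n, p in OUTCOMES if p.search(lines[-1])), "unknown")
    return stage, outcome, HINTS.get((stage, outcome), "no specific hint")

# Constructed samples, abridged from the two transcripts posted in this thread.
SAMPLE_TIMEOUT = """debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: connect to address 192.168.1.1 port 22: Connection timed out
ssh: connect to host 192.168.1.1 port 22: Connection timed out"""
SAMPLE_RESET = """debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: SSH2_MSG_KEXINIT received
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection reset by 192.168.1.1 port 22"""
```

Feed it a real transcript with `diagnose(open("ssh.log").read())`; pairing the result with the Dropbear log timestamp tells you whether the server saw the connection at all.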

#13 2017-10-23 23:37:45

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: Can't connect to tomato router on any port running SSH server

The key exchange was never made; could you remove entry 21 from 'known_hosts' (check before you do) and try again?
If that won't work, set your server to accept passwords temporarily; if it works like this, then there must be something off with the key or the exchange of it.


#14 2017-10-25 00:32:25

msmol
Member
Registered: 2016-07-07
Posts: 12

Re: Can't connect to tomato router on any port running SSH server

A few things:

1. I can only reproduce the above once every 10 or so connection attempts. All other attempts time out like in my first post.
2. After deleting entry 21 in my known_hosts file, zero difference in behavior that I've seen.
3. I somehow managed to connect via telnet to port 22. After disconnecting, all further attempts to telnet to port 22 have failed.

Last edited by msmol (2017-10-25 00:32:43)


#15 2017-10-25 07:13:45

hcjl
Member
From: berlin
Registered: 2007-06-29
Posts: 330

Re: Can't connect to tomato router on any port running SSH server

Does it work if you use another client, e.g. PuTTY? Just a try...


#16 2017-12-29 09:24:30

beeender
Member
Registered: 2011-09-03
Posts: 8

Re: Can't connect to tomato router on any port running SSH server

Exactly the same problem here. ssh to tomato router works fine on MacOS but not Arch.

