Solved

ssh_exchange_identification: read: Connection reset by peer

Posted on 2004-10-24
15,995 Views
Last Modified: 2008-01-09
Hello,
I have a slackware 9 box with 2 ethernet interfaces. eth0 is on the internet, eth1 is on the inside network. I am able to ssh to eth0 without any troubles.
When I try to ssh to eth1 from another linux client I get the following error:
ssh_exchange_identification: read: Connection reset by peer
When I try to ssh to eth1 from an old linux box I get the following error:
FATAL: Connecting to 192.168.3.60 failed: TCP/IP Failure
When I try to ssh to eth1 from putty I get the following error:
Network Error: Software caused connection abort

ssh -V on target machine:
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
My iptables are definitely allowing connections to port 22 on both interfaces.
There are no entries in the log file related to ssh on the target machine
I can connect to ssh on eth0

Any ideas what is wrong?

Thanks.
0
Question by:tagish
12 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 12396355
What does your firewall log entries show when you attempt a connection? The problem description tends to point to the firewall being the cause.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12397225
Hi,

   Where are your linux client boxes? Are they in the inside network (192.168.3.X), which eth1 is on?
If not, then you need to enable routed/ip forwarding on this slackware 9 box.

   If they are in the same subnet, then please give us the outputs of "iptables -L" and "netstat -n" so people can help to debug this issue.

Regards,

Wesly
0
 

Author Comment

by:tagish
ID: 12397393
Hello,

Ok, the linux clients are inside the network, 192.168.3.x. I do have port forwarding etc. working on the firewall, I am fairly sure that is not the trouble. (Even when I set all policies to accept the errors are the same.) There are no entries regarding the firewall.
From what machine would you like the netstat from?
iptables -L on the firewall:
root@gimli:/etc/rc.d# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere           tcp option=!2 reject-with tcp-reset
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
ACCEPT     tcp  --  192.168.3.0/24       anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.3.0/24       anywhere
ACCEPT     all  --  anywhere             192.168.3.0/24     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:http
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:smtp
ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:pop3
ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:pop3
ACCEPT     udp  --  anywhere             192.168.3.0/24     udp dpt:domain
ACCEPT     udp  --  anywhere             192.168.3.0/24     udp spt:domain

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.3.0/24
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
ACCEPT     udp  --  anywhere             anywhere           udp spt:10000
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
ACCEPT     udp  --  anywhere             anywhere           udp spt:10000

0
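The listing above is a plain `iptables -L`, which shows neither the in/out interface of a rule nor numeric ports, so its first line, `ACCEPT all -- anywhere anywhere`, would read as an accept-everything rule if taken literally. As an added example, not code from the thread or from the iptables project, here is a small tracer that parses such a listing (plain, or the `-L -v -n` form that adds counter and interface columns), walks a chain top to bottom with first-match semantics, and reports which rule a described packet hits. The sample chains are constructed from the INPUT chain above; the interface column (the first rule assumed to be `-i lo`) is an assumption, since the thread's plain listing does not show it. The tracer also makes visible that the only rule in this chain that answers with a TCP reset, which is what a client reports as "Connection reset by peer", is the `REJECT ... tcp option=!2 reject-with tcp-reset` line, matching TCP segments without an MSS option that no earlier rule accepted.

```python
"""Trace a described packet through an iptables chain listing (first match wins).

Added example for this thread, not code from it or from the iptables project.
Parses the text `iptables -L` prints, plain or with `-v -n`, and returns the
verdict a packet would get. Sample chains are constructed from the thread's
INPUT chain; the `lo` interface on the first rule is an assumption.
"""
import ipaddress
import re

SERVICES = {"ssh": 22, "ftp": 21, "domain": 53, "http": 80, "smtp": 25, "pop3": 110}

def port(token):
    """Port as printed by iptables: a number with -n, a service name without."""
    return int(token) if token.isdigit() else SERVICES[token]

def parse_chain(text):
    """Return (policy, rules) for one chain of `iptables -L [-v -n]` output."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                       # lines[1] is the column header
        tok = line.split()
        if re.fullmatch(r"\d+[KMG]?", tok[0]):   # -v output: pkts and bytes come first
            target, prot, _opt, iface_in, _out, src, dst = tok[2:9]
            extra = tok[9:]
        else:                                    # plain -L: no interface columns at all
            target, prot, _opt, src, dst = tok[:5]
            iface_in, extra = "*", tok[5:]
        rules.append({"target": target, "prot": prot, "in": iface_in,
                      "src": src, "dst": dst, "extra": extra})
    return policy, rules

def addr_match(spec, ip):
    if spec in ("anywhere", "0.0.0.0/0"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if rule["in"] != "*" and rule["in"] != pkt["iface"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])):
        return False
    extra = rule["extra"]
    for i, tok in enumerate(extra):
        if tok.startswith("dpt:") and port(tok[4:]) != pkt["dport"]:
            return False
        if tok.startswith("spt:") and port(tok[4:]) != pkt["sport"]:
            return False
        if tok == "state" and pkt["state"] not in extra[i + 1].split(","):
            return False
        if tok.startswith("option="):            # option=!2 matches TCP segments lacking MSS
            spec = tok[len("option="):]
            negated = spec.startswith("!")
            present = int(spec.lstrip("!")) in pkt["tcp_options"]
            if present == negated:
                return False
    return True

def trace(chain_text, pkt):
    """Return (verdict, rule_number); rule_number is None when the policy decides."""
    policy, rules = parse_chain(chain_text)
    for number, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            verdict = rule["target"]
            if "reject-with" in rule["extra"]:
                verdict += " " + rule["extra"][rule["extra"].index("reject-with") + 1]
            return verdict, number
    return policy, None

def packet(proto="tcp", iface="eth1", src="192.168.3.5", dst="192.168.3.60",
           sport=40000, dport=22, state="NEW", tcp_options=(2,)):
    """Describe one packet. TCP option 2 (MSS) is present on a SYN, absent mid-stream."""
    return {"proto": proto, "iface": iface, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "state": state, "tcp_options": set(tcp_options)}

# Constructed: the thread's INPUT chain (abridged) as `-L -v -n` would print it,
# with the first rule assumed to be `-i lo`.
VERBOSE_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp option=!2 reject-with tcp-reset
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       192.168.3.0/24       0.0.0.0/0
"""

# Constructed: the same first rule as the plain listing in the thread prints it.
PLAIN_INPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
"""

if __name__ == "__main__":
    print("SSH SYN in on eth1       ->", trace(VERBOSE_INPUT, packet()))
    print("untracked mid-stream seg ->", trace(VERBOSE_INPUT, packet(state="INVALID", tcp_options=())))
    print("same SYN, plain -L text  ->", trace(PLAIN_INPUT, packet()))
```

Against the plain listing every packet stops at rule 1, which is exactly the disagreement with observed behaviour that should prompt a rerun with `iptables -L -v -n` on the real box: the verbose form is the one to paste in when a chain behaves differently from how its plain listing reads.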
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12402031
Hi,

   How about temporarily disabling iptables ( service iptables stop) to see if the ssh connection works?
Then you can see whether the firewall causes the problem or not.

   The other thing you might want to check is "netstat -a |grep ssh" to see if your Linux server listens on the ssh port.
The output should look like:
tcp        0      0 *:ssh                   *:*                     LISTEN      

Wesly
0
 

Author Comment

by:tagish
ID: 12429760
Sorry for the delays in responding.

I changed all default policies to accept, and still got the same error.
The results of my netstat -a |grep ssh are:
root@gimli:~# netstat -a |grep ssh
tcp        0      0 *:ssh                   *:*                     LISTEN

ssh to the outside (eth0 card) works well.

Thanks.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12445706
Hi,

   Can you provide the output of "ifconfig -a" on your slackware box?

Wesly
0
 

Author Comment

by:tagish
ID: 12449053
You bet, here it is:

root@gimli:~# ifconfig -a
dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:50:FC:C8:64:CE
          inet addr:216.xxx.xxx.xxx  Bcast:216.xxx.xxx.xxx  Mask:255.255.248.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:375215 errors:0 dropped:0 overruns:0 frame:0
          TX packets:302225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:302 txqueuelen:1000
          RX bytes:292587648 (279.0 Mb)  TX bytes:54807832 (52.2 Mb)
          Interrupt:11 Base address:0x6c00

eth1      Link encap:Ethernet  HWaddr 00:10:A7:25:F6:E0
          inet addr:192.168.3.60  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:285550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:339413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52389189 (49.9 Mb)  TX bytes:288712753 (275.3 Mb)
          Interrupt:9 Base address:0x6800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I am not sure what the dummy0 interface is though...
0
 

Author Comment

by:tagish
ID: 12458759
Here is some additional info that I find interesting:

When linux box1 (ssh client) was set to use 192.168.3.1 as the default gateway (the old gateway) I could ssh to Linux box2 (sshd server, also firewall) on the outside interface eth0, but not the inside interface eth1.
Now I have changed my default gateway to be linux box2, 192.169.3.60. Now I get the same error when I try to connect to either interface from linux box1. From linux box1 I can ssh to other machines, inside and outside of my LAN. From linux box2 I can ssh to machines on the internet.

From the old gateway (also a slackware box, but a very old version) using the internet interface, I can ssh to the outside interface of linux box2.

Flushing and removing all iptables rules on linux box2 makes no difference.
0
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12459823
Hi,

    When you set the default gateway to 192.169.3.60 (eth0 on the trouble slackware server), can you ping the internet?

Wesly
0
 

Author Comment

by:tagish
ID: 12460474
Hi Wesly_chen,

The trouble server is my gateway, Linux Box2. eth0 is on the internet, and eth1 is the internal. However, from my other linux machine, Linux Box1, I can ping the internet. I can ssh, ftp and telnet to other sites. With Linux Box1 having the default gateway 192.168.3.60 I can not ssh (to either interface) to the gateway machine (linux box2), which is 192.168.3.60 on eth1, and 216.xxx.xxx.xxx on eth0. With Linux Box1 having 192.168.3.1 (linux box3->old gateway) as the default gateway I can ssh to the outside interface of the gateway machine linux box2.
0
 
LVL 38

Accepted Solution

by:
wesly_chen earned 500 total points
ID: 12460754
Hi,

   It seems that the internal port of slackware linux box2 (eth1) has a problem accepting/forwarding the ssh request.
So when your gateway is set to the IP address of eth1, ssh doesn't work on both interfaces (eth0, eth1).

   One more check: do you know of any ssh server on the internet, or can you put one ssh server (box4) on the internet side?
Then you can test ssh into the ssh server (box4) from box1 with the default gateway set to 192.168.3.60.
If it fails, then (eth1) on box2 has a problem accepting/forwarding the ssh request.

   In addition to iptables, do you have another firewall/packet filter such as ipchains running on box 2?
Can you kill those firewall processes (iptables, ipchains...)? (Not just remove all the rules)

Wesly
0
 

Author Comment

by:tagish
ID: 12469133
ok, I have tested ssh to another machine out on the internet and it worked well with my dg as 192.168.3.60....you got me thinking :)

My firewall is running only iptables, but I have another one running ipchains (linux box3) that allowed me to connect to the outside interface of the problem box...I can't really stop iptables, but I created a new set of rules that allowed anything to go anywhere it wanted, no questions, and voilà, ssh works to both interfaces.

thanks for your help, I was sure that it was not my firewall, and as a result did not thoroughly troubleshoot :( I will now go and start playing with my firewall rules.

Thanks again.
0