Solved

ssh_exchange_identification: read: Connection reset by peer

Posted on 2004-10-24
15,637 Views
Last Modified: 2008-01-09
Hello,
I have a slackware 9 box with 2 ethernet interfaces. eth0 is on the internet, eth1 is on the inside network. I am able to ssh to eth0 without any troubles.
When I try to ssh to eth1 from another linux client I get the following error:
ssh_exchange_identification: read: Connection reset by peer
When I try to ssh to eth1 from an old linux box I get the following error:
FATAL: Connecting to 192.168.3.60 failed: TCP/IP Failure
When I try to ssh to eth1 from putty I get the following error:
Network Error: Software caused connection abort

ssh -V on target machine:
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
My iptables are definitely allowing connections to port 22 on both interfaces.
There are no entries in the log file related to ssh on the target machine.
I can connect to ssh on eth0.

Any ideas what is wrong?

Thanks.
0
Question by:tagish
    12 Comments
     
    LVL 40

    Expert Comment

    by:jlevie
    What does your firewall log entries show when you attempt a connection? The problem description tends to point to the firewall being the cause.
    0
     
    LVL 38

    Expert Comment

    by:wesly_chen
    Hi,

       Where are your linux client boxes? Are they in the inside network (192.168.3.X), which is where eth1 is?
    If not, then you need to enable routing/ip forwarding on this slackware 9 box.

       If they are in the same subnet, then please give us the outputs of "iptables -L" and "netstat -n" so people can help to debug this issue.

    Regards,

    Wesly
    0
     

    Author Comment

    by:tagish
    Hello,

    OK, the linux clients are inside the network, 192.168.3.x. I do have port forwarding etc. working on the firewall, I am fairly sure that is not the trouble. (Even when I set all policies to ACCEPT the errors are the same.) There are no entries regarding the firewall.
    From what machine would you like the netstat from?
    iptables -L on the firewall:
    root@gimli:/etc/rc.d# iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    REJECT     tcp  --  anywhere             anywhere           tcp option=!2 reject-with tcp-reset
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:10000
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:10000
    ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
    ACCEPT     tcp  --  192.168.3.0/24       anywhere

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.3.0/24       anywhere
    ACCEPT     all  --  anywhere             192.168.3.0/24     state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:http
    ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:smtp
    ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:smtp
    ACCEPT     tcp  --  anywhere             192.168.3.19       tcp dpt:pop3
    ACCEPT     udp  --  anywhere             192.168.3.19       udp dpt:pop3
    ACCEPT     udp  --  anywhere             192.168.3.0/24     udp dpt:domain
    ACCEPT     udp  --  anywhere             192.168.3.0/24     udp spt:domain

    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             192.168.3.0/24
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
    ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
    ACCEPT     udp  --  anywhere             anywhere           udp spt:ssh
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
    ACCEPT     udp  --  anywhere             anywhere           udp spt:10000
    ACCEPT     tcp  --  anywhere             anywhere           tcp spt:10000
    ACCEPT     udp  --  anywhere             anywhere           udp spt:10000

    0
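An added example, not code from the thread: a first-match walk over the INPUT chain tagish posted above, with the listing embedded as a constructed input. ETH1_VIEW is a hypothetical variant in which rule 1 is bound to lo (an interface match that plain `iptables -L` hides); it illustrates how a `reject-with tcp-reset` rule produces "Connection reset by peer" and is not a diagnosis of this box.

```python
import ipaddress
import re

# Constructed excerpt of the posted INPUT chain (`iptables -L` output). Plain
# `iptables -L` omits interface matches (-i/-o) and counters, so this walk
# can only approximate the kernel's decision; `iptables -L -v -n` shows them.
INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere           tcp option=!2 reject-with tcp-reset
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  192.168.3.0/24       anywhere
"""

def parse_chain(listing):
    """Return (policy, rules) for one chain of `iptables -L` output."""
    lines = listing.strip().splitlines()          # line 0: chain/policy, line 1: header
    policy = re.search(r"\(policy (\w+)\)", lines[0]).group(1)
    rows = [line.split(None, 5) + [""] for line in lines[2:]]
    rules = [dict(zip(["target", "prot", "opt", "src", "dst", "extra"], p)) for p in rows]
    return policy, rules

def _addr_in(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """pkt keys: prot, src, dst, dport, state, mss (True if TCP option 2 is present)."""
    extra = rule["extra"]
    state = re.search(r"state (\S+)", extra)
    dport = re.search(r"dpt:(\S+)", extra)
    return (rule["prot"] in ("all", pkt["prot"])
            and _addr_in(rule["src"], pkt["src"]) and _addr_in(rule["dst"], pkt["dst"])
            and (not state or pkt["state"] in state.group(1).split(","))
            and (not dport or pkt["dport"] == dport.group(1))
            and not ("option=!2" in extra and pkt["mss"]))   # "option=!2": MSS option absent

def verdict(listing, pkt):
    """First-match walk: (1-based index of the deciding rule or None, target or chain policy)."""
    policy, rules = parse_chain(listing)
    for i, rule in enumerate(rules, 1):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and rule_matches(rule, pkt):
            return i, rule["target"] + (" tcp-reset" if "tcp-reset" in rule["extra"] else "")
    return None, policy

SSH_SYN = {"prot": "tcp", "src": "192.168.3.19", "dst": "192.168.3.60",
           "dport": "ssh", "state": "NEW", "mss": True}
SSH_ACK = dict(SSH_SYN, mss=False)   # later segment: no MSS option; state NEW here is hypothetical
# Hypothetical: rule 1 is bound to lo (invisible without -v), so remove it for eth1 traffic.
ETH1_VIEW = "\n".join(l for i, l in enumerate(INPUT_CHAIN.splitlines()) if i != 2)
```

On the real box, `iptables -L -v -n` adds the interface matches and per-rule packet counters that the plain listing omits, which is what tells you which rule a given connection actually hit.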
     
    LVL 38

    Expert Comment

    by:wesly_chen
    Hi,

       How about temporarily disabling iptables (service iptables stop) to see whether the ssh connection works?
    Then you can see whether the firewall causes the problem or not.

       The other thing you might want to check is "netstat -a |grep ssh" to see if your Linux server listens on the ssh port.
    The output should look like
    tcp        0      0 *:ssh                   *:*                     LISTEN      

    Wesly
    0
     

    Author Comment

    by:tagish
    Sorry for the delays in responding.

    I changed all default policies to ACCEPT, and still got the same error.
    The results of my netstat -a |grep ssh are:
    root@gimli:~# netstat -a |grep ssh
    tcp        0      0 *:ssh                   *:*                     LISTEN

    ssh to the outside (eth0 card) works well.

    Thanks.
    0
     
    LVL 38

    Expert Comment

    by:wesly_chen
    Hi,

       Can you provide the output of "ifconfig -a" on your slackware box?

    Wesly
    0
     

    Author Comment

    by:tagish
    You bet, here it is:

    root@gimli:~# ifconfig -a
    dummy0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
              BROADCAST NOARP  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    eth0      Link encap:Ethernet  HWaddr 00:50:FC:C8:64:CE
              inet addr:216.xxx.xxx.xxx  Bcast:216.xxx.xxx.xxx  Mask:255.255.248.0
              UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:375215 errors:0 dropped:0 overruns:0 frame:0
              TX packets:302225 errors:0 dropped:0 overruns:0 carrier:0
              collisions:302 txqueuelen:1000
              RX bytes:292587648 (279.0 Mb)  TX bytes:54807832 (52.2 Mb)
              Interrupt:11 Base address:0x6c00

    eth1      Link encap:Ethernet  HWaddr 00:10:A7:25:F6:E0
              inet addr:192.168.3.60  Bcast:192.168.3.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:285550 errors:0 dropped:0 overruns:0 frame:0
              TX packets:339413 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:52389189 (49.9 Mb)  TX bytes:288712753 (275.3 Mb)
              Interrupt:9 Base address:0x6800

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

    I am not sure what the dummy0 interface is though...
    0
     

    Author Comment

    by:tagish
    Here is some additional info that I find interesting:

    When linux box1 (ssh client) was set to use 192.168.3.1 as the default gateway (the old gateway) I could ssh to Linux box2 (sshd server, also firewall) on the outside interface eth0, but not the inside interface eth1.
    Now I have changed my default gateway to be linux box2, 192.169.3.60. Now I get the same error when I try to connect to either interface from linux box1. From linux box1 I can ssh to other machines, inside and outside of my LAN. From linux box2 I can ssh to machines on the internet.

    From the old gateway (also a slackware box, but a very old version), using the internet interface, I can ssh to the outside interface of linux box2.

    Flushing and removing all iptables rules on linux box2 makes no difference.
    0
     
    LVL 38

    Expert Comment

    by:wesly_chen
    Hi,

        When you set the default gateway to 192.169.3.60 (eth0 on the trouble slackware server), can you ping the internet?

    Wesly
    0
     

    Author Comment

    by:tagish
    Hi Wesly_chen,

    The trouble server is my gateway, Linux Box2. eth0 is on the internet, and eth1 is the internal. However, from my other linux machine, Linux Box1, I can ping the internet. I can ssh, ftp and telnet to other sites. With Linux Box1 having the default gateway 192.168.3.60 I can not ssh (to either interface) to the gateway machine (linux box2), which is 192.168.3.60 on eth1, and 216.xxx.xxx.xxx on eth0. With Linux Box1 having 192.168.3.1 (linux box3, the old gateway) as the default gateway I can ssh to the outside interface of the gateway machine linux box2.
    0
     
    LVL 38

    Accepted Solution

    by:
    Hi,

       It seems that the internal port of slackware linux box2 (eth1) has a problem accepting/forwarding the ssh request.
    So when your gateway is set to the IP address of eth1, ssh doesn't work on both interfaces (eth0, eth1).

       One more check: do you know any ssh server on the internet, or can you put one ssh server (box4) on the internet side?
    Then you can test ssh into the ssh server (box4) from box1 with the default gateway set to 192.168.3.60.
    If it fails, then (eth1) on box2 has a problem accepting/forwarding the ssh request.

       In addition to iptables, do you have another firewall/packet filter such as ipchains running on box2?
    Can you kill those firewall processes (iptables, ipchains...)? (Not just remove all the rules.)

    Wesly
    0
     

    Author Comment

    by:tagish
    OK, I have tested ssh to another machine out on the internet and it worked well with my dg as 192.168.3.60... you got me thinking :)

    My firewall is running only iptables, but I have another one running ipchains (linux box3) that allowed me to connect to the outside interface of the problem box... I can't really stop iptables, but I created a new set of rules that allowed anything to go anywhere it wanted, no questions, and voilà, ssh works to both interfaces.

    Thanks for your help, I was sure that it was not my firewall, and as a result did not thoroughly troubleshoot :( I will now go and start playing with my firewall rules.

    Thanks again.
    0
