Solved

SSH into Linux

Posted on 2010-11-30
1,147 Views
Last Modified: 2012-05-10
I am trying to SSH into a Linux test server I built, to no avail; it's currently running CentOS 5.5.

I ran "lsof -i:22" and "pgrep sshd" to ensure ssh is running on the server; it is. When I go into PuTTY and type "ssh root@server-ip-address" I just get a blank screen. And yes, I am putting the numeric server IP address in; I have also tried the server name.

The only thing I can come up with is that the firewall is blocking it... I'm running a Cisco PIX 515e. I opened port 22 up, but maybe I'm missing something else. The config for the firewall is below.

Thank you in advance for any insight.

PIX Version 7.2(2)
!
hostname CSNPix
domain-name CSN
enable password xxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address w.x.y.z 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.26.2.3 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name CSN
access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.26.2.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.10.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.2.0 255.255.255.0
access-list fromoutside extended permit tcp any any eq 5900
access-list fromoutside extended permit udp any any eq 4500
access-list fromoutside extended permit esp any any
access-list fromoutside extended permit udp any any eq isakmp
access-list fromoutside extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ippool 172.26.3.10-172.26.3.100 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp w.x.y.0 5900 172.26.1.0 5900 netmask 255.255.255.0
static (inside,outside) tcp w.x.y.0 4500 172.26.1.0 4500 netmask 255.255.255.0
static (inside,outside) udp w.x.y.0 4500 172.26.1.0 4500 netmask 255.255.255.0
static (inside,outside) tcp w.x.y.0 ssh 172.26.10.0 ssh netmask 255.255.255.0
access-group fromoutside in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 172.0.0.0 255.0.0.0 172.26.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxxxxxx internal
group-policy xxxxxxxxxx attributes
 dns-server value a.a.a.a b.b.b.b
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxx_splitTunnelAcl
username xxxxx password xxxxx encrypted privilege 15
username xxxxx attributes
 vpn-group-policy xxxxxxxx
aaa authentication ssh console LOCAL
http server enable
http 172.26.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
tunnel-group xxxxxxxx type ipsec-ra
tunnel-group xxxxxxxx general-attributes
 address-pool ippool
 default-group-policy xxxxxxxxxxx
tunnel-group xxxxxxxx ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 20
telnet 172.26.3.0 255.255.255.0 inside
telnet timeout 5
ssh 172.26.1.10 255.255.255.255 inside
ssh 172.26.2.3 255.255.255.255 inside
ssh 172.26.2.2 255.255.255.255 inside
ssh 172.26.3.0 255.255.255.0 inside
ssh 172.26.1.11 255.255.255.255 inside
ssh 172.26.1.12 255.255.255.255 inside
ssh 172.26.10.10 255.255.255.255 inside
ssh 172.26.10.11 255.255.255.255 inside
ssh 172.26.10.12 255.255.255.255 inside
ssh timeout 45
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
Question by:JBober14
12 Comments
 
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 83 total points
ID: 34242522
Try adding an outgoing rule on your inside interface. Because of the VPN there is a rule there, and the implicit deny all is catching it because it is not using the same VPN split rule. We have the same on ours: you have to create a rule to allow the packet in on the outside interface, and then you also have to create a rule on the inside interface allowing it into your network. So it would need to be an outgoing rule on the inside interface.

access-list ToInternal extended permit tcp any host YOUR-HOST-OR-IP eq ssh

You will have to see where the rules are applied. Remember, anywhere you have a rule an implicit deny goes in at the end. You can also try using ASDM; that will show you where rules are applied and in which directions.
 
LVL 5

Assisted Solution

by:evil_hitman
evil_hitman earned 83 total points
ID: 34242825
Ok, this may be a bit simplistic and it could just be me misunderstanding what you say (I apologise in advance) but...

"When I go into Putty and type "ssh root@server-ip-address" I just get a blank screen"

If you are loading up PuTTY and literally typing that full line into the host field, I wouldn't imagine it would work.

Try instead just putting in the server IP; PuTTY will prompt you for the username. Select SSH as the connection type.

Again, apologies if your comment was not to be taken literally.
 

Author Comment

by:JBober14
ID: 34243063
To StrifeJester: I believe I have the line you are speaking of [access-list fromoutside extended permit tcp any any eq ssh]...

To evil_hitman: the way I wrote that was misleading, my apologies. I select the SSH connection type and type "root@server ip".

As it stands right now I cannot access ssh from my 172.26.10.0 network, but my 172.26.1.0 network can access the computer through ssh, kind of... When it prompts me for a password, my set password tells me access is denied. Any ideas?

Thank you again
 

Author Comment

by:JBober14
ID: 34243081
Scratch my previous post about the 172.26.1.0 network... I am running CentOS as a VM on a Xen server. The 1.0 network is a management line for Xen. Nonetheless, SSH works for that, so I would believe port 22 is open.
 
LVL 17

Expert Comment

by:StrifeJester
ID: 34243659
Do the other services work, such as the 4500 and 5900 that you have listed? Also try maybe taking out the SSH lines from the inside; it could be that the NAT rule is not applying properly because the ssh is thinking it should go to the PIX, and only on the inside interface.

ssh 172.26.1.10 255.255.255.255 inside
ssh 172.26.2.3 255.255.255.255 inside
ssh 172.26.2.2 255.255.255.255 inside
ssh 172.26.3.0 255.255.255.0 inside
ssh 172.26.1.11 255.255.255.255 inside
ssh 172.26.1.12 255.255.255.255 inside
ssh 172.26.10.10 255.255.255.255 inside
ssh 172.26.10.11 255.255.255.255 inside
ssh 172.26.10.12 255.255.255.255 inside
ssh timeout 45


These may be messing it up, but I doubt it.
 
LVL 12

Assisted Solution

by:mccracky
mccracky earned 83 total points
ID: 34243875
I think you misunderstood what evil_hitman was saying. In PuTTY you don't put the username in with the IP. Just put the IP in and PuTTY will prompt you for the username. There is another place to actually put the username, but I can't remember exactly where it is and I don't have PuTTY on this box. It might be under something called "session"?

LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 83 total points
ID: 34244179
If you suspect the ASA, then try this simple test.

Open up a console or CLI session to the ASA. Try to connect via SSH to your host (I assume you are on the outside and the host is in the 172 subnets).
Once it fails, issue a "SHOW LOGGING" on the ASA. If any packets were dropped due to an access-list, this would show it.

Post it here if you need me to review.
 
LVL 19

Accepted Solution

by:jools
jools earned 84 total points
ID: 34245856
Can you access the server by other means, or is it just related to ssh connections?

From the host, can you ssh to localhost?

Do you have a resolv.conf entry that points to a DNS server that cannot be accessed or does not exist?

Just a thought and all that...
 
LVL 5

Assisted Solution

by:bougui
bougui earned 84 total points
ID: 34248074
Regarding

"When it prompts me for a password my set password tell me access is denied. Any ideas?"

If you get a message with access denied, then you can ssh to the box for sure, because this message is given by the ssh server.

Let's try this:
1) On the CentOS console create a normal user like this (as the user root); type this:
useradd testuser
2) Then put a password on the new user:
passwd testuser

Then in PuTTY try to ssh to the CentOS box.

3) Just enter the IP address of the CentOS box in PuTTY and hit OPEN

4) Then enter the username testuser with the password that you gave at step 2)

You should be in.

Probably your CentOS config denies root access to ssh.

Just my 2 ¢

Cheers!
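bougui's diagnosis above (the server prompts for a password and then refuses root) is what sshd does when PermitRootLogin forbids the login: it still runs the authentication exchange and only then denies, so the symptom looks like a wrong password. The following script is an added example for this thread, not OpenSSH code or anything the poster ran; it reads the global section of an sshd_config (everything before the first Match block, which it deliberately ignores), applies sshd's rule that the first value given for a keyword wins, and reports whether an interactive root login with a password would be accepted. The sample configuration and the defaults used for absent keywords are constructed assumptions.

```python
"""Check whether an sshd_config would refuse an interactive root password login.
Added example for this thread; not OpenSSH code. Only the global section of the
file is evaluated (Match blocks are skipped), and the first value seen for a
keyword wins, as sshd itself does."""

# Constructed sample resembling a CentOS 5 sshd_config with root login disabled.
SAMPLE_SSHD_CONFIG = """\
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Subsystem	sftp	/usr/libexec/openssh/sftp-server
Match User backup
    PermitRootLogin yes
"""

# Assumed defaults when a keyword is absent (OpenSSH of that era permitted both).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def global_directives(config_text):
    """Return {keyword_lower: first_value} for the global section of sshd_config."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)    # sshd also accepts Keyword=value
        key = parts[0].lower()
        if key == "match":
            break                             # conditional blocks are out of scope
        if len(parts) == 2 and key not in found:
            found[key] = parts[1].strip().lstrip("=").strip()
    return found


def root_password_login(config_text):
    """Return (allowed, reason) for an interactive root login using a password."""
    d = global_directives(config_text)
    prl = d.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    pwauth = d.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    if prl == "no":
        return False, "PermitRootLogin no: root is refused after the password exchange"
    if prl in ("without-password", "prohibit-password"):
        return False, "PermitRootLogin %s: root may only use keys, not a password" % prl
    if prl == "forced-commands-only":
        return False, "PermitRootLogin forced-commands-only: root limited to key-forced commands"
    if pwauth == "no":
        return False, "PasswordAuthentication no: no account can log in with a password"
    return True, "root password login permitted; a normal user plus sudo is the safer setup"


if __name__ == "__main__":
    allowed, reason = root_password_login(SAMPLE_SSHD_CONFIG)
    print("root password login allowed:", allowed, "-", reason)
```

Run it against the real file with `root_password_login(open("/etc/ssh/sshd_config").read())`; a `False` result with the "PermitRootLogin no" reason is exactly the case where bougui's test user logs in while root is denied, and the fix is to use the unprivileged account rather than to loosen the directive.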
 

Author Comment

by:JBober14
ID: 34251523
PIX 515E error log showed the following...

3 Dec 01 2010 19:48:55 305005 172.26.10.10 No translation group found for tcp src outside:172.26.3.11/50980 dst inside:172.26.10.10/22

Any thoughts?
 

Author Closing Comment

by:JBober14
ID: 34251654
Well, I got it... I forgot to add the following command in the firewall:

access-list inside_nat0_outbound extended permit ip 172.26.10.0 255.255.255.0 172.26.3.0 255.255.255.0

Thanks everyone for the help; that simple oversight had me racking my brain. As always, great help. I will spread the points to all the experts that lent a hand.
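The 305005 "No translation group found" message JBober14 pulled from the PIX log, read against the nat 0 exemption list in the posted config, already points at the missing entry: the VPN pool client 172.26.3.11 reached the inside host 172.26.10.10, but `inside_nat0_outbound` only exempts the 172.26.1.0/24 and 172.26.2.0/24 networks talking to 172.26.3.0/24. The script below is an added example for this thread, not Cisco code; it parses the exemption ACEs and the syslog line as posted, checks whether the inside host and remote peer fall inside any exempted pair, and otherwise prints the ACE that would cover them. The netmasks it uses for the suggested ACE (255.255.255.0 for the inside network, as in the existing ACEs, and 255.255.255.0 for the pool, from `ip local pool ippool ... mask 255.255.255.0`) are taken from the posted config and are parameters, not something it derives.

```python
"""Cross-check a PIX/ASA 305005 'No translation group found' syslog message
against the NAT-exemption (nat 0) access-list to find the missing entry.
Added example for this thread, not Cisco code. The ACL text and log line
below are copied from the thread; the netmasks are parameters."""
import ipaddress
import re

# nat 0 exemption ACEs exactly as they appear in the posted PIX config.
NAT0_ACL = """
access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.26.2.0 255.255.255.0 172.26.3.0 255.255.255.0
"""
ACL_NAME = "inside_nat0_outbound"   # the list bound by 'nat (inside) 0 access-list'

# The syslog line JBober14 posted from the PIX.
LOG_LINE = ("3 Dec 01 2010 19:48:55 305005 172.26.10.10 No translation group found "
            "for tcp src outside:172.26.3.11/50980 dst inside:172.26.10.10/22")

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$")

LOG_RE = re.compile(
    r"305005\s+\S+\s+No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_nat0_acl(text, name=ACL_NAME):
    """Return (src_net, dst_net) pairs from the 'permit ip' ACEs of one ACL."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m["name"] != name:
            continue
        # ip_network accepts dotted netmasks; strict=False tolerates host bits.
        src = ipaddress.ip_network("%s/%s" % (m["src"], m["smask"]), strict=False)
        dst = ipaddress.ip_network("%s/%s" % (m["dst"], m["dmask"]), strict=False)
        pairs.append((src, dst))
    return pairs


def parse_305005(line):
    """Extract protocol, interfaces, addresses and ports from a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 305005 message: %r" % line)
    return {"proto": m["proto"], "src_if": m["sif"], "dst_if": m["dif"],
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}


def exemption_covers(pairs, inside_host, remote_host):
    """nat (inside) 0 ACEs are written inside-to-remote, so match in that order."""
    return any(inside_host in s and remote_host in d for s, d in pairs)


def diagnose(log_line, acl_text, inside_mask="255.255.255.0", pool_mask="255.255.255.0"):
    """Return None if the flow is exempted, else the ACE that would exempt it."""
    ev = parse_305005(log_line)
    # The dropped packet arrived on 'outside'; the inside host is its destination.
    inside_host, remote_host = ev["dst"], ev["src"]
    if exemption_covers(parse_nat0_acl(acl_text), inside_host, remote_host):
        return None
    inside_net = ipaddress.ip_network("%s/%s" % (inside_host, inside_mask), strict=False)
    remote_net = ipaddress.ip_network("%s/%s" % (remote_host, pool_mask), strict=False)
    return ("access-list %s extended permit ip %s %s %s %s" % (
        ACL_NAME, inside_net.network_address, inside_net.netmask,
        remote_net.network_address, remote_net.netmask))


if __name__ == "__main__":
    print(diagnose(LOG_LINE, NAT0_ACL) or "flow already exempted")
```

Run as-is it prints the same ACE JBober14 added in the closing comment; feed it the amended ACL and it reports the flow as exempted. The same check works on any 305005 line from `show logging`, which is the quick way to tell a NAT gap from an access-group deny (those log as 106xxx messages instead).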
 
LVL 5

Expert Comment

by:bougui
ID: 34251826
So you can't access your ssh server because a policy is missing in the Cisco.

Add the corresponding rule and then it should be fine.

Good luck