SSH into Linux

I am trying to SSH into a Linux test server I built, to no avail; it's currently running CentOS 5.5.

I ran "lsof -i:22" and "pgrep sshd" to ensure SSH is running on the server; it is. When I go into PuTTY and type "ssh root@server-ip-address" I just get a blank screen. And yes, I am putting the numeric server IP address in; I have also tried the server name.

The only thing I can come up with is that the firewall is blocking it... I'm running a Cisco PIX 515E. I opened port 22 up, but maybe I'm missing something else. The config for the firewall is below.

Thank you in advance for any insight.

PIX Version 7.2(2)
!
hostname CSNPix
domain-name CSN
enable password xxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address w.x.y.z 255.255.255.248
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.26.2.3 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name CSN
access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.26.2.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.10.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.1.0 255.255.255.0
access-list CSNTnlGrp_splitTunnelAcl standard permit 172.26.2.0 255.255.255.0
access-list fromoutside extended permit tcp any any eq 5900
access-list fromoutside extended permit udp any any eq 4500
access-list fromoutside extended permit esp any any
access-list fromoutside extended permit udp any any eq isakmp
access-list fromoutside extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ippool 172.26.3.10-172.26.3.100 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp w.x.y.0 5900 172.26.1.0 5900 netmask 255.255.255.0
static (inside,outside) tcp w.x.y.0 4500 172.26.1.0 4500 netmask 255.255.255.0
static (inside,outside) udp w.x.y.0 4500 172.26.1.0 4500 netmask 255.255.255.0
static (inside,outside) tcp w.x.y.0 ssh 172.26.10.0 ssh netmask 255.255.255.0
access-group fromoutside in interface outside
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
route inside 172.0.0.0 255.0.0.0 172.26.2.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy xxxxxxxxxx internal
group-policy xxxxxxxxxx attributes
 dns-server value a.a.a.a b.b.b.b
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxx_splitTunnelAcl
username xxxxx password xxxxx encrypted privilege 15
username xxxxx attributes
 vpn-group-policy xxxxxxxx
aaa authentication ssh console LOCAL
http server enable
http 172.26.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  60
tunnel-group xxxxxxxx type ipsec-ra
tunnel-group xxxxxxxx general-attributes
 address-pool ippool
 default-group-policy xxxxxxxxxxx
tunnel-group xxxxxxxx ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 20
telnet 172.26.3.0 255.255.255.0 inside
telnet timeout 5
ssh 172.26.1.10 255.255.255.255 inside
ssh 172.26.2.3 255.255.255.255 inside
ssh 172.26.2.2 255.255.255.255 inside
ssh 172.26.3.0 255.255.255.0 inside
ssh 172.26.1.11 255.255.255.255 inside
ssh 172.26.1.12 255.255.255.255 inside
ssh 172.26.10.10 255.255.255.255 inside
ssh 172.26.10.11 255.255.255.255 inside
ssh 172.26.10.12 255.255.255.255 inside
ssh timeout 45
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
Asked by JBober14

6 Solutions

StrifeJester commented:
Try adding an outgoing rule on your inside interface. Because of the VPN there is a rule there, and the implicit deny all is catching it because it is not using the same VPN split rule. We have the same on ours: you have to create a rule to allow the packets in on the outside interface, and then you also have to create a rule on the inside interface allowing them into your network. So it would need to be an outgoing rule on the inside interface.

access-list ToInternal extended permit tcp any host YOUR-HOST-OR-IP eq ssh

You will have to see where the rules are applied. Remember, anywhere you have a rule, an implicit deny goes in at the end. You can also try using ASDM, which will show you where rules are applied and in what direction.
evil_hitman commented:
OK, this may be a bit simplistic and it could just be me misunderstanding what you say (I apologise in advance), but......

When I go into Putty and type "ssh root@server-ip-address" i just get a blank screen

If you are loading up PuTTY and literally typing that full line into the host field, I wouldn't imagine it would work.

Try instead to just put the server IP in; PuTTY will prompt you for the username. Select SSH as the connection type.

Again apologies if your comment was not to be taken literally
JBober14 (author) commented:
To StrifeJester: I believe I have the line you are speaking of [access-list fromoutside extended permit tcp any any eq ssh]...

To evil_hitman: the way I wrote that was misleading, my apologies. I select the SSH connection type and type "root@server-ip".

As it stands right now I cannot access SSH using my 172.26.10.0 network, but my 172.26.1.0 network can access the computer through SSH, kind of... When it prompts me for a password, my set password tells me access is denied. Any ideas?

Thank you again
JBober14 (author) commented:
Scratch my previous post about the 172.26.1.0 network... I am running CentOS as a VM on a Xen server. The 1.0 network is a management line for Xen. Nonetheless, SSH works for that, so I would believe port 22 is open.
StrifeJester commented:
Do the other services work, such as the 4500 and 5900 that you have listed? Also, try maybe taking out the SSH lines from the inside; it could be that the NAT rule is not applying properly because SSH thinks it should go to the PIX, and only on the inside interface.

ssh 172.26.1.10 255.255.255.255 inside
ssh 172.26.2.3 255.255.255.255 inside
ssh 172.26.2.2 255.255.255.255 inside
ssh 172.26.3.0 255.255.255.0 inside
ssh 172.26.1.11 255.255.255.255 inside
ssh 172.26.1.12 255.255.255.255 inside
ssh 172.26.10.10 255.255.255.255 inside
ssh 172.26.10.11 255.255.255.255 inside
ssh 172.26.10.12 255.255.255.255 inside
ssh timeout 45


These may be messing it up, but I doubt it.
mccracky commented:
I think you misunderstood what evil_hitman was saying. In PuTTY you don't put the username in with the IP. Just put the IP in and PuTTY will prompt you for the username. There is another place to actually put the username, but I can't remember exactly where it is and I don't have PuTTY on this box. It might be under something called "session"?
MikeKane commented:
If you suspect the ASA, then try this simple test.  

Open up a console or CLI session to the ASA. Try to connect via SSH to your host (I assume you are on the outside and the host is in the 172. subnets).
Once it fails, issue a "SHOW LOGGING" on the ASA. If any packets were dropped due to an access-list, this would show it.

Post it here if you need me to review.
jools commented:
Can you access the server by other means, or is it just related to SSH connections?

From the host, can you ssh to localhost?

Do you have a resolv.conf entry that points to a DNS server that cannot be accessed or does not exist?

just a thought and all that...
bougui commented:
Regarding

"When it prompts me for a password my set password tell me access is denied. Any ideas?"

If you get a message with access denied, then you can SSH to the box for sure, because this message is given by the SSH server.

Let's try this:
1) On the CentOS console, as the user root, create a normal user like this:
useradd testuser
2) Then set a password for the new user:
passwd testuser

Then in PuTTY try to SSH to the CentOS box.

3) Just enter the IP address of the CentOS box in PuTTY and hit OPEN.

4) Then enter the username testuser and the password that you gave at step 2.

You should be in.

Probably your CentOS config denies root access over SSH.

Just my 2¢

Cheers!
JBober14 (author) commented:
The PIX 515E error log showed the following:

3 Dec 01 2010 19:48:55 305005 172.26.10.10 No translation group found for tcp src outside:172.26.3.11/50980 dst inside:172.26.10.10/22

Any thoughts?
JBober14 (author) commented:
Well I got it... I forgot to add the following command in the firewall:

access-list inside_nat0_outbound extended permit ip 172.26.10.0 255.255.255.0 172.26.3.0 255.255.255.0

Thanks, everyone, for the help; that simple oversight had me racking my brain. As always, great help. I will spread the points to all the experts that lent a hand.
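The 305005 message and the fix above fit together: `nat (inside) 0 access-list inside_nat0_outbound` exempts inside-to-VPN-pool traffic from the `nat (inside) 1` PAT, but the posted ACL only named 172.26.1.0/24 and 172.26.2.0/24, so a VPN client in 172.26.3.0/24 reaching 172.26.10.10 had no translation to match. As an added example, not part of the thread, the code below parses the NAT-exemption lines in the style of the posted config plus a 305005 log line and reports whether the logged flow is covered, before and after the author's added line. The config fragment and log line are copied from the post; the function names are this example's own, and only the `permit ip NET MASK NET MASK` ACE form is parsed.

```python
import ipaddress
import re

# NAT-exemption lines copied from the posted PIX 7.2(2) config.  The VPN pool
# 172.26.3.0/24 is exempted for the 172.26.1.0 and 172.26.2.0 networks only.
ORIGINAL_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 172.26.1.0 255.255.255.0 172.26.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.26.2.0 255.255.255.0 172.26.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# The line the author added to resolve the problem.
FIX_LINE = ("access-list inside_nat0_outbound extended permit ip "
            "172.26.10.0 255.255.255.0 172.26.3.0 255.255.255.0\n")

# The 305005 message pasted in the thread, with the ASDM timestamp prefix trimmed.
LOG_LINE = ("305005 172.26.10.10 No translation group found for tcp "
            "src outside:172.26.3.11/50980 dst inside:172.26.10.10/22")

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\((\w+)\)\s+0\s+access-list\s+(\S+)$")
LOG_RE = re.compile(
    r"No translation group found for (\w+) "
    r"src (\w+):([\d.]+)/(\d+) dst (\w+):([\d.]+)/(\d+)")


def parse_nat_exemptions(config_text):
    """Map each interface carrying 'nat (ifc) 0 access-list NAME' to the
    (local_net, remote_net) pairs of that ACL's 'permit ip' entries."""
    aces, bindings = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            # ip_network() accepts dotted netmasks, so "172.26.1.0/255.255.255.0" works
            local = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            remote = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            aces.setdefault(m.group(1), []).append((local, remote))
            continue
        m = NAT0_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return {ifc: aces.get(acl, []) for ifc, acl in bindings.items()}


def parse_305005(line):
    """Extract protocol, interfaces, addresses and ports from a 305005 message."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 305005 'No translation group found' message")
    return {
        "proto": m.group(1),
        "src_if": m.group(2), "src": ipaddress.ip_address(m.group(3)), "sport": int(m.group(4)),
        "dst_if": m.group(5), "dst": ipaddress.ip_address(m.group(6)), "dport": int(m.group(7)),
    }


def is_nat_exempt(exemptions, flow):
    """True if a nat 0 ACE covers the flow.

    NAT exemption is bidirectional, and the ACE is written from the side of the
    NAT interface: source = local (inside) network, destination = remote network.
    For a flow logged as outside->inside, the local host is therefore the log's
    dst and the remote host is the log's src.
    """
    if flow["src_if"] in exemptions:
        local, remote, rules = flow["src"], flow["dst"], exemptions[flow["src_if"]]
    elif flow["dst_if"] in exemptions:
        local, remote, rules = flow["dst"], flow["src"], exemptions[flow["dst_if"]]
    else:
        return False
    return any(local in lnet and remote in rnet for lnet, rnet in rules)


def diagnose(config_text, log_line):
    """Return (exempt, flow) for a 305005 line against a config's nat 0 ACLs."""
    flow = parse_305005(log_line)
    return is_nat_exempt(parse_nat_exemptions(config_text), flow), flow


if __name__ == "__main__":
    before, flow = diagnose(ORIGINAL_CONFIG, LOG_LINE)
    after, _ = diagnose(ORIGINAL_CONFIG + FIX_LINE, LOG_LINE)
    print(f"{flow['src']} -> {flow['dst']}:{flow['dport']} "
          f"exempt before fix: {before}, after fix: {after}")
```

The same check explains why the 172.26.1.0 management network worked all along: a flow from the pool to a 172.26.1.x host is covered by the first ACE, while 172.26.10.10 was not covered by any until the third line was added. On a real box, `show logging | include 305005` gives the input and `show running-config nat` and `show access-list inside_nat0_outbound` give the rules to paste in.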
bougui commented:
So you couldn't access your SSH server because a policy was missing on the Cisco.

Add the corresponding rule and then it should be fine.

Good luck