SSH/Firewall issue

tawnos42 · March 13, 2010, 3:18pm

I am a complete UNIX neophyte with the unenviable task of trying to pseudo manage two SUN boxes with an unknown past. I was not responsible for setting them up, anything that was done on them previously, and have no means of figuring out anything that was done to them. So far I have changed the IPs and enabled root access for SSH. I also changed the IP in /etc/hosts associated with one of them from its previous public IP to its current IP on the local (private) network. Otherwise I have done nothing.

The machines are named Sun1 and Sun2 and are both on the same network. Everything works fine on Sun1. I can ssh into it from anywhere. For Sun2, however, I can only ssh into it from a client that is on the same network but not from a client on another network. For now, the user has been ssh'ing into Sun1 and going from there to Sun2. This works but is awkward.

I first suspected a firewall was active on Sun2 but ipfstat shows nothing and there are no rules defined in /etc/ipf/ipf.conf. As far far as I can tell ipf is not even running anyway. Is there some way I can tell for sure if a firewall is running somewhere on Sun2? Is there some other ssh setting that would allow only LAN access? I also compared /etc/ssh/sshd_config between Sun1 and Sun2 and could not find any differences.

System_Shock · March 13, 2010, 11:30pm

Are you sure the default route and netmask are set correctly in sun2?

incredible · March 14, 2010, 1:55am

check your /etc/hosts.allow and hosts.deny files in Sun2

TonyLawrence · March 14, 2010, 10:22am

By the way, I really wouldn't advise enabling ssh for root unless absolutely necessary.

Better to ssh in as an ordinary user and su or sudo.

When testing for firewalls, a simple test for any protocol is to try

telnet sun2 (port)

which in this case is 22.

If nothing is blocking that, you'll see something like

Trying x,.x.x.x
Connected to sun2
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3

(with that last line varying, of course)

If you don't get that, yes, you are looking at a firewall or routing issue. If you do get it, then ssh itself is refusing you and your next move is "ssh -v" to figure out why.

Note: Because ssh HAS -v, you don't really need the "telnet sun2 22" - the "ssh -v" would hang if it is blocked by a firewall or routing. It's just a good trick to keep in mind for any sort of access.

tawnos42 · March 14, 2010, 11:35am

It was the default gateway. I had changed it initially using route delete/add but apparently that doesn't permanently change it. It went back to the old default route after someone rebooted. I did delete/add again and changed it in /etc/defaultrouter and now it works. The change should be persistent over reboots this time I hope.