Author Topic: [SOLVED]SSH Ports Closed?!  (Read 1886 times)

Offline phyerboss

  • Sr. Member
  • ****
  • Posts: 321
[SOLVED]SSH Ports Closed?!
« on: February 09, 2010, 12:04:35 AM »
I hope this is the best thread for this issue...

In a nutshell, my webdev guys cannot log in to my server using ssh anymore. The server runs on PCLOS, which was just upgraded to KDE 4.3 (please no "knocking" us for running a desktop OS as a server...I tire of that same moot discussion*). At first ssh and even KRFB worked fine and took in remote connections.

Now, all of a sudden, we can't access either. And they are both running! I can't even get on KRFB over the local LAN! The router is properly configured and set to relay all incoming traffic to the server. But when my lead dev ran an app called Nmap, he emailed me these results:

Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-08 17:04 Mountain Standard Time
NSE: Loaded 36 scripts for scanning.

Initiating Ping Scan at 17:04
Scanning www.phyer.net (70.61.205.174) [9 ports]
Completed Ping Scan at 17:04, 0.25s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 17:04
Completed Parallel DNS resolution of 1 host. at 17:04, 0.34s elapsed

Initiating SYN Stealth Scan at 17:04
Scanning www.phyer.net (70.61.205.174) [1000 ports]
Discovered open port 80/tcp on 70.61.205.174
Completed SYN Stealth Scan at 17:04, 27.48s elapsed (1000 total ports)

Initiating Service scan at 17:04
Scanning 1 service on www.phyer.net (70.61.205.174)
Completed Service scan at 17:06, 79.39s elapsed (1 service on 1 host)

Initiating OS detection (try #1) against www.phyer.net (70.61.205.174)
Retrying OS detection (try #2) against www.phyer.net (70.61.205.174)

Initiating Traceroute at 17:06
Completed Traceroute at 17:06, 3.06s elapsed

Initiating Parallel DNS resolution of 17 hosts. at 17:06
Completed Parallel DNS resolution of 17 hosts. at 17:06, 3.98s elapsed
NSE: Script scanning 70.61.205.174.
NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 17:06
Completed NSE at 17:06, 0.83s elapsed
NSE: Script Scanning completed.
Nmap scan report for www.phyer.net (70.61.205.174)
Host is up (0.074s latency).
rDNS record for 70.61.205.174: rrcs-70-61-205-174.midsouth.biz.rr.com
Not shown: 995 filtered ports

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http?
|_http-favicon: Unknown favicon MD5: 35345B5C1004C06557E1891919D7ED5E
113/tcp  closed auth
443/tcp  closed https
5900/tcp closed vnc

Device type: general purpose|switch|WAP|router|firewall

Running (JUST GUESSING) : HP HP-UX 11.X (97%), Cisco NX-OS 4.X (95%), Foundry IronWare 7.X (94%), Cisco IOS 12.X (93%), Microsoft Windows 2003 (93%), Linksys embedded (92%), Cisco embedded (92%), WatchGuard embedded (90%)

Aggressive OS guesses: HP HP-UX B.11.11 (97%), Cisco NX-OS 4.0(1a)N1(1) (95%), HP HP-UX B.11.23 (94%), Foundry Networks BigIron 8000 switch (IronWare 07.8.02eT53) (94%), Cisco 3750 switch (IOS 12.2) (93%), Cisco Aironet 1231G WAP (IOS 12.3) (93%), Microsoft Windows Server 2003 SP1 or SP2 (93%), Microsoft Windows Server 2003 SP2 (93%), Linksys BEFSR41 or RT31P2 router, or WRK54G WAP (92%), Cisco ASA 5540 firewall (92%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 22 hops

TRACEROUTE (using port 113/tcp)

HOP RTT       ADDRESS
1   0.00 ms   10.1.120.253
2   0.00 ms   10.1.1.33
3   0.00 ms   192.168.12.1
4   0.00 ms   66.133.117.19
5   0.00 ms   66.133.113.26
6   0.00 ms   205.158.184.21.ptr.us.xo.net (205.158.184.21)
7   0.00 ms   205.158.184.17.ptr.us.xo.net (205.158.184.17)
8   0.00 ms   gi0-8.na21.b020521-0.slc01.atlas.cogentco.com (38.104.174.5)
9   ... 13
14  31.00 ms  twcable.lax05.atlas.cogentco.com (154.54.13.230)
15  31.00 ms  ae-2-0.cr0.lax30.tbone.rr.com (66.109.6.130)
16  78.00 ms  ae-5-0.cr0.dca20.tbone.rr.com (66.109.6.3)
17  78.00 ms  ae-0-0.cr0.dca10.tbone.rr.com (66.109.6.30)
18  94.00 ms  66.109.6.81
19  94.00 ms  gig13-0-0.clmascmhe-rtr1.southeast.rr.com (24.93.64.61)
20  94.00 ms  24.31.194.126
21  94.00 ms  cpe-024-031-201-182.sc.res.rr.com (24.31.201.182)
22  125.00 ms rrcs-70-61-205-174.midsouth.biz.rr.com (70.61.205.174)

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 126.63 seconds
           Raw packets sent: 3117 (141.840KB) | Rcvd: 74 (3687B)


It's showing ssh & vnc as "closed", which baffles me, as both were installed via Synaptic, which is "root", right? And if I remember correctly, isn't it only "root" or root-installed apps that can open any ports? I never enabled the firewall or any other security setup. So why all of a sudden is the system locking itself down? The only thing that remained open was the http server's port.
« Last Edit: February 10, 2010, 12:09:46 AM by phyerboss »

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 4000
Re: SSH Ports Closed?!
« Reply #1 on: February 09, 2010, 03:48:24 AM »
You'd probably be better off in the networking section as the fact you're running KDE 4 seems incidental to the problem you have. It's an important piece of background information but unlikely to be the cause.

I'm not an expert on networking, but it sounds as if an upgrade has installed/enabled some extra security. You will need to go through the settings in msec and iptables to track down the problem.
-----------
KJP
-----------------------------------------------------------
PClos64 RC1 on Intel D945GCLF2 motherboard (Atom 330), 2GB DDR2 RAM, Maxtor STM325031, HL-DT-ST DVDRAM GSA-H42N, Amilo LSL 3220T monitor. Also Acer 5810TG (with custom kernel) and Asus eeePC 2G surf

Offline pags

  • Hero Member
  • *****
  • Posts: 2519
  • Keep it clean.
Re: SSH Ports Closed?!
« Reply #2 on: February 09, 2010, 08:40:33 AM »
Try running
Code:
netstat -anutp
as root from the server you're having trouble connecting to.  This will tell you if you have the ports open on the machine itself (and therefore, point you towards either changing the config, or investigating the network more fully).

If you want to narrow the results further, use
Code:
netstat -anutp | grep LISTEN

Offline phyerboss

  • Sr. Member
  • ****
  • Posts: 321
Re: SSH Ports Closed?!
« Reply #3 on: February 10, 2010, 12:09:22 AM »
Thanks for reminding me of that code, pags.

Upon digging around, we discovered that for some unusual reason, sshd locked itself down, even excluding root login! So it had to have been something I accidentally messed with under the admin/security settings in PCC. We just can't be 100% sure just what.

As I may have been in it...I never clicked "ok" to set anything. I just "looked around" and then simply hit cancel to back out.

Here's the log of our chat, which reflects his findings. Hopefully, if anyone else is experiencing this same issue, this might somewhat point you in a decent direction...

Nathan:  alright
22 is open now!

PORT     STATE    SERVICE
22/tcp   open     ssh
1234/tcp open     hotline
5900/tcp filtered vnc
I got in
That was it!!!
 me:  what was?
 Nathan:  It was only allowing itself to log in, and it was blocking root from logging in so the whole TCP loop on port 22 was closed from anyone ever logging in via SSH
 me:  ssh reconfigured itself?
 Nathan:  It works now
It needed to be pointed to 0.0.0.0
like the other services
 me:  i see
I'm just wondering why the heck it did that in the first place
 Nathan:  Probably like you said - it got messed up when you installed something or changed something
 Sent at 6:25 PM on Tuesday
 me:  hopefully this won't happen again with the 2010 release too


So for now, I will set this thread to "SOLVED".
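
What the netstat check from Reply #2 distinguishes, as an added example that is not part of any post: a daemon bound only to 127.0.0.1 is running, yet a remote scan of its port gets a reset and reports "closed". The sample netstat lines are constructed, the function names are hypothetical, and reading the chat's "pointed to 0.0.0.0" as a loopback-only bind is an assumption.

```shell
#!/bin/sh
# classify_listener PORT: read `netstat -anutp` output on stdin and report
# how PORT is bound: all-interfaces, specific-address, loopback-only or
# not-listening.
classify_listener() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") wild = 1
            else if (addr ~ /^127\./ || addr == "::1") loop = 1
            else other = 1
        }
        END {
            if (wild) print "all-interfaces"
            else if (other) print "specific-address"
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# Constructed sample: sshd running but reachable only from the host itself.
sample_before() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      2211/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1987/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1650/dhclient
EOF
}

# Constructed sample: the same host after sshd is bound to 0.0.0.0.
sample_after() {
    sample_before | sed 's/127\.0\.0\.1:22/0.0.0.0:22/'
}

echo "ssh before: $(sample_before | classify_listener 22)"
echo "ssh after:  $(sample_after | classify_listener 22)"
echo "vnc before: $(sample_before | classify_listener 5900)"
```

On a live server, pipe the real output in instead: `netstat -anutp | classify_listener 22`.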

Offline pags

  • Hero Member
  • *****
  • Posts: 2519
  • Keep it clean.
Re: [SOLVED]SSH Ports Closed?!
« Reply #4 on: February 10, 2010, 10:27:42 AM »
Glad I could be of some assistance.

IIRC, there was a change to the default sshd_config (waaaay back) that disallowed root from logging in at all (it's considered a security breach, and should be handled by logging in as a regular user and su'ing to root, instead).  I know, because I had to change it on a couple machines so I could create tunnels (tun* adapters) via ssh, and that requires root privileges  ;)

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 4000
Re: [SOLVED]SSH Ports Closed?!
« Reply #5 on: February 10, 2010, 01:51:47 PM »
I wouldn't mind betting you have a nice .rpmsave file with your chosen ssh configuration settings safely stored away somewhere under /etc/ and a nice new default config file which replaced it.

That's why you get what Synaptic calls "extra output" when these files are created. If you just run with default configuration you can probably adopt an .rpmnew or ignore an .rpmsave. If you have customised the configuration you will need to go through the two files and see whether you need to do anything to restore your settings while still benefiting from new features.

Offline pags

  • Hero Member
  • *****
  • Posts: 2519
  • Keep it clean.
Re: [SOLVED]SSH Ports Closed?!
« Reply #6 on: February 10, 2010, 01:56:38 PM »
Quote from: kjpetrie
> I wouldn't mind betting you have a nice .rpmsave file with your chosen ssh configuration settings safely stored away somewhere under /etc/ and a nice new default config file which replaced it.
>
> That's why you get what Synaptic calls "extra output" when these files are created. If you just run with default configuration you can probably adopt an .rpmnew or ignore an .rpmsave. If you have customised the configuration you will need to go through the two files and see whether you need to do anything to restore your settings while still benefiting from new features.


No.  I'd be interested if you care to elaborate on the ".rpmsave" file.

If things break, I usually try to fix it from memory (which I admit isn't very good, but once I'm in the config file and have done a couple searches, something usually jars it).  Sometimes, I even make notes (*gasp!*)

Offline kjpetrie

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 4000
Re: [SOLVED]SSH Ports Closed?!
« Reply #7 on: February 10, 2010, 04:55:48 PM »
I don't use sshd so I don't know where its configuration file is other than it'll be under /etc/ somewhere.

When an rpm installs an application that has configuration files it also has to install default configuration files. However, it is usually programmed to check whether the files exist first. In the case of an upgrade or reinstall the files will already exist and may well contain a wanted configuration. When this happens there are two options: either the rpm will save the default files alongside the live ones with the suffix .rpmnew, leaving the live ones unchanged, or it will rename the live ones to...rpmsave and install the default ones as the new live files. Either way it will usually tell you which it has done as output, which Synaptic will display in a dialogue box.

The general wisdom on this forum is that such output can safely be ignored, which is true if you're just using default settings for everything. On the other hand, if you've configured it you want your own settings back. However, it's not quite as simple as making sure you have your original file in place, because the whole point of an upgrade is it has replaced the application with a (hopefully) improved version, and there might be some changes to the configuration options. So I would always advise reading through both the old and new files and merging any new options into your old file or merging your changes into the new file, whichever is easier, and then making the merged file the live one.

There are supposed to be automated ways to do this but I don't trust them because I've seen them make a terrible mess in the past. So I just do it by hand.

I don't know whether there's been an upgrade to ssh, but if upgrading the system returned it to default it's the most likely explanation.


Offline pags

  • Hero Member
  • *****
  • Posts: 2519
  • Keep it clean.
Re: [SOLVED]SSH Ports Closed?!
« Reply #8 on: February 11, 2010, 06:58:04 AM »
Thanks!

...well, there is an sshd_config.rpmnew, from March 18, 2009 (I said it was waaaay back!).

It's good to learn!
+1
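
The by-hand comparison of old and new config files described in Reply #7, narrowed to the sshd directives that decide who can connect. This is an added example, not code from any poster; the file contents, the keyword list and the function names are constructed for illustration.

```shell
#!/bin/sh
# directive FILE KEYWORD: print the uncommented value(s) of KEYWORD in an
# sshd_config-style file, or "(unset)" when the built-in default applies.
directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^ +/, "")
            v = v (v == "" ? "" : ",") $0
        }
        END { print (v == "" ? "(unset)" : v) }' "$1"
}

# config_drift LIVE OTHER: one line per access-related keyword whose value
# differs, shown as "Keyword: OTHER -> LIVE".
config_drift() {
    for key in Port ListenAddress PermitRootLogin PasswordAuthentication; do
        live=$(directive "$1" "$key"); other=$(directive "$2" "$key")
        [ "$live" = "$other" ] || printf '%s: %s -> %s\n' "$key" "$other" "$live"
    done
}

# list_rpm_leftovers DIR: config copies left behind by package upgrades.
list_rpm_leftovers() {
    find "$1" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \)
}

# Constructed sample files (not taken from the thread's server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sshd_config.rpmsave" <<'EOF'
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
Port 22
ListenAddress 127.0.0.1
#PermitRootLogin yes
PermitRootLogin no
EOF

list_rpm_leftovers "$demo_dir"
config_drift "$demo_dir/sshd_config" "$demo_dir/sshd_config.rpmsave"
```

The same `config_drift` call works against an `.rpmnew` file, where it shows what the packaged default would change rather than what was replaced.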