Ubuntu Security :: SSHD Stopped Working After Reboot
Jun 11, 2011
I've been using ssh for a LONG time to connect my laptop to my desktop with no problems. I use a non-standard port (nnnnn) and keys. After a power outage that caused a shutdown and reboot, I can no longer ssh into the desktop. The only changes I've made are updates (laptop and desktop both running ubuntu 10.04).
$ ssh -p nnnnn Desktop
ssh: connect to host Desktop port nnnnn: Connection refused
No messages are generated in any of the logs on Desktop!
$ /usr/sbin/sshd -T
port nnnnn
protocol 2
addressfamily any
listenaddress 0.0.0.0:12023
listenaddress [::]:12023 .....
I hadn't updated until yesterday night, today after the massive update and reboot, my X stopped working. What happens is, after the splash screen, both screens go black and unresponsive. Tried killing X and alt + ctrl + f1 etc. I can probably fix this myself if I could access the terminal but, the other day I had to be stylish and remove everything from my grub boot besides Windows 7 and the default Ubuntu so I can't boot into root terminal. So, how would I gain access to a console before X starts?
I have a bare Ubuntu install that I use to run Xbmc. It has been working perfectly for a month. I reboot it every few days. This morning I decided to reboot; when it came back up my remote stopped working. I hadn't done any updates since I built the box. Unless Ubuntu does them without asking. Here is the dmesg log
My computer wouldn't come out of sleep mode, so I had to shut it down improperly. Now there's no ethernet network connection. The NIC works as I can start the computer by wake-on-lan, but somehow Ubuntu no longer sets up a network connection on it.
The green light on the NIC is lit up and blinking. I have changed no settings. It used to get an IP address from the DHCP no problem, but ifconfig now only shows 127.0.0.1.
I have the latest openssh-server. You know the classic start/stop scripts:
sudo /etc/init.d/ssh start/stop
But when I wrote this stop command, everything looked good, except sshd was still running. I looked into the script; it uses start-stop-daemon to kill through pid. The script always kills the process, but immediately, a new process of sshd emerged (by itself - with a new process ID)! I don't get it. I'm sick of not understanding the problem! The new process of sshd has a parent with id 1 (init). How is this possible? How does it come that ssh cannot be turned off and nobody has noticed or complained about it?
After 2 hours of googling I managed to find this command:
sudo service ssh stop
and ssh finally got killed. Yeahh! After issuing this command /etc/init.d/ssh start/stop work correctly. But only until a restart of the system. Is this some kind of super-uber command and we should not use /etc/init.d/ scripts anymore?
The strange thing is, ssh is run by itself after system start-up (without being in /etc/rc...).
I have an openSUSE 11.1 and I noticed that after installing a couple of things on it the sshd is not starting anymore on reboot. How can I debug this problem? Is there a log file so that I can see what was the problem? If I want to use ssh I have to start it from yast every time the computer restarts.
I want to make sure sshd service will start after a server reboot. On Red Hat or CentOS I can do "chkconfig sshd on". What's the equivalent command for Ubuntu?
I'm having trouble trying to understand this problem: my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine; this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh? I got an error about "Connection closed by remote host". Google helped me find that it was related to the hosts.deny file, that was actually containing a line ALL:ALL that I commented, and all was fine. My question is: why was the hosts.deny (that has never changed) observed only with the local IP? I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem
I want to enable sshd from Internet, but I want to secure it as much as possible. Therefore, despite the fact that the service will run on a tcp port above 2000 to prevent most scans, I would like to:
- First, force the use of a client certificate, to avoid brute force attack on my users/passwords
- Second, force the use of a username/password to avoid someone having access to my system just by stealing my key.
When I look at the configuration, it's possible to enable both, but one of them is sufficient to login, and I can't find how to make them both mandatory...
I have a RHEL server with users logging in via ssh. I want to start using public keys instead of passwords with ssh. But public key is as good as a rotten tomato if it is unpassphrased and I cannot guarantee that all users will use passphrases. Therefore I will generate both private and public key on the server and will distribute the private key to the user via user-friendly web interface and that's where I will force them to use passphrase. I know they can change later the passphrase or remove it totally but my users are not so advanced.
So now I am trying to set up centralized authorized_keys files to be able to make them only root writable so they cannot put their own public keys on the server; it will be handled by scripts. Now the actual problem. I created /etc/ssh/keys directory instead of ~/.ssh and changed AuthorizedKeysFile to /etc/ssh/keys/%u in sshd_config. But when I try to connect with the key I get the following error in the logs (after enabling DEBUG3 in sshd_config)
<CUT>
Mar 8 15:22:28 stagesmpp sshd[12248]: debug3: mm_request_receive entering
Mar 8 15:22:29 stagesmpp sshd[22358]: debug2: channel 0: rcvd adjust 33544
Mar 8 15:22:30 stagesmpp sshd[12248]: debug3: monitor_read: checking request 20
Quick explanation about what this thread is: by way of an article featured on linuxtoday, I learned about what appears to be an actively managed IP blacklist: [URL]
# This is a compiled list of dirty hosts associated with
# bruteforcing attempts, spam, botnets, RBN and the list
# continues to grow. The data is comprised of information
# compiled from Arbor Networks, Project Honeypot, FIRE
# (maliciousnetwork.org), Host Exploit, Shadowserver and
# a variety of other similarly based sites.
Quick explanation about what this thread is not: this is not intended to be a discussion about default deny vs. default allow (i.e. whitelists vs. blacklists), nor is this a call for enumerations of your own sshd hardening strategy. Please try to keep on point. That said, can anyone speak to the quality of the blacklist information noted above? And/or are there any suggestions for a readily available blacklist of "known better" quality? I plan to try including an actively maintained blacklist like this into a multi-layered approach for hardening an sshd bastion host.
I am running a fresh installation of a RHEL 6 box and it shipped with OpenSSH 5.3. But the /etc/ssh/moduli file doesn't exist even in this new installation and the SSH log warns as below:
Code:
WARNING: /etc/ssh/moduli does not exist, using fixed modulus
Does this imply that it is using the same random number for key exchange purposes? Also, does it impose any security risks?
Now I know that the first is the tunnel end but how can I connect the two lines if I don't know the port number (i.e. someone else establishes another tunnel)?
I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can login and no error is logged.
When a user that has rsa public key set in ~/.ssh/authorized_keys file logs in via ssh an sshd process is started to handle the ssh session. Periodically we audit the authorized keys and remove them from the system and authorized_keys file. This means the next log in attempt will fail, which is fine. However we need to terminate current ssh sessions in progress that use the rsa key. I have not been able to determine a way to map sshd processes with authorized_keys entries.
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
I have upgraded Fedora 13 to Fedora 15 using installation DVD. Upgrade went well, no issue. After the reboot, the system stops after following line: Started LSB: Suspend/Resume libvirt guests on shutdown/root. I do not have any idea what kind of problem it is, also I would like to keep my old version installation.
When originally installing 11.04 I had problems getting my Ralink 5390 wireless card to work.
Today my computer froze completely and I had to turn it off via the power switch. When I turned it back on, wireless was no longer recognized! My iPod can connect to the network just fine, so it must be an Ubuntu problem. There are no problems with my ethernet connection either.
I researched this and found several threads about blocking and unblocking wireless devices using the rfkill command. Well, unfortunately for me the rfkill command doesn't work. When I type sudo rfkill list or sudo rfkill unblock all, nothing happens; it just returns me to my bash prompt. I even tried uninstalling and reinstalling rfkill...nothing.
I enabled LDAP from the system>administration>authentication and have not had any luck with it working. I now want to turn it off and log back into my machine normally.
I logged into terminal as root and told it to change the config files back to the previous ones and now it will not let me log into any of my accounts including root! This is via X, SSH and terminal.
If I boot into single user mode and change a user's password this makes no difference.
On April 10, 2010, I upgraded some packages on my Ubuntu 9.04 server. This included an upgrade to "ufw 0.27-0ubuntu2". I rebooted the server, and all appeared to be fine.
Now I've noticed that UFW is not logging blocked packets since that reboot. It used to do this. It is still logging the allowed packets that I've configured it to log.
This morning I was looking at the router's log file and noticed a certain IP address was able to gain LAN access on port 2222. That just happens to be the port my SSH server is listening on! A whois search revealed that IP address is in Germany. As soon as I found this out I stopped forwarding all ports to this machine in my router.
how to tell what had happened, what information this person was able to obtain, and if he left any goodies behind that could hurt me? I've read through some of the logs on my computer and haven't been able to find much at all. I did have some personal information on the hard drives, but that information is encrypted. I'm thinking if they were able to get my SSH password then that information probably isn't safe either (assuming they have some of it).
resubscribed to Rapidshare and in the past could easily download my friend's discussion papers using the file manager called DTA that integrates into Firefox. I have taken out a new subscription to RS and instead of getting the files I am receiving small html referer files. In theory this should be corrected by ticking a direct download setting on RS, but it is making no difference. I can manually download the files so I am certain the files are on RS in full form. I am also successfully auto logging into RS and this means the name and password are being handed over correctly
I know very little about SE Linux and I've heard that in some situations it's better to disable it. For a home user, is it important? Does it improve your life? Or does it get in the way?
Last week some update stopped my printing and I had to install the new hplip from HP because it wasn't in the Fedora repos to correct the problem. I don't know if SELinux had anything to do with it, but today when I disabled SELinux a few minutes later I get a star up on the toolbar and when I clicked on it it mentioned something about hplip. It wouldn't make any sense to me but maybe this has happened to others.
After I installed Windows XP on my leftover partition, I decided to reinstall grub2.
Now when I reboot grub throws me in the grub shell, if I then type configfile /grub/grub.cfg it starts grub like it's supposed to. Though I can't seem to be able to go straight to the grub menu and not to the shell.
Have just started to use look at crontab. I could use Scheduled Tasks as well as crontab -e in terminal.
I must have changed something because now Scheduled Tasks just seems to load then drop out. Loading a task through terminal is accepted (crontab -e) but doesn't work.