Putty issue [vyřešeno]

[Kazekage]

Hi all,

takze snazim sa pripojit s pracovneho pc z prace na moj notebook s linuxom doma. Postupoval som podla tohoto navodu http://ubuntuswitch.wordpress.com/2007/07/01/securely-remote-control-your-ubuntu-via-putty-from-a-windows-host-vncssh/ ale zial nefunguje to. Mam doma Wifirouter ASUS RTN-11. Nastavil som na nom Virtual server vid obrazok



Putty nastavene podla obrazkov(IP adresy niesu skotocne ) v hlavnom menu je vonkajsia IP routeru a v SSH/ Tunnels je IP linux stroja na vnutornej LAN wifiroutera so smerovanym na port 22





Kolegovi vsetko funguje, pripaja sa na iny linux server. Cize blokovane v praci to nebude.

Kód: [Vybrat]

administrator@administrator-laptop:~$ sudo netstat -tapn | grep '\:22'
[sudo] password for administrator:
tcp 0 0 127.0.0.1:50277 127.0.0.1:22 ESTABLISHED 7342/ssh tcp6 0 0 :::22 :::* LISTEN 6662/sshd tcp6 0 0 127.0.0.1:22 127.0.0.1:50277 ESTABLISHED 7343/sshd: administ

[Martin - ViPEr*CZ*]

Buď nemáte veřejnou IP nebo máte blbě nastavený router.

[Kazekage]

Ale nemalo by to ist aj tak, ked na router nastavim port forwarding vo virtual server?

Existuje nejaka ina moznost?

[nettezzaumana]

hm. po prohlednuti clanku musim konstatovat, ze to je blbost.

1) pouzij putty + Xming ve vindous aby ti fungoval xforwarding
2) nainstaluj si na Linuxu xorg-xserver-xephyr (mozna se jmenuje jinak, dulezite je klicove slovo xephyr)
3) pripoj se z windows se zapnutym forwardingem pres ssh k linuxu
4) spust Xephyr

Xephyr :9 -screen 1024x768x16 &
xauth add :9 . `mcookie` &
DISPLAY=:9 xterm &

enjoy!

[Kazekage]

ako mne aj tak staci terminal, VNC nepotrebujem, podstatne je ze ked sa cez putty pripajam tak mi da Connection time out. V logu routera nic o blokovanom spojeni nie je

[nettezzaumana]

Buď nemáte veřejnou IP nebo máte blbě nastavený router.

.. nezmohu se na nic jineho

[dnkk2]

Souhlas, zkuste si to prvne jen po LAN. Pujde-li > problem v natu (verejna), nepujde-li problem na PC :-) Jinak tu nechci placat blbosti, pac presne nevim, co Putty dela v nastaveni v SSH > Tunnels, ale to klidne zruste.

[Kazekage]

odskusal som prepojit oba notebooky kablom, nastavil siet. Ping fungoval v oboch smeroch. Putty som skusil, nic, connection timeout. Klasicky telnet cez cmd mal ciez timeout, cize chyba bude dakde v linuxovom stroji. Ale kde

[nettezzaumana]

nmap -vv -sT -P0 $hostname_nebo_adresa -p 22

## vypise ti to co dela firewall na portu 22, predpokladam, ze ssh server ti na Linuxu bezi

[Kazekage]

nmap -vv -sT -P0 (dal som localhost) -p 22

Vypis
PORT  STATE  SERVICE
22/tcp open    ssh


UPDATE: ked dam na linuxom stroji cez putty ssh na localhost linuxu tak sa pripojim uplne v pohode

[nettezzaumana]

nmap -vv -sT -P0 (dal som localhost) -p 22

Vypis
PORT  STATE  SERVICE
22/tcp open    ssh


UPDATE: ked dam na linuxom stroji cez putty ssh na localhost linuxu tak sa pripojim uplne v pohode

spatne !!!! musis z jineho stroje .. to ze na localhostu je nejake filtrovani neznamena, ze na eth0 je stejne

[Kazekage]

takze teraz som to spravil tak ze som prepojil linux notebook a win stroj. a na linux stroji som sputil ten tvoj prikaz. tu je vysledok

Kód: [Vybrat]

administrator@administrator-laptop:~$ sudo nmap -vv -sT -P0 10.1.1.12 -p 22
[sudo] password for administrator:

Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-02 19:24 CEST
NSE: Loaded 0 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:24
Completed Parallel DNS resolution of 1 host. at 19:24, 13.01s elapsed
Initiating Connect Scan at 19:24
Scanning 10.1.1.12 [1 port]
Completed Connect Scan at 19:24, 0.00s elapsed (1 total ports)
Host 10.1.1.12 is up (0.00048s latency).
Scanned at 2009-10-02 19:24:19 CEST for 0s
Interesting ports on 10.1.1.12:
PORT   STATE  SERVICE
22/tcp closed ssh

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.26 seconds


[Martin Kiklhorn]

ukažte

Kód: [Vybrat]

grep '^[^#]' /etc/ssh/sshd_config

[Kazekage]

Kód: [Vybrat]

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes


[Martin Kiklhorn]

a nahodou firewall

Kód: [Vybrat]

sudo iptables-save

[Kazekage]

Kód: [Vybrat]

# Generated by iptables-save v1.3.8 on Fri Oct  2 20:07:01 2009
*filter
:INPUT ACCEPT [4108:1309552]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [285:25411]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-not-local - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
-A ufw-after-forward -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j RETURN
-A ufw-after-input -p udp -m udp --dport 138 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 139 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 445 -j RETURN
-A ufw-after-input -p udp -m udp --dport 67 -j RETURN
-A ufw-after-input -p udp -m udp --dport 68 -j RETURN
-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
-A ufw-after-input -j RETURN
-A ufw-after-output -j RETURN
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-forward -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s 224.0.0.0/240.0.0.0 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/240.0.0.0 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-input -j RETURN
-A ufw-before-output -i lo -j ACCEPT
-A ufw-before-output -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-output -j RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
-A ufw-not-local -j DROP
-A ufw-user-forward -j RETURN
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
COMMIT


[Kazekage]

RESLOVED. Vyriesene. Dakujem vsetkym za pomoc   

[Martin Kiklhorn]

sport/dport ?

[nettezzaumana]

RESLOVED. Vyriesene. Dakujem vsetkym za pomoc   

jak?

[Martin Kiklhorn]

4Kazekage - koukám že BBM si myslí že by někoho zajímalo řešení. Předpokládám že stačí poslat původní a nynější konfigurák ufw nebo opět

Kód: [Vybrat]

sudo iptables-save

[Kazekage]

Takze konfigurak

Kód: [Vybrat]

administrator@administrator-laptop:~$ sudo iptables-save
[sudo] password for administrator:
# Generated by iptables-save v1.3.8 on Fri Oct  2 22:14:07 2009
*filter
:INPUT ACCEPT [12716:3744555]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [453:41035]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-not-local - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A ufw-after-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK FORWARD]: "
-A ufw-after-forward -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j RETURN
-A ufw-after-input -p udp -m udp --dport 138 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 139 -j RETURN
-A ufw-after-input -p tcp -m tcp --dport 445 -j RETURN
-A ufw-after-input -p udp -m udp --dport 67 -j RETURN
-A ufw-after-input -p udp -m udp --dport 68 -j RETURN
-A ufw-after-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK INPUT]: "
-A ufw-after-input -j RETURN
-A ufw-after-output -j RETURN
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-forward -j RETURN
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -s 224.0.0.0/240.0.0.0 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/240.0.0.0 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-input -j RETURN
-A ufw-before-output -i lo -j ACCEPT
-A ufw-before-output -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-output -j RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK NOT-TO-ME]: "
-A ufw-not-local -j DROP
-A ufw-user-forward -j RETURN
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
COMMIT

po tomto prikaze bolo vidno ze je port closed

Kód: [Vybrat]

sudo nmap -vv -sT -P0 10.1.1.12 -p 22
takze so spravil toto

Kód: [Vybrat]

sudo iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
a uz to slo. Cize neviem preco ale bolo zakazane ssh, co je default povolene.

Ked chcete este nieco vediet spytajte sa