Discussion:
connect to host 192.168.0.7 port 22: Connection refused
Josh
2008-08-06 07:47:49 UTC
Hi

I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.

Thanks in advance for your help.

Joshua
Bit Twister
2008-08-06 10:18:05 UTC
Post by Josh
Hi
I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008;
Which one of the 4+ 2008* installs? Show us the output from

cat /etc/lsb-release
Post by Josh
now I have port 22 closed to ssh - did you folks out there have the
same problem?
Not me, 2008.0 and 2008.1 32 bit install.
Post by Josh
How could did you solve it?
I solve it by clicking up a terminal on the inbound/target system.

ssh $USER@$(hostname)

to verify ssh works locally.
Any time ssh fails, I

su - root
tail -f /var/log/messages
Post by Josh
No luck making shorewall to go down.
Was that a "shorewall clear" command?
David Mathog
2008-08-06 15:41:44 UTC
Post by Josh
I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.
There has been a tendency over the last several years for Mandriva to
stomp on config files in /etc during updates. In particular, and
relevant to what you are seeing, rules.drakx was often changed. This
became such an issue that my Mandriva systems now all have copies of
most of /etc and bits and pieces of other directories under
/root/saf_config, along with scripts to compare these after each update.
So, my general answer to your question is that you should do something
similar, so that when an errant update reconfigures your system, you can
automatically locate the problem and resolve it. The scripts and method
were posted in this forum 25 Jun 2007 with the subject: "Baby steps
towards surviving overly helpful helper scripts".

Regards,

David Mathog
Robert Riches
2008-08-07 03:09:51 UTC
Post by David Mathog
Post by Josh
I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.
There has been a tendency over the last several years for Mandriva to
stomp on config files in /etc during updates. In particular, and
relevant to what you are seeing, rules.drakx was often changed. This
became such an issue that my Mandriva systems now all have copies of
most of /etc and bits and pieces of other directories under
/root/saf_config, along with scripts to compare these after each update.
So, my general answer to your question is that you should do something
similar, so that when an errant update reconfigures your system, you can
automatically locate the problem and resolve it. The scripts and method
were posted in this forum 25 Jun 2007 with the subject: "Baby steps
towards surviving overly helpful helper scripts".
One way to keep an eye out for "helpers" is to keep a copy
(and/or an RCS repository) of all the configuration files in
/etc (and elsewhere). Run a 'diff' of all the files right
before updating. Then, run another 'diff' right after the
update. If any "helper" messed with your files, you now
know what changed and what you used to have in that file.

HTH
--
Robert Riches
***@verizon.net
(Yes, that is one of my email addresses.)
Unruh
2008-08-06 15:48:24 UTC
Post by Josh
Hi
I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.
Is sshd running on that computer? do you allow connections from your
computer to that one in /etc/hosts.allow on the server?
Does your firewall allow connections from that computer?
Vitalie Ucrainciuc
2008-08-16 00:32:59 UTC
Try to enable SSH in firewall rules as Allow or Permit.

It should work!
Post by Josh
Hi
I encountered the a.m. error while doing ssh to a computer in my house net;
it used to work before the recent update of Mandriva 2008; now I have port
22 closed to ssh - did you folks out there have the same problem? How
did you solve it? No luck making shorewall go down.
Thanks in advance for your help.
Joshua
Maurice Batey
2008-08-16 18:31:54 UTC
Post by Josh
I encountered the a.m. error while doing ssh to a computer in
my house net; it used to work before the recent update of
Mandriva 2008; now I have port 22 closed to ssh -
It just so happens that I have been trying to set things up to
RSYNC from laptop to desktop on house network, and have come
across the same problem when trying 'ssh MABsdesktop' on the
laptop:

"ssh: connect to host MABsdesktop port 22: Connection refused"

On the laptop, /etc/hosts has:

127.0.0.1 localhost
192.168.0.2 desktop.mab.unregistered MABsdesktop

and the laptop's MCC sees the desktop PC's printer as on 'host:
192.168.0.2'.

The desktop does have SSH enabled on its firewall.

Of course, as I'm sadly still a network neophyte, it's quite
possible that I'm doing something wrong (or not doing something I
should)...
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-16 18:48:22 UTC
Post by Maurice Batey
"ssh: connect to host MABsdesktop port 22: Connection refused"
127.0.0.1 localhost
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.2'.
Click up a terminal on desktop
su - root

/sbin/runlevel

Verify sshd is on boot for your run level
chkconfig --list sshd

and sshd is running with
pgrep -lf sshd

Next see if anything shows up when you try the ssh
tail -f /var/log/messages (on both systems)


Control c aborts the tail -f command.

PS: make it a habit to do a
shorewall clear
to temporarily open the firewall, and as soon as possible
service shorewall restart

Now you can do a testhost with ssh -vv $***@MABsdesktop

Would not hurt to show us contents of
cat /etc/hosts.allow
cat /etc/hosts.deny
chkconfig --list | grep sshd
on MABsdesktop
Maurice Batey
2008-08-16 21:10:24 UTC
Post by Bit Twister
Click up a terminal on desktop
su - root
etc...

Did all that:
-----------------------------------------
[***@localhost mab]# /sbin/runlevel
N 5
[***@localhost mab]# chkconfig --list sshd
error reading information about service sshd: No such file or directory
[***@localhost mab]# pgrep -lf sshd
[***@localhost mab]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

sshd: 192.168.0.3/255.255.255,0
[***@localhost mab]# cat /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

[***@localhost mab]# ssh -vv $***@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host MABsdesktop port 22: Connection refused
[***@localhost mab]#
[***@localhost mab]# chkconfig --list | grep sshd
[***@localhost mab]#
-----------------------------------------

Closing down for the night now...
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-16 21:17:41 UTC
Post by Maurice Batey
Post by Bit Twister
Click up a terminal on desktop
su - root
etc...
-----------------------------------------
N 5
error reading information about service sshd: No such file or directory
Yep, right there, sshd not installed.
Yep, sshd not running.
Post by Maurice Batey
#
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.0.3/255.255.255,0
^
|
Is that a comma----------------'
Post by Maurice Batey
Closing down for the night now...
Sleep tight. :)
Maurice Batey
2008-08-17 13:55:51 UTC
Post by Maurice Batey
sshd: 192.168.0.3/255.255.255,0
^
|
Is that a comma---------------'
Yes - that's what is in the file.
I assume it should be a '.', and have changed it.
Yep, right there, sshd not installed.
Yep, sshd not running.
OK, have now found sshd (disguised as "OpenSSH Server" in
MCC...), and installed it.
Started it with "/etc/init.d/sshd start".

However, attempts to ssh from laptop meet with same Port 22
connection refusal as before.

Here is a rerun (on desktop) of your debugging suggestions, after
installing & starting sshd:

-------------------------------------------------------------
[***@localhost mab]# /sbin/runlevel
N 5

[***@localhost mab]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[***@localhost mab]# pgrep -lf sshd
8351 /usr/sbin/sshd

[***@localhost mab]# ssh -vv ***@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host MABsdesktop port 22: Connection refused

[***@localhost mab]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which
# are allowed to use the local INET services, as decided by the
# '/usr/sbin/tcpd' server.

sshd: 192.168.0.3/255.255.255.0

[***@localhost mab]# chkconfig --list | grep sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-----------------------------------------------------------

By the way, when you recommend doing 'service shorewall clear'
and then a.s.a.p. 'service shorewall restart', on what occasion
should those be done?
(I suspect it's when e.g. changing the firewall to allow SSH,
instead of doing a re-boot.)
--
/\/\aurice
http://www.maurice99.ukfsn.org
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 16:10:08 UTC
Post by Maurice Batey
OK, have now found sshd (disguised as "OpenSSH Server" in
MCC...), and installed it.
Started it with "/etc/init.d/sshd start".
Less typing if you do a
service sshd start :)
Post by Maurice Batey
Here is a rerun (on desktop) of your debugging suggestions, after
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off


Do a
chkconfig --list | grep sshd
and verify it returns something like

sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-xinetd: off
Post by Maurice Batey
By the way, when you recommend doing 'service shorewall clear'
and then a.s.a.p. 'service shorewall restart', on what occasion
should those be done?
Anytime you think the firewall is in the way, you can open shorewall
firewall with no restrictions with shorewall clear.

I recommend not running in that mode very long, so
service shorewall restart
sets it back to the on boot/normal setting.

If you have not been dinking with customizing shorewall, just clicking
up a terminal
su - root

tail -f /var/log/messages

and then run your test shot should show a line if shorewall blocks your
ssh attempt.
Post by Maurice Batey
(I suspect it's when e.g. changing the firewall to allow SSH,
instead of doing a re-boot.)
About the only time you need a reboot is kernel change, or node
name change in my stupid opinion. In the case of node name change,
init 1, followed with init 3, or init 5, depending on your requirement.

Anytime you change the firewall outside of the GUI interface, it would not
hurt to do a shorewall -check just to verify there are no glaring errors.
Then do a
service shorewall restart


An FYI on hosts.allow/deny.

tcpwrapper code will look in hosts.allow and allow the app to continue
upon hitting the first rule which applies. If nothing applies in hosts.allow,
wrapper code proceeds to see if anything is denied in hosts.deny.
Nothing in deny, then the application gets to run.

With your wrapper setup, you restricted sshd to an ip address and no
restrictions for everyone else.

That is ok if you manage what services you enable. Downside is
you/malware enables some other service and do not add to allow/deny
you leave a hole in your security.

My suggestion for you would be to add to bottom of hosts.allow,
something like


ALL: LOCAL, .mab.unregistered

#***************** End of hosts.allow. ********************



To the bottom of /etc/hosts.deny

ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

The above mails root a warning/debugging email about a tcpwrappers deny.
When that happens, Bit Twister gets an email. :)

Assuming you have postfix installed/running:

cd /etc/postfix

tail -11 aliases | head -4
# Person who should get root's mail. This alias
# must exist.
# CHANGE THIS LINE to an account of a HUMAN
root: mab <============ you have set this line

did a
postalias aliases
service postfix restart

mail -s "$USER testshot" root < /dev/null

You should be able to click up a terminal in your mab user account,
and do a

mail -s "$USER testshot" root < /dev/null

mail and see 1 root testshot
2 mab testshot
(carriage return) to read the empty email from root
d to delete the email
(carriage return) to read the empty email from mab
q to quit mail and do the deletions.

With imap installed, you can have thunderbird open in another window
in your mab account, set incoming mail server as localhost,
you should get any root email at whatever polling rate you set it at.

test that with
mail -s "$USER testshot" root < /dev/null
click Get mail in thunderbird and you should see
mab testshot in thunderbird's window.

While still on MABsdesktop, in mab's account
do a
ssh $USER@$(hostname)
to see what happens.


Now, if the above changes/tests work, and you run
tail -f /var/log/messages

I am hoping you get some error message in /messages or
an email from root when trying from the laptop.


If not, I am at a loss to explain why it does not work,
unless you have done some customizing in shorewall.
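Added example, not code from the thread or from the tcp_wrappers project: a Python model of the hosts.allow/hosts.deny evaluation order described above (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted), run against the thread's own entries: the line with the comma instead of a dot, the corrected line, and the "ALL: .mab.unregistered, 192.168.0." form. A malformed net/mask is treated as no match, which is what libwrap does after logging "bad net/mask expression", and because libwrap only runs after the TCP connection has been accepted, a "Connection refused" can never come from these two files. Assumed: the caller supplies the client's resolved name (empty if it has none), and the sample file contents are constructed here.

```python
"""Model of how tcp_wrappers (libwrap) consults /etc/hosts.allow and
/etc/hosts.deny: the first matching rule in hosts.allow grants access,
otherwise the first matching rule in hosts.deny refuses it, otherwise the
connection is allowed.  Added example; not code from the thread or from the
tcp_wrappers project."""
import ipaddress
import re

# Split a rule on colons that are not escaped with a backslash, so option
# text such as "Connection Refused\:" stays inside its own field.
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_rules(text):
    """Return (daemon_list, client_list, options) tuples from an access file.
    Handles '#' comments, blank lines and backslash line continuations."""
    joined = text.replace("\\\n", "")  # backslash-newline continues a rule
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in _FIELD_SPLIT.split(line)]
        if len(fields) >= 2:  # a rule needs at least daemons and clients
            rules.append((fields[0], fields[1], fields[2:]))
    return rules


def _client_matches(pattern, ip, hostname, warnings):
    """Match one client pattern as hosts_access(5) describes it."""
    upper = pattern.upper()
    if upper == "ALL":
        return True
    if upper == "LOCAL":  # any host name that contains no dot
        return "." not in hostname
    if upper == "KNOWN":
        return bool(hostname)
    if upper == "UNKNOWN":
        return not hostname
    if pattern.startswith("."):  # domain suffix, e.g. .mab.unregistered
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # network prefix, e.g. 192.168.0.
        return str(ip).startswith(pattern)
    if "/" in pattern:  # net/mask or net/prefixlen
        try:
            return ip in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            # libwrap logs "bad net/mask expression" and treats it as no match
            warnings.append("bad net/mask expression: " + pattern)
            return False
    return pattern.lower() == hostname.lower() or pattern == str(ip)


def _list_matches(list_text, match_one):
    """Evaluate a comma/space separated list, honouring 'a b EXCEPT c d'."""
    tokens = [t for t in re.split(r"[\s,]+", list_text) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), match_one)
                and not _list_matches(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def hosts_access(daemon, client_ip, client_host, allow_text, deny_text):
    """Return (verdict, reason, warnings) for one connection attempt.
    client_host is the client's resolved name, or '' if it has none."""
    warnings = []
    ip = ipaddress.ip_address(client_ip)
    tables = (("allow", parse_rules(allow_text)), ("deny", parse_rules(deny_text)))
    for table, rules in tables:
        for daemons, clients, options in rules:
            if not _list_matches(daemons, lambda t: t.upper() == "ALL" or t == daemon):
                continue
            if not _list_matches(clients, lambda t: _client_matches(t, ip, client_host, warnings)):
                continue
            verdict = table
            for opt in options:  # an explicit ALLOW/DENY option overrides the table
                if opt.upper() in ("ALLOW", "DENY"):
                    verdict = opt.lower()
            return verdict, f"first match '{daemons}: {clients}' in hosts.{table}", warnings
    return "allow", "no rule matched in either file", warnings


# Constructed samples taken from the entries shown in the thread.
ALLOW_TYPO = "sshd: 192.168.0.3/255.255.255,0\n"   # the comma instead of a dot
ALLOW_FIXED = "sshd: 192.168.0.3/255.255.255.0\n"
ALLOW_FINAL = "ALL: .mab.unregistered, 192.168.0.\n"
DENY_EMPTY = "# nothing denied\n"
DENY_NOTIFY = (  # deny everyone else and run a command, as in the hosts.deny above
    "ALL: ALL:\\\n"
    "spawn ( /bin/echo \"TCP Wrappers\\: refused %c\" | /bin/mail root ) & : DENY\n"
)

if __name__ == "__main__":
    laptop = ("sshd", "192.168.0.3", "laptop.mab.unregistered")
    print("typo   ", hosts_access(*laptop, ALLOW_TYPO, DENY_EMPTY))
    print("fixed  ", hosts_access(*laptop, ALLOW_FIXED, DENY_EMPTY))
    print("final  ", hosts_access(*laptop, ALLOW_FINAL, DENY_NOTIFY))
    print("outside", hosts_access("sshd", "203.0.113.9", "", ALLOW_FINAL, DENY_NOTIFY))
```

With the comma typo the laptop is still allowed, but only because nothing in hosts.deny catches it; the malformed rule itself never matches, which is why wrappers could not have been the cause of the refusal.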
Maurice Batey
2008-08-17 17:37:54 UTC
No, I use KMail.
While still on MABsdesktop, in mab's account do a
Here it is (actually I had already tried it but forgot to
capture the output, which also said something about adding
some info into some file):

-------------------------------------------------------
[***@localhost ~]$ ssh $USER@$(hostname)
***@localhost's password:
Last login: Sun Aug 17 18:17:43 2008 from localhost
Now, if the above changes/tests work, and you run tail -f
/var/log/messages
[***@localhost ~]$ su
Password:
[***@localhost mab]# tail -f /var/log/messages

Aug 17 18:01:02 localhost msec: changed mode of /var/log/cups/page_log from 644 to 640
Aug 17 18:14:44 localhost sshd[12511]: Accepted password for mab from 127.0.0.1 port 36189 ssh2
Aug 17 18:17:43 localhost sshd[12642]: Accepted password for mab from 127.0.0.1 port 36190 ssh2
Aug 17 18:23:39 localhost drakconf.real[12756]: ### Program is starting ###
Aug 17 18:23:54 localhost drakconf.real[12763]: ### Program is starting ###
Aug 17 18:23:58 localhost rpmdrake[12768]: ### Program is starting ###
Aug 17 18:24:00 localhost rpmdrake[12768]: opening the RPM database
Aug 17 18:24:24 localhost rpmdrake[12768]: ### Program is exiting ###
Aug 17 18:24:25 localhost drakconf.real[12763]: modified file /etc/mcc.conf
Aug 17 18:25:23 localhost sshd[12821]: Accepted password for mab from 127.0.0.1 port 51444 ssh2
-------------------------------------------------------------

(How does one *exit* from an 'ssh' invocation?!)

Sadly, ssh from the laptop still gives 'Port 22 connection
refused' failure. Nothing seems to show up in /var/log/messages
on either m/c for that.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 17:53:31 UTC
Post by Maurice Batey
No, I use KMail.
M=Mail
T=Transport
C=Client
A=Agent


KMail is an MTC, postfix is an MTA. An MTC reads/sends mail via an MTA.
Post by Maurice Batey
While still on MABsdesktop, in mab's account do a
Here it is (actually I had already tried it but forgot to
capture the output, which also said something about adding
That would be ~/.ssh/known_hosts
If name/ip/key differ during connection attempt with that node,
you will get a man in the middle warning.
Post by Maurice Batey
-------------------------------------------------------
(How does one *exit* from an 'ssh' invocation?!)
exit :)
Post by Maurice Batey
Sadly, ssh from the laptop still gives 'Port 22 connection
refused' failure. Nothing seems to show up in /var/log/messages
on either m/c for that.
Without my suggestion of postfix and hosts.deny;
I can recommend commenting out the sshd line in /etc/hosts.allow
service xinetd reload
and try again.

Still broke, out of suggestions and ideas. :-(
Maurice Batey
2008-08-17 18:45:18 UTC
Post by Bit Twister
I can recommend commenting out the sshd line in
/etc/hosts.allow service xinetd reload and try again.
Tried that ("allow service xinetd reload") but ssh from
laptop still failed as before.

As the desktop ssh self-call seemed to work, is it possible
something is awry on the laptop?

The fact that its ssh reports Port 22 refusal to connect does
show that ssh is working, doesn't it?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 19:01:04 UTC
Post by Maurice Batey
Tried that ("allow service xinetd reload") but ssh from
But did you Comment out sshd in /etc/hosts.allow?


It is odd, xinetd is installed but sshd-xinetd did not show up in
chkconfig --list | grep ssh
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-xinetd: off

Guessing /etc/xinetd.d/sshd-xinetd is not there.
Should have been installed when you installed the server package.

$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0

I am not happy that you do not have /etc/xinetd.d/sshd-xinetd
Post by Maurice Batey
As the desktop ssh self-call seemed to work, is it possible
something is awry on the laptop?
Since you cannot connect, something is stopping it.
Post by Maurice Batey
The fact that it's ssh reports Port 22 refusal to connect does
show that ssh is working, doesn't it?
Yes, shows that ssh on the laptop is trying to connect.

Verify ip address in laptop /etc/hosts matches
hostname -i
on desktop
Maurice Batey
2008-08-17 21:33:17 UTC
Post by Bit Twister
But did you Comment out sshd in /etc/hosts.allow?
Yes.
Post by Bit Twister
$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0
--------------------------------------------------
[***@localhost ~]$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0
--------------------------------------------------
Post by Bit Twister
Verify ip address in laptop /etc/hosts matches hostname -i
on desktop
It does - both 127.0.0.1
--
/\/\aurice

Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 22:33:37 UTC
Post by Maurice Batey
Post by Bit Twister
But did you Comment out sshd in /etc/hosts.allow?
Yes.
Good. I will suggest something like
sshd: 192.168.0.3, 192.168.0.0/255.255.255.0

for your final test.
Post by Maurice Batey
Post by Bit Twister
$ rpm -q -f /etc/xinetd.d/sshd-xinetd
openssh-server-4.7p1-2.3mdv2008.0
--------------------------------------------------
openssh-server-4.7p1-2.3mdv2008.0
--------------------------------------------------
Something went wrong because I expected sshd-xinetd
to show up in your chkconfig --list | grep ssh

Tell you what, bring up MCC and set On Boot for sshd.
verify the other sshd is off/unchecked.
and click Ok. Quit MCC and do a

chkconfig --list | grep ssh

sshd-xinetd should now show up.
Post by Maurice Batey
Post by Bit Twister
Verify ip address in laptop /etc/hosts matches hostname -i
on desktop
It does - both 127.0.0.1
hmmm, ok, I had expected something like
$ hostname -i
192.168.0.2

Because I assumed
$ grep -i $(hostname -a) /etc/hosts
192.168.0.2 desktop.mab.unregistered MABsdesktop
would be found on the desktop. My bad.

Let's ignore that for the moment:

On MABsdesktop do a

ifconfig
and double check the nic connected to the laptop shows 192.168.0.2, then

ssh ***@192.168.0.2
and if it works;

run
ssh ***@192.168.0.2
on the laptop

Sleep tight.
Maurice Batey
2008-08-18 15:18:36 UTC
Post by Bit Twister
I will suggest something like
sshd: 192.168.0.3, 192.168.0.0/255.255.255.0
for you final test.
Tried that (see below). Still no go from laptop.

Here is what is in /etc/hosts, by the way:
----------------------------------------------------
127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop
---------------------------------------------------

and non-descriptive entries in /etc/hosts.allow:

# sshd: 192.168.0.3/255.255.255.0
# service xinetd reload
# ALL: LOCAL, .mab.unregistered
ALL:LOCAL,.mab.unregistered,192.168.0.3,
192.168.0.0/255.255.255.0
----------------------------------------------------
Post by Bit Twister
Tell you what, bring up MCC and set On Boot for sshd. verify
the other
Post by Bit Twister
sshd is off/unchecked. and click Ok. Quit MCC
sshd was already running and set On Boot

What do you mean by "Verify the other sshd is off/unchecked"?
=============================================================
What other sshd?
Post by Bit Twister
On MABsdesktop do a ifconfig and double check the nic connected
to the laptop shows 192.168.0.2
If you mean (under eth0) "inet=", it shows:
inet addr:192.168.0.3
which is the IP of the laptop.
I assume you meant to laptop, which is 192.169.0.3, so used
latter and it did work - i.e. ssh connected to laptop.
(That puzzles me, because sshd is not running on laptop...)
Did you mean ssh on laptop to itself? As above, did ssh to
***@192.168.0.3, and it did work (though no sshd on laptop).

On laptop, ssh ***@MABsdesktop) still fails - see -vv output:

--------------------------------------------------------
[***@localhost ~]$ ssh -vv ***@MABsdesktop
OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to MABsdesktop [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host MABsdesktop port 22: Connection refused
[***@localhost ~]$
--------------------------------------------------------

The annoying thing is that - last year, when still using MDV
2007 on desktop and Vista on laptop - I could do ssh via Putty on
Vista!

Presumably this is not a router firewall problem. (Although it
does have an SSH blocker, I believe that only applies to traffic
coming from the outside 'net. Anyway, I tried turning the
blocker off - no difference (so turned it back on.))

Thanks for sticking with me, BT - much appreciated!
I keep thinking we're just one step away from cracking this...

Anything else I can do to help get there?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 15:54:42 UTC
Post by Maurice Batey
Post by Bit Twister
I will suggest something like
sshd: 192.168.0.3, 192.168.0.0/255.255.255.0
for you final test.
Tried that (see below). Still no go from laptop.
After playing around last night, I can now suggest just

ALL: .mab.unregistered, 192.168.0.

Until we can get ssh working from the laptop,
I wish you would not have any commands in hosts.allow and hosts.deny
Post by Maurice Batey
----------------------------------------------------
127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop
---------------------------------------------------
Which /etc/hosts file? With that hosts file,
you can have the same hosts file on both machines.

Just for fun, I want to make the hosts file the same
on both machines and looks as follows:

127.0.0.1 localhost
192.168.0.1 router.mab.unregistered router
192.168.0.2 desktop.mab.unregistered desktop
192.168.0.3 laptop.mab.unregistered laptop
Post by Maurice Batey
# sshd: 192.168.0.3/255.255.255.0
# service xinetd reload
# ALL: LOCAL, .mab.unregistered
ALL:LOCAL,.mab.unregistered,192.168.0.3,
192.168.0.0/255.255.255.0
----------------------------------------------------
Until we can get ssh working from the laptop,
I wish you would not have any commands in hosts.allow and hosts.deny
on either machine.
Post by Maurice Batey
Post by Bit Twister
Tell you what, bring up MCC and set On Boot for sshd. verify
the other
Post by Bit Twister
sshd is off/unchecked. and click Ok. Quit MCC
sshd was already running and set On Boot
What do you mean by "Verify the other sshd is off/unchecked"?
=============================================================
What other sshd?
In both 2008.0 and 2008.1 MCC System Services I have two lines/selections
sshd running [Info] [x] On Boot Start Stop
sshd-xinetd [Info] [ ] Start when Requested Start Stop

If you are missing sshd-xinetd, I have no idea why you are missing
/etc/xinetd.d/sshd-xinetd

$ ls -al /etc/xinetd.d/sshd-xinetd
-rw-r--r-- 1 root root 321 2008-05-06 14:53 /etc/xinetd.d/sshd-xinetd

You have shown me it was in the rpm in an earlier post.
Post by Maurice Batey
Post by Bit Twister
On MABsdesktop do a ifconfig and double check the nic connected
to the laptop shows 192.168.0.2
inet addr:192.168.0.3
which is the IP of the laptop.
Well, there you have it. Your settings in /etc/hosts and
what is configured for the nic are incorrect.

You have to make ip address in /etc/hosts match what is
in /etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS
from each machine.
Post by Maurice Batey
I assume you meant to laptop,
No assuming, as I mis-understood it, 192.168.0.2 is the desktop
running sshd.

So, I want to verify you can connect to the desktop from the desktop
with the desktop's ip address.
ip given as commands were what you told me was the ip for the desktop.

Numbers were before you told me about your ifconfig results on desktop.
Post by Maurice Batey
Presumably this is not a router firewall problem.
Nope, just involves two machines and their connection.
Post by Maurice Batey
(Although it
does have an SSH blocker, I believe that only applies to traffic
coming from the outside 'net.
Sounds about right.
Post by Maurice Batey
Anyway, I tried turning the
blocker off - no difference (so turned it back on.))
Outstanding.
Post by Maurice Batey
Thanks for sticking with me, BT - much appreciated!
I keep thinking we're just one step away from cracking this...
Good for you. I was about one step away from giving up. :(
Post by Maurice Batey
Anything else I can do to help get there?
First, get the ip addresses in /etc/hosts matching what you
find in the nics which connect to each machine.

Fix /etc/hosts on all machines.

Then go through the trouble shooting text provided in another
post and see if you understand/agree with what each check is doing
and your problem is fixed.
Maurice Batey
2008-08-18 16:55:23 UTC
Post by Bit Twister
After playing around last night, I can now suggest just
ALL: .mab.unregistered, 192.168.0.
Until we can get ssh working from the laptop, I wish you would not have
any commands in hosts.allow and hosts.deny
So I should ignore the "ALL: .mab...." suggestion 5 lines
above here?
Post by Bit Twister
Which /etc/hosts file. With that hosts file, you can have the same hosts
file on both machines.
But I already do! They are identical on both desktop & laptop...
Post by Bit Twister
Just for fun, I want to make the hosts file the same on both machines and
127.0.0.1 localhost
192.168.0.1 router.mab.unregistered router
192.168.0.2 desktop.mab.unregistered desktop
192.168.0.3 laptop.mab.unregistered laptop
That's as already are, but omitting the 'MAB prefix. OK!
Post by Bit Twister
Until we can get ssh working from the laptop, I wish you would
not have any commands in hosts.allow and hosts.deny on either
machine.
OK - will comment them out.
Post by Bit Twister
In both 2008.0 and 2008.1 MCC System Services I have two
lines/selections
Post by Bit Twister
sshd running [Info] [x] On Boot Start Stop
sshd-xinetd [Info] [ ] Start when Requested Start Stop
No sign of that sshd-xinetd entry...
Post by Bit Twister
If you are missing sshd-xinetd, I have no idea why you are missing
/etc/xinetd.d/sshd-xinetd
But it's not missing!
----------------------------------------------------
[***@localhost ~]$ cat /etc/xinetd.d/sshd-xinetd
# default: off
# description: sshd server, xinetd version. \
# Don't run the standalone version if you run \
# this.
service ssh
{
disable = yes
socket_type = stream
wait = no
user = root
server = /usr/sbin/sshd
server_args = -i
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
--------------------------------------------------------
Post by Bit Twister
-rw-r--r-- 1 root root 321 2008-05-06 14:53 /etc/xinetd.d/sshd-xinetd
Check here on desktop:
------------------------------------------------------
[***@localhost ~]$ ls -al /etc/xinetd.d/sshd-xinetd
-rw-r--r-- 1 root root 321 2008-05-06 20:50 /etc/xinetd.d/sshd-xinetd
------------------------------------------------------
Seems a bit of a mystery. It's there but not showing up where it
should. How can that be? (Or, how can it be made to...)
Post by Bit Twister
Your settings in /etc/hosts and what is configured for the
nic are incorrect.
You have to make ip address in /etc/hosts match what is in
/etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS from each machine.
I've no idea why ifconfig shows the wrong host IP!

(Are you saying "inet addr" should show 192.168.0.2, rather
than 192.168.0.3?)

How does one figure out how to acquire the correct info from the
ifcfg-eth0 file so that ifconfig shows correct IP?
Here are the contents of that file on desktop:
----------------------------------------------------------------
[***@localhost ~]$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
NETMASK=255.255.255.0
ONBOOT=yes
METRIC=10
MII_NOT_SUPPORTED=no
USERCTL=no
RESOLV_MODS=no
IPV6INIT=no
IPV6TO4INIT=no
DHCP_CLIENT=dhclient
NEEDHOSTNAME=no
PEERDNS=yes
PEERYP=yes
---------------------------------------------------------------

Regards,
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
David W. Hodgins
2008-08-18 17:29:52 UTC
Post by Maurice Batey
I've no idea why ifconfig shows the wrong host IP!
It doesn't. The hosts files are wrong.
Change the hosts file (on both systems) to show what ifconfig shows.

Also, try running "chkconfig --list" without any other parameters, or piping it
to grep. Does it show the sshd-xinetd?

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Maurice Batey
2008-08-18 17:54:00 UTC
Permalink
Post by David W. Hodgins
try running "chkconfig --list" without any other parameters, or
piping it to grep. Does it show the sshd-xinetd?
No! Absolutely no sign of it, Dave.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Maurice Batey
2008-08-20 13:50:17 UTC
Permalink
Post by David W. Hodgins
The hosts files are wrong.
Change the hosts file (on both systems) to show what ifconfig shows.
Which I did, and ssh then worked.

However, today when I tried ssh, it failed.

When I checked ipconfig I saw that the 'inet' address had
changed back to the IP address that was reflected in the earlier
'incorrect' /etc/hosts file!

Using the latest inet IP address, ssh works again...

So - what can be causing the inet address to change (and how can
a steady state be achieved)?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-20 14:32:35 UTC
Permalink
Post by Maurice Batey
Post by David W. Hodgins
The hosts files are wrong.
Change the hosts file (on both systems) to show what ifconfig shows.
Which I did, and ssh then worked.
However, today when I tried ssh, it failed.
When I checked ipconfig I saw that the 'inet' address had
changed back to the IP address that was reflected in the earlier
'incorrect' /etc/hosts file!
Using the latest inet IP address, ssh works again...
So - what can be causing the inet address to change
dhcp lease renew not being received at dhcp server.
dhcp lease renew not being sent to dhcp server.
Turning off the node and losing the lease.
Post by Maurice Batey
(and how can a steady state be achieved)?
Set connection as static. :-)
Maurice Batey
2008-08-20 14:44:08 UTC
Permalink
Post by Bit Twister
dhcp lease renew not being received at dhcp server.
dhcp lease renew not being sent to dhcp server.
Turning off the node and losing the lease.
How does one prevent those happening?
Post by Bit Twister
Set connection as static.
My ISP did give me a static external IP address, but the 'inet'
address is a local address, isn't it?
How does setting 'connection' as static affect inet address?

I mean, if DHCP always yields the same fixed IP address, why
would the inet address change?

W.r.t. setting connection address static, all the comments I've
seen in various fora seemed to lean towards the DHCP approach
as more secure.

As a matter of interest, what is involved in making the
connection static?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-20 15:27:35 UTC
Permalink
Post by Maurice Batey
Post by Bit Twister
dhcp lease renew not being received at dhcp server.
dhcp lease renew not being sent to dhcp server.
Turning off the node and losing the lease.
How does one prevent those happening?
Connect systems to an Uninterruptible Power Supply (UPS),
fix the problem preventing the handshake between dhcp server and your
system.
Post by Maurice Batey
My ISP did give me a static external IP address, but the 'inet'
address is a local address, isn't it?
Hmmm, how about, it is the address assigned to the nic.
Post by Maurice Batey
How does setting 'connection' as static affect inet address?
nic always has the same address so it is static.
Post by Maurice Batey
I mean, if DHCP always yields the same fixed IP address,
How can you say that? You already have proof your dhcp server has not
issued the same ip address to desktop at least two times already.
Post by Maurice Batey
why would the inet address change?
I refer you back to top of this reply.
Post by Maurice Batey
W.r.t. setting connection address static, all the comments I've
seen in various fora seemed to lean towards the DHCP approach
as more secure.
Hmm. Let's see, cracker manages to get a connection/lease on your LAN
through your wifi router and then manages to cause desktop to reboot.
While desktop's reboot is going on, he
sends a fake lease release for desktop's ip address,
sends a lease release for his node, asks for a new connection and gets
desktop's old address.
Now all your systems think they are talking with desktop. :(
Post by Maurice Batey
As a matter of interest, what is involved in making the
connection static?
Get into MCC, delete the network connection, create the connection,
pick manual/static instead automatic/dhcp and provide an ip address.

Suggest 192.168.0.100
gateway 192.168.0.1
DNS 208.67.222.222, 208.67.220.220
host name desktop.unregistered.invalid

As always, check your admin diary to see if there are any custom
changes you make by hand.

Example found in your admin diary.

Network Changes
Modified /etc/sysconfig/network to look as follows:
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.unregistered.invalid
Maurice Batey
2008-08-20 17:31:27 UTC
Permalink
Post by Bit Twister
fix the problem preventing the handshake between dhcp server and your
system.
Oh, you think there was some glitch that caused the change.
How does one home in on a possible cause, I wonder...
Post by Bit Twister
Post by Maurice Batey
My ISP did give me a static external IP address, but the
'inet'
Post by Bit Twister
Post by Maurice Batey
address is a local address, isn't it?
Hmmm, how about, it is the address assigned to the nic.
I'm confused by this. Here is what my ISP's email said when
setting up ADSL:

"Your static IP address is: 78.xx.139.xx"

Is that 'static' different from in your "make the connection
static".
Post by Bit Twister
Post by Maurice Batey
How does setting 'connection' as static affect inet address?
nic always has the same address so it is static.
How does my static IP address (78.xx.139.xx) relate to the
inet address "192.168.0.xx" ?

Is 'nic' the same as 'inet address'? If not, what is it?

Are you saying that the 'inet address' is obtained from my ISP?
If not, where does it come from?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-20 18:02:24 UTC
Permalink
Post by Maurice Batey
Post by Bit Twister
fix the problem preventing the handshake between dhcp server and your
system.
Oh, you think there was some glitch that caused the change.
No, all I did was give reasons. Not knowing what you did, what was done by
others in the house, what happened to the router,.....
Post by Maurice Batey
How does one home in on a possible cause, I wonder...
Check logs on the dhcp server and your system.
Post by Maurice Batey
Post by Bit Twister
Post by Maurice Batey
My ISP did give me a static external IP address, but the
'inet'
Post by Bit Twister
Post by Maurice Batey
address is a local address, isn't it?
Hmmm, how about, it is the address assigned to the nic.
I'm confused by this.
I can tell. :) I am giving you general terms for items.
You keep taking general terms and have hard coded values in
your head. Kinda like I give a pronoun (she) and you transpose it to a
person (Wanda).
Post by Maurice Batey
Here is what my ISP's email said when
"Your static IP address is: 78.xx.139.xx"
Is that 'static' different from in your "make the connection
static".
Hmm, another bad question. Static is static and does not mean a
particular address.

You get to decide what ip address you wish to assign to a nic when you
set it up as static.
Post by Maurice Batey
Are you saying that the 'inet address' is obtained from my ISP?
No, I am saying inet is the address of the nic regardless of how the
nic was given the address.
Post by Maurice Batey
If not, where does it come from?
Depends, you, dhcp server, avahi-daemon, zeroconf code, another human,.....

Here, look at this, and tell me which inet of eth0 we are talking about.

Internet
|
| eth0
,-------+----------.
| ip ISP assigned |
| ISP Gateway |
| ip 71.171.124.1 |
`-----+------------'
| eth1
|
| eth0
.------------------------------.
| ip 71.171.124.137
| gw 71.171.124.1 |
| Actiontech RI408 |
| router/modem |
| ip 192.168.1.1 |
`-------+-------------------+--'
| |
| eth0 | eth0
.-------+--------. .-------+--------.
| ip 192.168.1.4 | | ip 192.168.1.2 |
| gw 192.168.1.1 | | gw 192.168.1.1 |
| node1 | | node2 |
| suse 10.3 | | kubuntu 8.4 |
`----------------' | |
| ip 192.168.5.6 |
`------+---------'
| eth1
|
| eth0
.-------+--------.
| ip 192.168.5.3 |
| gw 192.168.5.6 |
| node3 |
| Mandriva 2008.1|
`----------------'
Bill Mullen
2008-08-20 19:29:15 UTC
Permalink
On Wed, 20 Aug 2008 17:31:27 +0000 (UTC),
Post by Maurice Batey
Post by Bit Twister
Post by Maurice Batey
My ISP did give me a static external IP address, but the
'inet'
Post by Bit Twister
Post by Maurice Batey
address is a local address, isn't it?
Hmmm, how about, it is the address assigned to the nic.
I'm confused by this. Here is what my ISP's email said when
"Your static IP address is: 78.xx.139.xx"
Is that 'static' different from in your "make the connection
static".
Post by Bit Twister
Post by Maurice Batey
How does setting 'connection' as static affect inet address?
nic always has the same address so it is static.
How does my static IP address (78.xx.139.xx) relate to the
inet address "192.168.0.xx" ?
Is 'nic' the same as 'inet address'? If not, what is it?
Are you saying that the 'inet address' is obtained from my ISP?
If not, where does it come from?
It's clear to me, from following this thread, that some clarification
of a few terms and concepts might be helpful.

The "inet address" that you see when running ifconfig is the IP address
currently assigned to your network card (nic) on that machine. How it
obtained that address can vary; if the card has been configured to get
its address using DHCP, then it got it at boot/network restart time from
your router or ADSL modem or whichever device physically connects you to
the internet (a.k.a. the "next hop" out to the rest of the world - the
device that is located at the other end of the wire from your nic).

However, this is not the only way that the card can be set up; you can
instead opt to assign a static address to it. This is done most easily
in the Mandriva Control Center (MCC), but can also be done by manually
editing the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Giving the
nic a static address is generally a good idea, and doing so will make
troubleshooting networking problems like the present one much easier.

If you assign the nic a static IP address, it must fall within the
range of addresses that your router/modem/whatever will accept. In your
case, this appears to be 192.168.0.xx (where xx is > 1 and < 255). The
gateway IP address also needs to be set at the same time; this is the
"next hop" address, in your setup 192.168.0.1 (the address the router
is listening on). The broadcast address in this case is 192.168.0.255.

The router/modem/whatever will assign DHCP addresses from a subset of
the available ones; you should choose an IP address for your nic that
falls outside of this range. For example, if the router picks DHCP
addresses from x.x.x.100 to x.x.x.150, any static address(es) you set
should not be from within that span; ones like x.x.x.2 or x.x.x.200
would be fine, and will avoid any possible conflicts should you connect
a device that uses DHCP to the network at some future point.

The static address that your router/modem/etc. uses for its external
side (78.xx.139.xx, as noted above) is assigned to it by your ISP; it
then translates the addresses on packets that pass through it in both
directions, to make sure that all of them will get to their correct
destination. This process is known as Network Address Translation, or
NAT. In most cases, it's not something you'll need to concern yourself
with very much.

The router/etc. may well get its own static address from your ISP using
DHCP; it is possible, when one has access to the DHCP server, to set it
up to assign specific addresses to specific machines. This is, in fact,
almost certainly how they do it in your case. The device itself also
contains a DHCP server of its own, to hand out addresses on the local
side of the connection (192.168.0.xx). How much access you have to the
configuration of said server, and whether or not it is sufficiently
flexible to allow you to set up static internal DHCP addresses, I have
no idea. It's generally better all around to just ignore the onboard
DHCP server in the router, and set up static addresses manually on each
internal system, ones chosen from within the appropriate address range.

Doing that simplifies things immensely, by allowing you to enter these
addresses into the /etc/hosts file on each internal machine once and to
not worry about whether or not they will change (which appears, AFAICT,
to be at the root of the problems you've been having). With this sort
of arrangement, the /etc/hosts files on multiple machines on the same
network would all be identical, and therefore every machine will agree
upon how to reach every other machine on the LAN.

In a nutshell, while DHCP is nice for when a friend pops over and wants
to plug in their laptop on your network, for systems that aren't going
anywhere it really makes no sense to use it; use static IPs instead.

HTH!
--
Bill Mullen
RLU #270075
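Bill's rules for picking a static LAN address (inside the router's subnet, not the network, broadcast or gateway address, and outside the range the router hands out over DHCP) and for keeping identical /etc/hosts files on every machine can be checked mechanically. The following is an added example, not code from anyone in this thread; the subnet 192.168.0.0/24, the gateway at .1 and the DHCP pool .100-.150 are assumptions taken from the numbers discussed above, and the hostnames are made up.

```python
"""Checks for planning a static LAN address next to a router's DHCP pool.

Added example, not from the thread.  LAN, GATEWAY and DHCP_POOL are
assumptions built from the figures mentioned in the discussion.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")        # assumed home LAN
GATEWAY = ipaddress.ip_address("192.168.0.1")        # router's LAN side
DHCP_POOL = (ipaddress.ip_address("192.168.0.100"),  # assumed pool start
             ipaddress.ip_address("192.168.0.150"))  # assumed pool end


def check_static_address(candidate, lan=LAN, gateway=GATEWAY, dhcp_pool=DHCP_POOL):
    """Return a list of problems with using `candidate` as a static address.

    An empty list means the address is usable: it lies inside the LAN, is
    not the network, broadcast or gateway address, and is outside the
    range the router hands out over DHCP.
    """
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr not in lan:
        problems.append(f"{addr} is not inside {lan}")
        return problems          # the remaining checks assume membership
    if addr == lan.network_address:
        problems.append(f"{addr} is the network address")
    if addr == lan.broadcast_address:
        problems.append(f"{addr} is the broadcast address")
    if addr == gateway:
        problems.append(f"{addr} is the gateway")
    low, high = dhcp_pool
    if low <= addr <= high:
        problems.append(f"{addr} lies inside the DHCP pool {low}-{high}")
    return problems


def render_hosts(entries):
    """Build the /etc/hosts body that every LAN machine should share.

    `entries` maps hostname -> address.  Every machine gets the same
    file, so every machine resolves every other one the same way.
    Raises ValueError on a duplicate address or one that fails the
    checks above.
    """
    seen = {}
    lines = ["127.0.0.1 localhost"]
    ordered = sorted(entries.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    for host, ip in ordered:
        addr = ipaddress.ip_address(ip)
        if addr in seen:
            raise ValueError(f"{addr} assigned to both {seen[addr]} and {host}")
        problems = check_static_address(str(addr))
        if problems:
            raise ValueError("; ".join(problems))
        seen[addr] = host
        lines.append(f"{addr} {host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for cand in ("192.168.0.2", "192.168.0.120", "192.168.0.1", "192.168.1.7"):
        print(cand, check_static_address(cand) or "ok")
    # constructed hostnames for the two machines in the thread
    print(render_hosts({"desktop": "192.168.0.2", "laptop": "192.168.0.200"}))
```

Run it once per candidate address before touching MCC; an empty problem list is the go-ahead, and the rendered hosts body is what should be copied, unchanged, to each machine.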
Maurice Batey
2008-08-20 21:47:37 UTC
Permalink
Post by Bill Mullen
some clarification
of a few terms and concepts might be helpful.
Absolutely! Many thanks, Bill - much appreciated.

With you and BT's guidance the mists have gradually cleared
and I am going to experiment with a 'static' nic setup, using an
installation of PCLinuxOS I happen to have on an external drive.

'night, all...
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-20 21:55:25 UTC
Permalink
Post by Maurice Batey
With you and BT's guidance the mists have gradually cleared
and I am going to experiment with a 'static' nic setup, using an
installation of PCLinuxOS I happen to have on an external drive.
That's why I have 27 ip addresses for my two real machines.
Each install gets its own static ip address for eth0.

That keeps ssh from complaining about possible man in the middle
possibility when the info in ~/.ssh/known_hosts does not match the
connection you are trying to create.

Also had to do it in my virtual machines so they could network with
each other.
Maurice Batey
2008-08-21 16:11:30 UTC
Permalink
Post by Maurice Batey
I am going to experiment with a 'static' nic setup, using an
installation of PCLinuxOS I happen to have on an external drive.
Looked into that, and found that another set of similar fields
would have to be changed in the router (Netgear DG834G), and as
I'm not 100% sure of the changes I have shelved the idea for
the time being, not wanting to change a setup that has
performed flawlessly for over a year - yet.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-21 16:20:59 UTC
Permalink
Post by Maurice Batey
Looked into that, and found that another set of similar fields
would have to be changed in the router (Netgear DG834G), and as
I'm not 100% sure of the changes I have shelved the idea for
the time being, not wanting to change a setup that has
performed flawlessly for over a year - yet.
I have no experience with Netgear DG834G but I would assume
you should NOT have to change anything in the router.
Wes Newell
2008-08-21 17:56:18 UTC
Permalink
Post by Maurice Batey
Post by Maurice Batey
I am going to experiment with a 'static' nic setup, using an
installation of PCLinuxOS I happen to have on an external drive.
Looked into that, and found that another set of similar fields
would have to be changed in the router (Netgear DG834G), and as I'm not
100% sure of the changes I have shelved the idea for the time being, not
wanting to change a setup that has performed flawlessly for over a year
- yet.
Why don't you just avoid this crap altogether and assign a static IP
address to the desktop machine, or both for that matter. Then it won't
matter which is booted first, last, or in between a hundred other machines.
It will always have the same IP address. Check your router to see what it
allows for dhcp and change it to a small block like 192.168.0.200-250 and
leave the other addresses for static IPs.
--
Want the ultimate in free OTA SD/HDTV Recorder? http://mythtv.org
My Tivo Experience http://wesnewell.no-ip.com/tivo.htm
Tivo HD/S3 compared http://wesnewell.no-ip.com/mythtivo.htm
AMD cpu help http://wesnewell.no-ip.com/cpu.php
David W. Hodgins
2008-08-20 22:54:46 UTC
Permalink
Post by Maurice Batey
Oh, you think there was some glitch that caused the change.
How does one home in on a possible cause, I wonder...
Currently, the desktop and notebook computers are getting the ip address from
the router, using dhcp.

If both computers are off when the dhcp leases expire, then the ip address
given to each computer, will depend on the order they are turned on.
Post by Maurice Batey
I'm confused by this. Here is what my ISP's email said when
"Your static IP address is: 78.xx.139.xx"
Is that 'static' different from in your "make the connection
static".
Yes, they are different.

The router gets the ip address that the isp will use to send data to it, from
the isp via dhcp, or, as in your case, it is statically assigned. That ip
address is used to get traffic from the net, to your router. It is not normally
used on the lan side of the router.
Post by Maurice Batey
How does my static IP address (78.xx.139.xx) relate to the
inet address "192.168.0.xx" ?
The router has two ip addresses. The 78.xx.139.xx is used by your isp, to route
traffic from the net, to your router. The 192.168.0.1 (typically) is used by
computers on your lan, to send packets directly to the router. Note that sending
a packet directly to the router, is not the same as sending a packet through the
router, to your isp.
Post by Maurice Batey
Is 'nic' the same as 'inet address'? If not, what is it?
Network Interface Card. This can be a card you plug into a pci/usb/isa/pcmcia slot,
or built into the motherboard. Each computer may have multiple nics.

In your case, the laptop has one nic (that you're using), the wireless adapter,
and the desktop has one nic, the ethernet card or chipset. Each nic has a MAC
address (also called hardware address), that is supposed to be unique, and
identifies that particular network interface.
Post by Maurice Batey
Are you saying that the 'inet address' is obtained from my ISP?
If not, where does it come from?
The address of the router, was given to you by your isp, via email. In the
router configuration, you've set that ip address, which is only used on the
internet side of the router.

Take a look at your router's configuration screen. Most routers will require you
to use a web browser, on a computer connected to it directly via an ethernet cable.
In the browser, you go to http://192.168.0.1 (address will vary, depending on the
make and/or model of the router).

In the router configuration, you have a choice. Use dhcp to assign the addresses
to the computers, that you connect to it, or statically assign the addresses by
entering the MAC addresses of the NICs, in a table, specifying which ip address
should be associated with which MAC. You can use a mixture, where some computers
have an ip address and MAC in the routers static table, and the rest get dhcp
assigned addresses.

The computer's setup for its NIC has to match with what you've setup, in the
router. Either dhcp, or static.

At present, both your notebook, and the desktop have dhcp assigned addresses.

I would change both to static, although in this case, just changing the desktop
would probably accomplish what you want.

To change the notebook and desktop to static, do the following ...

Run ifconfig on both computers, and take note of the HWaddr (that's the MAC),
of each.

In the router configuration, find the table of MAC/IP addresses, for static
assignment. Pick an ip 192.168.?.? for each, enter the mac addresses, and save the
configuration.

In each of the computers, use mcc to remove the existing network connection,
and re-add it, using static, and the ip 192.168.?.? matching the setting in
the router. Ensure the hosts file on both, match with the router settings.

Hope this helps to clarify things.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
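Dave's procedure (note the HWaddr and inet addr from ifconfig on each machine, enter them in the router's MAC/IP table, then make /etc/hosts agree), and his earlier point that the hosts files were simply wrong, come down to comparing two text sources. The following is an added example, not code from anyone in this thread; it parses the net-tools ifconfig layout of the period ("HWaddr", "inet addr:") on an assumed eth0, and the ifconfig output, hosts file and MAC address are constructed to mirror the thread's situation (hosts says .2, the nic actually has .3), not real captures.

```python
"""Compare what /etc/hosts claims with what ifconfig actually reports.

Added example, not from the thread.  IFCONFIG_SAMPLE and HOSTS_SAMPLE
are constructed inputs; the MAC address is a placeholder.
"""
import re

IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

HOSTS_SAMPLE = """\
127.0.0.1       localhost
192.168.0.2     desktop desktop.unregistered.invalid   # stale entry
192.168.0.4     laptop
"""

_IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
_HWADDR_RE = re.compile(r"HWaddr\s+([0-9A-Fa-f:]{17})")
_INET_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Return {iface: {"mac": str|None, "inet": str|None}} from net-tools output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:                      # a new interface block starts here
            current = m.group(1)
            hw = _HWADDR_RE.search(line)
            result[current] = {"mac": hw.group(1).lower() if hw else None,
                               "inet": None}
            continue
        if current is None:
            continue
        inet = _INET_RE.search(line)
        if inet:
            result[current]["inet"] = inet.group(1)
    return result


def parse_hosts(text):
    """Return {name: ip} for every name on every non-comment line of /etc/hosts."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name] = ip
    return mapping


def hosts_mismatch(hostname, hosts, ifconfig, iface="eth0"):
    """Return a message if hosts[hostname] disagrees with the nic's address, else None."""
    claimed = hosts.get(hostname)
    actual = ifconfig.get(iface, {}).get("inet")
    if claimed is None:
        return f"{hostname} has no entry in /etc/hosts"
    if actual is None:
        return f"{iface} has no inet address"
    if claimed != actual:
        return f"/etc/hosts says {hostname} is {claimed} but {iface} has {actual}"
    return None


def reservation_row(hostname, ifconfig, iface="eth0"):
    """Build the (ip, device name, mac) triple for the router's reservation table."""
    nic = ifconfig[iface]
    return (nic["inet"], hostname, nic["mac"])


if __name__ == "__main__":
    nics = parse_ifconfig(IFCONFIG_SAMPLE)
    hosts = parse_hosts(HOSTS_SAMPLE)
    print(hosts_mismatch("desktop", hosts, nics))
    print(reservation_row("desktop", nics))
```

On a live box the two samples would be replaced by the output of `ifconfig` and the contents of `/etc/hosts`; a non-empty mismatch message is exactly the condition that made ssh fail in this thread, and the reservation row is what goes into the router's "Address Reservation" table so the address stops moving.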
Maurice Batey
2008-08-21 16:33:23 UTC
Permalink
Post by David W. Hodgins
At present, both your notebook, and the desktop have dhcp assigned addresses.
I would change both to static, although in this case, just changing the
desktop would probably accomplish what you want.
I had assumed that as a laptop is sometimes away from base,
it should not have a static IP address in case it clashes
with another server's static IP address.
Post by David W. Hodgins
In the router configuration, find the table of MAC/IP
addresses, for static assignment.
I can find the MAC's for the desktop and laptop, and under
- "LAN IP Setup" - an empty table headed "Address Reservation"
with column headers:

IP address Device name MAC address

which is presumably what you refer to.
Post by David W. Hodgins
Hope this helps to clarify things.
Absolutely - many thanks! I shall save this posting as part
of my 'IP' notes for use when I can face the changes (which may
now be sooner than I thought).
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bill Mullen
2008-08-21 17:24:59 UTC
Permalink
On Thu, 21 Aug 2008 16:33:23 +0000 (UTC),
Post by Maurice Batey
Post by David W. Hodgins
At present, both your notebook, and the desktop have dhcp assigned addresses.
I would change both to static, although in this case, just changing
the desktop would probably accomplish what you want.
I had assumed that as a laptop is sometimes away from base,
it should not have a static IP address in case it clashes
with another server's static IP address.
Which is why having the router always assign the same addresses via DHCP
is always preferable, in those cases when it's possible - it allows you
to leave any or all systems set to use DHCP if you wish, yet completely
solves the problem of shifting IP addresses.
Post by Maurice Batey
Post by David W. Hodgins
In the router configuration, find the table of MAC/IP
addresses, for static assignment.
I can find the MAC's for the desktop and laptop, and under
- "LAN IP Setup" - an empty table headed "Address Reservation"
IP address Device name MAC address
which is presumably what you refer to.
Bingo. That's exactly what you want to see. Enter the hostnames, MAC
addresses, and chosen static IP addresses for your systems there, and
you'll never have to worry about this sort of problem again, no matter
in what order you power up your systems.

If it were me, I'd still configure the desktop to use a manual static IP
address and to not use DHCP, while setting up both systems in the router
to be able to get their correct address via DHCP on that screen. This
way, even if the router settings are lost for some reason (prolonged
power outage, whatever), at least you can be sure that the desktop will
*always* boot up with the right IP address, regardless.
--
Bill Mullen
RLU #270075
Maurice Batey
2008-08-21 17:35:05 UTC
Permalink
Post by Bill Mullen
Enter the hostnames, MAC
addresses, and chosen static IP addresses for your systems there
What 'hostname' is that?

(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)

Do you mean if I set the router up with that table that there is
no functional need to change the DHCP setup in MCC?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
David W. Hodgins
2008-08-21 17:52:40 UTC
Permalink
Post by Maurice Batey
(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)
Whatever you want. The name in the router setup, is only to help you remember
which machine is which. It isn't used in any traffic routing. You could
enter "Desktop", or "Main", or even leave it blank.
Post by Maurice Batey
Do you mean if I set the router up with that table that there is
no functional need to change the DHCP setup in MCC?
Here, I'm not quite sure. I would expect the ip address would have to be outside
of the range that the router has reserved for dhcp addresses. MCC would then
have to have the address changed to a static address.

If the router will allow you to specify an address inside the range used for dhcp,
I'm not sure if the computer will still be able to use dhcp, or if it will have
to be configured, as static. Shouldn't hurt to go ahead and try it. If it doesn't
work with dhcp, just change it to static.

Another thing you may want to look at. If you decide to stay with dhcp, you could
increase the dhcp lease expires timeout. It's probably set at around 24 hours right
now. You could increase this to a week, or more, then you'd only have to worry about
the order the computers are turned on, that often.

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Maurice Batey
2008-08-21 18:08:57 UTC
Permalink
I would expect the ip address would have to be outside of the range that
the router has reserved for dhcp addresses.
Under "Use router as DHCP server" it shows:

Start IP address: 192.168.0.2
End IP address: 192.168.0.254
If the router will allow you to specify an address inside the
range used for dhcp, I'm not sure if the computer will still
be able to use dhcp, or if it will have to be configured, as
static. Shouldn't hurt to go ahead and try it.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-21 18:27:58 UTC
Permalink
Post by Maurice Batey
I would expect the ip address would have to be outside of the range that
the router has reserved for dhcp addresses.
Start IP address: 192.168.0.2
End IP address: 192.168.0.254
Except for .0. it looks about like mine.

I just use .100+ ips on my machines. If you wanted to do it right, you
would change End IP address: to 192.168.0.99 and the router's DHCP
server would not hand out leases greater than .99

In my case I did not change anything in the router.
If the router has assigned more than 99 leases, it could assign .100
to the next computer and I would have two systems on the network with
.100 and start having problems.
Jim Beard
2008-08-21 23:45:18 UTC
Permalink
Post by Bit Twister
Post by Maurice Batey
I would expect the ip address would have to be outside of the range that
the router has reserved for dhcp addresses.
Start IP address: 192.168.0.2
End IP address: 192.168.0.254
Except for .0. it looks about like mine.
I just use .100+ ips on my machines. If you wanted to do it right, you
would change End IP address: to 192.168.0.99 and the router's DHCP
server would not hand out leases greater than .99
In my case I did not change anything in the router.
If the router has assigned more than 99 leases, it could assign .100
to the next computer and I would have two systems on the network with
.100 and start having problems.
This requires that the static ip for a machine be set
in the router and in the machine's software.

For home-use routers (I suspect commercial network
routers should work differently), you can assign an
ip from the router's dhcp range to a mac, and then
let the machine with that mac simply request dhcp
service. It will be assigned the specified static ip.

Cheers!

jim b.
--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.
Bill Mullen
2008-08-21 18:29:28 UTC
Permalink
On Thu, 21 Aug 2008 18:08:57 +0000 (UTC),
Post by Maurice Batey
I would expect the ip address would have to be outside of the range
that the router has reserved for dhcp addresses.
Start IP address: 192.168.0.2
End IP address: 192.168.0.254
Assuming that you can change those settings, make it pick from a smaller
range; for example, set the first one to 192.168.0.100. If you can't
change it, then don't worry about it, since presumably having a static
address set (in the other router screen) would ensure that it will never
give that same address out to another system dynamically.
--
Bill Mullen
RLU #270075
Maurice Batey
2008-08-21 18:13:00 UTC
Permalink
you could increase the dhcp lease expires timeout. It's
probably set at around 24 hours right now.
Where the devil is that to be found?!
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-21 18:30:41 UTC
Permalink
Post by Maurice Batey
you could increase the dhcp lease expires timeout. It's
probably set at around 24 hours right now.
Where the devil is that to be found?!
You would think it would be in the router's User Manual. :)

I know I had to get the manual from the Vendor's site to see where
I could change what for what reason in my router.
Maurice Batey
2008-08-21 18:50:22 UTC
Permalink
Post by Bit Twister
You would think it would be in the router's User Manual.
I did a preliminary check in the router info but could see no
mention of it.

Will have another, closer, perusal tomorrow...
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-21 18:19:45 UTC
Permalink
On Thu, 21 Aug 2008 13:52:40 -0400, David W. Hodgins wrote:

I sure do wish you would tell Opera to automagically line wrap at
something less than or equal to 72 characters.
That would leave at least a little more room for reply depth indicators.
Post by David W. Hodgins
Post by Maurice Batey
(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)
Whatever you want. The name in the router setup, is only to help you remember
which machine is which. It isn't used in any traffic routing. You could
enter "Desktop", or "Main", or even leave it blank.
A little caution note there.
If Maurice does not want the desktop's node name to become Main, he
may want to remember to set Need Hostname = no during nic configuration.
Bill Mullen
2008-08-21 18:32:02 UTC
Permalink
On Thu, 21 Aug 2008 18:19:45 +0000 (UTC),
Post by Bit Twister
On Thu, 21 Aug 2008 13:35:05 -0400, Maurice Batey
Post by Maurice Batey
(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)
Whatever you want. The name in the router setup, is only to help
you remember which machine is which. It isn't used in any traffic
routing. You could enter "Desktop", or "Main", or even leave it
blank.
A little caution note there.
If Maurice does not want the desktop's node name to become Main, he
may want to remember to set Need Hostname = no during nic
configuration.
Another good reason to ensure that the name used in the router setup
matches the system's own hostname - to avoid that sort of problem.
--
Bill Mullen
RLU #270075
Bit Twister
2008-08-21 18:39:36 UTC
Post by Bill Mullen
On Thu, 21 Aug 2008 18:19:45 +0000 (UTC),
Post by Bit Twister
A little caution note there.
If Maurice does not want the desktop's node name to become Main, he
may want to remember to set Need Hostname = no during nic
configuration.
Another good reason to ensure that the name used in the router setup
matches the system's own hostname - to avoid that sort of problem.
Having had two router downloads pushed into my router from my ISP,
the ISP changed my DNS settings in my router, and one router replacement,
I find my connection maintenance has gone away since I set the
computer connections as static. :-D
Bill Mullen
2008-08-21 18:23:47 UTC
On Thu, 21 Aug 2008 17:35:05 +0000 (UTC),
Post by Maurice Batey
Post by Bill Mullen
Enter the hostnames, MAC
addresses, and chosen static IP addresses for your systems there
What 'hostname' is that?
(When I asked the router to show me the 'Add' template, it
automatically showed the MAC and IP address of the desktop, but
for 'Device name' it shows 'Unknown'. What should go there?)
Were it me, I'd put the same name there that you have configured each
system to use as its hostname. IME, some routers that provide DNS to
the LAN will use this setting to let you resolve names properly that do
not appear in /etc/hosts on the local machine, and other routers will
ignore the name used here entirely. Which is the case for yours won't
really matter, since you're going to make sure that all local systems'
hosts files are the same anyway. All it would affect is whether or not
any other system that is temporarily connected can still resolve local
names to local IP addresses, using only the DNS provided by the router.
Post by Maurice Batey
Do you mean if I set the router up with that table that there is
no functional need to change the DHCP setup in MCC?
That is exactly what I mean. However, as I stated before, I'd change the
desktop's config to not use DHCP, although I'd also set up that table
on the router to have an entry for the desktop, so that if it did use
DHCP for some reason, it would still get the correct IP address.

Remember, when choosing addresses to use in this table, select ones that
fall outside the range that the router uses for the ones that *it* picks
(the ones that aren't pre-assigned this way). IOW, if the router's
usual range for handing out DHCP addresses is x.x.x.100 - x.x.x.200,
select ones that are x.x.x.y (where 1 < y < 100, or 200 < y < 255).
--
Bill Mullen
RLU #270075
David W. Hodgins
2008-08-21 18:00:31 UTC
Post by Bill Mullen
If it were me, I'd still configure the desktop to use a manual static IP
address and to not use DHCP, while setting up both systems in the router
to be able to get their correct address via DHCP on that screen. This
way, even if the router settings are lost for some reason (prolonged
power outage, whatever), at least you can be sure that the desktop will
*always* boot up with the right IP address, regardless.
Now I'm getting confused! :)

As I understand it, the router will have some addresses reserved for dhcp,
and may have some static addresses reserved for specific MACs.

On the computer, if the router has its MAC address in the static table, then
the NIC should be configured, as static, with the same ip address.

On the computer, if the router does not have the MAC address, then the NIC
should be configured to use DHCP.

Can the computer be configured to use DHCP, and have the MAC address specified
as static in the router?

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Bit Twister
2008-08-21 18:13:03 UTC
Post by David W. Hodgins
Now I'm getting confused! :)
As I understand it, the router will have some addresses reserved for dhcp,
and may have some static addresses reserved for specific MACs.
On the computer, if the router has its MAC address in the static table, then
the NIC should be configured, as static, with the same ip address.
On the computer, if the router does not have the MAC address, then the NIC
should be configured to use DHCP.
Can the computer be configured to use DHCP, and have the MAC address specified
as static in the router?
Heheheh, you configure the computer to use DHCP. It always gets the
lease from the router. You tell the router that for a given MAC id, send
a given ip address. The computer does not care.

In Maurice's case he seems to always ssh from laptop to desktop.

He can set desktop's nic as static 192.168.0.100 or dhcp and
tell the router to send 192.168.0.2 when it sees desktop's mac.

With just static 192.168.0.100, a factory reset on the router will not
affect desktop. With 192.168.0.2 assigned by MAC, a factory reset will
lose the setting and assign the next ip to desktop.
Bill Mullen
2008-08-21 20:04:04 UTC
On Thu, 21 Aug 2008 14:00:31 -0400,
Post by David W. Hodgins
Post by Bill Mullen
If it were me, I'd still configure the desktop to use a manual
static IP address and to not use DHCP, while setting up both
systems in the router to be able to get their correct address via
DHCP on that screen. This way, even if the router settings are lost
for some reason (prolonged power outage, whatever), at least you
can be sure that the desktop will *always* boot up with the right
IP address, regardless.
Now I'm getting confused! :)
As I understand it, the router will have some addresses reserved for
dhcp, and may have some static addresses reserved for specific MACs.
On the computer, if the router has its MAC address in the static
table, then the NIC should be configured, as static, with the same ip
address.
This is not strictly necessary. If the NIC uses DHCP, and the router
has a static IP address assigned to said NIC based on its MAC address,
then that same IP address is the one that the router should give it,
whether or not the address is in the router's usual DHCP address range.
If not, then the router is more brain-dead than any I've yet used (that
are capable of MAC-based IP address assignment at all).

That being said, it makes the most sense to me to set it up as static in
both places for any systems that are staying put 24/7. And I'll be the
first to admit that there are an awful lot of routers out there that I
haven't encountered, and given that they're low-profit-margin devices
to begin with, there's every reason for me to expect that quite a few of
them are bound to be precisely that brain-dead. ;)
Post by David W. Hodgins
On the computer, if the router does not have the MAC address, then
the NIC should be configured to use DHCP.
No, the NIC can always be configured for a static address with no regard
whatsoever to how the router is set up; the only real concern is that
when one sets up static IP addresses about which the router is unaware,
said addresses should not fall within the range used by the router's
pool of DHCP addresses, so that there's no potential for conflicts.
Post by David W. Hodgins
Can the computer be configured to use DHCP, and have the MAC address
specified as static in the router?
It should be able to be, IME, if the router is capable of static IP
address reservation at all. I find that especially handy for giving
devices like networked printers predictable IP addys when I don't want
to bother with figuring out how to get them to not use DHCP. You just
want to bear in mind that router settings can go missing for any number
of reasons, which is why I feel that setting up each non-mobile system
with a (matching) static IP address within that system's own NIC config
is always worthwhile, IMHO. Likewise for laptops that use wireless - the
wireless settings are LAN-specific, so setting them up as static IP for
when you're home has no effect on which method is used when elsewhere;
it's only their wired NICs that are more convenient to leave as DHCP.
--
Bill Mullen
RLU #270075
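The addressing rules Bill sets out in this post and in his earlier reply (fixed addresses kept outside the router's DHCP pool, a NIC configured static backed by a matching router reservation, no two fixed addresses colliding) can be checked mechanically before anything is typed into a router. The following audit is an added example written for this page, not code from any poster or from Mandriva; the LAN, the pool bounds, the MAC addresses and the hostnames are constructed sample data:

```python
"""Audit a home-LAN addressing plan against the advice in this thread.

Added example, not code from any poster. Hostnames, MAC addresses and
IP addresses are constructed sample data. Rules checked:
  1. a fixed address (router reservation, or a NIC configured static)
     must lie outside the router's dynamic DHCP pool;
  2. a NIC configured static should have a router reservation for the
     same address (belt and suspenders, in case either side is reset);
  3. no two fixed addresses may collide.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
# The router hands out dynamic leases from this inclusive range (constructed)
DHCP_POOL = (ip_address("192.168.0.100"), ip_address("192.168.0.200"))

# Router "Address Reservation" table: MAC -> (device name, IP address)
RESERVATIONS = {
    "00:11:22:33:44:55": ("desktop", "192.168.0.2"),
    "66:77:88:99:aa:bb": ("laptop", "192.168.0.3"),
    "cc:dd:ee:ff:00:11": ("printer", "192.168.0.150"),  # inside the pool
}

# Each machine's own ifcfg-eth0 settings: MAC -> (hostname, BOOTPROTO, IPADDR)
NICS = {
    "00:11:22:33:44:55": ("desktop", "static", "192.168.0.2"),
    "66:77:88:99:aa:bb": ("laptop", "dhcp", None),
    "12:34:56:78:9a:bc": ("nas", "static", "192.168.0.3"),  # collides with laptop
}


def in_pool(addr, pool=DHCP_POOL):
    """True when addr falls inside the router's dynamic DHCP range."""
    return pool[0] <= addr <= pool[1]


def audit(reservations=RESERVATIONS, nics=NICS, pool=DHCP_POOL, lan=LAN):
    """Return a sorted list of findings; an empty list means the plan is consistent."""
    findings = []
    owners = {}  # fixed address -> device name that claims it

    def claim(addr, name):
        other = owners.setdefault(addr, name)
        if other != name:
            findings.append(f"{addr} is claimed by both {other} and {name}")

    for mac, (name, addr) in reservations.items():
        a = ip_address(addr)
        if a not in lan:
            findings.append(f"reservation {name} {a} is outside {lan}")
        if in_pool(a, pool):
            findings.append(f"reservation {name} {a} is inside the DHCP pool")
        claim(a, name)

    for mac, (name, proto, addr) in nics.items():
        if proto != "static":
            continue  # a DHCP client takes whatever the router gives it
        a = ip_address(addr)
        if in_pool(a, pool):
            findings.append(f"static host {name} {a} is inside the DHCP pool")
        res = reservations.get(mac)
        if res is None:
            findings.append(f"static host {name} {a} has no router reservation")
        elif ip_address(res[1]) != a:
            findings.append(f"static host {name} {a} differs from its reservation {res[1]}")
        claim(a, name)

    return sorted(findings)


if __name__ == "__main__":
    for line in audit() or ["plan is consistent"]:
        print(line)
```

A DHCP-only host is skipped because it takes whatever lease the router offers; a static host with no reservation is flagged because, as noted above, a router reset would then hand that address to the next DHCP client.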
Bit Twister
2008-08-21 20:47:33 UTC
Post by Bill Mullen
That being said, it makes the most sense to me to set it up as static in
both places for any systems that are staying put 24/7. And I'll be the
first to admit that there are an awful lot of routers out there that I
haven't encountered, and given that they're low-profit-margin devices
to begin with, there's every reason for me to expect that quite a few of
them are bound to be precisely that brain-dead. ;)
Not to mention crackable from a malware infested web page you might
browse. :-(
http://www.haveyougotwoods.com/archive/2008/01/15/common-home-router-exploit-upnp-enabled-routers-only.aspx
http://www.darkreading.com/document.asp?doc_id=156741
Jim Beard
2008-08-21 23:55:04 UTC
Post by David W. Hodgins
Can the computer be configured to use DHCP, and have the MAC address specified
as static in the router?
Regards, Dave Hodgins
Using the routers handed out by Verizon for ADSL, FIOS Internet, and
FIOS Internet + FIOS TV, the answer has been yes.

I specify the mac address and corresponding ip in the router as
static, and set the machine software to dhcp, and the static address
is provided whenever the machine needs it.

One problem with the Actiontec router (internet+tv), has been that
the router seems to forget that a mac/ip pair has been specified as
static. I think that has been due to the firmware on the router
being updated, or the router reset from the Verizon server. In such
cases, having the static IP set both in the router and on the machine
provides the effect of wearing a belt plus suspenders.

For my wife's laptop, her connection to the local AP network is
static IP, but she has the option of connecting to any net her
machine can find in the area. That requires having two networks
configured for wireless, but it works.

Cheers!

jim b.
--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.
Jim Beard
2008-08-21 23:40:26 UTC
Post by Maurice Batey
I had assumed that as a laptop is sometimes away from base,
it should not have a static IP address in case it clashes
with another server's static IP address.
Post by David W. Hodgins
In the router configuration, find the table of MAC/IP
addresses, for static assignment.
I can find the MAC's for the desktop and laptop, and under
- "LAN IP Setup" - an empty table headed "Address Reservation"
IP address Device name MAC address
which is presumably what you refer to.
Post by David W. Hodgins
Hope this helps to clarify things.
I have used a couple of D-Link routers and one Actiontec.
Using them, I would set the MAC for a machine to a static
ip (192.168.0.3 or whatever) in the router, and let the
machine simply request dhcp.

When the router got the request, it would look at the
MAC and assign the specified static ip. Setting the
machine to the specified static IP would not have hurt
(in a fixed environment), but it was not needed. I
think you can handle your laptop the same way.

Cheers!

jim b.
--
UNIX is not user unfriendly; it merely
expects users to be computer-friendly.
Maurice Batey
2008-08-21 16:04:51 UTC
Post by Bit Twister
fix the problem preventing the handshake between dhcp server and your
system.
Mystery solved. The reason the inet address had changed from
its usual 192.168.0.2 was because - on those days - I had booted
the *laptop* first, which was therefore allocated the first free
address above the router's 192.168.0.1, i.e. 192.168.0.2 as IP
address, so that when the desktop was booted the next IP in
sequence (192.168.0.3) was allocated!

So all I have to do to prevent any more such fluctuation is to
ensure the desktop is first to boot.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 17:38:54 UTC
Post by Maurice Batey
Post by Bit Twister
After playing around last night, I can now suggest just
ALL: .mab.unregistered, 192.168.0.
Until we can get ssh working from the laptop, I wish you would not have
any commands in hosts.allow and hosts.deny
So I should ignore the "ALL: .mab...." suggestion 5 lines
above here?
I am saying, when you get done making the laptop to desktop test work,
and you are ready to enable /etc/host.allow controls, the only
line you will need is

ALL: .mab.unregistered, 192.168.0.
Post by Maurice Batey
Post by Bit Twister
Which /etc/hosts file. With that hosts file, you can have the same hosts
file on both machines.
But I already do! They are identical on both desktop & laptop...
Heheheh, But I did not know that. :-D
Post by Maurice Batey
Post by Bit Twister
If you are missing sshd-xinetd, I have no idea why you are missing
/etc/xinetd.d/sshd-xinetd
But it's not missing!
----------------------------------------------------
# default: off
Then check the perms.

$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/
Post by Maurice Batey
Post by Bit Twister
Your settings in /etc/hosts and what is configured for the
nic are incorrect.
You have to make ip address in /etc/hosts match what is in
/etc/sysconfig/network-scripts/ifcfg-eth0's IPADDRESS from each machine.
I've no idea why ifconfig shows the wrong host IP!
(Are you saying "inet addr" should show 192.168.0.2, rather
than 192.168.0.3?)
How does one figure out how to acquire the correct info from the
ifcg-eth0 file so that ifconfig shows correct IP?
----------------------------------------------------------------
DEVICE=eth0
BOOTPROTO=dhcp
Ok, what I am saying, is, if laptop is sshing into desktop,
then desktop's ip address in laptop's hosts file has to match
the ip address where laptop connects to desktop.

Here look at this drawing


192.168.1.1 pc1 node's gateway
192.168.1.14 pc1 node's ip
      |
      v
x    pc1    printer                 24.x.x.xx
x      \    /                           |
x       \  /                            v
x        Hub---------eth1_fw_eth0---cablemodem-----ISPgateway---Internet
x       /                 ^                            ^
x      /                  |                            |
x    pc2             192.168.1.1                 ggg.ggg.ggg.1
      ^              lan gateway
      |
192.168.1.12 pc2 node's ip
192.168.1.1 pc2 node's gateway

If pc2 wanted to ssh to fw.
pc2's hosts file would have
192.168.1.1 fw.home.test fw


If you cannot understand what I am saying, draw a picture, label with
values and I will run over this again.
Maurice Batey
2008-08-18 17:51:51 UTC
Post by Bit Twister
Then check the perms.
$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/
OK:
-------------------------------------------------------------
[***@desktop ~]$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d//
-------------------------------------------------------------

Still a mystery, I guess...

However, despite all that, you can GET OUT THE FLAGS!
MAFEKING HAS BEEN RELIEVED... 8-))

I can now ssh in to desktop from laptop, now that the IP muddle
has been identified and sorted out.
(I really don't know how they got mixed up, but whenever it
did was yonks ago, and a lot of water has flown under the bridge
(and probably into what's left of my brain) since then.)

BT, many many thanks once again for your unstinted help and
patience - very much appreciated indeed.

Regards,
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 17:55:32 UTC
Post by Maurice Batey
drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d//
What is that // doing on the end of that line? Should be

$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/
Maurice Batey
2008-08-18 18:27:44 UTC
Post by Bit Twister
What is that // doing on the end of that line? Should be
$ ls -ald /etc/xinetd.d/
drwxr-xr-x 2 root root 4096 2008-08-14 19:34 /etc/xinetd.d/
Mmm. I tried it without the '/' on the end of the call and the
2nd '/' doesn't appear!:
-------------------------------------------------------------
[***@desktop ~]$ ls -ald /etc/xinetd.d
drwxr-xr-x 2 root root 4096 2008-08-17 16:54 /etc/xinetd.d/
-------------------------------------------------------------

Figure that one out!
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 18:46:44 UTC
Post by Maurice Batey
Mmm. I tried it without the '/' on the end of the call and the
Figure that one out!
No thank you. :)

Homework assignment.
type ls
type -a ls

On the subject of hosts.allow and hosts.deny.

Your initial setup did not have anything in hosts.deny.

I recommend All: ALL if you are not going to use mine.

If you are going to hardcode ip addresses in /etc/hosts
I recommend setting static instead of dynamic (dhcp)
for those interfaces.

I recommend a FQDN for all nodes. For the linux install, I recommend
these lines and values <=============
$ cat /etc/sysconfig/network
NETWORKING_IPV6=no <=============
NOZEROCONF=yes <=============
NEEDHOSTNAME=no <=============
NETWORKING=yes <=============
HOSTNAME=desktop.mab.test <=============
Maurice Batey
2008-08-19 15:44:13 UTC
Post by Bit Twister
I recommend All: ALL if you are not going to use mine.
Have put that in /etc/hosts.deny; thanks.

I did take a long look at your 'email' setup for that file,
and would love to have it, but it seemed so intricate that I
chickened out, as it would have cost you more days of
trouble-shooting to get it working. 8-)

I assume the purpose is to report any rogue attempt to ssh in to
the server via the router wireless channel.
In my case the router is WAP-key protected, and no one else
here would know what 'ssh' was, so I don't feel a need for more
security.

But all the same it looks an interesting project for a rainy
day...
Post by Bit Twister
If you are going to hardcode ip addresses in /etc/hosts ..
How does one avoid that?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-19 17:48:04 UTC
Post by Maurice Batey
I did take a long look at your 'email' setup for that file,
and would love to have it, but it seemed so intricate that I
chickened out, as it would have cost you more days of
trouble-shooting to get it working. 8-)
No changes/debugging to that fancy .deny script needed.
Bring up a root terminal.

You change a line in /etc/postfix/aliases, (close to bottom of aliases)
from root: postfix
to root: mab
save/quit editor

postalias aliases

service postfix restart

At this point, mab on this node should receive this node's root's
email. You test by sending root a message and check mab's mail box.

mail -s "root test shot" mab < /dev/null

su - mab

mail <==== should show 1 root test shot
(carriage return) <==== would read the mail
d <==== deletes email
q <==== exits mail and deletes marked email.
exit <==== closes the su - mab session.

If postfix has been running since install, I would check root's mail box.

mail

d 1-30 <==== deletes email 1 through 30

exit <==== closes this root terminal session.
Post by Maurice Batey
I assume the purpose is to report any rogue attempt to ssh in to
the server via the router wireless channel.
Not just ssh, report any application attempt compiled with tcpwrapper support
which did not match a rule in hosts.allow.
Post by Maurice Batey
In my case the router is WAP-key protected, and no one else here
would know what 'ssh' was, so I don't feel a need for more security.
What about a 192.168.0.* node cracked when user was playing out on the
internet. :-(

If me, I would have to set all nodes static, starting at, say 192.168.0.100
just in case someone can get a lease/connection from your router.

I would then set .allow ALL: 192.168.0.101, 192.168.0.102, 192.168.0.103
Now, only those nodes could use tcpwrapped apps like sshd.
Post by Maurice Batey
Post by Bit Twister
If you are going to hardcode ip addresses in /etc/hosts ..
How does one avoid that?
Good question for someone knowing network stuff and make/model of router. :-)



Carry over from your other question posted today.

The xinetd package would allow you to have tighter tweaks/features
and not require sshd to be running all the time.

If you did not take my suggestion for your FQDN, you might want
to look through this thread.

http://groups.google.com/group/alt.os.linux.mandriva/msg/9edf6653de20a8a4
Maurice Batey
2008-08-19 18:55:57 UTC
Post by Bit Twister
No changes/debugging to that fancy .deny script needed.
The problem is that in your posting of that script the text
appears split up all over the place, so that it's difficult to
see how it is supposed to precisely fit together.
(I printed it out and pored over it, but even then I couldn't
make it gel...)
Post by Bit Twister
You change a line in /etc/postfix/aliases,
But I don't use postfix; not installed. Happy with KMail.

Perhaps there's a way of throwing some warning panel onto the
screen instead?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-19 19:41:33 UTC
Post by Maurice Batey
Post by Bit Twister
No changes/debugging to that fancy .deny script needed.
The problem is that in your posting of that script the text
appears split up all over the place,
Change news reader then. :-D
Post by Maurice Batey
so that it's difficult to
see how it is supposed to precisely fit together.
Hey, use google to get a second opinion on the code.

http://groups.google.com/group/alt.os.linux.mandriva/msg/01881519c0d3af38
Post by Maurice Batey
(I printed it out and pored over it, but even then I couldn't
make it gel...)
Not much to pore over. It uses tcpwrappers % EXPANSIONS, adds newline
characters (\n) and a line continuation char (\), and feeds it to mail.
Post by Maurice Batey
Post by Bit Twister
You change a line in /etc/postfix/aliases,
But I don't use postfix; not installed. Happy with KMail.
M=Mail
T=Transport
A=Agent
C=Client

Postfix is an MTA and KMail is a MTC.
The MTC sends/fetches email from a MTA.

Guessing in your case you told KMail to use your ISP's MTA.
You would then ask KMail to also fetch mail from desktop
for mab on desktop.
Post by Maurice Batey
Perhaps there's a way of throwing some warning panel onto the
screen instead?
Well, on that topic, I tend to use xmessage to send pop up messages.
Downside :0.0 is the first user's screen to login. :(


Two examples to send a pop up and keep going.

xmessage -display :0.0 "sample pop up" &



nohup xmessage -display :0.0 "

installation of firefox-3.0.1.tar.bz2

failed extract/install, install aborted
" &


A simple pop up, and wait for mouse click

xmessage -display :0.0 "sample pop up"

man xmessage for more switches.
man X For -display usage


Heheheheh, that reminds me, I helped set a co-worker up with linux
and be able to dial up into work.

One evening after work, I had dialed in, and noticed him dialed in.

I got his ip address and did a

xeyes &
xeyes -display x.x.x.x:0 -fg yellow -center red

I could move my mouse around and know what his xeyes was doing.
About two seconds later I get connection broken when he panicked
and shut down his system. 8-)
Maurice Batey
2008-08-20 13:53:18 UTC
Post by Bit Twister
Change news reader then
I have now, from old Pan to new Pan (used for posting this)!

Script looks a little less daunting. It's also the link up with
mailing that puts me off.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-20 14:27:42 UTC
Post by Maurice Batey
Post by Bit Twister
Change news reader then
I have now, from old Pan to new Pan (used for posting this)!
Oh, no, you're going from bad to worse. :-)
Note to self, get that flame proof suit on pretty quick. :-D
Post by Maurice Batey
Script looks a little less daunting.
% Expansion variables found in
man hosts.allow or man hosts.deny

Sample email from deny, would look like:

TCP Wrappers: Connection Refused
By: wm81.home.test
Process: sshd (pid 11046)

User: unknown
Host: localhost.localdomain
Date: Sun Aug 17 20:50:41 CDT 2008
Post by Maurice Batey
It's also the link up with mailing that puts me off.
Ok.
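The hosts.allow and hosts.deny advice earlier in this thread (ALL: ALL in hosts.deny; in hosts.allow either a short ALL: list of static LAN addresses or the .mab.unregistered / 192.168.0. patterns) and the %-expansions behind the sample refusal e-mail just above can be tried out without touching a live system. The evaluator below is an added example for this page, not code from any poster or from the tcp_wrappers package; the rule texts, client names, pid and addresses are constructed, and the mapping of the sample e-mail's fields onto %H, %d, %p, %u and %h is my assumption based on hosts_access(5):

```python
"""Evaluate hosts.allow / hosts.deny rules the way TCP wrappers does.

Added example, not code from any poster; rule texts, client names and
addresses are constructed. It implements the subset of hosts_access(5)
matching this thread relies on:
  * 'ALL' matches anything; a pattern ending in a dot ('192.168.0.') is a
    network prefix; one starting with a dot ('.mab.unregistered') is a
    domain suffix; anything else must match exactly;
  * daemon list and client list separated by ':', comma-separated, with
    '#' comments ignored; a third ':'-field (shell command) is skipped;
  * a match in hosts.allow grants access, otherwise a match in hosts.deny
    refuses it, otherwise access is granted (so an empty hosts.deny lets
    everyone in, which is why 'ALL: ALL' is recommended above).
EXCEPT lists and the 'allow'/'deny' option keywords are not handled.
"""
import re

# Constructed rule files following the thread's recommendations
SAMPLE_ALLOW = """
# local LAN only, by domain suffix or by network prefix
ALL: .mab.unregistered, 192.168.0.
"""
SAMPLE_DENY = "ALL: ALL\n"

# Refusal notice modelled on the sample e-mail above. The field mapping
# (%H server host, %d daemon, %p pid, %u client user, %h client host) is
# taken from hosts_access(5); that the sample was built this way is assumed.
DENY_TEMPLATE = ("TCP Wrappers: Connection Refused\nBy: %H\n"
                 "Process: %d (pid %p)\n\nUser: %u\nHost: %h")


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...] from file contents."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; real tcpd logs and ignores it
        daemons = [t.strip() for t in fields[0].split(",") if t.strip()]
        clients = [t.strip() for t in fields[1].split(",") if t.strip()]
        rules.append((daemons, clients))
    return rules


def pattern_matches(pattern, value):
    """One hosts_access pattern against one daemon name, host name or address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # network prefix, e.g. 192.168.0.
        return value.startswith(pattern)
    if pattern.startswith("."):    # domain suffix, e.g. .mab.unregistered
        return value.endswith(pattern)
    return value == pattern        # exact name or address only


def rule_matches(rule, daemon, client_host, client_addr):
    daemons, clients = rule
    return (any(pattern_matches(d, daemon) for d in daemons) and
            any(pattern_matches(c, client_host) or pattern_matches(c, client_addr)
                for c in clients))


def access_allowed(allow_text, deny_text, daemon, client_host, client_addr):
    """Apply tcpd's order: hosts.allow, then hosts.deny, then default allow."""
    if any(rule_matches(r, daemon, client_host, client_addr)
           for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_host, client_addr)
           for r in parse_rules(deny_text)):
        return False
    return True


def expand(template, daemon, client_host, client_addr, server_host, pid, user="unknown"):
    """Substitute the hosts_access(5) %-expansions; unknown ones are left as-is."""
    table = {"d": daemon, "h": client_host, "a": client_addr,
             "H": server_host, "p": str(pid), "u": user, "%": "%"}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    print(access_allowed(SAMPLE_ALLOW, SAMPLE_DENY, "sshd", "laptop.mab.unregistered", "192.168.0.3"))
    print(expand(DENY_TEMPLATE, "sshd", "localhost.localdomain", "127.0.0.1", "wm81.home.test", 11046))
```

Two things worth noticing when running it: with an empty hosts.deny a client that matches nothing is let in, which is the whole reason for the ALL: ALL line; and a pattern with no leading or trailing dot must match exactly, so 192.168.0.101 in the allow list does not admit 192.168.0.1. Real tcpd decides whether to compare a pattern against the hostname or the address from the pattern's form; this simplification tries both.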
Bit Twister
2008-08-19 19:44:53 UTC
Post by Maurice Batey
Perhaps there's a way of throwing some warning panel onto the
screen instead?
You can, but that would only be host.deny email.

You would not know about cron failures or mail from system cron jobs
which audit/warn root about problems. :(
David W. Hodgins
2008-08-18 18:24:51 UTC
Post by Maurice Batey
Still a mystery, I guess...
Do you have the package xinetd installed? Run "rpm -q -i xinetd"
Is it running "service xinetd status"?

Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Maurice Batey
2008-08-18 18:46:52 UTC
Do you have the package xinetd installed? Run "rpm -q -i xinetd" Is it
running "service xinetd status"?
[***@desktop mab]# rpm -q -i xinetd
package xinetd is not installed

So - in spite of all that evidence to the contrary - it appears
not!

Have now installed it via MCC.

Is there anything more that should be done with it?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 18:57:03 UTC
Post by Maurice Batey
Do you have the package xinetd installed? Run "rpm -q -i xinetd" Is it
running "service xinetd status"?
package xinetd is not installed
So - in spite of all that evidence to the contrary - it appears
not!
Have now installed it via MCC.
Is there anything more that should be done with it?
In your case, so far, it is only good for deciding if you want sshd started
on boot, or if sshd only starts when a sshd connection is tried.
Maurice Batey
2008-08-18 21:48:29 UTC
Post by Bit Twister
In your case, so far, it is only good for deciding if you want sshd
started on boot, or if sshd only starts when a sshd connection is tried.
OIC - that answers a question I was going to ask!

How does one use it to get sshd to start only when a ssh
connection is attempted?
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Aragorn
2008-08-18 22:04:43 UTC
On Monday 18 August 2008 23:48, someone identifying as *Maurice Batey* wrote
in /alt.os.linux.mandriva:/
Post by Maurice Batey
Post by Bit Twister
In your case, so far, it is only good for deciding if you want sshd
started on boot, or if sshd only starts when a sshd connection is tried.
OIC - that answers a question I was going to ask!
How does one use it to get sshd to start only when a ssh
connection is attempted?
If that is what you want, then you should use /xinet-sshd/ - or whatever
it's called - instead of the regular sshd, and then you must set
up /xinetd/ to include /sshd/ among the offered services.
--
*Aragorn*
(registered GNU/Linux user #223157)
Maurice Batey
2008-08-19 16:10:48 UTC
Post by Aragorn
If that is what you want, then you should use /xinet-sshd/ - or whatever
it's called - instead of the regular sshd, and then you must set up
/xinetd/ to include /sshd/ among the offered services.
I installed xinetd because I got the impression it was needed
to properly allow the SSH from laptop, hence my wondering how it
is used.

As I was (eventually!) able to achieve the SSH connection without
it, and don't really need the 'start at first call' facility, I
propose to uninstall it as superfluous (unless there is some
other reason why it should be kept).
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 22:26:15 UTC
Post by Maurice Batey
How does one use it to get sshd to start only when a ssh
connection is attempted?
Get into MCC Services,
uncheck sshd On Boot
click Stop for sshd
click Start when requested for sshd-xinetd
Click Ok, bottom left
Control q
Control q

man xinetd
man xinetd.conf

And start hacking away at
/etc/xinetd.d/sshd-xinetd
do keep an original somewhere else before editing. :-)
Maurice Batey
2008-08-19 16:04:22 UTC
Post by Bit Twister
Get into MCC Services,
uncheck sshd On Boot
click Stop for sshd
click Start when requested for sshd-xinetd Click Ok, bottom left
Happy with that!
Post by Bit Twister
And start hacking away at /etc/xinetd.d/sshd-xinetd
Mmm. I won't get into that, as I don't see a need for
sshd-xinetd (yet).

Many thanks!
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Maurice Batey
2008-08-18 18:53:06 UTC
Post by Bit Twister
In both 2008.0 and 2008.1 MCC System Services I have two lines/selections
sshd running [Info] [x] On Boot Start Stop
sshd-xinetd [Info] [ ] Start when Requested Start Stop
I now see those two entries.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Maurice Batey
2008-08-17 17:43:17 UTC
Post by Bit Twister
Do a
chkconfig --list | grep sshd
and verify it returns something like
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-xinetd: off
Not quite. As shown in earlier posting:
-----------------------------------------------------
[***@localhost mab]# chkconfig --list | grep sshd

sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-----------------------------------------------------

i.e. it doesn't end with "sshd-xinetd: off"
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 18:01:25 UTC
Post by Maurice Batey
Post by Bit Twister
Do a
chkconfig --list | grep sshd
and verify it returns something like
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd-xinetd: off
Yes, but the one I responded to had
[***@localhost mab]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on
6:off

:)
Post by Maurice Batey
-----------------------------------------------------
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-----------------------------------------------------
i.e. it doesn't end with "sshd-xinetd: off"
How rude. I'll show you mine if you'll show me yours. :)

$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-9.1mdv2008.1
Bit Twister
2008-08-17 18:04:25 UTC
On Sun, 17 Aug 2008 18:01:25 +0000 (UTC), Bit Twister wrote:

Oops, forgot to show which command differed.
Post by Bit Twister
Yes, but the one I responded to had
[***@localhost mab]# chkconfig --list | grep sshd
Maurice Batey
2008-08-17 18:31:46 UTC
Post by Bit Twister
$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-9.1mdv2008.1
$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-2.3mdv2008.0


/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 18:43:30 UTC
Post by Bit Twister
Post by Bit Twister
$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-9.1mdv2008.1
Oops, that was my 2008.1 install
Post by Bit Twister
$ rpm -q -f /usr/sbin/sshd
openssh-server-4.7p1-2.3mdv2008.0
Ok, matches my 2008.0 install.

I assume all test shots are not trying to
ssh ***@where


Did adding the # sshd: in /etc/hosts.allow still fail a test shot?
Maurice Batey
2008-08-17 18:47:10 UTC
No - "ssh ***@MABsdesktop"
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 19:02:49 UTC
Groping around in the dark.

do a hostname -i on MABsdesktop

and a ssh ***@the_above_ip_address_here
Bit Twister
2008-08-17 19:06:11 UTC
Permalink
On Sun, 17 Aug 2008 19:02:49 +0000 (UTC), Bit Twister wrote:

in ~mab on desktop do
cd ~/.ssh
chmod 700 .
chmod 600 *
cd

and do the same on the laptop

and run the test shot
Maurice Batey
2008-08-17 21:40:18 UTC
Permalink
Post by Bit Twister
in ~mab on desktop do
cd ~/.ssh
chmod 700 .
chmod 600 *
cd
and do the same on the laptop
OK on desktop, but laptop has no ~/.ssh directory anywhere.
(And ssh from laptop still fails.)

Have to close down now. 'night all...
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Maurice Batey
2008-08-17 21:26:47 UTC
Permalink
Post by Bit Twister
do a hostname -i on MABsdesktop
-------------------------------------------------------
[***@localhost ~]$ hostname -i
127.0.0.1

[***@localhost ~]$ ssh ***@127.0.0.1
Warning: Permanently added '127.0.0.1' (RSA) to the list of known
hosts.
***@127.0.0.1's password:
Last login: Sun Aug 17 18:25:23 2008 from localhost
[***@localhost ~]$ exit
logout

Connection to 127.0.0.1 closed.
[***@localhost ~]$
------------------------------------------------------
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 00:37:53 UTC
Permalink
Post by Maurice Batey
127.0.0.1
Heheh, just an FYI for the lurkers.


[***@pm80 ~]$ cat /etc/release
Mandriva Linux release 2008.0 (Official) for i586

[***@pm80 ~]$ grep $(hostname) /etc/hosts
192.168.1.213 pm80.home.test pm80

[***@pm80 ~]$ ssh $***@127.0.0.1
Last login: Sun Aug 17 19:29:09 2008 from localhost

[***@pm80 ~] exit
Connection to 127.0.0.1 closed.




[***@wm81 ~]$ cat /etc/release
Mandriva Linux release 2008.1 (Official) for i586

[***@wm81 ~]$ grep $(hostname) /etc/hosts
192.168.1.131 wm81.home.test wm81

[***@wm81 ~]$ ssh $***@127.0.0.1
ssh_exchange_identification: Connection closed by remote host

Snippet from /var/log/messages
Aug 17 19:23:32 wm81 sshd[9895]:
refused connect from localhost.localdomain (::ffff:127.0.0.1)
Bit Twister
2008-08-18 02:01:34 UTC
Permalink
Post by Bit Twister
Snippet from /var/log/messages
refused connect from localhost.localdomain (::ffff:127.0.0.1)
Just a follow up. Rejection was caused because hosts.allow did not
catch it and let hosts.deny reject it.

Thought hosts.allow should have let it through.

ALL: LOCAL, .home.test

#****** End of hosts.allow. ********

Looking on pm80, I had to add the wm81 ip address to hosts.allow
for wm81 access.

On wm81 (2008.1) None of the following worked
sshd: .home.test
sshd: .home.test, LOCAL, 192.168.1.131
sshd: .home.test, LOCAL, 192.168.1.131, 192.168.1.0/24
ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24

My hosts.allow solution for ssh $***@127.0.0.1 on 2008.1 is

ALL: LOCAL, .home.test, 27.0.0.1

2008.0 has
ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24

Gotta love the increase in security.
Bit Twister
2008-08-18 02:05:43 UTC
Permalink
Post by Bit Twister
Post by Bit Twister
Snippet from /var/log/messages
refused connect from localhost.localdomain (::ffff:127.0.0.1)
Just a follow up. Rejection was caused because hosts.allow did not
catch it and let hosts.deny reject it.
Thought hosts.allow should have let it through.
ALL: LOCAL, .home.test
#****** End of hosts.allow. ********
Looking on pm80, I had to add the wm81 ip address to hosts.allow
for wm81 access.
On wm81 (2008.1) None of the following worked
sshd: .home.test
sshd: .home.test, LOCAL, 192.168.1.131
sshd: .home.test, LOCAL, 192.168.1.131, 192.168.1.0/24
ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24
ALL: LOCAL, .home.test, 27.0.0.1
Oops, cut did not pick up the 1, should read
ALL: LOCAL, .home.test, 127.0.0.1
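The refusal traced above (hosts.allow `ALL: LOCAL, .home.test` rejecting `localhost.localdomain (::ffff:127.0.0.1)` until 127.0.0.1 was listed) can be replayed with a small model of hosts_access(5) matching. hosts_access(5) defines LOCAL as a host name that contains no dot, so a client that reverse-resolves to localhost.localdomain never matches it, and nothing else on that line names 127.0.0.1. The script below is an added example, not part of the thread and not the libwrap code; the rule sets are copied from the posts above with hosts.deny reduced to `ALL: ALL`, the client names and addresses are constructed, and only the pattern forms used in the thread (plus `n.n.n.` prefixes) are implemented, so the option field, the netmask form and IPv6 patterns are out of scope.

```shell
#!/bin/sh
# Simplified model of hosts_access(5) (tcp_wrappers) matching, enough to replay the
# hosts.allow experiments from this thread. Added illustration, not libwrap: it handles
# ALL, LOCAL, ".domain" suffixes, "n.n.n." prefixes, "n.n.n.n/bits" and exact names or
# addresses; the option field after the client list, netmask and IPv6 forms are not modelled.

NL='
'

is_ip4() {                       # dotted quad with four octets in 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    local oldifs; oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] && [ "$1" -le 255 ] && [ "$2" -le 255 ] && [ "$3" -le 255 ] && [ "$4" -le 255 ]
}

ip4_to_int() {                   # dotted quad -> integer; caller runs is_ip4 first
    local oldifs; oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

norm_addr() {                    # sshd logs IPv4-mapped IPv6 as ::ffff:a.b.c.d; compare the v4 part
    case "$1" in ::ffff:*) echo "${1#::ffff:}" ;; *) echo "$1" ;; esac
}

pattern_match() {                # PATTERN HOSTNAME ADDR -> 0 when the client matches PATTERN
    local net bits
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # a name with no dot in it
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;;  # domain suffix
        *.)    case "$3" in "$1"*) return 0 ;; *) return 1 ;; esac ;;  # address prefix
        */*)   net=${1%/*}; bits=${1#*/}                               # network/bits
               case "$bits" in ''|*[!0-9]*) return 1 ;; esac
               if [ "$bits" -gt 32 ] || ! is_ip4 "$net" || ! is_ip4 "$3"; then return 1; fi
               [ $(( $(ip4_to_int "$3") >> (32 - $bits) )) -eq $(( $(ip4_to_int "$net") >> (32 - $bits) )) ] ;;
        *)     [ "$1" = "$2" ] || [ "$1" = "$3" ] ;;                  # exact name or address
    esac
}

rule_match() {                   # "daemons : clients [: options]" DAEMON HOSTNAME ADDR
    local dlist clist d c ok; ok=1
    dlist=${1%%:*}
    clist=${1#*:}; clist=${clist%%:*}          # option field (spawn, DENY, ...) is dropped
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then ok=0; fi
    done
    if [ "$ok" -ne 0 ]; then return 1; fi
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
        if pattern_match "$c" "$3" "$4"; then return 0; fi
    done
    return 1
}

first_match() {                  # RULES_TEXT DAEMON HOSTNAME ADDR -> 0 if any rule line matches
    local line oldifs; oldifs=$IFS
    IFS=$NL; set -f
    for line in $1; do
        IFS=$oldifs; set +f
        case "$line" in '#'*) continue ;; esac
        if rule_match "$line" "$2" "$3" "$4"; then return 0; fi
    done
    IFS=$oldifs; set +f
    return 1
}

hosts_access() {                 # ALLOW_TEXT DENY_TEXT DAEMON HOSTNAME ADDR -> prints allow|deny
    local addr; addr=$(norm_addr "$5")
    if first_match "$1" "$3" "$4" "$addr"; then echo allow; return 0; fi
    if first_match "$2" "$3" "$4" "$addr"; then echo deny; return 1; fi
    echo allow                   # libwrap default when neither file matches
}

DENY_ALL='ALL: ALL'
ALLOW_WM81='ALL: LOCAL, .home.test'                                  # wm81 (2008.1) as first posted
ALLOW_WM81_FIXED='ALL: LOCAL, .home.test, 127.0.0.1'                 # wm81 after the fix
ALLOW_PM80='ALL: LOCAL, .home.test, 192.168.1.131, 192.168.1.0/24'   # pm80 (2008.0)

# The logged client "localhost.localdomain (::ffff:127.0.0.1)" carries a dot, so LOCAL
# cannot match it and no other pattern names 127.0.0.1: the catch-all hosts.deny wins.
echo "wm81 loopback, before fix: $(hosts_access "$ALLOW_WM81" "$DENY_ALL" sshd localhost.localdomain ::ffff:127.0.0.1)"
echo "wm81 loopback, after fix:  $(hosts_access "$ALLOW_WM81_FIXED" "$DENY_ALL" sshd localhost.localdomain ::ffff:127.0.0.1)"
echo "same rules, dotless name:  $(hosts_access "$ALLOW_WM81" "$DENY_ALL" sshd localhost 127.0.0.1)"
echo "pm80 from wm81:            $(hosts_access "$ALLOW_PM80" "$DENY_ALL" sshd wm81.home.test 192.168.1.131)"
echo "pm80 from 10.0.0.5:        $(hosts_access "$ALLOW_PM80" "$DENY_ALL" sshd host.example.com 10.0.0.5)"
```

Run it as `sh hosts_access_model.sh`; it prints one verdict per replayed case. The practical lesson is in the third line: the name libwrap compares against `LOCAL` and `.home.test` is the reverse-resolved one, so the same hosts.allow line behaves differently depending on whether 127.0.0.1 resolves to `localhost` or to `localhost.localdomain`, which is why listing the address itself is the robust fix.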
Bit Twister
2008-08-17 18:45:44 UTC
Permalink
Post by Maurice Batey
Virtualbox 1.5.6
Are the ssh/sshd systems real or virtual?
Maurice Batey
2008-08-17 21:23:42 UTC
Permalink
Post by Bit Twister
Are the ssh/sshd systems real or virtual?
Absolutely real! (Only WIndows stuff under VBox)
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-17 21:27:58 UTC
Permalink
Post by Maurice Batey
Post by Bit Twister
Are the ssh/sshd systems real or virtual?
Absolutely real! (Only WIndows stuff under VBox)
You seem to be missing/ignoring my questions in other replies,
the ones ending in ?.

Maybe you're just behind in answering them. :)
Guess I'll wait and see.
Maurice Batey
2008-08-18 14:24:10 UTC
Permalink
You seem to be missing/ignoring my questions in other replies, the ones
ending in ?.
Not deliberately, I can assure you!

Will comb through and check. Watch this space... 8-))
--
/\/\aurice

Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 14:29:07 UTC
Permalink
Post by Maurice Batey
You seem to be missing/ignoring my questions in other replies, the ones
ending in ?.
Not deliberately, I can assure you!
Will comb through and check. Watch this space... 8-))
Tell you what: instead of that, go through this and see what needs
improvement; it lets you run a check front to back.


-------- standard debug ssh/sshd problem steps follows: ------------
Version
0.0

The following is mainly for Mandriva, maybe Suse, maybe Redhat/Fedora, and
assumes your install is not using SELinux/ACLs.

I assume you have:
o installed ALL system updates and have rebooted.
o installed the sshd daemon/service package. (OpenSSH Server).
o enabled it to run on boot.
o started sshd on the server.

In this document, "server" is where you are trying to ssh into and
"client" is where you ssh from.

Client is where ssh is trying to connect to sshd on the server.

All ssh test shots will be to a user account on the server, not root.
Where you see bittwister, or ~/, you should be in/using your user account.

Some commands need root privileges to run. To create a root terminal,
Click up a terminal,
su - root or for the k/ubuntu crowd it would be
sudo -i

Anytime I am working a problem, I will open another root terminal and do a

tail -f /var/log/messages
on each system I am working with.

I suggest you do the same.

PS: To abort the tail -f command, press Control-c.
To close a terminal/ssh session, type exit.





sshd has to be running and/or enabled to run on the server.

pgrep -lf sshd <===== Should return the pid and program name
3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866

It might not be running if sshd is to run when needed. :(

Do check the permissions on it

ls -al /usr/sbin/sshd
-rwxr-xr-x 1 root root 379292 2008-05-06 14:53 /usr/sbin/sshd


chkconfig --list | grep sshd <====== on some systems
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
sshd-xinetd: off <=== on indicates to start when needed

NOTE: Do not have both set on.

Current run level found with
/sbin/runlevel
N 3 <==== indicates my system is set at 3 and 3:on indicates
sshd will be started on boot.

If not running, you might be able to start it with
service sshd start
or maybe
/etc/init.d/sshd start


First prove you can connect to it by ip address when you are on the server

ssh bittwister@$(hostname -i)

If there is nothing in /etc/hosts.allow and /etc/hosts.deny
I expect that to work.

If it fails, make sure your user account's .ssh directory has the correct
permissions by doing:

cd ~/.ssh
chmod 700 .
chmod 600 *
cd

ssh bittwister@$(hostname -i)

If no message showed up in /var/log/messages and there is nothing in
/etc/hosts.allow and /etc/hosts.deny I have no idea what to check next.

man hosts.allow to understand lines not starting with #



Next, run some tests to prove network resolution is working.
Test by node name with
ssh bittwister@$(hostname --alias)
then by fully qualified domain name with
ssh bittwister@$(hostname --fqdn)

Failure on those will be a /etc/hosts or network problem.
If so, only use the server's ip address from your client until
you get the network problem solved.

Once that works, verify the hostname ip matches what the client sees.
hostname -i on the server
host servers_hostname_here on the client.

If the hostname -i returns 127.0.0.1 on the server,
you need to use the ip address of the server's nic that
is connected to the client.

ifconfig to find the address. Snippet follows

eth1 Link encap:Ethernet HWaddr 00:16:17:57:66:54
inet addr:192.168.1.131 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:17ff:fe57:6654/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
the inet addr: field is the IPv4 address;
the inet6 addr: field is the IPv6 address.

Verify the ip address test on server with
ssh ***@servers_ip_here


Once those run, only the firewall and /etc/hosts.allow and hosts.deny
contents would block incoming ssh attempts on the server.

You open the Mandriva firewall with
shorewall clear

Before doing that, get the server ip address for the nic connected to
the client.
ifconfig should give you a list of running nics.

hostname -i on the server.

assuming the server is not blocking pings, verify the connection with
ping -c1 servers_ip_here on the client; if that works, then
***@servers_ip_here on the client.
If that fails, hit up arrow

and open the firewall on the server with
shorewall clear
hit a carriage return on the client to run the ssh client to server
test shot again.

No matter what, quickly enable the firewall, with
service shorewall restart
or shorewall restart
on the server.

If there are no messages in /var/log/messages on the server and hosts.allow and
hosts.deny are empty, I do not know what the problem is.


If all the above seems to be true, you will need to dump your settings
so we can see them. Run the commands on server and client.
Cut the command and results and paste them in your reply.


hostname
hostname --fqdn
hostname -i
cat /etc/hosts
grep -v \# /etc/hosts.allow
grep -v \# /etc/hosts.deny
ifconfig

If you see repeatable error messages in the tail -f terminals
every time you do the ssh command, we need to see those also.

Would not hurt to provide results from doing something like
ssh -v ***@servers_ip_here
or ssh -vv ***@servers_ip_here
or ssh -vvv ***@servers_ip_here
which will give increasing debug information with each v.
Take a look at each and decide which one might help us.

PS:
If you run with /etc/hosts.allow and hosts.deny, I found
it helpful for /etc/hosts.deny to contain


ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

That will send an email to root any time something gets through hosts.allow
without being allowed.

Example email follows:

TCP Wrappers: Connection Refused
By: wm81.home.test
Process: sshd (pid 11046)

User: unknown
Host: localhost.localdomain
Date: Sun Aug 17 20:50:41 CDT 2008



I have postfix installed, so I modified aliases to send any mail
to root to me.

tail -11 /etc/postfix/aliases | head -5

# Person who should get root's mail. This alias
# must exist.
# CHANGE THIS LINE to an account of a HUMAN
root: bittwister

And executed:
postalias aliases


Once postfix is restarted, all mail to root (security alerts, cron job
failures, audit failures,...) automagically shows up in my email box.
Maurice Batey
2008-08-18 16:13:32 UTC
Permalink
Post by Bit Twister
o installed ALL system updates and have rebooted.
o installed the sshd daemon/service package. (OpenSSH Server)
o enabled it to run on boot.
o started sshd on the server.
Yes.
Post by Bit Twister
pgrep -lf sshd <===== Should return the pid and program name
3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866
Yes (though no sign of "pid=xxxx")
Post by Bit Twister
It might not be running if sshd is to run when needed. :(
Do check the permissions on it
ls -al /usr/sbin/sshd
-rwxr-xr-x 1 root root 379292 2008-05-06 14:53 /usr/sbin/sshd
Yes - same
Post by Bit Twister
chkconfig --list | grep sshd <====== on some systems
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
sshd-xinetd: off <=== on indicates to start when needed
OK - except still no sign of "sshd-xinetd..."
=============================
Post by Bit Twister
Current run level found with
/sbin/runlevel
N 3 <==== indicates my system is set at 3 and 3:on indicates
sshd will be started on boot.
Yes - that's OK
Post by Bit Twister
First prove you can connect to it by ip address when you are on the server
Fine.
Failed:
------------------------------------------------
[***@localhost ~]$ ssh mab@$(hostname --alias)
ssh: : Name or service not known
------------------------------------------------

then by fully qualified domain name
Fine.
Post by Bit Twister
Once that works, verify the hostname ip matches what the client sees.
hostname -i on the server
host servers_hostname_here on the client.
'hostname -i' gives 127.0.0.1,
Post by Bit Twister
If the hostname -i returns 127.0.0.1 on the server, you need to use the ip
address of the server's nic that is connected to the client.
I believe that is 192.168.0.2 in my case: cat /etc/hosts gives

127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop
Post by Bit Twister
ifconfig to find the address.
In my case:
-----------------------------------------------------------
eth0 Link encap:Ethernet HWaddr 00:1B:21:07:31:63
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
------------------------------------------------------------
Post by Bit Twister
Verify the ip address test on server with
You mean - on server - ssh to itself? This is what happens:

------------------------------------------------------------
[***@localhost ~]$ ssh ***@192.168.0.2
ssh: connect to host 192.168.0.2 port 22: Connection refused
------------------------------------------------------------
(though ssh ***@127.0.0.1 and ssh mab@(hostname) work)


I'll stop here, as my earlier posting today may have helped
clear the air.
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)
Bit Twister
2008-08-18 17:08:19 UTC
Permalink
Post by Maurice Batey
pgrep -lf sshd <===== Should return the pid and program name
3866 /usr/sbin/sshd <============ see, sshd is running, pid=3866
Yes (though no sign of "pid=xxxx")
Comment was trying to show 3866 is the pid, hence pid=3866.
I changed the comment to read pid is 3866.
Post by Maurice Batey
chkconfig --list | grep sshd <====== on some systems
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off <= which run level starts on boot
sshd-xinetd: off <=== on indicates to start when needed
OK - except still no sign of "sshd-xinetd..."
=============================
That is a problem in itself. No idea why it is not there.
It is in the sshd package you installed.
Post by Maurice Batey
------------------------------------------------
ssh: : Name or service not known
------------------------------------------------
Ok, your node name of localhost is biting you. You need to set the
hostname to a FQDN value. Suggestion follows:

$ cat /etc/sysconfig/network
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.mab.unregistered <========= FQDN node set here

Recommendation:
$ cat /etc/sysconfig/network
NETWORKING_IPV6=no
NOZEROCONF=yes
NEEDHOSTNAME=no
NETWORKING=yes
HOSTNAME=desktop.mab.test <========= better domain name here

Read http://www.rfc-editor.org/rfc/rfc2606.txt

NOTE: warning, anytime I change the hostname, I reboot to make every
service/daemon aware of the name change, and check nothing breaks.
Post by Maurice Batey
If the hostname -i returns 127.0.0.1 on the server, you need to use the ip
address of the server's nic that is connected to the client.
I believe that is 192.168.0.2 in my case: cat /etc/hosts gives
Belief does not hack it. You are required to KNOW.
Post by Maurice Batey
127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop
Just an FYI, those long aliases could bite you. I suggest getting them
to less than 9 characters.
Post by Maurice Batey
ifconfig to find the address.
-----------------------------------------------------------
eth0 Link encap:Ethernet HWaddr 00:1B:21:07:31:63
inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
------------------------------------------------------------
Verify the ip address test on server with
You mean - on server - ssh to itself?
------------------------------------------------------------
ssh: connect to host 192.168.0.2 port 22: Connection refused
------------------------------------------------------------
And why is that, you ask. Run these three commands and see if you can relate.

grep 127.0.0.1 /etc/hosts
grep $(hostname) /etc/hosts
echo $(hostname)
Post by Maurice Batey
I'll stop here, as my earoier posting today may have helped
clear the air.
Guessing my reply to that post should have fixed it. :-)
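The three commands just above, together with the earlier step that says a `hostname -i` of 127.0.0.1 means the node name is mapped to the loopback line rather than to the NIC address, can be turned into a self-contained check. The script below is an added example, not from the thread: it takes the contents of /etc/sysconfig/network and /etc/hosts as strings so it runs offline (the hosts lines are the ones Maurice posted; the two sysconfig variants are constructed, the first reflecting the `localhost` node name visible in his prompt), and reports whether the configured HOSTNAME resolves to the loopback address or to the NIC address a client would use. The function names hosts_lookup, sysconfig_hostname and check_hostname are my own.

```shell
#!/bin/sh
# Consistency check between HOSTNAME= in /etc/sysconfig/network and /etc/hosts,
# modelled on the "hostname -i returns 127.0.0.1" pitfall in this thread.
# Added example, not from the thread; file contents are passed in as strings so
# it runs offline. Function names are assumptions, not Mandriva tooling.

NL='
'

hosts_lookup() {                 # HOSTS_TEXT NAME -> first address whose names/aliases include NAME
    local want line addr n oldifs
    want=$2; oldifs=$IFS
    IFS=$NL; set -f
    for line in $1; do
        IFS=$oldifs; set +f
        line=${line%%"#"*}       # drop comments
        set -- $line             # $1 address, $2.. canonical name and aliases
        if [ $# -lt 2 ]; then continue; fi
        addr=$1; shift
        for n in "$@"; do
            if [ "$n" = "$want" ]; then echo "$addr"; return 0; fi
        done
    done
    IFS=$oldifs; set +f
    return 1
}

sysconfig_hostname() {           # NETWORK_TEXT -> value of the HOSTNAME= line
    local line oldifs; oldifs=$IFS
    IFS=$NL; set -f
    for line in $1; do
        IFS=$oldifs; set +f
        case "$line" in HOSTNAME=*) echo "${line#HOSTNAME=}"; return 0 ;; esac
    done
    IFS=$oldifs; set +f
    return 1
}

check_hostname() {               # NETWORK_TEXT HOSTS_TEXT NIC_ADDR -> one verdict line; 0 only if consistent
    local name addr
    if ! name=$(sysconfig_hostname "$1"); then echo "no HOSTNAME= set"; return 1; fi
    if ! addr=$(hosts_lookup "$2" "$name"); then echo "$name is not in /etc/hosts; tests by name will fail"; return 1; fi
    case "$addr" in
        127.*) echo "$name -> $addr (loopback): clients must use the NIC address $3"; return 1 ;;
        "$3")  echo "$name -> $addr: matches the NIC address"; return 0 ;;
        *)     echo "$name -> $addr: does not match the NIC address $3"; return 1 ;;
    esac
}

# /etc/hosts as posted in the thread; the two sysconfig variants are constructed
HOSTS_MAB='127.0.0.1 localhost
192.168.0.1 router.mab.unregistered MABsrouter
192.168.0.2 desktop.mab.unregistered MABsdesktop
192.168.0.3 laptop.mab.unregistered MABslaptop'
NET_LOCALHOST='NETWORKING=yes
HOSTNAME=localhost'              # node name shown in the [...@localhost ~] prompt
NET_FQDN='NETWORKING=yes
HOSTNAME=desktop.mab.unregistered'

check_hostname "$NET_LOCALHOST" "$HOSTS_MAB" 192.168.0.2
check_hostname "$NET_FQDN" "$HOSTS_MAB" 192.168.0.2
check_hostname "$NET_FQDN" "$HOSTS_MAB" 192.168.0.3
hosts_lookup "$HOSTS_MAB" MABslaptop
```

On a live box the three strings would be `$(cat /etc/sysconfig/network)`, `$(cat /etc/hosts)` and the inet addr from ifconfig; the point of the check is that `hostname -i` only reports what /etc/hosts says about the node name, so a node name of `localhost` can never hand a client anything but 127.0.0.1.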
Maurice Batey
2008-08-17 18:28:31 UTC
Permalink
make it a habit to do a shorewall clear to temporarily open
the firewall, and as soon as possible service shorewall restart
Tried 'shorewall clear' before attempting ssh from laptop;
still failed as before.

But there were some 'unknown symbol' error msgs from the
'shorewall clear':
-----------------------------------------------
[***@localhost mab]# shorewall clear

FATAL: Error inserting nf_conntrack_h323
(/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/netfilter/
nf_conntrack_h323.ko.gz): Unknown symbol in module, or unknown
parameter (see dmesg)

WARNING: Error inserting nf_conntrack_h323
(/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/netfilter/
nf_conntrack_h323.ko.gz): Unknown symbol in module, or unknown
parameter (see dmesg)

FATAL: Error inserting nf_nat_h323
(/lib/modules/2.6.22.19-desktop-2mdv/kernel/net/ipv4/netfilter/
nf_nat_h323.ko.gz): Unknown symbol in module, or unknown
parameter (see dmesg)

Clearing Shorewall...
done.
--------------------------------------------------

and similar msgs from the 'service shorewall restart'....
--
/\/\aurice
Linux Mandriva 2.6.22.19-desktop-2mdv 2008.0 PP 32-bit
KDE 3.5.7 Virtualbox 1.5.6
(Remove 'removethis.' to reply by email)