Can SSH on LAN, but not remotely. All ports are open.


Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
I can SSH into my FreeNAS 8.0.1-Beta4 box on LAN with no problem. However, I cannot do it over the internet. I have enabled login with password (after previously disabling it as I have keys set up). I have opened port 22, and forwarded it to my NAS server 192.168.0.130, but I cannot connect to it no matter what. It's really starting to bug me, having tried connecting to the server via both the IP address and the DynDNS address. Does FreeNAS have a firewall type system that I am totally overlooking?

Thanks for any help.
 
Joined
May 27, 2011
Messages
566
Nope, map the port at your gateway and you should be good. Did you make any modifications to your ssh config, host allow or deny?
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Nope. I haven't touched them. I've had a fair amount of experience successfully forwarding ports, however this one is being stubborn. I'm using my iPhone's 3G connection to test the remote connection, could it be something to do with Vodafone blocking it? Here are my port forwarding rules. The server is 192.168.0.130.

capturexuq.png


I've also checked the logs, and this appears:

Code:
Mon, 2011-08-08 23:10:47 - TCP Packet - Source:212.183.140.44,24653 Destination:46.208.181.234,22 - [SSH/FTP rule match]


Seems the router is letting it in, however nothing else is happening. I get a connection timeout on the iPhone.
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Steps I've tried:

  • Set up an apache web server on a different machine, and opened the ports for that. I could see that.
  • Tried to enable ftp on the NAS box, couldn't connect

I think it could be the hosts file...
 
Joined
May 27, 2011
Messages
566
Set up Apache to serve over port 22, then try to connect to the web server on port 22.

Can you post your SSH configs?
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Sorry, I am pretty new to this. What do you mean exactly by SSH configs? My SSH settings in FreeNAS?
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Code:
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.48 2008/08/01 02:48:36 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20080801

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
 
Joined
May 27, 2011
Messages
566
I don't see anything that would cause your issue; however, I do see that you have root logins enabled. You should disable that ASAP. It can be done through the settings page for SSH.
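A review of the posted sshd_config for settings that matter once port 22 is forwarded from the internet, as an added example that is not part of the original thread. The `RISKY` rule table and function names are assumptions made for this sketch; `POSTED_CONFIG` holds only the uncommented directives from the file above.

```python
# Uncommented directives from the sshd_config posted above (comments trimmed).
POSTED_CONFIG = """\
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
Subsystem	sftp	/usr/libexec/sftp-server
#Match User anoncvs
"""

# Illustrative review rules (an assumption of this example, not an official list):
# keyword -> (value treated as risky on an internet-facing sshd, reason)
RISKY = {
    "permitrootlogin": ("yes", "root can log in directly with a password"),
    "permitemptypasswords": ("yes", "accounts with an empty password can log in"),
    "passwordauthentication": ("yes", "passwords can be guessed; prefer keys"),
}

def parse_global(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and the first occurrence wins, as in sshd.
    Parsing stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out default
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return [(keyword, reason)] for explicitly set directives that match RISKY."""
    settings = parse_global(text)
    return [(key, why) for key, (bad, why) in RISKY.items()
            if settings.get(key, "").lower() == bad]

if __name__ == "__main__":
    for key, why in audit(POSTED_CONFIG):
        print(f"{key}: {why}")
```

Only explicitly set directives are reported; commented-out lines fall back to the build's defaults, which this sketch does not model.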
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
It was disabled, and I was su root, but I enabled it just for troubleshooting. So you have no idea as to why this is happening?
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Thanks, I understand that now, but is this all that should be in hosts.allow? What should hosts.deny read?
 

Swarfega

Cadet
Joined
Aug 11, 2011
Messages
7
As I said I don't have a FreeNAS to look at right now so don't know what the defaults are. To be able to connect to the daemon remotely sshd: ALL in hosts.allow should be enough. I would have thought hosts.deny would be blank.
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
I've changed the hosts.allow file to just include
Code:
sshd: ALL
but it is still not connecting.

At the top of the hosts.allow file, it says the hosts.deny is now deprecated. Does this change anything?
 

Alexgdb

Dabbler
Joined
Aug 3, 2011
Messages
34
Ok, development. I have enabled SSH on my laptop, and can remotely connect to that, so it MUST be something to do with the hosts.allow file. I'm using 8.0.1-Beta4 if this makes any difference.
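A probe that separates the failure modes discussed in this thread, as an added example that is not part of the original posts. The outcome labels are this example's own: a timeout means packets are being dropped on the way in or out, a refusal means nothing is listening, a connection closed before any banner is consistent with a TCP wrappers (hosts.allow) rejection, and a banner means sshd itself is reachable.

```python
import socket

def probe_ssh(host, port=22, timeout=5.0):
    """Classify one TCP connection attempt to an SSH port.

    Returns one of: "timeout", "refused", "error: ...", "open-no-banner",
    "closed-before-banner", "open-not-ssh", or "banner: <identification line>".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"            # SYN or its reply was silently dropped
    except ConnectionRefusedError:
        return "refused"            # host reachable, no listener on the port
    except OSError as exc:
        return "error: %s" % exc    # e.g. no route to host, DNS failure
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)   # an SSH server sends its banner first
        except socket.timeout:
            return "open-no-banner"
        except OSError:
            return "closed-before-banner"
    if not data:
        return "closed-before-banner"   # accepted, then dropped without a banner
    if data.startswith(b"SSH-"):
        first = data.split(b"\n")[0].strip()
        return "banner: " + first.decode("ascii", "replace")
    return "open-not-ssh"           # something else answers on this port

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> [port]; run once from the LAN, once from outside.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print(probe_ssh(target, port))
```

Running it against the LAN address and then against the public address from an outside network shows at which hop the result changes.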
 