SSH connection does not work when connecting from a specific IP


In fact, this problem has been happening to me for a while, but it hadn't "bothered" me too much; now, though, it is getting a bit frustrating.

I upgraded to 18.04 in May, and since the upgrade I can't connect to the host from an external IP, which I could do before. When I try to connect, the connection is closed immediately. In auth.log I can see the connection succeeding, but a disconnect is logged straight afterwards.

At first I thought the upgrade might have changed the firewall settings. But I quickly ruled that out with sudo ufw status numbered, as rule 5 shows:

[ 5] 22                         ALLOW IN    12.12.12.1

(IP address anonymised for obvious reasons). There are no DENY rules before rule 5.

Well, I thought, maybe sshd_config had been modified and no longer allows password authentication. So I checked, but confirmed that the entry is still there:

Match Address 12.12.12.1
    PasswordAuthentication yes

So, I thought, let's try a different IP address. I therefore temporarily added my phone provider's IP range to sshd_config to allow password authentication (I normally use a private key, so the IP range was already in ufw) by adding the following:

Match Address 82.132.*.*
    PasswordAuthentication yes

Then I restarted sshd (sudo service sshd restart) and tried to connect. It worked! OK, so password authentication is not being blocked outright.

So next I thought it must be the firewall at the location I'm connecting from. Well, I also have a 16.04 container on the host, so I added an entry on the router to forward a different port to the container's SSH port (22), added the external IP to ufw and added PasswordAuthentication yes to sshd_config; when I tried to connect, it succeeded. So it isn't the firewall at the external location either, since I can connect fine to the 16.04 host.

So this really puzzles me. I don't understand why I can't connect to the host using password authentication. I admit I haven't yet tried setting up another 18.04 container and connecting to it, but I'd be happy to try if people think it would be useful. I also haven't tried setting up keys at the external location, but here I am specifically trying to use password authentication (yes, I know it is less secure).

But to be clear: why can't I connect over SSH with password authentication from this particular IP, and how do I fix it? Why does it work fine from another IP when both sshd_config and ufw have the relevant entries? Why did the connection suddenly stop working after I upgraded to 18.04 (it worked fine with 16.04), while connecting to 16.04 still seems to work, since I can connect from the problem IP to the container (on the 18.04 host) without any trouble?

It is probably also worth mentioning that I have no problem connecting to other ports on the same host from the specific external IP. For example, I can connect to apache without any issue, and I have also set up the transmission daemon and connect to the web service it hosts.

My full sshd config (IPs anonymised):

#   $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem   sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Match Address 12.12.12.1
    PasswordAuthentication yes

Match Address 192.168.1.*
    PasswordAuthentication yes

For reference, my UFW output:

:~sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 8081                       ALLOW IN    Anywhere                  
[ 2] 22                         ALLOW IN    1.2.3.0/17           
[ 3] 10022                      ALLOW IN    4.5.6.0/30             
[ 4] 22                         ALLOW IN    4.5.6.0/30             
[ 5] 22                         ALLOW IN    12.12.12.1                
[ 6] 22                         ALLOW IN    192.168.1.64/26           
[ 7] 22                         DENY IN     Anywhere                  
[ 8] Samba                      DENY IN     192.168.1.254             
[ 9] Samba                      ALLOW IN    192.168.1.0/24            
[10] Plex                       ALLOW IN    192.168.1.0/24            
[11] 8081 (v6)                  ALLOW IN    Anywhere (v6)             
[12] 22 (v6)                    DENY IN     Anywhere (v6)

Here is an excerpt from auth.log from when I tried to connect from the IP today:

Jun 19 10:08:23 ihy sshd[15066]: Connection reset by 12.12.12.1 port 59644 [preauth]
Jun 19 10:08:45 ihy sshd[15086]: Connection reset by 12.12.12.1 port 30982 [preauth]

As you can see, the connection reaches the host but is immediately reset.

Edit: when using ssh -vvv from one of the Linux hosts at the external address (I normally use PuTTY on a Windows host), the result is:

OpenSSH_7.2p2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: resolving "{Domain}" port 10022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {Domain} [{IPAddress] port 10022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
ssh_exchange_identification: read: Connection reset by peer

Output of iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere
Chain ufw-after-forward (1 references)
target     prot opt source               destination
Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-after-output (1 references)
target     prot opt source               destination
Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere
Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere
Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere
Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere
Chain ufw-reject-forward (1 references)
target     prot opt source               destination
Chain ufw-reject-input (1 references)
target     prot opt source               destination
Chain ufw-reject-output (1 references)
target     prot opt source               destination
Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain ufw-track-forward (1 references)
target     prot opt source               destination
Chain ufw-track-input (1 references)
target     prot opt source               destination
Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
Chain ufw-user-forward (1 references)
target     prot opt source               destination
Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:32400
ACCEPT     udp  --  anywhere             anywhere             udp dpt:32400
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:tproxy
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8081
ACCEPT     tcp  --  1.2.3.0/17      anywhere             tcp dpt:ssh
ACCEPT     udp  --  1.2.3.0/17      anywhere             udp dpt:22
ACCEPT     tcp  --  no-dns-yet-12.12.12.0.zen.net.uk/30  anywhere             tcp dpt:10022
ACCEPT     udp  --  no-dns-yet-12.12.12.0.zen.net.uk/30  anywhere             udp dpt:10022
ACCEPT     tcp  --  no-dns-yet-12.12.12.0.zen.net.uk/30  anywhere             tcp dpt:ssh
ACCEPT     udp  --  no-dns-yet-12.12.12.0.zen.net.uk/30  anywhere             udp dpt:22
ACCEPT     tcp  --  no-dns-yet-12.12.12.1.zen.net.uk  anywhere             tcp dpt:ssh
ACCEPT     udp  --  no-dns-yet-12.12.12.1.zen.net.uk  anywhere             udp dpt:22
ACCEPT     tcp  --  no-dns-yet-12.12.12.1.zen.net.uk  anywhere             tcp dpt:10022
ACCEPT     udp  --  no-dns-yet-12.12.12.1.zen.net.uk  anywhere             udp dpt:10022
ACCEPT     tcp  --  ihy.home/26          anywhere             tcp dpt:ssh
ACCEPT     udp  --  ihy.home/26          anywhere             udp dpt:22
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       udp  --  anywhere             anywhere             udp dpt:22
DROP       udp  --  BThomehub.home       anywhere             multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
DROP       tcp  --  api.home             anywhere             multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT     udp  --  192.168.1.0/24       anywhere             multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT     tcp  --  192.168.1.0/24       anywhere             multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT     udp  --  192.168.1.0/24       anywhere             multiport dports 1900,mdns,32410,32412,32413,32414 /* 'dapp_Plex' */
ACCEPT     tcp  --  192.168.1.0/24       anywhere             multiport dports 32400,32469 /* 'dapp_Plex' */
Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination
Chain ufw-user-logging-input (0 references)
target     prot opt source               destination
Chain ufw-user-logging-output (0 references)
target     prot opt source               destination
Chain ufw-user-output (1 references)
target     prot opt source               destination
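Two things in the question are worth separating when reading the logs above: what sshd would decide for this client address under the Match Address blocks, and at which stage the connection actually died. The auth.log lines are tagged [preauth] and the client side stops at ssh_exchange_identification, i.e. the TCP session is reset during the version exchange, before any authentication method (and therefore any PasswordAuthentication setting) is consulted. The script below is an added example, not code from the question or from OpenSSH; it re-implements the Match Address matching rules documented in sshd_config(5) (comma-separated CIDR networks or wildcard patterns, a leading ! negates) and summarises pre-auth disconnects from auth.log. The config and log text embedded in it are constructed from the values quoted in the question, with the same anonymised IPs.

```python
"""Added example: evaluate sshd_config `Match Address` blocks for a client IP
and count pre-auth disconnects in auth.log. Not part of the original question."""
import fnmatch
import ipaddress
import re
from collections import Counter

# Constructed sample: the relevant lines of the poster's sshd_config.
SSHD_CONFIG = """\
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

Match Address 12.12.12.1
    PasswordAuthentication yes

Match Address 82.132.*.*
    PasswordAuthentication yes

Match Address 192.168.1.*
    PasswordAuthentication yes
"""

# Constructed sample: the two auth.log lines quoted in the question.
AUTH_LOG = """\
Jun 19 10:08:23 ihy sshd[15066]: Connection reset by 12.12.12.1 port 59644 [preauth]
Jun 19 10:08:45 ihy sshd[15086]: Connection reset by 12.12.12.1 port 30982 [preauth]
"""


def address_matches(client_ip, pattern_list):
    """Match Address semantics from sshd_config(5): entries are CIDR networks
    (a bare address means /32 or /128) or wildcard patterns with * and ?, and a
    leading ! negates. As in OpenSSH's addr_match_list(), a negated hit rejects
    at once, while a positive hit is remembered and later entries still run."""
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for entry in pattern_list.split(","):
        entry = entry.strip()
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        try:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not CIDR: shell-style wildcard match on the address text.
            # ([ ] classes never occur in IP strings, so fnmatch is safe here.)
            hit = fnmatch.fnmatchcase(client_ip, entry)
        if hit:
            if negate:
                return False
            matched = True
    return matched


def effective_options(config_text, client_ip):
    """Options sshd would apply to client_ip: global values overridden by
    matching Match blocks. When several blocks match, the first block that sets
    a keyword wins (sshd keeps the first value obtained per keyword). Only
    single-criterion `Match Address` lines are evaluated; any other Match line
    is treated as not matching. Keys are returned lower-cased."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            crit = value.split()
            active = (len(crit) == 2 and crit[0].lower() == "address"
                      and address_matches(client_ip, crit[1]))
            target = match_opts if active else None
            continue
        if target is None or (target is match_opts and keyword in match_opts):
            continue
        target[keyword] = value
    return {**global_opts, **match_opts}


# Covers "Connection reset by A.B.C.D port N [preauth]" and the
# "closed by (invalid|authenticating) user X A.B.C.D port N" variants.
LOG_RE = re.compile(
    r"sshd\[\d+\]: Connection (?P<how>reset|closed) by "
    r"(?:(?:invalid|authenticating) user \S+ )?(?P<ip>[0-9a-fA-F.:]+) port \d+"
    r"(?P<pre> \[preauth\])?")


def preauth_disconnects(log_text):
    """Count connections dropped before authentication completed, keyed by
    (source IP, reset|closed). A [preauth] reset means the session died before
    any authentication method ran, so PasswordAuthentication never applied."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("pre"):
            counts[(m.group("ip"), m.group("how"))] += 1
    return dict(counts)


def diagnose(client_ip, config_text=SSHD_CONFIG, log_text=AUTH_LOG):
    """Combine both views for one client address."""
    opts = effective_options(config_text, client_ip)
    return {
        "password_auth": opts.get("passwordauthentication", "yes (default)"),
        "preauth_resets": preauth_disconnects(log_text).get((client_ip, "reset"), 0),
    }


if __name__ == "__main__":
    print(diagnose("12.12.12.1"))   # password auth allowed, yet 2 pre-auth resets
```

Run it against a real host with diagnose("1.2.3.4", open("/etc/ssh/sshd_config").read(), open("/var/log/auth.log").read()). The authoritative version of the first half is sshd's own test mode, sudo sshd -T -C addr=12.12.12.1,user=<user>,host=<host> (placeholders, fill in your own values) piped through grep -i passwordauthentication; the script only approximates that so the two views can be compared in one place. When the second number is non-zero while the first says "yes", the thing rejecting the connection sits below the authentication layer and the Match blocks are not where to keep looking.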
