Actually, this problem has been around for a while now, but it hadn't "bothered" me much; lately, though, it has become rather frustrating.
I upgraded to 18.04 in May, and since the upgrade I have been unable to connect to the host from an external IP, which I could do before. When I try to connect, the connection is closed immediately. In auth.log I can see the connection succeed, but a disconnect is logged straight afterwards.
At first I thought the upgrade might have changed the firewall settings. But sudo ufw status numbered quickly ruled that out, as rule 5 shows:
[ 5] 22 ALLOW IN 12.12.12.1
(IP address anonymised for obvious reasons.) There are no DENY rules before rule 5.
OK, I thought, maybe sshd_config had been modified and no longer allows password authentication. So I checked, but I confirmed the entry is still there:
Match Address 12.12.12.1
PasswordAuthentication yes
So, I thought, let's try a different IP address. I therefore temporarily added my phone provider's IP range to sshd_config to allow password authentication (I normally use a private key, so that IP range was already in ufw) by adding the following:
Match Address 82.132.*.*
PasswordAuthentication yes
I then restarted sshd (sudo service sshd restart) and tried to connect. It worked! OK, so password authentication is not blocked outright.
So next I thought it must be the firewall at the location I'm trying to connect from. Well, I also have a 16.04 container on the host, so I added an entry on the router to forward a different port to the container's SSH port (22), added the external IP to ufw, and added PasswordAuthentication yes to sshd_config.
When I tried to connect, it succeeded. So it isn't the firewall at the external location either, since I can connect to the 16.04 host without any problem.
So this really has me stumped. I don't understand why I can't connect to the host with password authentication. I admit I haven't yet tried setting up another 18.04 container and connecting to that, but I'm very happy to try if people think it would be useful. I also haven't tried setting up keys at the external location, but I am specifically trying to use password authentication here (yes, I know it is less secure).
So, to confirm: why can I not connect over SSH with password authentication from this particular IP, and how do I fix it? Why does it work fine from another IP when the relevant entries exist in both sshd_config and ufw? Why did the connection suddenly stop working after I upgraded to 18.04 (it worked fine on 16.04), while connecting to 16.04 still seems to work, since I can connect to the container (on the 18.04 host) from the problematic IP without any trouble?
It may also be worth mentioning that I have no problems connecting from that specific external IP to other ports on the same host. For example, I can connect to Apache without any issue, and I have also set up the Transmission daemon and am about to connect to the web service it hosts.
My full sshd config (IPs anonymised):
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match Address 12.12.12.1
PasswordAuthentication yes
Match Address 192.168.1.*
PasswordAuthentication yes
For reference, my UFW output:
:~$ sudo ufw status numbered
Status: active
To Action From
-- ------ ----
[ 1] 8081 ALLOW IN Anywhere
[ 2] 22 ALLOW IN 1.2.3.0/17
[ 3] 10022 ALLOW IN 4.5.6.0/30
[ 4] 22 ALLOW IN 4.5.6.0/30
[ 5] 22 ALLOW IN 12.12.12.1
[ 6] 22 ALLOW IN 192.168.1.64/26
[ 7] 22 DENY IN Anywhere
[ 8] Samba DENY IN 192.168.1.254
[ 9] Samba ALLOW IN 192.168.1.0/24
[10] Plex ALLOW IN 192.168.1.0/24
[11] 8081 (v6) ALLOW IN Anywhere (v6)
[12] 22 (v6) DENY IN Anywhere (v6)
Here is an excerpt from auth.log from my attempt to connect from the IP today:
Jun 19 10:08:23 ihy sshd[15066]: Connection reset by 12.12.12.1 port 59644 [preauth]
Jun 19 10:08:45 ihy sshd[15086]: Connection reset by 12.12.12.1 port 30982 [preauth]
As you can see, the connection reaches the host but is reset immediately.
Edit: When using ssh -vvv from one of the Linux hosts at the external address (I normally use PuTTY on a Windows host), the result is:
OpenSSH_7.2p2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: resolving "{Domain}" port 10022
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to {Domain} [{IPAddress}] port 10022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/{username}/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
ssh_exchange_identification: read: Connection reset by peer
Output from iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere
Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-logging-output (1 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate NEW limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT] "
Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere
Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
target prot opt source destination
LOG all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10 LOG level warning prefix "[UFW AUDIT INVALID] "
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW
Chain ufw-user-forward (1 references)
target prot opt source destination
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:32400
ACCEPT udp -- anywhere anywhere udp dpt:32400
ACCEPT tcp -- anywhere anywhere tcp dpt:tproxy
ACCEPT udp -- anywhere anywhere udp dpt:8081
ACCEPT tcp -- 1.2.3.0/17 anywhere tcp dpt:ssh
ACCEPT udp -- 1.2.3.0/17 anywhere udp dpt:22
ACCEPT tcp -- no-dns-yet-12.12.12.0.zen.net.uk/30 anywhere tcp dpt:10022
ACCEPT udp -- no-dns-yet-12.12.12.0.zen.net.uk/30 anywhere udp dpt:10022
ACCEPT tcp -- no-dns-yet-12.12.12.0.zen.net.uk/30 anywhere tcp dpt:ssh
ACCEPT udp -- no-dns-yet-12.12.12.0.zen.net.uk/30 anywhere udp dpt:22
ACCEPT tcp -- no-dns-yet-12.12.12.1.zen.net.uk anywhere tcp dpt:ssh
ACCEPT udp -- no-dns-yet-12.12.12.1.zen.net.uk anywhere udp dpt:22
ACCEPT tcp -- no-dns-yet-12.12.12.1.zen.net.uk anywhere tcp dpt:10022
ACCEPT udp -- no-dns-yet-12.12.12.1.zen.net.uk anywhere udp dpt:10022
ACCEPT tcp -- ihy.home/26 anywhere tcp dpt:ssh
ACCEPT udp -- ihy.home/26 anywhere udp dpt:22
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:22
DROP udp -- BThomehub.home anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
DROP tcp -- api.home anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT udp -- 192.168.1.0/24 anywhere multiport dports netbios-ns,netbios-dgm /* 'dapp_Samba' */
ACCEPT tcp -- 192.168.1.0/24 anywhere multiport dports netbios-ssn,microsoft-ds /* 'dapp_Samba' */
ACCEPT udp -- 192.168.1.0/24 anywhere multiport dports 1900,mdns,32410,32412,32413,32414 /* 'dapp_Plex' */
ACCEPT tcp -- 192.168.1.0/24 anywhere multiport dports 32400,32469 /* 'dapp_Plex' */
Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain ufw-user-logging-forward (0 references)
target prot opt source destination
Chain ufw-user-logging-input (0 references)
target prot opt source destination
Chain ufw-user-logging-output (0 references)
target prot opt source destination
Chain ufw-user-output (1 references)
target prot opt source destination
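An added example, not part of the question above, showing how sshd resolves the Match Address blocks in the posted sshd_config. Two points are easier to see in code than in the file: OpenSSH's compiled-in default for PasswordAuthentication is yes, so with the global line left commented (as in the posted file) the two Match blocks change nothing and password authentication is offered to every source address; and a Match Address list may combine CIDR ranges, wildcard patterns and "!" negation, with the first matching block that sets an option overriding the global value. The "hardened" config is a constructed variant that sets PasswordAuthentication no globally and re-enables it only for the listed sources, so that the Match blocks actually restrict something. The Python below is a simplified re-implementation of the matching rules written for this illustration (only Address criteria are evaluated; User, Group and Host criteria are skipped), not OpenSSH code, and both configs are constructed sample input.

```python
"""Work out which PasswordAuthentication value sshd would apply to a client
address under a given sshd_config. Illustrative re-implementation of
OpenSSH's Match Address rules; not OpenSSH code."""
import fnmatch
import ipaddress

# Constructed sample: the Match blocks from the posted sshd_config, with the
# global PasswordAuthentication line still commented out as in the post.
POSTED_CONFIG = """
#PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match Address 12.12.12.1
    PasswordAuthentication yes
Match Address 192.168.1.*
    PasswordAuthentication yes
"""

# Constructed variant: passwords refused globally, allowed only from the
# listed sources, with one LAN address explicitly excluded.
HARDENED_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 12.12.12.1,192.168.1.0/24,!192.168.1.254
    PasswordAuthentication yes
"""

# OpenSSH compiled-in defaults for the options this example tracks.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_config(text):
    """Split sshd_config text into global options and an ordered list of
    (criteria, options) Match blocks. Keys are lower-cased, comments and
    blank lines skipped. A Match block runs until the next Match keyword."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)   # first occurrence wins
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks


def address_matches(pattern_list, addr):
    """sshd Match Address semantics: comma-separated CIDR ranges or wildcard
    patterns, '!' negates an entry. Any matching negated entry fails the
    whole list; otherwise at least one positive entry must match."""
    ip = ipaddress.ip_address(addr)
    positive = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        entry = entry.lstrip("!")
        if "/" in entry:
            hit = ip in ipaddress.ip_network(entry, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, entry)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def effective_option(config_text, addr, option):
    """Value sshd would apply for `option` to a client at `addr`: the first
    matching Match block that sets it, else the global value, else the
    compiled-in default. Only Address criteria are evaluated here."""
    option = option.lower()
    global_opts, blocks = parse_config(config_text)
    for criteria, opts in blocks:
        if set(criteria) != {"address"}:
            continue   # simplification: skip User/Group/Host blocks
        if address_matches(criteria["address"], addr) and option in opts:
            return opts[option]
    return global_opts.get(option, DEFAULTS.get(option))


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        for client in ("12.12.12.1", "192.168.1.50", "192.168.1.254", "82.132.5.6"):
            value = effective_option(cfg, client, "PasswordAuthentication")
            print(f"{name:8} {client:15} PasswordAuthentication {value}")
```

On the server itself the authoritative check is sshd -T -C addr=12.12.12.1,user=<your user>,host=<client hostname> | grep -i passwordauthentication, which prints the values sshd would apply to that connection after Match processing. Note also that the ssh -vvv transcript above stops at ssh_exchange_identification and auth.log records the reset as [preauth], that is, before any authentication method is negotiated; the PasswordAuthentication value only comes into play once a connection gets past that point.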