Unexplained read error w/hosts.allow hostname-only lookup


Yesterday I was locked out of a server with the error "kex_exchange_identification: read: Connection reset by peer". After connecting via KVM I immediately found the cause: the hostname in hosts.allow, although it matches, was failing the check.

sshd[717775]: warning: /etc/hosts.allow, line 10: can't verify hostname:
getaddrinfo (<correct-host.com>, AF_INET) failed
sshd[717775]: refused connect from <x.x.x.x> (x.x.x.x)

The same thing happens with a different ISP at a different location, which is also allowed but gets refused for the same reason.

Oddly, though, the connection failures for each ISP entry on lines 10 and 11 are both reported as "line 10" in /var/log/auth.log. Note that there are no characters (including whitespace) before or after line 10 that could make it "unreadable" and cause line 11 to go unread.

Note that the hosts still fail when using the traditional format "sshd: .isp1.com .isp2.com" (the only reason I configured it per line is so that I could change the service access for each host line by line if I wanted to).

As above, regardless of the order of the listed hosts or which domain I connect from, it fails to read the first uncommented line (10):

sshd[3626087]: warning: /etc/hosts.allow, line 10: can't verify hostname: getaddrinfo(different-but-correct-host.com), AF_INET) failed
sshd[717775]: refused connect from <x.x.x.x> (<x.x.x.x>)

Note that the IP x.x.x.x is also correct, and reverse DNS fully resolves the hostname, including the ".isp1.com" and ".isp2.com" domains needed to resolve and allow the connection. If I change the order of the hosts it makes no difference - line 10 fails first and no connections are allowed. It does allow IP entries.

I can connect by listing the IP address of the inbound connection in hosts.allow - so this is specifically DNS related, but there is no known DNS outage at the providers right now; I have tested different DNS providers and, as far as I can tell, that works fine too.

This configuration had been running as configured for many months; the only change has been updates from its main and ESM sources. I think the problem lies there, since DNS appears to work.

I recall that at the time of the last successful login before the problem, updates were applied:

Log started: 2024-03-15  06:50:32
(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ... 25%^M(Reading database ... 30%^M(Reading database ... 35%^M(Reading database ... 40%^M(Reading database ... 45%^M(Reading database ... 50%^M(Reading database ... 5>
Preparing to unpack .../libexpat1-dev_2.4.7-1ubuntu0.3_amd64.deb ...
Unpacking libexpat1-dev:amd64 (2.4.7-1ubuntu0.3) over (2.4.7-1ubuntu0.2) ...
Preparing to unpack .../libexpat1_2.4.7-1ubuntu0.3_amd64.deb ...
Unpacking libexpat1:amd64 (2.4.7-1ubuntu0.3) over (2.4.7-1ubuntu0.2) ...
Setting up libexpat1:amd64 (2.4.7-1ubuntu0.3) ...
Setting up libexpat1-dev:amd64 (2.4.7-1ubuntu0.3) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Log ended: 2024-03-15  06:50:52

It may have been updated before that as well:

Log started: 2024-03-13  18:34:36
(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ... 25%^M(Reading database ... 30%^M(Reading database ... 35%^M(Reading database ... 40%^M(Reading database ... 45%^M(Reading database ... 50%^M(Reading database ... 5>
Preparing to unpack .../ubuntu-advantage-tools_31.2~22.04_all.deb ...
Unpacking ubuntu-advantage-tools (31.2~22.04) over (30~22.04) ...
dpkg: warning: unable to delete old directory '/var/lib/ubuntu-advantage': Directory not empty
dpkg: warning: unable to delete old directory '/etc/ubuntu-advantage': Directory not empty
Selecting previously unselected package ubuntu-pro-client.
Preparing to unpack .../ubuntu-pro-client_31.2~22.04_amd64.deb ...
Unpacking ubuntu-pro-client (31.2~22.04) ...
Setting up ubuntu-pro-client (31.2~22.04) ...
Setting up ubuntu-advantage-tools (31.2~22.04) ...
Processing triggers for man-db (2.10.2-1) ...
Log ended: 2024-03-13  18:35:09

Log started: 2024-03-13  18:42:57
(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ... 25%^M(Reading database ... 30%^M(Reading database ... 35%^M(Reading database ... 40%^M(Reading database ... 45%^M(Reading database ... 50%^M(Reading database ... 5>
Preparing to unpack .../ubuntu-pro-client-l10n_31.2~22.04_amd64.deb ...
Unpacking ubuntu-pro-client-l10n (31.2~22.04) over (30~22.04) ...
Setting up ubuntu-pro-client-l10n (31.2~22.04) ...
Log ended: 2024-03-13  18:43:12

Log started: 2024-03-13  18:43:35
(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ... 25%^M(Reading database ... 30%^M(Reading database ... 35%^M(Reading database ... 40%^M(Reading database ... 45%^M(Reading database ... 50%^M(Reading database ... 5>
Preparing to unpack .../apache2-utils_2.4.52-1ubuntu4.8_amd64.deb ...
Unpacking apache2-utils (2.4.52-1ubuntu4.8) over (2.4.52-1ubuntu4.7) ...
Setting up apache2-utils (2.4.52-1ubuntu4.8) ...
Processing triggers for man-db (2.10.2-1) ...
Log ended: 2024-03-13  18:43:41

If anyone knows why this is happening I would like to fix it, because only two connections from two ISPs need to connect via ssh, and the rest are explicitly denied in hosts.deny. Since only the DNS-related entries are not being parsed correctly (or so it appears), regardless of format, I am left with few clues.

Bare IPs work, but the connecting hosts do not have static IPs, so unfortunately that cannot be used in the preferred way.
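As an added illustration (not the poster's configuration or code), here is a small Python model of the check libwrap performs before a hostname pattern in hosts.allow can match, driven by constructed DNS data so it runs offline; the function names `verify_hostname`, `pattern_matches` and `access_allowed` and the sample IPs and hostnames are assumptions. It reproduces the "can't verify hostname" outcome seen in the log: a client whose PTR name has no forward record that resolves can only be admitted by a literal IP entry.

```python
def verify_hostname(ip, reverse_lookup, forward_lookup):
    """Model of the double lookup libwrap performs before a hostname pattern
    in hosts.allow may match: PTR for the client IP, then a forward (A) lookup
    of that name, which must return the client IP again."""
    try:
        name = reverse_lookup(ip)
    except OSError:
        return None, "no PTR record"
    try:
        forward = forward_lookup(name)
    except OSError as exc:
        # Branch behind "can't verify hostname: getaddrinfo(<name>, AF_INET) failed"
        return None, f"can't verify hostname: getaddrinfo({name}, AF_INET) failed: {exc}"
    if ip not in forward:
        return None, f"host name/address mismatch: {ip} not in {forward}"
    return name, "ok"

def pattern_matches(pattern, hostname):
    """hosts_access(5) name matching for the forms used in the question: a
    leading-dot pattern matches any name ending in that suffix; otherwise the
    name must match exactly (case-insensitive)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern

def access_allowed(ip, allow_patterns, reverse_lookup, forward_lookup):
    """True if the client matches a hosts.allow client list. An unverifiable
    name can only be admitted by a literal IP pattern, which is why bare IPs
    kept working in the question while the name entries did not."""
    name, reason = verify_hostname(ip, reverse_lookup, forward_lookup)
    if name is None:
        return ip in allow_patterns, reason
    return any(pattern_matches(p, name) for p in allow_patterns), reason

# Constructed DNS data standing in for the two ISPs (assumed values): isp2 has
# a PTR record but no resolvable forward record, reproducing the log's failure.
PTR = {"203.0.113.10": "dyn-10.isp1.com", "198.51.100.7": "dyn-7.isp2.com"}
A = {"dyn-10.isp1.com": ["203.0.113.10"]}

def fake_ptr(ip):
    if ip not in PTR:
        raise OSError("NXDOMAIN")
    return PTR[ip]

def fake_a(name):
    if name not in A:
        raise OSError("Name or service not known")
    return A[name]
```

Passing `lambda ip: socket.gethostbyaddr(ip)[0]` and a wrapper around `socket.getaddrinfo(name, None, socket.AF_INET)` as the two lookups turns this into a live check of the same PTR-then-A path for a real client IP, which is a quick way to confirm whether the forward record is what is missing.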
