SSH连接一直正常,今天不幸断掉了。
我尝试了很多次才解决它。
linux@mylinux:~$ ssh[电子邮件保护]
ssh:连接到主机 XX.XX.XXX.XXX 端口 22:连接被拒绝linux@mylinux:~$ ssh[电子邮件保护]-p 8787
ssh:连接到主机 XX.XX.XXX.XXX 端口 8787:连接被拒绝
>>>linux@mylinux:~$ ssh [email protected] -vvv
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "XX.XX.XXX.XXX" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.
debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused
ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused
ssh - status
>● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago
Main PID: 6940 (sshd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/ssh.service
└─6940 /usr/sbin/sshd -D
另外,我已将openssh-sever其删除并重新安装,但仍无法成功。
当我尝试通过本地主机连接时,连接成功,但在远程站点上却被拒绝。
但我还是没能成功。
为什么我的 SSH 连接被拒绝?
cat /etc/ssh/sshd_config
Host *
*# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
*# This is the sshd server system-wide configuration file. See
*# sshd_config(5) for more information.
*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
*# The strategy used for options in the default sshd_config shipped with
*# OpenSSH is to specify options with their default value where
*# possible, but leave them commented. Uncommented options override the
*# default value.
*#Port 22
*#AddressFamily any
*#ListenAddress 0.0.0.0
*#ListenAddress ::
*#HostKey /etc/ssh/ssh_host_rsa_key
*#HostKey /etc/ssh/ssh_host_ecdsa_key
*#HostKey /etc/ssh/ssh_host_ed25519_key
*# Ciphers and keying
*#RekeyLimit default none
*# Logging
*#SyslogFacility AUTH
*#LogLevel INFO
*# Authentication:
*#LoginGraceTime 2m
*#PermitRootLogin prohibit-password
*#StrictModes yes
*#MaxAuthTries 6
*#MaxSessions 10
*#PubkeyAuthentication yes
*# Expect .ssh/authorized_keys2 to be disregarded by default in future.
*#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
*#AuthorizedPrincipalsFile none
*#AuthorizedKeysCommand none
*#AuthorizedKeysCommandUser nobody
*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
*#HostbasedAuthentication no
*# Change to yes if you don't trust ~/.ssh/known_hosts for
*# HostbasedAuthentication
*#IgnoreUserKnownHosts no
*# Don't read the user's ~/.rhosts and ~/.shosts files
*#IgnoreRhosts yes
*# To disable tunneled clear text passwords, change to no here!
*#PasswordAuthentication yes
*#PermitEmptyPasswords no
*# Change to yes to enable challenge-response passwords (beware issues with
*# some PAM modules and threads)
ChallengeResponseAuthentication no
*# Kerberos options
*#KerberosAuthentication no
*#KerberosOrLocalPasswd yes
*#KerberosTicketCleanup yes
*#KerberosGetAFSToken no
*# GSSAPI options
*#GSSAPIAuthentication no
*#GSSAPICleanupCredentials yes
*#GSSAPIStrictAcceptorCheck yes
*#GSSAPIKeyExchange no
*# Set this to 'yes' to enable PAM authentication, account processing,
*# and session processing. If this is enabled, PAM authentication will
*# be allowed through the ChallengeResponseAuthentication and
*# PasswordAuthentication. Depending on your PAM configuration,
*# PAM authentication via ChallengeResponseAuthentication may bypass
*# the setting of "PermitRootLogin without-password".
*# If you just want the PAM account and session checks to run without
*# PAM authentication, then enable this but set PasswordAuthentication
*# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
*#AllowAgentForwarding yes
*#AllowTcpForwarding yes
*#GatewayPorts no
X11Forwarding yes
*#X11DisplayOffset 10
*#X11UseLocalhost yes
*#PermitTTY yes
PrintMotd no
*#PrintLastLog yes
*#TCPKeepAlive yes
*#UseLogin no
*#UsePrivilegeSeparation sandbox
*#PermitUserEnvironment no
*#Compression delayed
*#ClientAliveInterval 0
*#ClientAliveCountMax 3
*#UseDNS no
*#PidFile /var/run/sshd.pid
*#MaxStartups 10:30:100
*#PermitTunnel no
*#ChrootDirectory none
*#VersionAddendum none
*# no default banner path
*#Banner none
*# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
*# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
*# Example of overriding settings on a per-user basis
*#Match User anoncvs
*# X11Forwarding no
*# AllowTcpForwarding no
*# PermitTTY no
*# ForceCommand cvs server
这里
sudo netstat -tlpena | grep -i“ ssh”
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 25237 1260/sshd
tcp6 0 0 :::22 :::* LISTEN 0 25239 1260/sshd
和
sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
答案1
使用以下命令编辑您的sshd配置:
Port 22
PermitRootLogin yes
并重启 sshd 服务。另外,不确定为什么你的行以 开头*,这是格式问题吗?如果配置*中有sshd,请执行sed -i 's/^*//g' /etc/ssh/sshd_config
答案2
看来您的防火墙正在阻止连接。请尝试暂时禁用它以确保安全。
具体来说,在 INPUT 上(删除了不相关的部分):
你首先去“ufw-before-input”
-P INPUT DROP
...
-A INPUT -j ufw-before-input
从那里你去“ufw-not-local”
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-not-local
删除除“本地”、“多播”或“广播”之外的所有内容
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
所以你的
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
似乎来得太晚了