SSH:连接被拒绝

SSH:连接被拒绝

SSH连接一直正常,今天不幸断掉了。

我尝试了很多次才解决它。

linux@mylinux:~$ ssh[电子邮件保护]
ssh:连接到主机 XX.XX.XXX.XXX 端口 22:连接被拒绝

linux@mylinux:~$ ssh[电子邮件保护]-p 8787
ssh:连接到主机 XX.XX.XXX.XXX 端口 8787:连接被拒绝

>>>linux@mylinux:~$ ssh [email protected] -vvv
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "XX.XX.XXX.XXX" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.
debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused
ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused

ssh - status

>● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago
 Main PID: 6940 (sshd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/ssh.service
           └─6940 /usr/sbin/sshd -D

另外,我已将openssh-sever其删除并重新安装,但仍无法成功。

当我尝试通过本地主机连接时,连接成功,但在远程站点上却被拒绝。

但我还是没能成功。

为什么我的 SSH 连接被拒绝?

cat /etc/ssh/sshd_config

Host *

*#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

*# This is the sshd server system-wide configuration file.  See
*# sshd_config(5) for more information.

*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

*# The strategy used for options in the default sshd_config shipped with
*# OpenSSH is to specify options with their default value where
*# possible, but leave them commented.  Uncommented options override the
*# default value.

*#Port 22
*#AddressFamily any
*#ListenAddress 0.0.0.0
*#ListenAddress ::

*#HostKey /etc/ssh/ssh_host_rsa_key
*#HostKey /etc/ssh/ssh_host_ecdsa_key
*#HostKey /etc/ssh/ssh_host_ed25519_key

*# Ciphers and keying
*#RekeyLimit default none

*# Logging
*#SyslogFacility AUTH
*#LogLevel INFO

*# Authentication:

*#LoginGraceTime 2m
*#PermitRootLogin prohibit-password
*#StrictModes yes
*#MaxAuthTries 6
*#MaxSessions 10

*#PubkeyAuthentication yes

*# Expect .ssh/authorized_keys2 to be disregarded by default in future.
*#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2

*#AuthorizedPrincipalsFile none

*#AuthorizedKeysCommand none
*#AuthorizedKeysCommandUser nobody

*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
*#HostbasedAuthentication no
*# Change to yes if you don't trust ~/.ssh/known_hosts for
*# HostbasedAuthentication
*#IgnoreUserKnownHosts no
*# Don't read the user's ~/.rhosts and ~/.shosts files
*#IgnoreRhosts yes

*# To disable tunneled clear text passwords, change to no here!
*#PasswordAuthentication yes
*#PermitEmptyPasswords no

*# Change to yes to enable challenge-response passwords (beware issues with
*# some PAM modules and threads)
ChallengeResponseAuthentication no

*# Kerberos options
*#KerberosAuthentication no
*#KerberosOrLocalPasswd yes
*#KerberosTicketCleanup yes
*#KerberosGetAFSToken no

*# GSSAPI options
*#GSSAPIAuthentication no
*#GSSAPICleanupCredentials yes
*#GSSAPIStrictAcceptorCheck yes
*#GSSAPIKeyExchange no

*# Set this to 'yes' to enable PAM authentication, account processing,
*# and session processing. If this is enabled, PAM authentication will
*# be allowed through the ChallengeResponseAuthentication and
*# PasswordAuthentication.  Depending on your PAM configuration,
*# PAM authentication via ChallengeResponseAuthentication may bypass
*# the setting of "PermitRootLogin without-password".
*# If you just want the PAM account and session checks to run without
*# PAM authentication, then enable this but set PasswordAuthentication
*# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

*#AllowAgentForwarding yes
*#AllowTcpForwarding yes
*#GatewayPorts no
X11Forwarding yes
*#X11DisplayOffset 10
*#X11UseLocalhost yes
*#PermitTTY yes
PrintMotd no
*#PrintLastLog yes
*#TCPKeepAlive yes
*#UseLogin no
*#UsePrivilegeSeparation sandbox
*#PermitUserEnvironment no
*#Compression delayed
*#ClientAliveInterval 0
*#ClientAliveCountMax 3
*#UseDNS no
*#PidFile /var/run/sshd.pid
*#MaxStartups 10:30:100
*#PermitTunnel no
*#ChrootDirectory none
*#VersionAddendum none

*# no default banner path
*#Banner none

*# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

*# override default of no subsystems
Subsystem    sftp    /usr/lib/openssh/sftp-server

*# Example of overriding settings on a per-user basis
*#Match User anoncvs
*#    X11Forwarding no
*#    AllowTcpForwarding no
*#    PermitTTY no
*#    ForceCommand cvs server

这里

sudo netstat -tlpena | grep -i“ ssh”

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25237      1260/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          25239      1260/sshd

sudo iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-after-forward
-N ufw-after-input
-N ufw-after-logging-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-output
-N ufw-before-forward
-N ufw-before-input
-N ufw-before-logging-forward
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-output
-N ufw-logging-allow
-N ufw-logging-deny
-N ufw-not-local
-N ufw-reject-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-skip-to-policy-forward
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-track-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-user-forward
-N ufw-user-input
-N ufw-user-limit
-N ufw-user-limit-accept
-N ufw-user-logging-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-output
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT

答案1

使用以下命令编辑您的sshd配置:

Port 22
PermitRootLogin yes

并重启 sshd 服务。另外,不确定为什么你的行以 开头*,这是格式问题吗?如果配置*中有sshd,请执行sed -i 's/^*//g' /etc/ssh/sshd_config

答案2

看来您的防火墙正在阻止连接。请尝试暂时禁用它以确保安全。

具体来说,在 INPUT 上(删除了不相关的部分):

你首先去“ufw-before-input”

-P INPUT DROP
...
-A INPUT -j ufw-before-input

从那里你去“ufw-not-local”

-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -j ufw-not-local

删除除“本地”、“多播”或“广播”之外的所有内容

-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

所以你的

-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT

似乎来得太晚了

相关内容