Unable to ssh into my PC-BSD box

[glrx314]

I have PCBSD 7.0.2 installed on my computer.

When I try to ssh into my system from an outside server I get a timeout error and it doesn't even respond with a password prompt. But when I try ssh from my machine to my own machine, it works just fine.

I have reproduced the relevant files below. Any help is appreciated.

I have sshd running

Code:

[~]$/etc/rc.d/sshd status sshd is running as pid 1267.

I've configured my /etc/ssh/sshd_config file with the following parameters.

Code:

Port 22 #Protocol 2 #AddressFamily any #ListenAddress 155.97.234.205 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 1024 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys2 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # Change to yes to enable built-in password authentication. PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM yes AllowUsers amjith vijay nx #AllowUsers admin #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'no' to disable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM yes AllowUsers amjith vijay nx #AllowUsers admin #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner none # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server

Here is my /etc/allow.hosts

Code:

# The rules here work on a "First match wins" basis. ALL : ALL : allow # Wrapping sshd(8) is not normally a good idea, but if you # need to do it, here's how #sshd : .evil.cracker.example.com : deny # Protect against simple DNS spoofing attacks by checking that the # forward and reverse records for the remote host match. If a mismatch # occurs, access is denied, and any positive ident response within # 20 seconds is logged. No protection is afforded against DNS poisoning, # IP spoofing or more complicated attacks. Hosts with no reverse DNS # pass this rule. ALL : PARANOID : RFC931 20 : deny # Allow anything from localhost. Note that an IP address (not a host # name) *MUST* be specified for rpcbind(8). ALL : localhost 127.0.0.1 : allow # Comment out next line if you build libwrap with NO_INET6=yes. ALL : [::1] : allow ALL : my.machine.example.com 192.0.2.35 : allow # To use IPv6 addresses you must enclose them in []'s ALL : [fe80::%fxp0]/10 : allow ALL : [fe80::]/10 : deny ALL : [2001:db8:2:1:2:3:4:3fe1] : deny ALL : [2001:db8:2:1::]/64 : allow # Sendmail can help protect you against spammers and relay-rapers sendmail : localhost : allow sendmail : .nice.guy.example.com : allow sendmail : .evil.cracker.example.com : deny sendmail : ALL : allow # Exim is an alternative to sendmail, available in the ports tree exim : localhost : allow exim : .nice.guy.example.com : allow exim : .evil.cracker.example.com : deny exim : ALL : allow # Rpcbind is used for all RPC services; protect your NFS! # (IP addresses rather than hostnames *MUST* be used here) rpcbind : 192.0.2.32/255.255.255.224 : allow rpcbind : 192.0.2.96/255.255.255.224 : allow rpcbind : ALL : deny # NIS master server. Only local nets should have access ypserv : localhost : allow ypserv : .unsafe.my.net.example.com : deny ypserv : .my.net.example.com : allow ypserv : ALL : deny # Provide a small amount of protection for ftpd ftpd : localhost : allow ftpd : .nice.guy.example.com : allow ftpd : .evil.cracker.example.com : deny ftpd : ALL : allow # You need to be clever with finger; do _not_ backfinger!! You can easily # start a "finger war". fingerd : ALL \ : spawn (echo Finger. | \ /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ : deny # The rest of the daemons are protected. #ALL : ALL \ # : severity auth.info \ # : twist /bin/echo "You are not welcome to use %d from %h." # denyhosts sshd : /etc/hosts.deniedssh \ : severity auth.info \ : twist /bin/echo "Server %d denied from %h" : deny sshd : ALL : allow

[gwood]

pc-bsd 7.x comes with the pf firewall enabled, and the default ruleset, /etc/pf.conf, is not configured to allow ssh connections from anything but localhost.

In addition, denyhosts is enabled in rc.conf. I believe it may also block ssh connections. It looks innocuous, but I had to disable it in rc.conf to get incoming ssh to work.

I am not a pf guru, but I think something like this will open up ssh from anywhere, assuming your ethernet interface is bfe0:

Code:

pass in on bfe0 proto tcp from any to (bfe0) port 22 keep state

or from one host ('foo.bar.com' by name):

Code:

pass in on bfe0 proto tcp from foo.bar.com to (bfe0) port 22 keep state

or from a list of hosts

Code:

pass in on bfe0 proto tcp from { foo.bar.com, ugh.com } to (bfe0) port 22 keep state

(I am not sure the braces are required)

or from a subnet:

Code:

pass in on bfe0 proto tcp from 98.23.43.0/24 to (bfe0) port 22 keep state

If someone has a working configuration for denyhosts that allows a local subnet and a set of external hosts, please post it. I'm also looking for good tutorials, sample configs or other doc for pf and denyhosts. (yes, I saw /usr/share/examples/pf/).

-g

[TerryP]

This is the principal rule from my machines pf.conf, for ssh'ing in:

Code:

# # allow new incoming tcp/ssh traffic on our usual port # # bind matches to interface # Enable src tracking; limit state creations based on this rule only # Limit the max number of nodes that can simultaneously create state # Limit the max number of simultaneous states per source IP # Limit max simultaneous TCP conn's /w completed handshakes per host # Limit rate of said new conn's to integer / seconds # people who abuse these limits, get fucked off pass in quick on $eiface0 proto tcp \ from <clients> to $eiface0 port $ssh_port \ flags S/SA synproxy state \ (if-bound, source-track rule, max-src-nodes 5, max-src-states 8, \ max-src-conn 8, max-src-conn-rate 12/60, \ overload <fuckoff> flush global)

where $eiface0 = my external interface, $ssh_port is a custom SSH port, and <fuckoff> is a persistent table for people yanking the machines chain, and <clients> is a table of people that should have the right to connect.



I'm not a PF guru either.

This more simple rule would probably work for most PC-BSD users (Note it's written off the top of my head, not battle proven):

Code:

pass in quick on TheInterface proto tcp from any to any port TheSshdPort keep state

When one gets into NAT and stuff, it would get a bit more complicated of course.

[glrx314]

I checked my pf.conf file and it has the following line. msk0 is my ethernet name.

Code:

pass in on msk0 proto tcp from any to (msk0) port 22 keep state

But still I am not able to ssh into my machine. I don't even get a prompt asking for a login or passwd. When I try to ssh, it waits for a long time and then reports a time out error.

[gwood]

just to make sure that pf is not the problem, briefly disable it and try to ssh in from some other box. If this succeeds, then your pf rules need tweaking.

remember to re-enable afterwards.

to disable, use a root shell and enter 'pfctl -d'

to check the status: 'pfctl -s all |grep ^Status'

also, check with denyhosts off:

/usr/local/etc/rc.d/denyhosts stop
ps -ax |grep denyhosts # make sure it is not running

to re-enable pf: 'pfctl -e'
to restart denyhosts: /usr/local/etc/rc.d/denyhosts start