# ssh with Gentoo and WinXP

## GentooBox

Hi

I'm new to ssh.

I want to set up an ssh server on my Gentoo box and do a remote login from my Windows XP box.

I'm using OpenSSH as sshd and PuTTY as client.

I haven't changed anything in /etc/ssh/sshd_config yet.

I just typed "/etc/init.d/sshd start" and then it started.

But when I try to login with PuTTY it just reports:

Network error: connection refused

What should my config look like?

And do you think there is something wrong with my iptables?

```
#!/bin/sh
echo -e "\nLoading GentooBox firewall\n"

# Paths to the tools the script calls
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# eth0 faces the Internet, eth1 faces the LAN
EXTIF="eth0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"

# Pull the external address out of the ifconfig output
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo "  External IP: $EXTIP"

INTNET="192.168.1.0/24"
INTIP="192.168.1.254/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"

UNIVERSE="0.0.0.0/0"

echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

# Load each netfilter module only if lsmod does not already list it
echo -en "    Loading kernel modules: "
echo -en "ip_tables, "
if [ -z "` $LSMOD | $GREP ip_tables | $AWK '{print $1}' `" ]; then
   $MODPROBE ip_tables
fi
echo -en "ip_conntrack, "
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK '{print $1}' `" ]; then
   $MODPROBE ip_conntrack
fi
echo -e "ip_conntrack_ftp, "
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}' `" ]; then
   $MODPROBE ip_conntrack_ftp
fi
echo -en "                             ip_conntrack_irc, "
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}' `" ]; then
   $MODPROBE ip_conntrack_irc
fi
echo -en "iptable_nat, "
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK '{print $1}' `" ]; then
   $MODPROBE iptable_nat
fi
echo -e "ip_nat_ftp"
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}' `" ]; then
   $MODPROBE ip_nat_ftp
fi

echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

echo "  Flushing cache"
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
$IPTABLES -X
$IPTABLES -Z

# User chain that logs a packet and then rejects it
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n   - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# Packets claiming a LAN source address on the external interface are spoofed
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

#Open port 9176
#
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 9176 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p udp -s $UNIVERSE -d $EXTIP --dport 9176 -j ACCEPT

# Catch-all: everything not accepted above is logged and rejected
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading OUTPUT rulesets"
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e "   - Loading FORWARD rulesets"
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

# Opens port 21 for FTP
# NOTE: -A appends this after the INPUT catch-all drop-and-log-it rule above,
# so it is never reached; it would have to be inserted before the catch-all.
$IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

echo -e "\nDone.\n"
```

----------

## Carlos

You shouldn't be able to change any of the SSH config; I've always had it working out-of-the-box on my Gentoo installs.

Are you able to connect to other services on your Gentoo box?  Also, maybe check your hosts.deny and hosts.allow in /etc.

----------

## GentooBox

When I portscan my server, port 22 is closed.

So I added this to my iptables:

```
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT
```

Is this correct?

Look at the rc.firewall script.

----------

## Carlos

 *GentooBox wrote:*   

> When I portscan my server, port 22 is closed.
> 
> So I added this to my iptables:
> 
> ```
> ...
> ```

 I know nothing about firewall configuration.  May as well try and see if it starts working once you add that, though.

----------

## paolo

 *GentooBox wrote:*   

> When I portscan my server, port 22 is closed.
> 
> So I added this to my iptables:
> 
> ```
> ...
> ```

 

Port 21 is for ftp.

22 is ssh.

Open that.

ByEZz,

Paolo

----------

## maalth

For FTP you need 20 and 21, 20 is ftp-data.

----------

## madchaz

You'll need port 22 open on the inside of your network.

Also, if you are paranoid, edit the ssh.conf to turn ssh1 support off. It has known issues with buffer overflows that were fixed with version 2 of the protocol. This is nice if you allow ssh to be talked to from the internet.

----------

## jbrown

You should install cygwin on the XP box and run proper ssh rather than a crappy windows app.

----------

## PowerFactor

 *jbrown wrote:*   

> You should install cygwin on the XP box and run proper ssh rather than a crappy windows app.

:Rolling Eyes: Please don't troll, especially in honest support threads.

The windows app is not at all at fault here, it's just a configuration issue, as others have noted.

----------

## jbrown

 *PowerFactor wrote:*   

> *jbrown wrote:*
> > You should install cygwin on the XP box and run proper ssh rather than a crappy windows app.
> 
> Please don't troll, especially in honest support threads.
> 
> The windows app is not at all at fault here, it's just a configuration issue, as others have noted.

 

sorry

 :Crying or Very sad: 

----------

## PowerFactor

It's ok.  :Wink: 

----------

## scap1784

It may not have made your keys; it will automatically make them if you use /etc/init.d/sshd start as root. Try doing that. Also, PuTTY is a great program; I use it all the time on my friends' computers.  :Smile: 

----------

## TenPin

Rather than paste your iptables script, paste the output of:

```
iptables -L
```

That way we can see what's open/closed.

A decent reason to install cygwin on XP would be to run the ssh *server*. With some faffing you can get a reasonable amount of remote control of your XP box but windows is severely retarded in terms of remote access.

The original reason I installed Linux was because I had neutered my Win2K installation so badly that you could only use it via cygwin. When I tried to reinstall Win2K my HiPoint driver disk was corrupt and I was handed a copy of RedHat7 by jbrown with assurances that it would "just work". Which it did.
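As an added check that is not part of the thread, the function below reads an `iptables -L INPUT -n -v --line-numbers` listing and reports, for a TCP port, whether an ACCEPT rule exists and whether it comes before or after the chain's catch-all rule; `-v` matters because without it the in/out interface columns are not printed and the `lo` accept rule looks like an accept-everything rule. The listing is constructed to mirror the rc.firewall script above, with 203.0.113.10 standing in for `$EXTIP`.

```shell
#!/bin/sh
# Added example, not code from the thread: parse an `iptables -L INPUT -n -v
# --line-numbers` listing and say whether TCP port N is open, closed, or
# "shadowed" by an earlier catch-all rule (a non-ACCEPT rule for all protocols,
# any interface, 0.0.0.0/0 -> 0.0.0.0/0). A jump to a user chain such as
# drop-and-log-it is assumed to terminate, since that chain ends in REJECT.
# The listing below is constructed to mirror the rc.firewall script above.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target          prot opt in     out     source               destination
1        0     0 ACCEPT          all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT          all  --  eth1   *       192.168.1.0/24       0.0.0.0/0
3        0     0 ACCEPT          tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         state NEW,RELATED,ESTABLISHED tcp dpt:9176
4        0     0 drop-and-log-it all  --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 ACCEPT          tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21'

# Usage: port_status "<listing>" <tcp-port>   -> prints open | shadowed | closed
port_status() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^Chain/ || /^num/ { next }          # skip the two header lines
        # remember the first catch-all rule; anything after it is unreachable
        !catchall && $4 != "ACCEPT" && $5 == "all" && $7 == "*" &&
            $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { catchall = $1 }
        $4 == "ACCEPT" && $5 == "tcp" && $0 ~ ("dpt:" port "($|[^0-9])") {
            print (catchall ? "shadowed" : "open"); found = 1; exit
        }
        END { if (!found) print "closed" }'
}

for p in 22 9176 21; do
    printf 'tcp/%s: %s\n' "$p" "$(port_status "$SAMPLE_LISTING" "$p")"
done
```

On the constructed listing port 22 is closed (no rule at all, which is the symptom in this thread), 9176 is open, and the port 21 rule appended at the end of the script is shadowed by the catch-all.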

----------

## echo6

There's nothing wrong with PuTTY,  it's very configurable.   Default port for ssh is tcp port 22 although you can configure it to use another port.

I would advise you check the sshd_config file;

```
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
```

Most of these are set by default but check,  you can then use ssh to log on using a non-root user to a different port.

e.g.

```
ssh -l nonroot-user -p 222 192.168.0.254
```

Also consider using Kerberos if you can.   If you have gnome or kde consider using something like Firestarter,  easier than struggling with iptables.   Your circumstances may vary so don't take this as read.
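The directives echo6 lists can be verified with a small script; this is an added example and not from the thread. It relies on the sshd_config rule that the first uncommented occurrence of a keyword wins, and the config text it reads is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: report the value sshd will actually
# use for a directive. sshd keeps the FIRST uncommented occurrence of a keyword
# (case-insensitive) and ignores later duplicates; lines after a Match keyword
# apply only to matching connections. The config below is constructed; the
# "Keyword=value" spelling sshd also accepts is not handled here. On a real
# host compare against `sshd -T`, which prints the effective configuration.
SAMPLE_CONFIG='# constructed sshd_config
Port 222
#Protocol 2,1
Protocol 2
permitrootlogin yes
PermitRootLogin no
PermitEmptyPasswords no
Match User backup
    X11Forwarding yes'

# Usage: effective_value "<config>" <Keyword>  -> prints the global value, or
# "unset" when the keyword only appears commented out, inside Match, or not at all
effective_value() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank line
        tolower($1) == "match" { exit }                 # rest is conditional
        tolower($1) == want { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Exit 0 only when every directive echo6 lists is set to the recommended value;
# an unset directive fails on purpose so the default is made explicit.
check_hardening() {
    rc=0
    for pair in Protocol:2 PermitRootLogin:no PermitEmptyPasswords:no X11Forwarding:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(effective_value "$1" "$key")
        [ "$got" = "$want" ] || { printf 'FAIL %s is "%s", want %s\n' "$key" "$got" "$want"; rc=1; }
    done
    return $rc
}

check_hardening "$SAMPLE_CONFIG" && echo "sshd_config looks hardened" || echo "sshd_config needs attention"
```

In the constructed file the lower-case `permitrootlogin yes` line wins over the later `PermitRootLogin no`, which is exactly the kind of duplicate a quick eyeball of the file misses.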

----------

## beandog

 *echo6 wrote:*   

> Also consider using kerberos if you can.

 

What is that anyway?  Just another security protocol?

 *echo6 wrote:*   

> If you have gnome or kde consider using something like Firestarter,  easier than struggling with iptables.   Your circumstances may vary so don't take this as read.

 

In running a server, with no GUI installed, I ended up installing projectfiles.com firewall which comes with a very nice console/text gui (whatever you call em).  It was so easy to setup... sure wish more console only proggies could do that.  :Smile: 

Steve

----------

## echo6

 *Quote:*   

> In running a server, with no GUI installed, I ended up installing projectfiles.com firewall

 

Cool,  I'll check that out.

Kerberos,  yet another authentication protocol, yes.

----------

