# SSH listening, but not responding [RESOLVED]

## triwebb1

Hello. I have emerged openssh and started sshd, but I cannot ssh to my box. I believe the standard config for sshd will accept connections without modification, however just to be certain I changed the listen address to my IP and uncommented the listen port so that I know it is listening on 22. I start the service and do a `netstat -a` and I see that it is listening on port 22, however when I try to ssh to the IP it is listening on it just times out after about 2 minutes. I get no response at all. I have iptables installed and running, however there are no rules in any of the tables and they are all set to accept, so I'm pretty sure the firewall is not the problem.

Does anyone have any ideas? I have tried openssh 5.1_p1-r2 as well as the latest unmasked version (don't remember which one that is) and they both have the same issue.

Last edited by triwebb1 on Thu Sep 25, 2008 2:36 am; edited 1 time in total

----------

## ianw1974

Did you try stopping iptables to see if you could get access to SSH?  If that didn't work, also check /etc/hosts.allow and /etc/hosts.deny to see if you have a deny all in there which could be stopping you from connecting as well.

----------

## infinite1der

If iptables is not your problem, run sshd directly and watch closely:

```
/usr/sbin/sshd -d
```

----------

## triwebb1

It turns out that iptables was never even started. I ran `/usr/sbin/sshd -d` and it shows that it is listening on the right port and IP, but when I open another xterm and try to ssh to the IP it is listening on, nothing happens. The sshd output shows nothing, and the output from the ssh command says connection timed out (after 2 minutes).

I didn't have an /etc/hosts.allow or /etc/hosts.deny.  I created an allow file and allowed sshd for my subnet, but that didn't appear to change anything.

----------

## triwebb1

I just emerged pure-ftpd, edited the config, and started it. Netstat shows it listening, but I cannot ftp to my box. This appears to be a general security issue, not specific to any service. I do not have inetd or xinetd installed, and iptables has not been started. What else could be blocking these services?

----------

## ncl

Can you ping the server from the client and vice versa?

----------

## ZeuZ_NG

Moreover, from the same host where the daemon is running, can you connect to yourself (that is, localhost, 127.0.0.1) on the port in question?

If yes, then we might get a clue of what's going wrong.

----------

## triwebb1

Everything I have done is on/from the same computer.  This is all on/from my desktop computer.  I cannot connect to any net services on my computer from my computer.  

I just tried pinging myself, and I cannot.  I cannot even ping the loopback.  Weird.

----------

## ZeuZ_NG

What about pingin' from the outside?

Perhaps every policy in iptables is set to drop apart from outgoing?

----------

## overkll

Just for kicks, what's the output of

```
# iptables -L -nv
```

?

Even though you previously stated that you turned it off, it may have left the default policies at DENY or DROP, instead of ACCEPT. I have iptables installed, but I haven't configured it yet (usually use shorewall for that) and the output of `iptables -L -nv` clearly shows the policies' values:

```
# iptables -L -nv
Chain INPUT (policy ACCEPT 220K packets, 246M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 161K packets, 42M bytes)
 pkts bytes target     prot opt in     out     source               destination
```

It wouldn't hurt to double-check.

----------

## triwebb1

Here is the output from `iptables -L -nv`:

```
Chain INPUT (policy ACCEPT 957 packets, 706K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 984 packets, 218K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

----------

## ZeuZ_NG

I would rather go after `iptables -L` and `iptables -t nat -L`

----------

## triwebb1

```
GentooBox tristan # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

GentooBox tristan # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Could there be some kernel thing getting in the way?  I'm going to look through the networking stuff in the menuconfig, though I don't think I'll find anything...

----------

## overkll

I always go back to basics when troubleshooting.

Correct drivers either as module(s) or in-kernel?

Are the interfaces up? `ifconfig`

Are they configured correctly - ip, brdcast, route?

Did the net.* services start?

Ah, you are trying to do NAT. Did you enable ip_forwarding?

```
cat /proc/sys/net/ipv4/ip_forward
```

should return 1 if enabled, 0 if disabled.

If it's not enabled:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Other than that, I'm out of ideas.

----------

## iloose2

What does this command show?

```
netstat -ant
```

What happens if you try to ssh to the machine from itself?

```
ssh localhost
```

----------

## triwebb1

```
GentooBox tristan # netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
```

So I CAN ping and ssh my computer from another computer on the network. 

My computer can communicate with other computers just fine, but it can't communicate with itself properly.  I cannot ping my computer from my computer (tried 127.0.0.1 as well as my ip), but I can ping my computer from another computer.  I cannot ssh to my computer from my computer, but I can ssh to my computer from another computer.

Here is my ifconfig (I see no problems here though...):

```
eth1      Link encap:Ethernet  HWaddr 00:04:4B:17:03:EB
          inet addr:-M-.-Y-.-I-.-P-  Bcast:MY.BC.AS.T  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2439 errors:0 dropped:0 overruns:0 frame:0
          TX packets:821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:735403 (718.1 Kb)  TX bytes:160899 (157.1 Kb)
          Interrupt:252 Base address:0xc000
```

I guess I should also point out that I am not using the net.eth0/net.eth1 script. I made my own script that gives the interfaces IPs and subnet masks, brings them up, and sets the routes. I hate all that fancy crap that is integral to the net.* scripts. And the config files didn't work right for me (I probably didn't configure them right...). Anyway, like I said, I can browse the net and download files from my computer just fine. I can SSH and ping my computer from another computer on the network with no problems. I just can't communicate with my computer from my computer. My routing table has three entries - a default gw, a route to the 10.0.0.0 that is on one interface, and a route to my external subnet. Note, I am not trying to do NAT right now. Iptables is all clear and accepting, and not running.

So what would stop me from pinging my own loopback?

----------

## jamapii

Is your "lo" interface up? What does `ifconfig lo` output?

Maybe /etc/init.d/net.lo is not started

----------

## triwebb1

I just figured that out myself.  The problem was that I had no lo interface configured.  DOH!

Thank you all for your help!

----------

## overkll

Like I said, back to basics... ;)

----------
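As an added example (not code from the thread or from any poster), a small POSIX shell script that turns the checks raised above into a repeatable diagnostic for the "listening but unreachable from itself" symptom: it reads a chain's default policy out of `iptables -L` output and looks for the UP flag on an interface in old-style `ifconfig -a` output, the missing piece that turned out to be the cause here. The `diagnose` function, its helpers and the sample outputs are my own constructions; the function names are assumptions.

```shell
#!/bin/sh
# Added helpers for this thread's symptom: netstat shows the daemon in LISTEN,
# yet connecting to it from the same box times out. Two of the causes raised
# above are checked: a firewall chain whose default policy is DROP, and (the
# actual cause here) a loopback interface that was never brought up. Each
# helper parses tool output on stdin, so it runs on the constructed samples
# below or on live output:  ifconfig -a | iface_is_up lo && echo "lo is up"

# Print the default policy of one chain from `iptables -L [-nv]` output.
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4 }'
}

# Exit 0 if the interface's block in net-tools style `ifconfig -a` output
# carries the UP flag; an interface that exists but is down (lo without
# net.lo) exits 1.
iface_is_up() {
    awk -v iface="$1" '
        $1 == iface { inblock = 1; next }   # first line of the wanted block
        /^[^ ]/     { inblock = 0 }         # first line of some other block
        inblock     { for (i = 1; i <= NF; i++) if ($i == "UP") up = 1 }
        END         { exit !up }'
}

# Run both checks; print one line per finding, return the number of findings.
#   $1 = `iptables -L` text   $2 = `ifconfig -a` text
diagnose() {
    hits=0
    for chain in INPUT OUTPUT; do
        pol=$(printf '%s\n' "$1" | chain_policy "$chain")
        [ -z "$pol" ] || [ "$pol" = ACCEPT ] ||
            { echo "firewall: $chain default policy is $pol"; hits=$((hits + 1)); }
    done
    printf '%s\n' "$2" | iface_is_up lo ||
        { echo "loopback: lo is not UP (the fix in this thread: start net.lo)"; hits=$((hits + 1)); }
    return $hits
}

# Constructed samples (not the thread's real output): eth1 is up, lo exists
# but is down, and the INPUT chain's policy has been left at DROP.
IFCONFIG_SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.15  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          LOOPBACK  MTU:16436  Metric:1'
IPTABLES_SAMPLE='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 161K packets, 42M bytes)'

diagnose "$IPTABLES_SAMPLE" "$IFCONFIG_SAMPLE" || echo "$? problem(s) found"
```

Against the samples it reports the DROP policy and the down loopback, so a box in the thread's state would show only the second line; once net.lo is started `iface_is_up lo` succeeds and the finding disappears.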

