SSH connection impossible

Hello,

I have an SSH file server running Debian Squeeze, plus a laptop and a desktop machine, also on Squeeze.
The server's LAN IP is 192.168.1.102. The desktop and laptop IPs are assigned by the box's DHCP server and change from time to time.

I connect to the server from the laptop without any problem, but for some time now it has been impossible from the desktop:

[code]$ ssh mon_user@192.168.1.102
ssh: connect to host 192.168.1.102 port 22: Connection timed out[/code]
or

[code]$ ssh -v mon_user@192.168.1.102
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.102 [192.168.1.102] port 22.
debug1: connect to address 192.168.1.102 port 22: Connection timed out
ssh: connect to host 192.168.1.102 port 22: Connection timed out[/code]

I deleted the /home/mon_user/.ssh/known_hosts file on the client, so the problem doesn't come from there, and I'm stuck...

Thanks!

Hi

Run an nmap against 192.168.1.102 and check iptables on your server

Thanks,

Here is the nmap result from the desktop machine:

[code]# nmap 192.168.1.102

Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-04 09:38 CEST
Interesting ports on 192.168.1.102:
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
111/tcp open rpcbind
113/tcp open auth
MAC Address: 00:1F:D0:8D:DC:72 (Giga-byte Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds[/code]

You can clearly see that port 22 is filtered...

If I run nmap on the laptop:

[code]# nmap 192.168.1.102

Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-04 09:38 CEST
Interesting ports on 192.168.1.102:
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
MAC Address: 00:1F:D0:8D:DC:72 (Giga-byte Technology Co.)

Nmap done: 1 IP address (1 host up) scanned in 1.56 seconds[/code]
Port 22 is indeed open... So that's where the problem is...

It's been a while since I set up this server; I set up iptables using the method given on this forum, plus fail2ban... I don't really know where to look, but I'm reading up on it.

Run iptables -L on your server and show us your sshd_config

I managed to work around the problem by assigning the IP 192.168.1.103 in /etc/network/interfaces; I can connect now, but that doesn't solve anything...

[code]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain fail2ban-ssh (34 references)
target prot opt source destination
DROP all -- inachis.home anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere[/code]

I suppose it's this line that's causing the problem: "DROP all -- inachis.home anywhere"

/etc/ssh/sshd_config:

[code]# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 60
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

# allowed users
AllowUsers mon_user
[/code]

If you don't use iptables, do /etc/init.d/iptables stop and ip6tables stop and test again to see

OK, I've solved the problem:

To re-allow the IP 192.168.1.1:

To prevent bans on the local network:

[code]ignoreip = 192.168.1.0/24[/code]

There you go, may this help someone...

Thanks!
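The thread's diagnosis (a fail2ban DROP rule for the desktop's address in the fail2ban-ssh chain, which is why the desktop saw port 22 as "filtered" while the laptop saw it "open") and its fix (an ignoreip covering the LAN) can both be checked mechanically. The following Python script is an added example, not code from the thread or from fail2ban: it parses iptables -L -n output to list the sources dropped inside fail2ban-managed chains, then tests whether a candidate ignoreip value would have exempted a given client. The iptables output embedded below is constructed for the example (numeric, with -n, so that sources are addresses rather than resolved names like inachis.home); the function names are this example's own.

```python
"""Added example (not from the forum thread): find hosts dropped by fail2ban
chains in `iptables -L -n` output, and check whether a fail2ban `ignoreip`
value covers a client address. All sample data is constructed."""
import ipaddress
import re

# Constructed sample in the shape of `iptables -L -n` on a Debian host running
# fail2ban's ssh jail. 192.168.1.105 stands in for the banned LAN desktop;
# 203.0.113.7 (documentation range) stands in for a real Internet attacker.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  192.168.1.105        0.0.0.0/0
DROP       all  --  203.0.113.7          0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def banned_sources(iptables_output, chain_prefix="fail2ban-"):
    """Return the source column of every DROP rule inside chains whose name
    starts with `chain_prefix` (fail2ban names its chains fail2ban-<jail>)."""
    banned = []
    chain = None
    for line in iptables_output.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            chain = header.group(1)
            continue
        if chain is None or not chain.startswith(chain_prefix):
            continue
        fields = line.split()
        # Columns: target prot opt source destination [...]
        if len(fields) >= 4 and fields[0] == "DROP":
            banned.append(fields[3])
    return banned


def parse_ignoreip(value):
    """Parse a fail2ban `ignoreip` value (space-separated addresses and CIDR
    blocks, as in `ignoreip = 127.0.0.1 192.168.1.0/24`) into networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]


def is_ignored(addr, ignore_networks):
    """True if `addr` falls inside any of the ignoreip networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ignore_networks)


def diagnose(client_ip, iptables_output, ignoreip_value):
    """Summarise why a LAN client may be timing out on port 22: is its address
    currently dropped by fail2ban, and would the given ignoreip exempt it?"""
    return {
        "banned": client_ip in banned_sources(iptables_output),
        "covered_by_ignoreip": is_ignored(client_ip, parse_ignoreip(ignoreip_value)),
    }


if __name__ == "__main__":
    # Before the fix: only localhost is ignored, so the LAN desktop can be banned.
    print(diagnose("192.168.1.105", SAMPLE_IPTABLES_L, "127.0.0.1"))
    # After the thread's fix: the whole LAN is exempt, the external host is not.
    print(diagnose("192.168.1.105", SAMPLE_IPTABLES_L, "127.0.0.1 192.168.1.0/24"))
    print(diagnose("203.0.113.7", SAMPLE_IPTABLES_L, "127.0.0.1 192.168.1.0/24"))
```

On a live server you would feed the script the output of `iptables -L -n` instead of the constructed string; without `-n` the source column shows resolved names (as the thread's inachis.home does), which this parser would report verbatim but could not test against ignoreip. Note that ignoreip only prevents future bans: an address already present in the chain stays dropped until the existing rule is removed.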