Why is OpenSSH blocking connections from dynamic IP addresses?
Answered
OpenSSH is blocking connections from all IP addresses except the first one it successfully connected from, but I can't figure out why or how. It's running on Ubuntu 22.04 LTS and cPanel 118 with CSF firewall using iptables. UFW and firewalld are disabled. The server also had nftables, so I uninstalled it, in case that was the cause. Password authentication is not allowed, and this is what I see after attempting to log in using a public/private key pair:
# fgrep ddd.ddd.ddd.ddd /var/log/syslog | tail -2
Apr 4 09:33:55 server kernel: [ 1588.252786] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0a:3b:02:e5:d5:12:34:56:78:9c:b9:08:00 SRC=ddd.ddd.ddd.ddd DST=10.1.0.4 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=1006 DF PROTO=TCP SPT=54415 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 4 09:33:59 server kernel: [ 1592.265238] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0a:3b:02:e5:d5:12:34:56:78:9c:b9:08:00 SRC=ddd.ddd.ddd.ddd DST=10.1.0.4 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=1011 DF PROTO=TCP SPT=54415 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
# iptables -L -n | fgrep ddd.ddd.ddd.ddd
#
So, it was blocked at the firewall, but the firewall has no knowledge of it! I can log into WHM and access normal web pages from that IP address, but not with ssh.
The first successful connection was from a static IP address, and I can still connect from that, but not any other. The file ~/.ssh/authorized_keys does not contain a "from=" to limit connections to a specific IP address.
I've also tried adding "sshd:ALL:allow" to /etc/hosts.allow, but that made no difference. There's nothing in /etc/hosts.deny.
Any suggestions for how to fix this would be appreciated!
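A small triage helper, added here as an example and not part of the original post or of CSF itself: it summarises CSF-style "Firewall: *TCP_IN Blocked*" kernel log lines by source address and destination port, and checks whether a given port is covered by the TCP_IN list of a csf.conf. The log lines and config lines are constructed for the example (addresses taken from the documentation ranges); the `TCP_IN = "..."` line format, with comma-separated ports and `low:high` ranges, is assumed to match what csf.conf uses.

```shell
#!/bin/sh
# Added example: triage CSF "*TCP_IN Blocked*" log lines and check a port against csf.conf TCP_IN.
# All sample data below is constructed for this example; it is not taken from a real host.

# Constructed log lines modelled on the ones in the post (203.0.113.x / 198.51.100.x are
# documentation addresses). The last line is an unrelated sshd line that must be ignored.
SAMPLE_LOG='Apr 4 09:33:55 server kernel: [ 1588.252786] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0a:3b:02:e5:d5:12:34:56:78:9c:b9:08:00 SRC=203.0.113.10 DST=10.1.0.4 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=1006 DF PROTO=TCP SPT=54415 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 4 09:33:59 server kernel: [ 1592.265238] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0a:3b:02:e5:d5:12:34:56:78:9c:b9:08:00 SRC=203.0.113.10 DST=10.1.0.4 LEN=52 TOS=0x00 PREC=0x00 TTL=108 ID=1011 DF PROTO=TCP SPT=54416 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 4 09:34:10 server kernel: [ 1603.101010] Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:0a:3b:02:e5:d5:12:34:56:78:9c:b9:08:00 SRC=198.51.100.7 DST=10.1.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 4 09:34:12 server sshd[1234]: Accepted publickey for root from 192.0.2.5 port 51000 ssh2'

# Constructed csf.conf fragments (assumed format: TCP_IN = "port,port,low:high,...").
SAMPLE_CSF_WITH22='TCP_IN = "20,21,22,25,53,80,110,143,443,30000:35000"'
SAMPLE_CSF_NO22='TCP_IN = "20,21,25,53,80,110,143,443,2222"'

# Read log lines on stdin; print "SRC DPT count" for every blocked inbound TCP attempt,
# most frequent first. Only the CSF block marker is matched, so other log lines are skipped.
blocked_summary() {
    grep -F 'Firewall: *TCP_IN Blocked*' | awk '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") n[src " " dpt]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Read csf.conf text on stdin; return 0 if port $1 is listed in TCP_IN (as a single port or
# inside a low:high range), 1 otherwise. A port absent from TCP_IN is exactly what produces
# "*TCP_IN Blocked*" entries for clients that are not separately allowed.
port_in_tcp_in() {
    port=$1
    list=$(sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$list" ] || return 1
    echo "$list" | tr ',' '\n' | awk -v p="$port" '
        /:/ { split($0, r, ":"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) found = 1; next }
        $0 + 0 == p + 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed data.
echo "Blocked inbound TCP by source and port:"
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
for cfg in "$SAMPLE_CSF_WITH22" "$SAMPLE_CSF_NO22"; do
    if printf '%s\n' "$cfg" | port_in_tcp_in 22; then
        echo "port 22 is open in: $cfg"
    else
        echo "port 22 is NOT open in: $cfg"
    fi
done
```

A "*TCP_IN Blocked*" entry is CSF's log for an inbound TCP packet that matched none of its accept rules, so the rule that dropped it is keyed on the port, not on the client address; that is why grepping `iptables -L -n` for the address finds nothing. On the live host, inspect the ruleset by port instead (`iptables -S | grep -- '--dport 22'`) and, if csf.conf has LF_IPSET enabled, look in `ipset list`, since allowed and denied addresses then live in ipsets rather than in individual iptables rules. One explanation consistent with the thread, stated here as a hypothesis rather than something the post confirms, is that the one working static address is listed in csf.allow and is accepted before the port check, while every other address falls through to a port that TCP_IN does not open.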
Hey hey! I'm not sure I have a good explanation for this one since it seems to be limited to openssh and not cPanel itself. After you adjusted the sshd:all:allow section, did you restart the SSH service?
Thanks for the suggestion. I've configured sshd to run on a second port, open on the firewall, and have been able to login on that (after restarting sshd!) so this will do as a workaround. I'll be sure after I've checked it from another IP address and will get back with the result.
Using another port for ssh has resolved this issue for me and I can now connect from any IP address.
I'm glad to hear things are working well now!