Can't ssh from one of my machines, help please

 
 
General Schvantzkoph

 
      07-03-2005, 01:33 AM
I've just added a machine to my network. As far as I can tell it's
configured in the same way as all of my other machines with the
following two exceptions,

It has a new Belkin gigabit NIC which I configured using Redhat's network
configuration tools.

It's running a 2.6.12.1 kernel. All of the rest of my machines are running
a 2.6.11.5 kernel.

The problem is that I can't ssh or rlogin from
that machine to any of the others although the other machines can all ssh
into it. The public key for my account on that machine is in the
/etc/ssh/authorized_keys files, I checked that the key is right. The
privileges on the .ssh/* files are identical to those on all of the other
machines. The machine is listed in the /etc/known_hosts file. There are no
firewalls on any of my machines (I use a router). When I try to ssh or
rlogin from that machine I get a permission denied error. If I try to open
Xemacs back to another machine I get a X server not responding
: "localhost:10.0"

which I'm assuming is a manifestation of the same problem.

In /var/log/messages I'm getting

Jul 2 21:18:44 saratoga kernel: audit(1120353524.648:0): avc: denied {
name_connect } for dest=22 scontext=user_u:system_r:unconfined_t
tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Is there something in 2.6.12.1 that is causing the problem? Does anyone
have any other ideas?

Thanks,


 
 
 
 
 
Allen McIntosh

 
      07-03-2005, 02:59 AM

> In /var/log/messages I'm getting
>
> Jul 2 21:18:44 saratoga kernel: audit(1120353524.648:0): avc: denied {
> name_connect } for dest=22 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
>
> Is there something in 2.6.12.1 that is causing the problem? Does anyone
> have any other ideas?


30 seconds with Google (denied name_connect) tells me this is probably
an SELinux error message. I expect you will get more accurate answers
from SELinux related mailing lists. The Google results may even contain
enough information to get you started.
 
 
edamron

 
      07-03-2005, 05:21 AM
Thanks for your reply.

Still can't get to my server from the outside.

 
 
General Schvantzkoph

 
      07-03-2005, 12:45 PM
On Sat, 02 Jul 2005 22:59:28 -0400, Allen McIntosh wrote:

>
>> In /var/log/messages I'm getting
>>
>> Jul 2 21:18:44 saratoga kernel: audit(1120353524.648:0): avc: denied {
>> name_connect } for dest=22 scontext=user_u:system_r:unconfined_t
>> tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
>>
>> Is there something in 2.6.12.1 that is causing the problem? Does anyone
>> have any other ideas?

>
> 30 seconds with Google (denied name_connect) tells me this is probably
> an SELinux error message. I expect you will get more accurate answers
> from SELinux related mailing lists. The Google results may even contain
> enough information to get you started.


It looks like it's a new SELinux feature that was added in 2.6.12.1,
everything is denied unless explicitly allowed. Does anyone know how to
control the SELinux features? For the time being I've dropped back to
2.6.11.5 which works normally.
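
How to read the denial quoted in this thread, as an added example that is not part of any poster's message: the sketch below pulls the source type, target type, object class and permission out of an AVC line and prints them in SELinux policy `allow` syntax, which is the rule the loaded policy lacks. The names `AVC_SAMPLE` and `avc_to_rule` are hypothetical, and the sample is the thread's log line joined onto one line.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in the thread, joined onto one line.
AVC_SAMPLE='Jul 2 21:18:44 saratoga kernel: audit(1120353524.648:0): avc: denied { name_connect } for dest=22 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket'

# avc_to_rule (hypothetical helper): read log lines on stdin and, for each AVC
# denial, print the policy rule it corresponds to plus the destination port.
avc_to_rule() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; port = "-"
        # The denied permissions are the words between the braces.
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            # A context is user:role:type[:level]; the rule uses the type.
            if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (key == "tclass") cls = val
            else if (key == "dest") port = val
        }
        # Skip lines that are truncated or wrapped and lack a field.
        if (perms == "" || src == "" || tgt == "" || cls == "") next
        printf "allow %s %s:%s { %s }; # dest=%s\n", src, tgt, cls, perms, port
    }'
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_rule
```

The printed line describes what was blocked (an `unconfined_t` process opening a TCP connection to a port labelled `reserved_port_t`); whether policy should permit it is a separate decision.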
 
 
Unruh

 
      07-03-2005, 04:06 PM
"edamron" <(E-Mail Removed)> writes:

>Thanks for your reply.


>Still can't get to my server from the outside.


I'm sorry. Look in the logs to get a hint why. We cannot do that.
/var/log/messages, /var/log/syslog
grep -r ssh /var/log
....

 
 
edamron

 
      07-03-2005, 08:22 PM
Wow! Lots of stuff in my logs. So much I can't tell a thing except
that someone is trying to hack me!

/var/log/messages:Jun 30 05:16:37 Stellar-Portal sshd[841]: Invalid
user mikael from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:37 Stellar-Portal sshd[841]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!
/var/log/messages:Jun 30 05:16:38 Stellar-Portal sshd[843]: Invalid
user mikael from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:38 Stellar-Portal sshd[843]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!
/var/log/messages:Jun 30 05:16:39 Stellar-Portal sshd[845]: Invalid
user mikael from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:39 Stellar-Portal sshd[845]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!
/var/log/messages:Jun 30 05:16:40 Stellar-Portal sshd[847]: Invalid
user resin from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:40 Stellar-Portal sshd[847]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!
/var/log/messages:Jun 30 05:16:41 Stellar-Portal sshd[849]: Invalid
user resin from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:41 Stellar-Portal sshd[849]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!
/var/log/messages:Jun 30 05:16:42 Stellar-Portal sshd[851]: Invalid
user resin from ::ffff:67.93.232.174
/var/log/messages:Jun 30 05:16:42 Stellar-Portal sshd[851]: Address
67.93.232.174 maps to chenandassociates.com, but this does not map back
to the address - POSSIBLE BREAKIN ATTEMPT!

For many days the above has been going on!

And these kinds of entries just today:

/var/log/messages:Jul 3 02:00:53 Stellar-Portal sshd[10888]: Invalid
user user from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:54 Stellar-Portal sshd[10890]: Invalid
user user from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:55 Stellar-Portal sshd[10892]: Invalid
user user from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:56 Stellar-Portal sshd[10894]: Invalid
user oracle from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:57 Stellar-Portal sshd[10896]: Invalid
user oracle from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:58 Stellar-Portal sshd[10898]: Invalid
user oracle from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:00:59 Stellar-Portal sshd[10900]: Invalid
user sybase from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:01 Stellar-Portal sshd[10904]: Invalid
user seoulselection from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:02 Stellar-Portal sshd[10906]: Invalid
user anonymous from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:03 Stellar-Portal sshd[10908]: Invalid
user anonymous from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:06 Stellar-Portal sshd[10914]: Invalid
user phpbb2_general from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:07 Stellar-Portal sshd[10916]: Invalid
user mysql from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:08 Stellar-Portal sshd[10918]: Invalid
user mysql from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:09 Stellar-Portal sshd[10920]: Invalid
user mysql from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:10 Stellar-Portal sshd[10922]: Invalid
user tomte1 from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:12 Stellar-Portal sshd[10926]: Invalid
user contabil from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:13 Stellar-Portal sshd[10928]: Invalid
user tara from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:14 Stellar-Portal sshd[10930]: Invalid
user sales from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:23 Stellar-Portal sshd[10948]: Invalid
user carol from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:24 Stellar-Portal sshd[10950]: Invalid
user cesar from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:25 Stellar-Portal sshd[10952]: Invalid
user clark from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:26 Stellar-Portal sshd[10954]: Invalid
user clinton from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:27 Stellar-Portal sshd[10956]: Invalid
user kayla from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:28 Stellar-Portal sshd[10958]: Invalid
user russ from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:29 Stellar-Portal sshd[10960]: Invalid
user white from ::ffff:199.224.80.134
/var/log/messages:Jul 3 02:01:30 Stellar-Portal sshd[10962]: Invalid
user danny from ::ffff:199.224.80.134

What does one do when one sees that one's server is being hammered?

 
 
Unruh

 
      07-03-2005, 10:34 PM
"edamron" <(E-Mail Removed)> writes:

>Wow! Lots of stuff in my logs. So much I can't tell a thing except
>that someone is trying to hack me!


Yes. That is why you need to make sure you use good passwords.


.....
>What does one do when one sees that one's server is being hammered?


Smile that the hammering is failing.

You could contact the IP (try (E-Mail Removed)) but that machine is probably
cracked anyway.
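
One way to condense `grep -r ssh /var/log` output like the excerpt posted earlier in the thread, and to check whether any guessing source ever logged in, as an added example that is not from any poster. `SSHD_SAMPLE` and `ssh_triage` are hypothetical names; the sample lines are constructed in the posted format with documentation addresses.

```shell
#!/bin/sh
# Constructed sample in the format posted above (grep -r file prefix,
# IPv4-mapped sources); addresses are documentation ranges, host is made up.
SSHD_SAMPLE='/var/log/messages:Jul 3 02:00:53 host sshd[10888]: Invalid user user from ::ffff:192.0.2.10
/var/log/messages:Jul 3 02:00:54 host sshd[10890]: Invalid user user from ::ffff:192.0.2.10
/var/log/messages:Jul 3 02:00:56 host sshd[10894]: Invalid user oracle from ::ffff:192.0.2.10
/var/log/messages:Jul 3 02:01:07 host sshd[10916]: Invalid user mysql from ::ffff:192.0.2.10
/var/log/messages:Jul 3 02:03:10 host sshd[11001]: Failed password for root from ::ffff:198.51.100.7 port 40022 ssh2
/var/log/messages:Jul 3 02:03:15 host sshd[11003]: Accepted password for root from ::ffff:198.51.100.7 port 40023 ssh2'

# ssh_triage (hypothetical helper): per source address, count guesses at
# unknown accounts, distinct names tried, failed logins to real accounts and
# accepted logins. REVIEW marks a source that both failed and succeeded.
ssh_triage() {
    awk '
    function src_addr(   i, ip) {        # address after the last "from"
        for (i = NF - 1; i >= 1; i--)
            if ($i == "from") { ip = $(i + 1); sub(/^::ffff:/, "", ip); return ip }
        return ""
    }
    !/sshd\[[0-9]+\]: / { next }
    { ip = src_addr(); if (ip == "") next }
    / Invalid user / {
        seen[ip] = 1; invalid[ip]++
        for (i = 1; i < NF; i++) if ($i == "Invalid") { name = $(i + 2); break }
        if (!((ip, name) in tried)) { tried[ip, name] = 1; users[ip]++ }
        next
    }
    / Failed password for / && !/ for invalid user / { seen[ip] = 1; failed[ip]++; next }
    / Accepted [^ ]+ for / { seen[ip] = 1; accepted[ip]++ }
    END {
        for (ip in seen) {
            bad = invalid[ip] + failed[ip]
            printf "%s invalid=%d users=%d failed=%d accepted=%d %s\n", ip,
                invalid[ip], users[ip], failed[ip], accepted[ip],
                (accepted[ip] > 0 && bad > 0) ? "REVIEW" : "-"
        }
    }' | LC_ALL=C sort
}

printf '%s\n' "$SSHD_SAMPLE" | ssh_triage
```

A source with only `invalid=` counts matches the "hammering is failing" case; a `REVIEW` line is the one worth following up, since it means a login succeeded from an address that had also been failing.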

 
 
Allen McIntosh

 
      07-04-2005, 12:43 AM
> What does one do when one sees that one's server is being hammered?

One sets up iptables to drop SYN packets for the SSH port from all but a
small number of networks.
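
The rule set described in this reply, as an added example that is not the poster's own configuration: the function prints the `iptables` commands for review instead of running them, validates each network, and refuses an empty allow-list, which would lock out every new SSH connection. `ssh_syn_rules` and `valid_cidr` are hypothetical names, and the networks in the demo call are documentation ranges.

```shell
#!/bin/sh
# valid_cidr (hypothetical helper): succeed only for a dotted-quad IPv4
# address with an optional /0-32 prefix length.
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1;; esac
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# ssh_syn_rules PORT NET...: print iptables commands that accept new TCP
# connections (SYN) to PORT only from the listed networks and drop the rest.
ssh_syn_rules() {
    port=$1
    [ "$#" -gt 0 ] && shift
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    # An empty allow-list would drop every new SSH connection, yours included.
    [ "$#" -gt 0 ] || { echo "refusing: no allowed networks given" >&2; return 2; }
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 2; }
    done
    # ACCEPT rules first: iptables stops at the first matching rule.
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s --syn -j ACCEPT\n' "$net" "$port"
    done
    printf 'iptables -A INPUT -p tcp --dport %s --syn -j DROP\n' "$port"
}

# Demo with constructed networks (documentation ranges, not from the thread).
ssh_syn_rules 22 192.0.2.0/24 198.51.100.17
```

Rules added with `-A` are evaluated after whatever is already in the INPUT chain, so list it with `iptables -L INPUT -n --line-numbers` before applying. Established sessions are unaffected because only SYN packets are matched.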
 