SSH: Connection refused





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







1















SSH connection has been working properly, but today unfortunately it stopped.



I had lots of tries to solve it.






linux@mylinux:~$ ssh root@XX.XX.XXX.XXX

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -p 8787

ssh: connect to host XX.XX.XXX.XXX port 8787: Connection refused






>>>linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -vvv

OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug2: resolving "XX.XX.XXX.XXX" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.

debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



ssh - status



>● ssh.service - OpenBSD Secure Shell server

   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago

 Main PID: 6940 (sshd)

    Tasks: 1 (limit: 4915)

   CGroup: /system.slice/ssh.service

           └─6940 /usr/sbin/sshd -D


Also, I have removed openssh-sever and reinstalled it, but it can not succeed.



When I try to connect via localhost then it is a success, but on a remote site it is refused.



But I still can not succeed.



Why is my SSH connection refused?



cat /etc/ssh/sshd_config



Host *



*#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $



*# This is the sshd server system-wide configuration file.  See

*# sshd_config(5) for more information.



*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin



*# The strategy used for options in the default sshd_config shipped with

*# OpenSSH is to specify options with their default value where

*# possible, but leave them commented.  Uncommented options override the

*# default value.



*#Port 22

*#AddressFamily any

*#ListenAddress 0.0.0.0

*#ListenAddress ::



*#HostKey /etc/ssh/ssh_host_rsa_key

*#HostKey /etc/ssh/ssh_host_ecdsa_key

*#HostKey /etc/ssh/ssh_host_ed25519_key



*# Ciphers and keying

*#RekeyLimit default none



*# Logging

*#SyslogFacility AUTH

*#LogLevel INFO



*# Authentication:



*#LoginGraceTime 2m

*#PermitRootLogin prohibit-password

*#StrictModes yes

*#MaxAuthTries 6

*#MaxSessions 10



*#PubkeyAuthentication yes



*# Expect .ssh/authorized_keys2 to be disregarded by default in future.

*#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2



*#AuthorizedPrincipalsFile none



*#AuthorizedKeysCommand none

*#AuthorizedKeysCommandUser nobody



*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

*#HostbasedAuthentication no

*# Change to yes if you don't trust ~/.ssh/known_hosts for

*# HostbasedAuthentication

*#IgnoreUserKnownHosts no

*# Don't read the user's ~/.rhosts and ~/.shosts files

*#IgnoreRhosts yes



*# To disable tunneled clear text passwords, change to no here!

*#PasswordAuthentication yes

*#PermitEmptyPasswords no



*# Change to yes to enable challenge-response passwords (beware issues with

*# some PAM modules and threads)

ChallengeResponseAuthentication no



*# Kerberos options

*#KerberosAuthentication no

*#KerberosOrLocalPasswd yes

*#KerberosTicketCleanup yes

*#KerberosGetAFSToken no



*# GSSAPI options

*#GSSAPIAuthentication no

*#GSSAPICleanupCredentials yes

*#GSSAPIStrictAcceptorCheck yes

*#GSSAPIKeyExchange no



*# Set this to 'yes' to enable PAM authentication, account processing,

*# and session processing. If this is enabled, PAM authentication will

*# be allowed through the ChallengeResponseAuthentication and

*# PasswordAuthentication.  Depending on your PAM configuration,

*# PAM authentication via ChallengeResponseAuthentication may bypass

*# the setting of "PermitRootLogin without-password".

*# If you just want the PAM account and session checks to run without

*# PAM authentication, then enable this but set PasswordAuthentication

*# and ChallengeResponseAuthentication to 'no'.

UsePAM yes



*#AllowAgentForwarding yes

*#AllowTcpForwarding yes

*#GatewayPorts no

X11Forwarding yes

*#X11DisplayOffset 10

*#X11UseLocalhost yes

*#PermitTTY yes

PrintMotd no

*#PrintLastLog yes

*#TCPKeepAlive yes

*#UseLogin no

*#UsePrivilegeSeparation sandbox

*#PermitUserEnvironment no

*#Compression delayed

*#ClientAliveInterval 0

*#ClientAliveCountMax 3

*#UseDNS no

*#PidFile /var/run/sshd.pid

*#MaxStartups 10:30:100

*#PermitTunnel no

*#ChrootDirectory none

*#VersionAddendum none



*# no default banner path

*#Banner none



*# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



*# override default of no subsystems

Subsystem    sftp    /usr/lib/openssh/sftp-server



*# Example of overriding settings on a per-user basis

*#Match User anoncvs

*#    X11Forwarding no

*#    AllowTcpForwarding no

*#    PermitTTY no

*#    ForceCommand cvs server


Here






sudo netstat -tlpena | grep -i "ssh"






tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25237      1260/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      0          25239      1260/sshd


AND






sudo iptables -S






-P INPUT DROP

-P FORWARD DROP

-P OUTPUT ACCEPT

-N ufw-after-forward

-N ufw-after-input

-N ufw-after-logging-forward

-N ufw-after-logging-input

-N ufw-after-logging-output

-N ufw-after-output

-N ufw-before-forward

-N ufw-before-input

-N ufw-before-logging-forward

-N ufw-before-logging-input

-N ufw-before-logging-output

-N ufw-before-output

-N ufw-logging-allow

-N ufw-logging-deny

-N ufw-not-local

-N ufw-reject-forward

-N ufw-reject-input

-N ufw-reject-output

-N ufw-skip-to-policy-forward

-N ufw-skip-to-policy-input

-N ufw-skip-to-policy-output

-N ufw-track-forward

-N ufw-track-input

-N ufw-track-output

-N ufw-user-forward

-N ufw-user-input

-N ufw-user-limit

-N ufw-user-limit-accept

-N ufw-user-logging-forward

-N ufw-user-logging-input

-N ufw-user-logging-output

-N ufw-user-output

-A INPUT -j ufw-before-logging-input

-A INPUT -j ufw-before-input

-A INPUT -j ufw-after-input

-A INPUT -j ufw-after-logging-input

-A INPUT -j ufw-reject-input

-A INPUT -j ufw-track-input

-A FORWARD -j ufw-before-logging-forward

-A FORWARD -j ufw-before-forward

-A FORWARD -j ufw-after-forward

-A FORWARD -j ufw-after-logging-forward

-A FORWARD -j ufw-reject-forward

-A FORWARD -j ufw-track-forward

-A OUTPUT -j ufw-before-logging-output

-A OUTPUT -j ufw-before-output

-A OUTPUT -j ufw-after-output

-A OUTPUT -j ufw-after-logging-output

-A OUTPUT -j ufw-reject-output

-A OUTPUT -j ufw-track-output

-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input

-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-forward -j ufw-user-forward

-A ufw-before-input -i lo -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A ufw-before-input -j ufw-not-local

-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

-A ufw-before-input -j ufw-user-input

-A ufw-before-output -o lo -j ACCEPT

-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-output -j ufw-user-output

-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "

-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny

-A ufw-not-local -j DROP

-A ufw-skip-to-policy-forward -j DROP

-A ufw-skip-to-policy-input -j DROP

-A ufw-skip-to-policy-output -j ACCEPT

-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT

-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "

-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable

-A ufw-user-limit-accept -j ACCEPT





ssh 17.04







share|improve this question

























  • Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

    – fugitive
    Nov 18 '17 at 11:02











  • Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

    – vidarlo
    Nov 18 '17 at 11:02











  • lol @vidarlo :)

    – fugitive
    Nov 18 '17 at 11:02











  • @vidarlo yeah there is firewall but i do not there is blocking access or not

    – ketty
    Nov 18 '17 at 11:03






  • 1





    Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

    – fugitive
    Nov 18 '17 at 11:04




















1















SSH connection has been working properly, but today unfortunately it stopped.



I had lots of tries to solve it.






linux@mylinux:~$ ssh root@XX.XX.XXX.XXX

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -p 8787

ssh: connect to host XX.XX.XXX.XXX port 8787: Connection refused






>>>linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -vvv

OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug2: resolving "XX.XX.XXX.XXX" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.

debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



ssh - status



>● ssh.service - OpenBSD Secure Shell server

   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago

 Main PID: 6940 (sshd)

    Tasks: 1 (limit: 4915)

   CGroup: /system.slice/ssh.service

           └─6940 /usr/sbin/sshd -D


Also, I have removed openssh-sever and reinstalled it, but it can not succeed.



When I try to connect via localhost then it is a success, but on a remote site it is refused.



But I still can not succeed.



Why is my SSH connection refused?



cat /etc/ssh/sshd_config



Host *



*#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $



*# This is the sshd server system-wide configuration file.  See

*# sshd_config(5) for more information.



*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin



*# The strategy used for options in the default sshd_config shipped with

*# OpenSSH is to specify options with their default value where

*# possible, but leave them commented.  Uncommented options override the

*# default value.



*#Port 22

*#AddressFamily any

*#ListenAddress 0.0.0.0

*#ListenAddress ::



*#HostKey /etc/ssh/ssh_host_rsa_key

*#HostKey /etc/ssh/ssh_host_ecdsa_key

*#HostKey /etc/ssh/ssh_host_ed25519_key



*# Ciphers and keying

*#RekeyLimit default none



*# Logging

*#SyslogFacility AUTH

*#LogLevel INFO



*# Authentication:



*#LoginGraceTime 2m

*#PermitRootLogin prohibit-password

*#StrictModes yes

*#MaxAuthTries 6

*#MaxSessions 10



*#PubkeyAuthentication yes



*# Expect .ssh/authorized_keys2 to be disregarded by default in future.

*#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2



*#AuthorizedPrincipalsFile none



*#AuthorizedKeysCommand none

*#AuthorizedKeysCommandUser nobody



*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

*#HostbasedAuthentication no

*# Change to yes if you don't trust ~/.ssh/known_hosts for

*# HostbasedAuthentication

*#IgnoreUserKnownHosts no

*# Don't read the user's ~/.rhosts and ~/.shosts files

*#IgnoreRhosts yes



*# To disable tunneled clear text passwords, change to no here!

*#PasswordAuthentication yes

*#PermitEmptyPasswords no



*# Change to yes to enable challenge-response passwords (beware issues with

*# some PAM modules and threads)

ChallengeResponseAuthentication no



*# Kerberos options

*#KerberosAuthentication no

*#KerberosOrLocalPasswd yes

*#KerberosTicketCleanup yes

*#KerberosGetAFSToken no



*# GSSAPI options

*#GSSAPIAuthentication no

*#GSSAPICleanupCredentials yes

*#GSSAPIStrictAcceptorCheck yes

*#GSSAPIKeyExchange no



*# Set this to 'yes' to enable PAM authentication, account processing,

*# and session processing. If this is enabled, PAM authentication will

*# be allowed through the ChallengeResponseAuthentication and

*# PasswordAuthentication.  Depending on your PAM configuration,

*# PAM authentication via ChallengeResponseAuthentication may bypass

*# the setting of "PermitRootLogin without-password".

*# If you just want the PAM account and session checks to run without

*# PAM authentication, then enable this but set PasswordAuthentication

*# and ChallengeResponseAuthentication to 'no'.

UsePAM yes



*#AllowAgentForwarding yes

*#AllowTcpForwarding yes

*#GatewayPorts no

X11Forwarding yes

*#X11DisplayOffset 10

*#X11UseLocalhost yes

*#PermitTTY yes

PrintMotd no

*#PrintLastLog yes

*#TCPKeepAlive yes

*#UseLogin no

*#UsePrivilegeSeparation sandbox

*#PermitUserEnvironment no

*#Compression delayed

*#ClientAliveInterval 0

*#ClientAliveCountMax 3

*#UseDNS no

*#PidFile /var/run/sshd.pid

*#MaxStartups 10:30:100

*#PermitTunnel no

*#ChrootDirectory none

*#VersionAddendum none



*# no default banner path

*#Banner none



*# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



*# override default of no subsystems

Subsystem    sftp    /usr/lib/openssh/sftp-server



*# Example of overriding settings on a per-user basis

*#Match User anoncvs

*#    X11Forwarding no

*#    AllowTcpForwarding no

*#    PermitTTY no

*#    ForceCommand cvs server


Here






sudo netstat -tlpena | grep -i "ssh"






tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25237      1260/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      0          25239      1260/sshd


AND






sudo iptables -S






-P INPUT DROP

-P FORWARD DROP

-P OUTPUT ACCEPT

-N ufw-after-forward

-N ufw-after-input

-N ufw-after-logging-forward

-N ufw-after-logging-input

-N ufw-after-logging-output

-N ufw-after-output

-N ufw-before-forward

-N ufw-before-input

-N ufw-before-logging-forward

-N ufw-before-logging-input

-N ufw-before-logging-output

-N ufw-before-output

-N ufw-logging-allow

-N ufw-logging-deny

-N ufw-not-local

-N ufw-reject-forward

-N ufw-reject-input

-N ufw-reject-output

-N ufw-skip-to-policy-forward

-N ufw-skip-to-policy-input

-N ufw-skip-to-policy-output

-N ufw-track-forward

-N ufw-track-input

-N ufw-track-output

-N ufw-user-forward

-N ufw-user-input

-N ufw-user-limit

-N ufw-user-limit-accept

-N ufw-user-logging-forward

-N ufw-user-logging-input

-N ufw-user-logging-output

-N ufw-user-output

-A INPUT -j ufw-before-logging-input

-A INPUT -j ufw-before-input

-A INPUT -j ufw-after-input

-A INPUT -j ufw-after-logging-input

-A INPUT -j ufw-reject-input

-A INPUT -j ufw-track-input

-A FORWARD -j ufw-before-logging-forward

-A FORWARD -j ufw-before-forward

-A FORWARD -j ufw-after-forward

-A FORWARD -j ufw-after-logging-forward

-A FORWARD -j ufw-reject-forward

-A FORWARD -j ufw-track-forward

-A OUTPUT -j ufw-before-logging-output

-A OUTPUT -j ufw-before-output

-A OUTPUT -j ufw-after-output

-A OUTPUT -j ufw-after-logging-output

-A OUTPUT -j ufw-reject-output

-A OUTPUT -j ufw-track-output

-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input

-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-forward -j ufw-user-forward

-A ufw-before-input -i lo -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A ufw-before-input -j ufw-not-local

-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

-A ufw-before-input -j ufw-user-input

-A ufw-before-output -o lo -j ACCEPT

-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-output -j ufw-user-output

-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "

-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny

-A ufw-not-local -j DROP

-A ufw-skip-to-policy-forward -j DROP

-A ufw-skip-to-policy-input -j DROP

-A ufw-skip-to-policy-output -j ACCEPT

-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT

-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "

-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable

-A ufw-user-limit-accept -j ACCEPT





ssh 17.04







share|improve this question

























  • Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

    – fugitive
    Nov 18 '17 at 11:02











  • Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

    – vidarlo
    Nov 18 '17 at 11:02











  • lol @vidarlo :)

    – fugitive
    Nov 18 '17 at 11:02











  • @vidarlo yeah there is firewall but i do not there is blocking access or not

    – ketty
    Nov 18 '17 at 11:03






  • 1





    Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

    – fugitive
    Nov 18 '17 at 11:04
















1












1








1


1






SSH connection has been working properly, but today unfortunately it stopped.



I had lots of tries to solve it.






linux@mylinux:~$ ssh root@XX.XX.XXX.XXX

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -p 8787

ssh: connect to host XX.XX.XXX.XXX port 8787: Connection refused






>>>linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -vvv

OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug2: resolving "XX.XX.XXX.XXX" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.

debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



ssh - status



>● ssh.service - OpenBSD Secure Shell server

   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago

 Main PID: 6940 (sshd)

    Tasks: 1 (limit: 4915)

   CGroup: /system.slice/ssh.service

           └─6940 /usr/sbin/sshd -D


Also, I have removed openssh-sever and reinstalled it, but it can not succeed.



When I try to connect via localhost then it is a success, but on a remote site it is refused.



But I still can not succeed.



Why is my SSH connection refused?



cat /etc/ssh/sshd_config



Host *



*#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $



*# This is the sshd server system-wide configuration file.  See

*# sshd_config(5) for more information.



*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin



*# The strategy used for options in the default sshd_config shipped with

*# OpenSSH is to specify options with their default value where

*# possible, but leave them commented.  Uncommented options override the

*# default value.



*#Port 22

*#AddressFamily any

*#ListenAddress 0.0.0.0

*#ListenAddress ::



*#HostKey /etc/ssh/ssh_host_rsa_key

*#HostKey /etc/ssh/ssh_host_ecdsa_key

*#HostKey /etc/ssh/ssh_host_ed25519_key



*# Ciphers and keying

*#RekeyLimit default none



*# Logging

*#SyslogFacility AUTH

*#LogLevel INFO



*# Authentication:



*#LoginGraceTime 2m

*#PermitRootLogin prohibit-password

*#StrictModes yes

*#MaxAuthTries 6

*#MaxSessions 10



*#PubkeyAuthentication yes



*# Expect .ssh/authorized_keys2 to be disregarded by default in future.

*#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2



*#AuthorizedPrincipalsFile none



*#AuthorizedKeysCommand none

*#AuthorizedKeysCommandUser nobody



*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

*#HostbasedAuthentication no

*# Change to yes if you don't trust ~/.ssh/known_hosts for

*# HostbasedAuthentication

*#IgnoreUserKnownHosts no

*# Don't read the user's ~/.rhosts and ~/.shosts files

*#IgnoreRhosts yes



*# To disable tunneled clear text passwords, change to no here!

*#PasswordAuthentication yes

*#PermitEmptyPasswords no



*# Change to yes to enable challenge-response passwords (beware issues with

*# some PAM modules and threads)

ChallengeResponseAuthentication no



*# Kerberos options

*#KerberosAuthentication no

*#KerberosOrLocalPasswd yes

*#KerberosTicketCleanup yes

*#KerberosGetAFSToken no



*# GSSAPI options

*#GSSAPIAuthentication no

*#GSSAPICleanupCredentials yes

*#GSSAPIStrictAcceptorCheck yes

*#GSSAPIKeyExchange no



*# Set this to 'yes' to enable PAM authentication, account processing,

*# and session processing. If this is enabled, PAM authentication will

*# be allowed through the ChallengeResponseAuthentication and

*# PasswordAuthentication.  Depending on your PAM configuration,

*# PAM authentication via ChallengeResponseAuthentication may bypass

*# the setting of "PermitRootLogin without-password".

*# If you just want the PAM account and session checks to run without

*# PAM authentication, then enable this but set PasswordAuthentication

*# and ChallengeResponseAuthentication to 'no'.

UsePAM yes



*#AllowAgentForwarding yes

*#AllowTcpForwarding yes

*#GatewayPorts no

X11Forwarding yes

*#X11DisplayOffset 10

*#X11UseLocalhost yes

*#PermitTTY yes

PrintMotd no

*#PrintLastLog yes

*#TCPKeepAlive yes

*#UseLogin no

*#UsePrivilegeSeparation sandbox

*#PermitUserEnvironment no

*#Compression delayed

*#ClientAliveInterval 0

*#ClientAliveCountMax 3

*#UseDNS no

*#PidFile /var/run/sshd.pid

*#MaxStartups 10:30:100

*#PermitTunnel no

*#ChrootDirectory none

*#VersionAddendum none



*# no default banner path

*#Banner none



*# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



*# override default of no subsystems

Subsystem    sftp    /usr/lib/openssh/sftp-server



*# Example of overriding settings on a per-user basis

*#Match User anoncvs

*#    X11Forwarding no

*#    AllowTcpForwarding no

*#    PermitTTY no

*#    ForceCommand cvs server


Here






sudo netstat -tlpena | grep -i "ssh"






tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25237      1260/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      0          25239      1260/sshd


AND






sudo iptables -S






-P INPUT DROP

-P FORWARD DROP

-P OUTPUT ACCEPT

-N ufw-after-forward

-N ufw-after-input

-N ufw-after-logging-forward

-N ufw-after-logging-input

-N ufw-after-logging-output

-N ufw-after-output

-N ufw-before-forward

-N ufw-before-input

-N ufw-before-logging-forward

-N ufw-before-logging-input

-N ufw-before-logging-output

-N ufw-before-output

-N ufw-logging-allow

-N ufw-logging-deny

-N ufw-not-local

-N ufw-reject-forward

-N ufw-reject-input

-N ufw-reject-output

-N ufw-skip-to-policy-forward

-N ufw-skip-to-policy-input

-N ufw-skip-to-policy-output

-N ufw-track-forward

-N ufw-track-input

-N ufw-track-output

-N ufw-user-forward

-N ufw-user-input

-N ufw-user-limit

-N ufw-user-limit-accept

-N ufw-user-logging-forward

-N ufw-user-logging-input

-N ufw-user-logging-output

-N ufw-user-output

-A INPUT -j ufw-before-logging-input

-A INPUT -j ufw-before-input

-A INPUT -j ufw-after-input

-A INPUT -j ufw-after-logging-input

-A INPUT -j ufw-reject-input

-A INPUT -j ufw-track-input

-A FORWARD -j ufw-before-logging-forward

-A FORWARD -j ufw-before-forward

-A FORWARD -j ufw-after-forward

-A FORWARD -j ufw-after-logging-forward

-A FORWARD -j ufw-reject-forward

-A FORWARD -j ufw-track-forward

-A OUTPUT -j ufw-before-logging-output

-A OUTPUT -j ufw-before-output

-A OUTPUT -j ufw-after-output

-A OUTPUT -j ufw-after-logging-output

-A OUTPUT -j ufw-reject-output

-A OUTPUT -j ufw-track-output

-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input

-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-forward -j ufw-user-forward

-A ufw-before-input -i lo -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A ufw-before-input -j ufw-not-local

-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

-A ufw-before-input -j ufw-user-input

-A ufw-before-output -o lo -j ACCEPT

-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-output -j ufw-user-output

-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "

-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny

-A ufw-not-local -j DROP

-A ufw-skip-to-policy-forward -j DROP

-A ufw-skip-to-policy-input -j DROP

-A ufw-skip-to-policy-output -j ACCEPT

-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT

-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "

-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable

-A ufw-user-limit-accept -j ACCEPT





ssh 17.04







share|improve this question
















SSH connection has been working properly, but today unfortunately it stopped.



I had lots of tries to solve it.






linux@mylinux:~$ ssh root@XX.XX.XXX.XXX

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -p 8787

ssh: connect to host XX.XX.XXX.XXX port 8787: Connection refused






>>>linux@mylinux:~$ ssh root@XX.XX.XXX.XXX -vvv

OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 19: Applying options for *

debug2: resolving "XX.XX.XXX.XXX" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to XX.XX.XXX.XXX [XX.XX.XXX.XXX] port 22.

debug1: connect to address XX.XX.XXX.XXX port 22: Connection refused

ssh: connect to host XX.XX.XXX.XXX port 22: Connection refused



ssh - status



>● ssh.service - OpenBSD Secure Shell server

   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)

   Active: active (running) since Sat 2017-11-18 15:42:28 IST; 31min ago

 Main PID: 6940 (sshd)

    Tasks: 1 (limit: 4915)

   CGroup: /system.slice/ssh.service

           └─6940 /usr/sbin/sshd -D


Also, I have removed openssh-sever and reinstalled it, but it can not succeed.



When I try to connect via localhost then it is a success, but on a remote site it is refused.



But I still can not succeed.



Why is my SSH connection refused?



cat /etc/ssh/sshd_config



Host *



*#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $



*# This is the sshd server system-wide configuration file.  See

*# sshd_config(5) for more information.



*# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin



*# The strategy used for options in the default sshd_config shipped with

*# OpenSSH is to specify options with their default value where

*# possible, but leave them commented.  Uncommented options override the

*# default value.



*#Port 22

*#AddressFamily any

*#ListenAddress 0.0.0.0

*#ListenAddress ::



*#HostKey /etc/ssh/ssh_host_rsa_key

*#HostKey /etc/ssh/ssh_host_ecdsa_key

*#HostKey /etc/ssh/ssh_host_ed25519_key



*# Ciphers and keying

*#RekeyLimit default none



*# Logging

*#SyslogFacility AUTH

*#LogLevel INFO



*# Authentication:



*#LoginGraceTime 2m

*#PermitRootLogin prohibit-password

*#StrictModes yes

*#MaxAuthTries 6

*#MaxSessions 10



*#PubkeyAuthentication yes



*# Expect .ssh/authorized_keys2 to be disregarded by default in future.

*#AuthorizedKeysFile    .ssh/authorized_keys .ssh/authorized_keys2



*#AuthorizedPrincipalsFile none



*#AuthorizedKeysCommand none

*#AuthorizedKeysCommandUser nobody



*# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

*#HostbasedAuthentication no

*# Change to yes if you don't trust ~/.ssh/known_hosts for

*# HostbasedAuthentication

*#IgnoreUserKnownHosts no

*# Don't read the user's ~/.rhosts and ~/.shosts files

*#IgnoreRhosts yes



*# To disable tunneled clear text passwords, change to no here!

*#PasswordAuthentication yes

*#PermitEmptyPasswords no



*# Change to yes to enable challenge-response passwords (beware issues with

*# some PAM modules and threads)

ChallengeResponseAuthentication no



*# Kerberos options

*#KerberosAuthentication no

*#KerberosOrLocalPasswd yes

*#KerberosTicketCleanup yes

*#KerberosGetAFSToken no



*# GSSAPI options

*#GSSAPIAuthentication no

*#GSSAPICleanupCredentials yes

*#GSSAPIStrictAcceptorCheck yes

*#GSSAPIKeyExchange no



*# Set this to 'yes' to enable PAM authentication, account processing,

*# and session processing. If this is enabled, PAM authentication will

*# be allowed through the ChallengeResponseAuthentication and

*# PasswordAuthentication.  Depending on your PAM configuration,

*# PAM authentication via ChallengeResponseAuthentication may bypass

*# the setting of "PermitRootLogin without-password".

*# If you just want the PAM account and session checks to run without

*# PAM authentication, then enable this but set PasswordAuthentication

*# and ChallengeResponseAuthentication to 'no'.

UsePAM yes



*#AllowAgentForwarding yes

*#AllowTcpForwarding yes

*#GatewayPorts no

X11Forwarding yes

*#X11DisplayOffset 10

*#X11UseLocalhost yes

*#PermitTTY yes

PrintMotd no

*#PrintLastLog yes

*#TCPKeepAlive yes

*#UseLogin no

*#UsePrivilegeSeparation sandbox

*#PermitUserEnvironment no

*#Compression delayed

*#ClientAliveInterval 0

*#ClientAliveCountMax 3

*#UseDNS no

*#PidFile /var/run/sshd.pid

*#MaxStartups 10:30:100

*#PermitTunnel no

*#ChrootDirectory none

*#VersionAddendum none



*# no default banner path

*#Banner none



*# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



*# override default of no subsystems

Subsystem    sftp    /usr/lib/openssh/sftp-server



*# Example of overriding settings on a per-user basis

*#Match User anoncvs

*#    X11Forwarding no

*#    AllowTcpForwarding no

*#    PermitTTY no

*#    ForceCommand cvs server


Here






sudo netstat -tlpena | grep -i "ssh"






tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          25237      1260/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      0          25239      1260/sshd


AND






sudo iptables -S






-P INPUT DROP

-P FORWARD DROP

-P OUTPUT ACCEPT

-N ufw-after-forward

-N ufw-after-input

-N ufw-after-logging-forward

-N ufw-after-logging-input

-N ufw-after-logging-output

-N ufw-after-output

-N ufw-before-forward

-N ufw-before-input

-N ufw-before-logging-forward

-N ufw-before-logging-input

-N ufw-before-logging-output

-N ufw-before-output

-N ufw-logging-allow

-N ufw-logging-deny

-N ufw-not-local

-N ufw-reject-forward

-N ufw-reject-input

-N ufw-reject-output

-N ufw-skip-to-policy-forward

-N ufw-skip-to-policy-input

-N ufw-skip-to-policy-output

-N ufw-track-forward

-N ufw-track-input

-N ufw-track-output

-N ufw-user-forward

-N ufw-user-input

-N ufw-user-limit

-N ufw-user-limit-accept

-N ufw-user-logging-forward

-N ufw-user-logging-input

-N ufw-user-logging-output

-N ufw-user-output

-A INPUT -j ufw-before-logging-input

-A INPUT -j ufw-before-input

-A INPUT -j ufw-after-input

-A INPUT -j ufw-after-logging-input

-A INPUT -j ufw-reject-input

-A INPUT -j ufw-track-input

-A FORWARD -j ufw-before-logging-forward

-A FORWARD -j ufw-before-forward

-A FORWARD -j ufw-after-forward

-A FORWARD -j ufw-after-logging-forward

-A FORWARD -j ufw-reject-forward

-A FORWARD -j ufw-track-forward

-A OUTPUT -j ufw-before-logging-output

-A OUTPUT -j ufw-before-output

-A OUTPUT -j ufw-after-output

-A OUTPUT -j ufw-after-logging-output

-A OUTPUT -j ufw-reject-output

-A OUTPUT -j ufw-track-output

-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input

-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input

-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input

-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input

-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-forward -j ufw-user-forward

-A ufw-before-input -i lo -j ACCEPT

-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny

-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT

-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A ufw-before-input -j ufw-not-local

-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT

-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT

-A ufw-before-input -j ufw-user-input

-A ufw-before-output -o lo -j ACCEPT

-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A ufw-before-output -j ufw-user-output

-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "

-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN

-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "

-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny

-A ufw-not-local -j DROP

-A ufw-skip-to-policy-forward -j DROP

-A ufw-skip-to-policy-input -j DROP

-A ufw-skip-to-policy-output -j ACCEPT

-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT

-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT

-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "

-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable

-A ufw-user-limit-accept -j ACCEPT





ssh 17.04




ssh 17.04






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Apr 14 '18 at 7:52









Peter Mortensen

1,03421016




1,03421016










asked Nov 18 '17 at 10:48









kettyketty

617




617













  • Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

    – fugitive
    Nov 18 '17 at 11:02











  • Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

    – vidarlo
    Nov 18 '17 at 11:02











  • lol @vidarlo :)

    – fugitive
    Nov 18 '17 at 11:02











  • @vidarlo yeah there is firewall but i do not there is blocking access or not

    – ketty
    Nov 18 '17 at 11:03






  • 1





    Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

    – fugitive
    Nov 18 '17 at 11:04





















  • Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

    – fugitive
    Nov 18 '17 at 11:02











  • Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

    – vidarlo
    Nov 18 '17 at 11:02











  • lol @vidarlo :)

    – fugitive
    Nov 18 '17 at 11:02











  • @vidarlo yeah there is firewall but i do not there is blocking access or not

    – ketty
    Nov 18 '17 at 11:03






  • 1





    Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

    – fugitive
    Nov 18 '17 at 11:04



















Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

– fugitive
Nov 18 '17 at 11:02





Is SSH service listening on the ports you're trying to connect? perhaps iptables problem? Are you allowed to log in as root?

– fugitive
Nov 18 '17 at 11:02













Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

– vidarlo
Nov 18 '17 at 11:02





Is there a firewall blocking access? Have you verified that sshd is running on remote end? This is the two most likely answers.

– vidarlo
Nov 18 '17 at 11:02













lol @vidarlo :)

– fugitive
Nov 18 '17 at 11:02





lol @vidarlo :)

– fugitive
Nov 18 '17 at 11:02













@vidarlo yeah there is firewall but i do not there is blocking access or not

– ketty
Nov 18 '17 at 11:03





@vidarlo yeah there is firewall but i do not there is blocking access or not

– ketty
Nov 18 '17 at 11:03




1




1





Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

– fugitive
Nov 18 '17 at 11:04







Edit your question with output of iptables -S && netstat -tlpnea , also post your /etc/ssh/sshd_config

– fugitive
Nov 18 '17 at 11:04












1 Answer
1






active

oldest

votes


















0














Edit your sshd config with:



Port 22

PermitRootLogin yes


and restart sshd service. Also, not sure why your lines starts with *, is that a formatting issue?
If there are * on sshd config please do sed -i 's/^*//g' /etc/ssh/sshd_config






share|improve this answer
























  • yeah there is formatting issue so i put "*"

    – ketty
    Nov 18 '17 at 11:29











  • not working!!!!!!again Connection refused

    – ketty
    Nov 18 '17 at 11:30











  • Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

    – fugitive
    Nov 18 '17 at 11:31











  • yes i do that!!!!!!!!

    – ketty
    Nov 18 '17 at 11:32






  • 4





    PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

    – vidarlo
    Nov 18 '17 at 11:45












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f977701%2fssh-connection-refused%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Edit your sshd config with:



Port 22

PermitRootLogin yes


and restart sshd service. Also, not sure why your lines starts with *, is that a formatting issue?
If there are * on sshd config please do sed -i 's/^*//g' /etc/ssh/sshd_config






share|improve this answer
























  • yeah there is formatting issue so i put "*"

    – ketty
    Nov 18 '17 at 11:29











  • not working!!!!!!again Connection refused

    – ketty
    Nov 18 '17 at 11:30











  • Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

    – fugitive
    Nov 18 '17 at 11:31











  • yes i do that!!!!!!!!

    – ketty
    Nov 18 '17 at 11:32






  • 4





    PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

    – vidarlo
    Nov 18 '17 at 11:45
















0














Edit your sshd config with:



Port 22

PermitRootLogin yes


and restart sshd service. Also, not sure why your lines starts with *, is that a formatting issue?
If there are * on sshd config please do sed -i 's/^*//g' /etc/ssh/sshd_config






share|improve this answer
























  • yeah there is formatting issue so i put "*"

    – ketty
    Nov 18 '17 at 11:29











  • not working!!!!!!again Connection refused

    – ketty
    Nov 18 '17 at 11:30











  • Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

    – fugitive
    Nov 18 '17 at 11:31











  • yes i do that!!!!!!!!

    – ketty
    Nov 18 '17 at 11:32






  • 4





    PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

    – vidarlo
    Nov 18 '17 at 11:45














0












0








0







Edit your sshd config with:



Port 22

PermitRootLogin yes


and restart sshd service. Also, not sure why your lines starts with *, is that a formatting issue?
If there are * on sshd config please do sed -i 's/^*//g' /etc/ssh/sshd_config






share|improve this answer













Edit your sshd config with:



Port 22

PermitRootLogin yes


and restart sshd service. Also, not sure why your lines starts with *, is that a formatting issue?
If there are * on sshd config please do sed -i 's/^*//g' /etc/ssh/sshd_config







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 18 '17 at 11:21









fugitivefugitive

748414




748414













  • yeah there is formatting issue so i put "*"

    – ketty
    Nov 18 '17 at 11:29











  • not working!!!!!!again Connection refused

    – ketty
    Nov 18 '17 at 11:30











  • Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

    – fugitive
    Nov 18 '17 at 11:31











  • yes i do that!!!!!!!!

    – ketty
    Nov 18 '17 at 11:32






  • 4





    PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

    – vidarlo
    Nov 18 '17 at 11:45



















  • yeah there is formatting issue so i put "*"

    – ketty
    Nov 18 '17 at 11:29











  • not working!!!!!!again Connection refused

    – ketty
    Nov 18 '17 at 11:30











  • Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

    – fugitive
    Nov 18 '17 at 11:31











  • yes i do that!!!!!!!!

    – ketty
    Nov 18 '17 at 11:32






  • 4





    PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

    – vidarlo
    Nov 18 '17 at 11:45

















yeah there is formatting issue so i put "*"

– ketty
Nov 18 '17 at 11:29





yeah there is formatting issue so i put "*"

– ketty
Nov 18 '17 at 11:29













not working!!!!!!again Connection refused

– ketty
Nov 18 '17 at 11:30





not working!!!!!!again Connection refused

– ketty
Nov 18 '17 at 11:30













Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

– fugitive
Nov 18 '17 at 11:31





Have you done a restart of sshd to apply changes? Please show output of iptables -S and netstat -tlpena

– fugitive
Nov 18 '17 at 11:31













yes i do that!!!!!!!!

– ketty
Nov 18 '17 at 11:32





yes i do that!!!!!!!!

– ketty
Nov 18 '17 at 11:32




4




4





PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

– vidarlo
Nov 18 '17 at 11:45





PermitRootLogin no would not lead to connectoin refused. Connection refused happens because nothing is listening, or a firewall somewhere in the path stops the connection.

– vidarlo
Nov 18 '17 at 11:45


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f977701%2fssh-connection-refused%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

How did Captain America manage to do this?

Image
2 How does Captain America lift Thor's hammer? In Avengers: Age of Ultron , he is not worthy but how he is worthy in this film. plot-explanation marvel-cinematic-universe avengers-age-of-ultron avengers-endgame share | improve this question edited 19 mins ago A J ♦ 42.7k 16 229 246 asked 39 mins ago Andi AR Andi AR 325 1 4 14
Read more

迪纳利

Image
迪纳利峰 位于迪纳利国家公园和保留区的迪纳利峰(旧名麦金利峰) 最高点 海拔 20,237英尺(6,168米)   NGVD 29 . [1] [2] 相對高度 20,073英尺(6,118米) 列表 各洲最高峰列表 特独立山峰 各国最高点列表 美国最高点  排名第一 [3] 坐标 63°04′10″N 151°00′27″W  /  63.06944°N 151.00750°W  / 63.06944; -151.00750  ( Mount McKinley ) 坐标: 63°04′10″N 151°00′27″W  /  63.06944°N 151.00750°W  / 63.06944; -151.00750  ( Mount McKinley )   地理 位置   美國阿拉斯加州迪纳利自治市镇 迪纳利国家公园和保留区 山脈 阿拉斯加山脉 攀山 首次登頂 ( 英语 : First ascent ) 1913年6月7日 哈德逊·史塔克 哈里·卡斯坦斯 沃尔特·哈珀 罗伯特·塔特姆 最簡路線 西坡路线(攀登冰川/雪) 迪纳利 (北阿萨巴斯卡语支、 英语: Denali , / d ᵻ ˈ n ɑː l i / ,直译“高山”),1917年至2015年官方名称为 麦金利山 (另译作 麦金利峰 , 英语: Mount McKinley ),位于阿拉斯加州东南部、阿拉斯加山脉中段,海拔6194米,是北美洲最高峰,也是美国的最高峰。它的俄语名称是 Большая Гора , 罗马化:Bolshaya Gora ,意思是“大山”。 迪纳利山地区拥有变幻莫测的高山风、典型的北极植被以及野生动植物。这里大部分地区终年积雪,山间经常浓雾不断,雾气在皑皑白雪中缭绕弥漫时,几百米之外的景物便不可见。夏季,迪纳利山的青青山坡上鲜花盛开,紫色的杜鹃和精巧的铃状石南花随处可见。迪纳利山还是世界登山爱好者的汇集之地。每年5月到7月有数百人登山,只有一半不到的人能登顶成功。一次登山约花3个星期。 2015年8月31日,美國政府宣佈將山名由“麦金利山”改回原名“迪纳利山”。美國內政部發表聲
Read more

南乌拉尔铁路局

Image
南乌拉尔铁路局 Южно-Уральская железная дорога 成立 1934年1月4日 国家   蘇聯(1934年—1991年)   俄羅斯(1991年—) 总部 车里雅宾斯克 隶属 俄罗斯铁路股份公司 路局代码 80 铁路里程 4,934.9公里 奖项 网址 http://yuzd.rzd.ru/ 查 论 编 南乌拉尔铁路局 (俄语: Южно-Уральская железная дорога , 羅馬化: Yuzhno-Uralskaya zheleznaya doroga ,简称 ЮУЖД )是俄罗斯铁路股份公司属下的铁路管理局之一,总部位于车里雅宾斯克,负责管辖俄罗斯联邦乌拉尔南部地区的铁路系统,范围包括奥伦堡州、车里雅宾斯克州、库尔干州的大部分铁路,以及萨马拉州、斯维尔德洛夫斯克州、巴什科尔托斯坦共和国的少部分铁路,并有部分铁路延伸至或穿过哈萨克斯坦境内。南乌拉尔铁路局的营业里程为4,934.9公里,与伏尔加铁路局、古比雪夫铁路局、斯维尔德洛夫斯克铁路局、西西伯利亚铁路局相邻,并与南方的哈萨克斯坦铁路连接。 外部链接 (俄文) Южно-Уральская железная дорога — филиал ОАО РЖД (俄文) 南乌拉尔铁路局管辖路线图(一) (俄文) 南乌拉尔铁路局管辖路线图(二) 查 论 编 俄罗斯铁路(集团)股份公司 十月铁路局 · 莫斯科铁路局 · 北高加索铁路局 · 高尔基铁路局 · 古比雪夫铁路局 · 北方铁路局 · 伏尔加铁路局 · 东南铁路局 · 斯维尔德洛夫斯克铁路局 · 南乌拉尔铁路局 · 西西伯利亚铁路局 · 克拉斯诺亚尔斯克铁路局 · 东西伯利亚铁路局 · 后贝加尔铁路局 · 远东铁路局 · 加里宁格勒铁路局 This page is only for reference, If you need detailed information, please check here
Read more