
Security Sysadmin Can't SSH to the server...

Discussion in 'System Administration' started by modder, May 15, 2021.

  1. modder

    Using CentOS 7 on a Vultr VPS.

    I'm using my server with the latest Centmin Mod. The root password was changed and the SSH port was changed to 911.

    Actually everything seems to be okay. I installed XenForo and some add-ons and styles without problem. I got into the server with an SSH terminal without any problem.

    But yesterday when I went home and tried to SSH with the right username/password/host IP/SSH port, it didn't let me in. It replied with the following error:

    [screenshot: upload_2021-5-15_12-39-29.png, the SSH error message]

    I logged in to the server from Vultr's console and checked that sshd is actually running:

    [screenshot: upload_2021-5-15_12-42-43.png, sshd status]

    XenForo's running fine.

    The only problem is I can't get into the server by SSH.

    What could be the cause of the problem? How can I diagnose it?


    Thanks.
     
  2. eva2000

    How did you change the SSH port number, and did the SSH login issues happen before or after you changed the SSH port? You may have forgotten to update CSF Firewall's whitelisted SSH port if you manually changed the SSH port. If you did manually make the change, change the SSH port back to 22 and then use the centmin.sh menu option 16 method below.

    You can change the sshd listening port from the default 22 to a number below 1024 via centmin.sh menu option 16.

    Running centmin.sh menu option 16 will change your sshd listening port by:
    • first prompting you to enter the existing sshd port (22)
    • then prompting you for your desired new sshd port, and making the appropriate changes in CSF Firewall
    • once the change is made, DO NOT exit your current SSH session, but open a new SSH session to test the connection to this server, making sure to have changed your SSH session/profile's SSH port from 22 to the new port number you selected. See if the new separate SSH session can connect to the new sshd port. If it can, you should be good to go.
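The two configuration edits that the post above says menu option 16 performs (sshd's Port directive, and the CSF port lists so the new port is not firewalled), written out as an added example. This is not the centmin.sh code itself; it takes file paths as arguments so it can be rehearsed on copies before touching /etc/ssh/sshd_config and /etc/csf/csf.conf, and it assumes the stock csf.conf layout (TCP_IN = "20,21,22,..."). The sample config contents inside demo_port_change are constructed, not taken from any real server.

```shell
#!/usr/bin/env bash
# Added example, not Centmin Mod's centmin.sh code: the two config edits that
# menu option 16 is described as making (sshd Port + CSF port lists), written
# against file paths you pass in so it can be rehearsed on copies first.
# Real paths would be /etc/ssh/sshd_config and /etc/csf/csf.conf (assumption:
# stock CSF csf.conf layout, e.g. TCP_IN = "20,21,22,...").
set -euo pipefail

# Replace OLD with NEW in a comma-separated port list, matching whole ports
# only (22 inside 2222 is left alone) and dropping duplicates.
swap_port_in_list() {
  local list="$1" old="$2" new="$3"
  printf '%s\n' "$list" | awk -F, -v old="$old" -v new="$new" '
    {
      n = 0
      for (i = 1; i <= NF; i++) {
        p = $i
        if (p == old) p = new
        if (!(p in seen)) { seen[p] = 1; out[++n] = p }
      }
      for (i = 1; i <= n; i++) printf "%s%s", out[i], (i < n ? "," : "\n")
    }'
}

# Rewrite the CSF port lists so the new sshd port is allowed and the old one
# is no longer listed. Lists absent from the file (e.g. TCP6_*) are skipped.
update_csf_ports() {
  local conf="$1" old="$2" new="$3" key cur upd
  for key in TCP_IN TCP_OUT TCP6_IN TCP6_OUT; do
    cur=$(sed -n "s/^${key} = \"\(.*\)\"/\1/p" "$conf")
    [ -n "$cur" ] || continue
    upd=$(swap_port_in_list "$cur" "$old" "$new")
    sed -i "s/^${key} = \".*\"/${key} = \"${upd}\"/" "$conf"
  done
}

# Set the Port directive in sshd_config (uncommenting a '#Port 22' if that is
# all there is, appending one if none exists) and echo the configured port.
set_sshd_port() {
  local cfg="$1" new="$2"
  if grep -qE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port ${new}/" "$cfg"
  else
    printf 'Port %s\n' "$new" >> "$cfg"
  fi
  awk '/^Port [0-9]+$/ { print $2 }' "$cfg"
}

# Rehearsal on constructed sample files (not copied from any real server):
# move sshd from 22 to 911 and print the resulting TCP_IN and Port lines.
demo_port_change() {
  local d
  d=$(mktemp -d)
  printf 'TCP_IN = "20,21,22,25,53,80,443,2222"\nTCP_OUT = "20,21,22,25,53,80,443"\n' > "$d/csf.conf"
  printf '# constructed sshd_config\n#Port 22\nListenAddress 0.0.0.0\n' > "$d/sshd_config"
  update_csf_ports "$d/csf.conf" 22 911
  set_sshd_port "$d/sshd_config" 911 > /dev/null
  grep '^TCP_IN = ' "$d/csf.conf"
  grep '^Port ' "$d/sshd_config"
  rm -rf "$d"
}
```

Against the real files the order matters: edit csf.conf and reload the firewall (csf -r) before restarting sshd, validate the sshd file first with `sshd -t`, and keep the existing session open while a second session is tried on the new port, exactly as the post says. On a CentOS 7 host with SELinux enforcing, sshd will also refuse a non-standard port until it is labelled (`semanage port -a -t ssh_port_t -p tcp 911`).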
     
  3. modder

    Actually this server is just a snapshot of another server which I've been using for a year, and many servers were developed from that snapshot. SSH has never been a problem.

    I changed the SSH port with the Centmin Mod menu on the original server, and this was among the first things to do when setting up the server.

    I didn't really do anything regarding the SSH port on the new server. It just uses the same SSH port as the snapshot.

    It actually worked while I was working at my company. I could log in by SSH without any problem. But when I came home on the weekend, it wouldn't allow me to get in.

    (Anyway, I just reconfigured the SSH port to a new number in Centmin Mod; it still doesn't work. I think it's better to do everything again.)
     
    Last edited: May 16, 2021
  4. eva2000

    Check if your IPs are blocked using the csf -g grep command:
    Code:
    csf -g YOURIPADDRESS
    You can see the available csf commands via:
    Code:
    csf -h
    Whitelist your ISP's range of IPs if you know the range:
    Code:
    csf -a IPADDRESSORRANGE
    Remove temporary and permanent blocks from csf:
    Code:
    csf -tr IPADDRESS
    csf -dr IPADDRESS
    Also check CSF's /var/log/lfd.log for clues. Don't post the output of this command, due to sensitive info:
    Code:
    tail -50 /var/log/lfd.log
    Another log is /var/log/messages; you can grep it for your IPs. Don't post the output of this command, due to sensitive info:
    Code:
    grep IPADDRESS /var/log/messages
    And your /var/log/secure. Don't post the output of this command, due to sensitive info:
    Code:
    tail -20 /var/log/secure
    Do you have a VPN connection you can use? Try using that to SSH into your server. If you have a VPN, like a private one with a dedicated IP, you can also whitelist that VPN IP in CSF Firewall. That's what I usually do, so I have multiple avenues to connect to the server via SSH.

    Check if your ISP IP has been blocked by grepping the csf firewall IPs:
    Code (Text):
    csf -g ISPIPADDRESS

    If blocked, remove your ISP IP address from /etc/csf/csf.deny and restart CSF Firewall,
    or via command:
    Code (Text):
    csf -dr ISPIPADDRESS
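The lfd.log triage suggested above, done once in a script rather than by eye: an added example, not CSF's or Centmin Mod's own tooling. It pulls out only the lines that mention exactly one client IP (so 203.0.113.4 does not match 203.0.113.45) and tallies the trigger code lfd writes in square brackets at the end of each block line ([LF_SSHD] for repeated SSH login failures, [PORTFLOOD] for a port flood). The sample log written by write_sample_lfd_log is constructed, with the line wording approximated from lfd's format; compare it against your own /var/log/lfd.log.

```shell
#!/usr/bin/env bash
# Added example, not CSF/lfd code: what lfd logged about one client IP, and a
# tally of the block reasons. Real usage:
#   lfd_block_reasons /var/log/lfd.log YOUR.ISP.IP
set -euo pipefail

# Lines mentioning exactly this IP (203.0.113.4 must not match 203.0.113.45).
lfd_events_for_ip() {
  local log="$1" ip="$2" ip_re
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  grep -E "(^|[^0-9.])${ip_re}([^0-9.]|$)" "$log" || true
}

# Count the trigger codes lfd writes in square brackets at the end of a block
# line, e.g. [LF_SSHD] or [PORTFLOOD]. Lines without a code (unblock notices)
# are ignored. Output: "<CODE> <count>" per code, sorted by code.
lfd_block_reasons() {
  lfd_events_for_ip "$1" "$2" \
    | sed -n 's/.*\[\([A-Z0-9_]*\)\]$/\1/p' \
    | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' \
    | sort
}

# Constructed sample log (wording approximated from lfd.log; not a real
# capture). Written to the path given so the functions above can be tried.
write_sample_lfd_log() {
  cat > "$1" <<'EOF'
May 15 12:31:07 vps lfd[2101]: (sshd) Failed SSH login from 203.0.113.45 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
May 15 12:33:40 vps lfd[2101]: *Port Flood* detected and blocked 203.0.113.45 (XX/Example/-), port 21, 25 hits over 60 secs [PORTFLOOD]
May 15 12:33:41 vps lfd[2101]: (sshd) Failed SSH login from 203.0.113.4 (XX/Example/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
May 15 12:45:00 vps lfd[2101]: *Blocked in csf* 203.0.113.45 (XX/Example/-) temporary block lifted
EOF
}

# Stand-alone run: build the sample and show the tally for the blocked client.
demo_lfd_triage() {
  local f
  f=$(mktemp)
  write_sample_lfd_log "$f"
  lfd_block_reasons "$f" 203.0.113.45
  rm -f "$f"
}
```

Once the code is known, `csf -g IP` confirms the current block and `csf -tr IP` / `csf -dr IP` lift it, as above. If the code is LF_SSHD, something at the client side is producing failed logins (a saved stale password in a terminal profile, or another machine behind the same NAT address), and whitelisting with `csf -a` only masks that until the ban moves elsewhere.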
     
  5. modder

    Thanks for sharing your knowledge on how to deal with the firewall. And most importantly, it solved my problem! Yes, my IP was banned by the firewall.

    Why is it so sensitive?

    I didn't have such issue before.
     
  6. eva2000

    Centmin Mod on initial install will whitelist in the CSF Firewall config the ISP IP address you logged in via SSH with, so you are less likely to experience false bans. Usually, you won't need to whitelist to access SSH. CSF Firewall however has login failure detection and port flooding protection, so if a lot of failed SSH logins occur, your IP can be banned temporarily, which you will see in the /var/log/lfd.log log along with the reason for the ban.

    Port floods can occur if you initiate many connections, e.g. FTP connections from the same IP to a specific port: CSF - Insight Guide - CSF Firewall Port Flood Blocking Pure-FTPD Connections

    Getting Started Guide step 4 also outlines recommended steps for CSF Firewall whitelisting.