OVH Dedicated Server, SSH suddenly stops working

rdan · Dec 15, 2015

What aspects should I diagnose?
CSF disabled via csf -x doesn't help.

I can only connect to this server via our backup server on BackupSy which I luckily setup password less ssh via Public Key Authentication .

Other machine I tried to access via SSH doesn't work and all timeouts.

Website/Forums on that server works fine.
I can also access the main IP via browser/port 80.

Even if I manually added my desktop public key on the server, still can't connect, maybe because I'm not yet registered as known host?

rdan · Dec 15, 2015

I changed this server SSH port to custom one since Nov 3, after initial install.
And all access works fine until today.
Last time I connect via SSH was yesterday.

eva2000 · Dec 15, 2015

Did you whitelist IPs ?

CSF firewall related CSF - CSF Firewall info | Centmin Mod Community and CSF Firewall - Centmin Mod - Menu based Nginx installer for CentOS servers

more info might be helpful
What version of Centmin Mod ? .07 stable or .08 beta ? If .08 beta when was it installed and when was last time you updated the .08 beta code (there's constant updates to the code).

What's your VPS/Server hardware specifications ? Xen/KVM/OpenVZ ? cpu type ? memory available ? disk space ? OS and version ? i.e. CentOS 6.6 or 7.1 ?

Who's your web host ?

Your ISP ip address static/dynamic ?

What were you doing connection wise to your server leading up to the blockage ?

If you're on dynamic ip, you may need additional steps CSF Firewall as per Getting Started Guide step 4
Other steps: Does your web host offer out of band VNC/KVM/IPMI Console access? If you can, check if you ips are blocked using csf -g grep command
Code:
csf -g YOURIPADDRESS
commands you can see for csf via
Code:
csf -h
whitelist your ISP range of ips if you know the range
Code:
csf -a IPADDRESSORRANGE
remove temp and permanent blocks from csf
Code:
csf -tr IPADDRESS
csf -dr IPADDRESS
also check CSF /var/log/lfd.log for clues
Code:
tail -50 /var/log/lfd.log
another log is /var/log/messages you can grep it for your ips
Code:
grep IPADDRESS /var/log/messages

rdan · Dec 15, 2015

eva2000 said: ↑

What version of Centmin Mod ? .07 stable or .08 beta ? If .08 beta when was it installed and when was last time you updated the .08 beta code (there's constant updates to the code).
Click to expand...

.09beta
I installed it on Novermber 3, 2015.
centmin code is latest 09.

eva2000 said: ↑

What's your VPS/Server hardware specifications ? Xen/KVM/OpenVZ ? cpu type ? memory available ? disk space ? OS and version ? i.e. CentOS 6.6 or 7.1 ?
Click to expand...

Dedicated server CentOS 6.7

eva2000 said: ↑

Who's your web host ?
Click to expand...

OVH .

eva2000 said: ↑

Your ISP ip address static/dynamic ?
Click to expand...

Dynamic, but doesn't matter as I have tried connecting to that server using my other VPS/Dedicated server also, still not working.

eva2000 said: ↑

What were you doing connection wise to your server leading up to the blockage ?
Click to expand...

Nothing, just suddenly stops me from connecting via SSH.

eva2000 said: ↑

If you can, check if you ips are blocked using csf -g grep command
Click to expand...

No it's not block.

rdan · Dec 15, 2015

Tried white listed my system IP use to connect, but still receiving "Connection timed out" error.

rdan · Dec 15, 2015

eva2000 said: ↑

also check CSF /var/log/lfd.log for clues
Click to expand...

As you can see on this log:

Dec 14 00:00:03 ovh lfd[23528]: CSF Tracking...
Dec 14 00:00:03 ovh lfd[23528]: IPv6 Enabled...
Dec 14 00:00:03 ovh lfd[23528]: LOAD Tracking...
Dec 14 00:00:03 ovh lfd[23528]: DynDNS Tracking...
Dec 14 00:00:03 ovh lfd[23528]: Country Code Lookups...
Dec 14 00:00:03 ovh lfd[23528]: Exploit Tracking...
Dec 14 00:00:03 ovh lfd[23528]: Directory Watching...
Dec 14 00:00:03 ovh lfd[23528]: Temp to Perm Block Tracking...
Dec 14 00:00:03 ovh lfd[23528]: Account Tracking...
Dec 14 00:00:03 ovh lfd[23528]: SSH Tracking...
Dec 14 00:00:03 ovh lfd[23528]: SU Tracking...
Dec 14 00:00:03 ovh lfd[23528]: Watching /var/log/messages...
Dec 14 00:00:03 ovh lfd[23528]: Watching /var/log/secure...
Dec 14 00:00:03 ovh lfd[23528]: Watching /var/log/customlog...
Dec 14 00:00:03 ovh lfd[23528]: Watching /var/log/httpd/error_log...
Dec 14 00:01:23 ovh lfd[28313]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 00:07:23 ovh lfd[16704]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 00:07:43 ovh lfd[17836]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 00:18:23 ovh lfd[23739]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 00:32:03 ovh lfd[27493]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 00:37:43 ovh lfd[29004]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 01:09:43 ovh lfd[6557]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 01:20:03 ovh lfd[10095]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 01:21:43 ovh lfd[10759]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 01:25:23 ovh lfd[11620]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 01:29:43 ovh lfd[12459]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:01:44 ovh lfd[21434]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:03:24 ovh lfd[22144]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:16:24 ovh lfd[25287]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:25:04 ovh lfd[4927]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 02:36:04 ovh lfd[8023]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:45:04 ovh lfd[10413]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:51:04 ovh lfd[12127]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 02:55:04 ovh lfd[13258]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 03:06:24 ovh lfd[16479]: *SSH login* from MY_DESKTOP_IP_HERE into the root account using password authentication
Dec 14 08:25:07 ovh lfd[3398]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 14:00:10 ovh lfd[27491]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 14:00:10 ovh lfd[27492]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 14:25:10 ovh lfd[1412]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 19:40:53 ovh lfd[20078]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 19:49:13 ovh lfd[22705]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 14 20:25:13 ovh lfd[32180]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 15 00:00:01 ovh lfd[23528]: TERM
Dec 15 00:00:01 ovh lfd[23528]: daemon stopped
Dec 15 00:00:01 ovh lfd[24460]: daemon started on ovh.host.com - csf v8.08 (generic)
Dec 15 00:00:01 ovh lfd[24460]: CSF Tracking...
Dec 15 00:00:01 ovh lfd[24460]: IPv6 Enabled...
Dec 15 00:00:01 ovh lfd[24460]: LOAD Tracking...
Dec 15 00:00:01 ovh lfd[24460]: DynDNS Tracking...
Dec 15 00:00:01 ovh lfd[24460]: Country Code Lookups...
Dec 15 00:00:01 ovh lfd[24460]: Exploit Tracking...
Dec 15 00:00:01 ovh lfd[24460]: Directory Watching...
Dec 15 00:00:01 ovh lfd[24460]: Temp to Perm Block Tracking...
Dec 15 00:00:01 ovh lfd[24460]: Account Tracking...
Dec 15 00:00:01 ovh lfd[24460]: SSH Tracking...
Dec 15 00:00:01 ovh lfd[24460]: SU Tracking...
Dec 15 00:00:01 ovh lfd[24460]: Watching /var/log/messages...
Dec 15 00:00:01 ovh lfd[24460]: Watching /var/log/secure...
Dec 15 00:00:01 ovh lfd[24460]: Watching /var/log/customlog...
Dec 15 00:00:01 ovh lfd[24460]: Watching /var/log/httpd/error_log...
Dec 15 00:16:02 ovh lfd[28814]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 15 00:21:02 ovh lfd[30179]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 15 00:34:02 ovh lfd[1273]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Dec 15 00:34:10 ovh lfd[24460]: TERM
Dec 15 00:34:10 ovh lfd[24460]: daemon stopped
Dec 15 00:35:17 ovh lfd[1547]: daemon started on ovh.host.com - csf v8.08 (generic)
Dec 15 00:35:17 ovh lfd[1547]: CSF Tracking...
Dec 15 00:35:17 ovh lfd[1547]: IPv6 Enabled...
Dec 15 00:35:17 ovh lfd[1547]: LOAD Tracking...
Dec 15 00:35:17 ovh lfd[1547]: DynDNS Tracking...
Dec 15 00:35:17 ovh lfd[1547]: Country Code Lookups...
Dec 15 00:35:17 ovh lfd[1547]: Exploit Tracking...
Dec 15 00:35:17 ovh lfd[1547]: Directory Watching...
Dec 15 00:35:17 ovh lfd[1547]: Temp to Perm Block Tracking...
Dec 15 00:35:17 ovh lfd[1547]: Account Tracking...
Dec 15 00:35:17 ovh lfd[1547]: SSH Tracking...
Dec 15 00:35:17 ovh lfd[1547]: SU Tracking...
Dec 15 00:35:17 ovh lfd[1547]: Watching /var/log/messages...
Dec 15 00:35:17 ovh lfd[1547]: Watching /var/log/secure...
Dec 15 00:35:17 ovh lfd[1547]: Watching /var/log/customlog...
Dec 15 00:35:17 ovh lfd[1547]: Watching /var/log/httpd/error_log...
Dec 15 00:44:37 ovh lfd[4163]: *SSH login* from MY_BACKUP_SERVER_IP_HERE into the root account using publickey authentication
Click to expand...

The last SSH login I successfully did via password auth on my desktop was:
Dec 14 03:06:24 ovh lfd[16479]

eva2000 · Dec 15, 2015

can you do the reverse and ssh and ping your other systems and yourself via OVH server SSH ?

Did you change SSH port number from 22 ?

eva2000 · Dec 15, 2015

RoldanLT said: ↑

Tried white listed my system IP use to connect, but still receiving "Connection timed out" error.
Click to expand...

enable SSH client verbose mode when you connect for further clues too

rdan · Dec 15, 2015

RoldanLT said: ↑

I changed this server SSH port to custom one since Nov 3, after initial install.
And all access works fine until today.
Last time I connect via SSH was yesterday.
Click to expand...

eva2000 said: ↑

Did you change SSH port number from 22 ?
Click to expand...

eva2000 · Dec 15, 2015

and your /var/log/secure for clues

rdan · Dec 15, 2015

eva2000 said: ↑

can you do the reverse and ssh and ping your other systems and yourself via OVH server SSH ?
Click to expand...

Yes, it works fine Eva.

rdan · Dec 15, 2015

eva2000 said: ↑

and your /var/log/secure for clues
Click to expand...

Dec 14 02:54:57 ovh sshd[13198]: subsystem request for sftp
Dec 14 02:56:02 ovh sshd[13198]: pam_unix(sshd:session): session closed for user root
Dec 14 03:06:07 ovh sshd[16437]: Accepted password for root from MY_DESKTOP_IP_HERE port 39758 ssh2
Dec 14 03:06:07 ovh sshd[16437]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 03:06:08 ovh sshd[16437]: subsystem request for sftp
Dec 14 03:07:12 ovh sshd[16437]: pam_unix(sshd:session): session closed for user root
Dec 14 03:10:31 ovh sshd[5426]: pam_unix(sshd:session): session closed for user root
Dec 14 08:25:03 ovh sshd[3386]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43408 ssh2
Dec 14 08:25:03 ovh sshd[3386]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 08:25:04 ovh sshd[3386]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 08:25:04 ovh sshd[3386]: pam_unix(sshd:session): session closed for user root
Dec 14 14:00:04 ovh sshd[27174]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43522 ssh2
Dec 14 14:00:04 ovh sshd[27174]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 14:00:04 ovh sshd[27175]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43525 ssh2
Dec 14 14:00:04 ovh sshd[27175]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 14:00:05 ovh sshd[27174]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 14:00:05 ovh sshd[27174]: pam_unix(sshd:session): session closed for user root
Dec 14 14:05:46 ovh sshd[27175]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 14:05:46 ovh sshd[27175]: pam_unix(sshd:session): session closed for user root
Dec 14 14:25:03 ovh sshd[1400]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43535 ssh2
Dec 14 14:25:03 ovh sshd[1400]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 14:25:04 ovh sshd[1400]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 14:25:04 ovh sshd[1400]: pam_unix(sshd:session): session closed for user root
Dec 14 19:40:41 ovh sshd[20052]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43644 ssh2
Dec 14 19:40:41 ovh sshd[20052]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 19:41:51 ovh sshd[2414]: Received signal 15; terminating.
Dec 14 19:41:51 ovh sshd[20164]: Server listening on 0.0.0.0 port 1018.
Dec 14 19:41:51 ovh sshd[20164]: Server listening on :: port 1018.
Dec 14 19:47:49 ovh sshd[20052]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 19:47:49 ovh sshd[20052]: pam_unix(sshd:session): session closed for user root
Dec 14 19:49:11 ovh sshd[22677]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43648 ssh2
Dec 14 19:49:11 ovh sshd[22677]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 19:51:04 ovh sshd[22677]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 19:51:04 ovh sshd[22677]: pam_unix(sshd:session): session closed for user root
Dec 14 20:25:03 ovh sshd[32165]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43662 ssh2
Dec 14 20:25:03 ovh sshd[32165]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 14 20:25:04 ovh sshd[32165]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 14 20:25:04 ovh sshd[32165]: pam_unix(sshd:session): session closed for user root
Dec 15 00:15:51 ovh sshd[28742]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43741 ssh2
Dec 15 00:15:51 ovh sshd[28742]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 00:20:43 ovh sshd[28742]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 15 00:20:43 ovh sshd[28742]: pam_unix(sshd:session): session closed for user root
Dec 15 00:20:51 ovh sshd[29819]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43743 ssh2
Dec 15 00:20:51 ovh sshd[29819]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 00:22:32 ovh sshd[29819]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 15 00:22:32 ovh sshd[29819]: pam_unix(sshd:session): session closed for user root
Dec 15 00:33:53 ovh sshd[1201]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43749 ssh2
Dec 15 00:33:53 ovh sshd[1201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 15 00:35:27 ovh sshd[1201]: Received disconnect from MY_BACKUP_SERVER_IP_HERE: 11: disconnected by user
Dec 15 00:35:27 ovh sshd[1201]: pam_unix(sshd:session): session closed for user root
Dec 15 00:44:36 ovh sshd[4142]: Accepted publickey for root from MY_BACKUP_SERVER_IP_HERE port 43753 ssh2
Dec 15 00:44:36 ovh sshd[4142]: pam_unix(sshd:session): session opened for user root by (uid=0)
Click to expand...

rdan · Dec 15, 2015

eva2000 said: ↑

another log is /var/log/messages you can grep it for your ips
Click to expand...

This doesn't apply right since I can't connect on every system.
Not just my own desktop.

rdan · Dec 15, 2015

eva2000 said: ↑

enable SSH client verbose mode when you connect for further clues too
Click to expand...

$ ssh -vvv -p 2222 root@8.8.8.8
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 8.8.8.8 [8.8.8.8] port 2222.
debug1: connect to address 8.8.8.8 port 2222: Connection timed out
ssh: connect to host 8.8.8.8 port 2222: Connection timed out
Click to expand...

$ ssh -v -p 2222 root@8.8.8.8
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 8.8.8.8 [8.8.8.8] port 2222.
debug1: connect to address 8.8.8.8 port 2222: Connection timed out
ssh: connect to host 8.8.8.8 port 2222: Connection timed out
Click to expand...

8.8.8.8 being the OVH server IP and 2222 the custom port.

eva2000 · Dec 15, 2015

your secure log says sshd listening on port 1018 but here you trying port 2222 ?

rdan · Dec 15, 2015

I edited it manually to hide my custom port # .
Yes, 1018 is my custom port original, just forgot to modify it on secure log :|.

eva2000 · Dec 15, 2015

you testing with CSF enabled ? if you disable CSF firewall, you want have any default iptable rules in place so alot of stuff might be blocked port wise

With CSF enabled, I'd double check your ports are whitelisted for SSHD port
Code:
egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
and check listening ports
Code:
netstat -ntl

rdan · Dec 15, 2015

eva2000 said: ↑

you testing with CSF enabled ?
Click to expand...

Yes.

# egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
TCP_IN = "20,21,1018,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,30001:50011"
TCP_OUT = "993,995,465,587,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "67,68,1110,33434:33534,20,21,53"
UDP_OUT = "67,68,1110,33434:33534,20,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,2202,11211,11212,11213,11214,2112,22000,22001,2222,3000,3334,8080,8888,81,9000,9001,9312,9418,10000,10500,10501,6081,6082,30865,30001:50011"
TCP6_OUT = "993,995,465,587,20,21,22,25,53,80,110,113,443,587,993,995"
UDP6_IN = "20,21,53"
UDP6_OUT = "20,21,53,113,123"
Click to expand...

rdan · Dec 15, 2015

eva2000 said: ↑

With CSF enabled, I'd double check your ports are whitelisted for SSHD port
Click to expand...

Yes it is, since I can connect via backup Server.

rdan · Dec 15, 2015

eva2000 said: ↑

and check listening ports
Click to expand...

Log in / Register

Forums

Join the community today

OVH Dedicated Server, SSH suddenly stops working

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

.

Log in / Register

Useful Searches

Join the community today

OVH Dedicated Server, SSH suddenly stops working

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

rdan Well-Known Member

rdan Well-Known Member

.