Lew Wolfgang wrote:
Seeing the ssh banner means the TCP connection was established, so the firewall and port-forwarding all seem to be working.
Try ssh -v to see the debug output. -vv and -vvv give increasingly detailed debug data. Be sure to sanitize the output before posting here.
jknott@E520:~> ssh -4 aaaa.bbbb.ccc -p 21 -v
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to aaaa.bbbb.ccc [xxx.xxx.xxx.xxx] port 21.
debug1: Connection established.
debug1: identity file /home/jknott/.ssh/id_rsa type 1
debug1: identity file /home/jknott/.ssh/id_rsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_dsa type -1
debug1: identity file /home/jknott/.ssh/id_dsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
Connection closed by xxx.xxx.xxx.xxx

jknott@E520:~> ssh -4 aaaa.bbbb.ccc -p 21 -vv
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to aaaa.bbbb.ccc [xxx.xxx.xxx.xxx] port 21.
debug1: Connection established.
debug1: identity file /home/jknott/.ssh/id_rsa type 1
debug1: identity file /home/jknott/.ssh/id_rsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_dsa type -1
debug1: identity file /home/jknott/.ssh/id_dsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Connection closed by xxx.xxx.xxx.xxx

jknott@E520:~> ssh -4 aaaa.bbbb.ccc -p 21 -vvv
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to aaaa.bbbb.ccc [xxx.xxx.xxx.xxx] port 21.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/jknott/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/jknott/.ssh/id_rsa type 1
debug1: identity file /home/jknott/.ssh/id_rsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_dsa type -1
debug1: identity file /home/jknott/.ssh/id_dsa-cert type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa type -1
debug1: identity file /home/jknott/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [aaaa.bbbb.ccc]:21
debug3: load_hostkeys: loading entries for host "[aaaa.bbbb.ccc]:21" from file "/home/jknott/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
Connection closed by xxx.xxx.xxx.xxx

This sort of thing makes me glad I'm running IPv6 on my network, as when I'm away and have IPv6 access, I can go directly to that computer without having to worry about getting past NAT. Unfortunately, it's not always possible to use IPv6.
With an Internet-facing server, you are running the host-based firewall, right? And with ssh exposed, are you running something like BlockHosts or sshguard?
I have a firewall for my network. I also use authorized keys instead of passwords. BTW, one nice thing about IPv6 is the incredibly huge number of addresses, which makes it very difficult to even find a computer. My own subnet has 2^72 addresses or about a trillion times the entire IPv4 address space. Also, my computers are configured to use a random 64-bit number to create an IPv6 address for outgoing connections. That random number changes every few hours.
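
Added example, not part of the original thread or written by either poster: a small Python helper that reads an `ssh -v` trace and reports the last handshake milestone reached, applying the reasoning above that a received banner means the TCP path (firewall, port forwarding) is working. The stage names, `diagnose` and `SAMPLE` are made up for this example; the last three marker strings are assumed from OpenSSH client debug output and do not appear in the trace on this page.

```python
import re

# Client-side milestones in the order an OpenSSH debug1 trace prints them.
# The first three markers appear in the trace above; the last three are
# assumed from OpenSSH client output and are not shown on this page.
MILESTONES = [
    ("tcp_connected", "debug1: Connection established."),
    ("banner_received", "debug1: Remote protocol version"),
    ("kexinit_sent", "debug1: SSH2_MSG_KEXINIT sent"),
    ("kexinit_received", "debug1: SSH2_MSG_KEXINIT received"),
    ("newkeys_received", "debug1: SSH2_MSG_NEWKEYS received"),
    ("authenticated", "debug1: Authentication succeeded"),
]
CLOSED = re.compile(r"^Connection closed by \S+", re.M)


def diagnose(trace: str) -> dict:
    """Return the last milestone reached and how the session ended."""
    reached = None
    for name, marker in MILESTONES:
        if marker not in trace:
            break  # milestones are sequential, so stop at the first gap
        reached = name
    return {
        "last_stage": reached,
        "peer_closed": bool(CLOSED.search(trace)),
        # Banner seen: the TCP path delivered the client to an SSH server.
        "network_path_ok": reached not in (None, "tcp_connected"),
        # User authentication only starts after key exchange completes.
        "reached_auth_phase": reached in ("newkeys_received", "authenticated"),
    }


# Constructed sample: the debug1 lines of the first run above, with the
# poster's own placeholders for host name and address.
SAMPLE = """\
debug1: Connecting to aaaa.bbbb.ccc [xxx.xxx.xxx.xxx] port 21.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
Connection closed by xxx.xxx.xxx.xxx
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the trace posted here it reports `kexinit_sent` with the peer closing the connection, so the session ended during key exchange and never reached the authentication phase.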