
On a 9.2 system, once ipfw is enabled ssh can no longer connect

Forum: FreeBSD China -> Beginners' Guide
鱼儿游
Posted: Fri 2013-11-22 19:16:11    Subject: On a 9.2 system, once ipfw is enabled ssh can no longer connect

I recently reinstalled the system on a machine at work. It was on 7 before and is now upgraded to 9.2, and a very strange problem has appeared: as long as ipfw is turned off, ssh can log in; as soon as ipfw is turned on, ssh disconnects immediately and the server side reports

Quote:
fatal: Write failed: Permission denied
or
fatal: Write failed: Permission denied (preauth)

Turn ipfw off and I can log in right away.

It should not be a rule problem; I carried over the original rules, which worked fine on the 7 system.


Here are my rules:

Quote:

#!/bin/sh
# Flush the existing ruleset quietly before loading this one
/sbin/ipfw -q -f flush

##########TCP##########00001~00009
# Drop packets carrying IP options (record route, timestamp, strict/loose source route)
ipfw add 00001 deny log ip from any to any ipoptions rr
ipfw add 00002 deny log ip from any to any ipoptions ts
ipfw add 00003 deny log ip from any to any ipoptions ssrr
ipfw add 00004 deny log ip from any to any ipoptions lsrr
# Drop inbound TCP segments with SYN and FIN set together
ipfw add 00005 deny log tcp from any to any in tcpflags syn,fin

# Do not restrict loopback
ipfw add 00010 allow all from any to any via lo0

# Let a packet through if it matches a dynamic rule created earlier by keep-state
ipfw add 00015 check-state

# Allow access to DNS name servers; the addresses can be taken from /etc/resolv.conf
# In this example 163.19.163.1
ipfw add 00110 allow tcp from any to any 53 out via bce0 setup keep-state
ipfw add 00111 allow udp from any to any 53 out via bce0 keep-state

# Allow root to use FreeBSD-related functions (make install & CVSUP)
ipfw add 00240 allow tcp from me to any out via bce0 setup keep-state uid root

# Allow outbound icmp
ipfw add 00250 allow icmp from any to any out via bce0 keep-state

# Allow SSH (secure shell) related functions
ipfw add 00280 allow tcp from any to any 22 out via bce0 setup keep-state
ipfw add 00281 allow tcp from any to any 22 in via bce0 setup keep-state

# Refuse inbound connections from IP addresses that should not appear on the internet
#ipfw add 00300 deny all from 192.168.0.0/16 to any in via bce0 #RFC 1918 private IP; this one locked ssh out
ipfw add 00301 deny all from 172.16.0.0/12 to any in via bce0 #RFC 1918 private IP
ipfw add 00302 deny all from 10.0.0.0/8 to any in via bce0 #RFC 1918 private IP
ipfw add 00303 deny all from 127.0.0.0/8 to any in via bce0 #loopback
ipfw add 00304 deny all from 0.0.0.0/8 to any in via bce0 #"this network"
ipfw add 00305 deny all from 169.254.0.0/16 to any in via bce0 #DHCP auto-config
ipfw add 00306 deny all from 192.0.2.0/24 to any in via bce0 #reserved for docs
ipfw add 00307 deny all from 204.152.64.0/23 to any in via bce0 #Sun cluster interconnect
ipfw add 00308 deny all from 224.0.0.0/3 to any in via bce0 #Class D & E multicast

# Refuse external icmp ping except from certain ranges (in this example 163.19.163.0/24)
ipfw add 00309 allow icmp from 192.168.0.0/24 to any in via bce0
ipfw add 00310 allow icmp from x.x.x.x/24 to any in via bce0
ipfw add 00320 allow icmp from any to any in via bce0

# Refuse any late-arriving fragments (late arriving packets)
ipfw add 00330 deny all from any to any frag in via bce0

# Allow ftp service; 20 is the session limit, set it as you see fit
#ipfw add 00400 allow tcp from any to me 21 in via bce0 #setup limit src-addr 20

# Allow SSH related service (remove if not needed), 00410~00450
ipfw add 00410 allow all from any to me 22 in via bce0 #setup limit src-addr 20

# Allow telnet connections; telnet is sent in cleartext, so not using it is recommended
#ipfw add 00470 allow tcp from any to me 23 in via bce0 setup limit src-addr 20

# Allow standard www functions (if an apache server is running) 00480~00510
ipfw add 00480 allow tcp from any to me 80 in via bce0 #setup limit src-addr 2000 #web
ipfw add 00481 allow tcp from any to x.x.x.x 3000 in via bce0 #setup limit src-addr 1000 #ntop
ipfw add 00482 allow tcp from any to 192.168.0.59 80 in via bce0 #setup limit src-addr 2000
ipfw add 00483 allow tcp from me to any 80 out via bce0 #setup #limit src-addr 2000
ipfw add 00484 allow tcp from me to any 3000 out via bce0 #setup limit src-addr 1000 #ntop
# Deny ident
#ipfw add 00515 deny log tcp from any to any 113 in

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
ipfw add 00520 deny log tcp from any to any 137 in
ipfw add 00521 deny log tcp from any to any 138 in
ipfw add 00522 deny log tcp from any to any 139 in
ipfw add 00523 deny log tcp from any to any 81 in

# Allow Sftp related service (for WinSCP; remove if not needed), 00600~00649
ipfw add 00600 allow all from any to me 115 in via bce0 #setup limit src-addr 20

# Allow netconf-ssh related service (for ssh; remove if not needed), 00650~00699
#ipfw add 00650 allow all from any to me 830 in via bce0 #setup limit src-addr 20

# update time (NTP with 210.72.145.44)
ipfw add 00950 allow tcp from 210.72.145.44 to me 123 in via bce0
ipfw add 00951 allow tcp from me to 210.72.145.44 123 out via bce0
ipfw add 00952 allow udp from 210.72.145.44 to me 123 in via bce0
ipfw add 00953 allow udp from me to 210.72.145.44 123 out via bce0

# blacklist 10000~20000
ipfw add 10010 deny log all from 74.207.251.0/24 to me in
ipfw add 10011 deny log all from 74.207.251.39 to me in

##########ICMP##########
# destination-unreachable and source-quench both ways, echo request out,
# echo reply and time-exceeded in
ipfw add 30000 allow icmp from any to any icmptypes 3
ipfw add 30001 allow icmp from any to any icmptypes 4
ipfw add 30002 allow icmp from any to any icmptypes 8 out
ipfw add 30003 allow icmp from any to any icmptypes 0 in
ipfw add 30004 allow icmp from any to any icmptypes 11 in
#

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
ipfw add 65530 deny log all from any to any
Last edited by 鱼儿游 on Fri 2013-11-22 22:41:41, edited 2 times in total
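The sshd message quoted in the post above is the clue to chase. On FreeBSD, a process whose outgoing packet is dropped by an ipfw deny rule gets EACCES back from the socket write, and sshd reports exactly that as "Write failed: Permission denied". So the rule to look for is the one matching the outbound half of the SSH session (source 192.168.0.59:22, out via bce0), not the inbound half, and the quickest way to find it is the kernel's ipfw log, since the posted rule 65530 already carries "log". The script below is an added example; it is not from the original post or from FreeBSD's tooling. The log lines in SAMPLE_LOG, the hostname bsd92 and the client addresses are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): find which ipfw rule is
# dropping the *outbound* side of an SSH session by reading ipfw's kernel log.
# The log lines below are constructed for this example. On the server, feed the
# function /var/log/security instead; ipfw only writes these lines when
# net.inet.ip.fw.verbose=1 and the matching rule has the "log" keyword.

SAMPLE_LOG='Nov 22 19:16:10 bsd92 kernel: ipfw: 65530 Deny TCP 192.168.0.59:22 192.168.0.100:52344 out via bce0
Nov 22 19:16:10 bsd92 kernel: ipfw: 65530 Deny TCP 192.168.0.59:22 192.168.0.100:52344 out via bce0
Nov 22 19:16:12 bsd92 kernel: ipfw: 302 Deny TCP 10.1.2.3:40022 192.168.0.59:22 in via bce0
Nov 22 19:16:13 bsd92 kernel: ipfw: 523 Deny TCP 203.0.113.7:4411 192.168.0.59:81 in via bce0
Nov 22 19:16:15 bsd92 kernel: ipfw: 65530 Deny UDP 192.168.0.59:858 198.51.100.9:111 out via bce0
Nov 22 19:16:20 bsd92 kernel: ipfw: 65530 Deny TCP 192.168.0.59:22 203.0.113.7:55120 out via bce0'

# denied_out_from_port LOGTEXT PORT
# Prints one "RULE IFACE PEER" line per distinct rule/interface/peer that denied
# a TCP packet leaving this host from local port PORT.
# ipfw log format: "ipfw: RULE ACTION PROTO SRC:SPORT DST:DPORT DIR via IFACE"
# (IPv4 only: ipfw writes IPv6 addresses in brackets, which this split does not handle)
denied_out_from_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF) next                      # not an ipfw log line
            rule = $(i+1); action = $(i+2); proto = $(i+3)
            split($(i+4), src, ":"); split($(i+5), dst, ":")
            dir = $(i+6); iface = $(i+8)
            if (action != "Deny" || proto != "TCP" || dir != "out" || src[2] != port) next
            key = rule " " iface " " dst[1]
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# The same check against a live FreeBSD host (defined only; not run here).
live_checks() {
    sysctl net.inet.ip.fw.verbose=1       # make "log" rules actually log
    ipfw -d list                          # did the keep-state match create a dynamic entry?
    ipfw show 65530                       # packet counter on the default deny
    denied_out_from_port "$(cat /var/log/security)" 22
}

echo "Rules dropping outbound SSH packets (rule iface peer):"
denied_out_from_port "$SAMPLE_LOG" 22
```

Run on the constructed sample this prints "65530 bce0 192.168.0.100" and "65530 bce0 203.0.113.7": the replies from port 22 fell through to the default deny, while the inbound denies (rules 302 and 523) and the UDP drop are ignored. On the real host, an empty result together with a growing counter on `ipfw show 65530` would mean the drops are coming from a rule without `log`; `ipfw -d list` shows whether the inbound `keep-state` on rule 00281 actually produced the dynamic entry that rule 00015 is supposed to match for the replies.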
鱼儿游
Posted: Fri 2013-11-22 19:17:02

I searched a lot online and found nothing matching my situation; I am completely at a loss now.

To be clear, it is not "permission denied (publickey)".
I also modified sshd_config; no matter how I change it, the message is always this:

Quote:
sshd[xxx]: fatal: Write failed: Permission denied

I just tried it: I can log in to the local machine directly with ssh from the server itself.

netstat -an on the server shows port 22 listening, and the server 192.168.0.59 is connected to ssh:

Quote:
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.0.59.22        192.168.0.59.16428     ESTABLISHED
tcp4       0      0  192.168.0.59.16428     192.168.0.59.22        ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp6       0      0  *.111                  *.*                    LISTEN
udp6       0      0  *.*                    *.*
udp4       0      0  *.858                  *.*
udp4       0      0  *.111                  *.*
udp6       0      0  *.790                  *.*
udp6       0      0  *.111                  *.*
udp4       0      0  *.514                  *.*
udp6       0      0  *.514                  *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c5e37158 stream      0      0 c5f26e6c        0        0        0 /var/run/rpcbind.sock
c5e3735c stream      0      0 c5e34354        0        0        0 /var/run/devd.pipe
c5e33ac0 dgram       0      0        0 c5f1d4b4        0 c5e30c18
c5e30c18 dgram       0      0        0 c5f1d4b4        0        0
c5f1d4b4 dgram       0      0 c5e2e238        0 c5e33ac0        0 /var/run/logpriv
c5f1d560 dgram       0      0 c5e2e354        0        0        0 /var/run/log
alphachi
Posted: Sat 2013-11-23 19:26:26

What does ssh -v show on the client side?
_________________
Paranoid in Sabbath ...
鱼儿游
Posted: Sun 2013-11-24 17:04:58

The client is Windows, connecting with PuTTY. Where would I type ssh -v?
baigame
Posted: Sat 2013-11-30 21:38:32

If it works as soon as the firewall is stopped, it is obviously not an ssh problem.