SSH into a namespace, connection refused

4

I have an Ubuntu Server with two network interfaces and a namespace named "bluewire" (named after the color of the Ethernet cable connected to it).

Diagram

The bluewire namespace has the enp4s0 interface added to it and is isolated from the WAN (which is desired). I can SSH with PuTTY from my desktop into the server itself via 192.168.1.1:22, but PuTTY throws a "Connection Refused" error when I try to connect through 192.168.1.2:22. I suspect the namespace is not listening to any ports at all.

The Delimma: How do I enable listening within the namespace so I can SSH in through the blue wire? Or if it's something other than a listening issue, what do I need to do to get SSH working through the blue wire?

Additional info:

  • The UFW is open both on the server side and ip netns exec bluewire side to OpenSSH.
  • The iptables rules for the bluewire namespace are wide open (everything set to ACCEPT).
  • The server is pingable from the .2 address, it's just refusing the connection. After running an ip netns exec bluewire tcpdump -n dst port 22, I can assume the server knows it's receiving a request from the desktop.
  • Running netns -an reveals the server itself is listening to port 22, but ip netns exec bluewire netstat -an turns up an empty table. That's where I suspect the problem is.
  • In case you're wondering why I have such a setup: The red wire connects the sever to the internet while the blue wire is blocked off from the internet. The reason being if I suspect my server is under attack (such as my private keys getting swiped), then I can disconnect or ifdown the red wire interface and restrict server access to the local network so I can SSH in only through the desktop to change the locks.

EDIT

Per Blerg's comment below, a screenshot of netstat -plunt enter image description here

  • Both interfaces are pingable through the Windows cmd on my Desktop.
  • As far as I know the router isn't blocking any ports on the internal network; it just blocks all access from the outside world with the exception of 1194, which I use for OpenVPN. I can connect through the .1 interface without any problems using the desktop PuTTY so I doubt the router is the culprit... maybe.

  • My /etc/ssh/sshd_config file 

    [07:28]<~ @ > $ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.1.1
ListenAddress 192.168.1.2
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO 
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no    
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*    
Subsystem sftp /usr/lib/openssh/sftp-server    
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
[07:29]<~ @ > $

MrZander

Posted 2017-07-09T21:37:24.493

Reputation: 95

Well you obviously need sshd running inside the namespace...? – Daniel B – 2017-07-09T21:53:30.940

I've tried ip netns exec bluewire service sshd start, but to no avail either. Is there something else I need to do to get sshd running within the namespace? – MrZander – 2017-07-09T21:59:03.800

Because you only have a network namespace, this will just see sshd as already running, as per /var/run or whatever. You must start it manually, without your service manager. – Daniel B – 2017-07-10T05:38:24.737

I think I understand what you mean. But I don't fully understand what I need to do to get it working within the namespace. Would you mind explaining what I need to do or direct me to some literature that would explain it? – MrZander – 2017-07-10T14:36:23.637

Answers

3

For those interested, I found the solution from here: https://blog.bofh.it/debian/id_446.

The trick is to start a separate sshd server in each namespace:

ip netns exec mynamesapce /usr/sbin/sshd -o PidFile=/run/sshd-mynamespace.pid

Of course firewall must allow tcp/ssh

 

simon

Posted 2017-07-09T21:37:24.493

Reputation: 31

1

From what I can tell from your post, you probably only have your SSH daemon listening on one interface. In your /etc/ssh/sshd_config file, make sure you have ListenAddress listed as this: #ListenAddress. If it is enabled, the OpenSSH server will only listen for incoming connections on the specified address(es). If you want to use ListenAddress for multiple IPs, then you will need to have them on separate lines, like this:

ListenAddress 192.168.1.1
ListenAddress 192.168.1.2

Blerg

Posted 2017-07-09T21:37:24.493

Reputation: 1 094

I peeked in the sshd_config file and ListenAddress was already commented out. I tried adding those two lines and restarting the service but I'm still getting a connection refusal. – MrZander – 2017-07-09T22:43:38.703

What did you use to open port 22 on your server? – Blerg – 2017-07-09T22:57:57.320

I'm pretty sure OpenSSH is doing something under the hood to open port 22 during the startup process. I, personally, have done nothing to open a port manually; I'm not sure how to do it manually if there is a way to do so, or what command I would start with. – MrZander – 2017-07-09T23:11:48.110

Run this and try accessing the server again: sudo ufw allow ssh The installer doesn't always open ports for you since you could have one of many firewalls. If you installed OpenSSH when you installed Ubuntu, it probably only opened the firewall on what it thought would be the main interface/IP address. More information about the UFW can be found here.

– Blerg – 2017-07-09T23:37:48.297

I ran that command both on its own and with the full netns command. Both times it responded with "Skipping adding existing rule". I guess the rule for OpenSSH already covers that. – MrZander – 2017-07-10T00:01:10.540

Odd. What does netstat -plunt return, and what happens when you ping both addresses? Now that I think of it, are you allowing traffic to flow to/from the ports on the router as well? – Blerg – 2017-07-10T00:30:24.057

I edited the bottom of my question to respond to your comment. – MrZander – 2017-07-10T01:13:30.643

Looking at your netstat results, the 5th entry shows that it is listening on 192.168.1.1:22, but not on anything else, so there seems to be something wrong in the /etc/ssh/sshd_config file, or the SSH daemon isn't restarting properly. Could you please post your sshd_config file. Might have to look at the logs next. To restart the SSH daemon, use sudo service ssh restart – Blerg – 2017-07-10T02:05:26.567

Because 192.168.1.2 exists in a different namespace you cannot listen on it from outside that namespace. – Daniel B – 2017-07-10T05:40:08.517

Asked: 2017-07-09T21:37:24.493

Viewed: 2 940 times

Active: 2017-12-02T18:22:42.307