we have a server and several workstations with fixed IPs. The server is configured to basically deny all ssh requests except for those that are entered in hosts.allow. Here is the configuration.
hosts.deny
sshd: ALL
hosts.allow
sshd: 192.168.28.38, 192.168.28.182, 192.168.28.120 #and so on
However, only some of the entered IPs can log in via SSH (e.g. 192.168.28.182). Other IPs that are also in hosts.allow (e.g. 192.168.28.38) cannot log in and see the error message "kex_exchange_identification: read: Connection reset by peer".
sudo service sshd status
outputs the following:
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-01-18 21:41:00 CET; 26min ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 171575 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 171576 (sshd)
      Tasks: 1 (limit: 9257)
     CGroup: /system.slice/ssh.service
             └─171576 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Jan 18 21:41:00 nas3 systemd[1]: Starting OpenBSD Secure Shell server...
Jan 18 21:41:00 nas3 sshd[171576]: Server listening on 0.0.0.0 port 1636.
Jan 18 21:41:00 nas3 sshd[171576]: Server listening on :: port 1636.
Jan 18 21:41:00 nas3 systemd[1]: Started OpenBSD Secure Shell server.
Jan 18 21:41:02 nas3 sshd[171587]: refused connect from 2003:cf:2732:be00:5dab:2f56:ef10:5536 (2003:cf:2732:be00:5dab:2f56:ef10:5536)
The IPv6 address is the one of the network interface of the affected workstation.
fail2ban.log says this:
2022-01-16 22:30:48,213 fail2ban.filter [2016]: INFO Added logfile: '/var/log/auth.log' (pos = 193935, hash = e5c5bbd4fbfd8258434cad02588f1651f1bb8cb1)
2022-01-16 22:30:48,264 fail2ban.jail [2016]: INFO Jail 'sshd' started
2022-01-17 17:36:58,043 fail2ban.filter [2016]: INFO [sshd] Found 2003:cf:2739:ba00:75f3:6b2a:1f36:c465 - 2022-01-17 17:36:58
2022-01-17 20:53:20,133 fail2ban.filter [2016]: INFO [sshd] Found 2003:cf:2739:ba00:75f3:6b2a:1f36:c465 - 2022-01-17 20:53:20
2022-01-18 18:11:49,169 fail2ban.filter [2016]: INFO [sshd] Found 2003:cf:2732:be00:2879:c81c:c30:4483 - 2022-01-18 18:11:49
2022-01-18 21:12:10,519 fail2ban.filter [2016]: INFO [sshd] Found 192.168.28.33 - 2022-01-18 21:12:10
2022-01-18 21:40:24,794 fail2ban.filter [2016]: INFO [sshd] Found 2003:cf:2732:be00:5dab:2f56:ef10:5536 - 2022-01-18 21:40:24
2022-01-18 21:41:03,159 fail2ban.filter [2016]: INFO [sshd] Found 2003:cf:2732:be00:5dab:2f56:ef10:5536 - 2022-01-18 21:41:02
The error has only existed for a few days. Before that everything worked, so it doesn't seem to be a fundamental problem.
EDIT (new logs):
Verbose ssh output of the failing workstation (using Ethernet):
ssh config@nas3 -p 1636 -v
OpenSSH_8.2p1 Ubuntu-4ubuntu0.4, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to nas3 [2003:cf:2732:be00::161] port 1636.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type 0
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519 type -1
debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/user/.ssh/id_xmss type -1
debug1: identity file /home/user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.4
kex_exchange_identification: read: Connection reset by peer
It seems that all workstations that use Ethernet also automatically use IPv6. These cannot connect. All WiFi connected devices use IPv4 and can connect.
Would the solution be to simply add the IPv6 addresses to hosts.allow? However, I would like to know what could have caused that suddenly only IPv6 is used over Ethernet.
Where can I find more logs or does anyone already know what our error is?
Thanks already for your answers!
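As an added illustration (not part of the question above), here is a simplified Python model of the hosts_access(5) decision that sshd's TCP wrappers support applies: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed. The rule texts are constructed from the files in the question; only IP-address patterns are modelled (ALL, exact address, trailing-dot IPv4 prefix, IPv4 net/mask and the `[net]/prefixlen` form hosts_access(5) uses for IPv6 networks), not hostnames, EXCEPT clauses or shell commands.

```python
import ipaddress
import re

# Constructed rule files mirroring the question's setup (addresses taken from the post).
HOSTS_ALLOW = "sshd: 192.168.28.38, 192.168.28.182, 192.168.28.120 #and so on\n"
HOSTS_DENY = "sshd: ALL\n"


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] for the simple 'daemons: clients' form."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)          # first colon separates daemon list
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c for c in re.split(r"[,\s]+", clients.strip()) if c]))
    return rules


def client_matches(pattern, client):
    """Simplified hosts_access(5) client pattern matching for an IP-address client."""
    addr = ipaddress.ip_address(client)
    if pattern == "ALL":
        return True
    if pattern.startswith("[") and "]/" in pattern:    # [net]/prefixlen: IPv6 network
        net, plen = pattern[1:].split("]/", 1)
        return addr.version == 6 and addr in ipaddress.ip_network(f"{net}/{plen}", strict=False)
    if "/" in pattern:                                 # net/mask: IPv4 network
        net, mask = pattern.split("/", 1)
        return addr.version == 4 and addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                          # leading octets, e.g. 192.168.28.
        return addr.version == 4 and client.startswith(pattern)
    try:
        return addr == ipaddress.ip_address(pattern)   # exact address; v4 never equals v6
    except ValueError:
        return False                                   # hostname patterns are not modelled


def hosts_access(daemon, client, allow_text, deny_text):
    """True if access is granted: allow file first, then deny file, otherwise allowed."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and any(
                    client_matches(p, client) for p in clients):
                return verdict
    return True


if __name__ == "__main__":
    for c in ("192.168.28.182", "2003:cf:2732:be00:5dab:2f56:ef10:5536"):
        print(c, "->", "allowed" if hosts_access("sshd", c, HOSTS_ALLOW, HOSTS_DENY) else "refused")
```

With the question's files, the IPv4 workstation is allowed while the IPv6 address from the refused-connect log line matches nothing in hosts.allow and falls through to `sshd: ALL` in hosts.deny; an entry such as `sshd: [2003:cf:2732:be00::]/64` would cover the whole Ethernet prefix instead of one SLAAC address.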