1. Scenario

An ssh connection to a server fails even though the server's IP answers ping. The error message is:

  # ssh hw
  ssh_exchange_identification: read: Connection reset by peer

ping is a network-layer protocol, so a reply only shows that the network is reachable at layer 3. ssh is an application-layer protocol, so the cause has to be found on the host itself.

2. Troubleshooting

2.1 ssh -v

Connecting to the problem server with ssh -v prints fairly detailed debug output on the screen, which helps pin down which step fails.
The main question is whether the client or the server is at fault. If the client is the problem, the log should say so; if the log contains nothing useful, the server is probably the problem.

  # ssh -v root@121.46.115.249
  OpenSSH_7.6p1, LibreSSL 2.6.2
  debug1: Reading configuration data /Users/bgl/.ssh/config
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: /etc/ssh/ssh_config line 48: Applying options for *
  debug1: Connecting to 121.46.115.249 port 22.
  debug1: Connection established.
  debug1: identity file /Users/bgl/.ssh/id_rsa type 0
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_rsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_dsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_dsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_ecdsa type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_ecdsa-cert type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_ed25519 type -1
  debug1: key_load_public: No such file or directory
  debug1: identity file /Users/bgl/.ssh/id_ed25519-cert type -1
  debug1: Local version string SSH-2.0-OpenSSH_7.6
  ssh_exchange_identification: Connection closed by remote host

The TCP connection is established and the client sends its version string, but the server closes the connection before the identification exchange completes, so the server is the problem. Although ssh into the server is not possible, the hosting provider usually offers some other way to reach it, such as a physical or web console. The details depend on the environment; the point is to get a shell on the server.

2.2 Server-side troubleshooting

On the server, first stop the sshd service, then start sshd by hand in the foreground with debug logging enabled:

  # service sshd stop
  # /usr/sbin/sshd -D -ddd

The server prints the following debug output when the client tries to connect:

  # /usr/sbin/sshd -D -ddd
  ....snip....
  debug1: Bind to port 22 on ::.
  Server listening on :: port 22.
  debug3: fd 5 is not O_NONBLOCK
  debug1: Server will not fork when running in debugging mode.
  debug3: send_rexec_state: entering fd = 8 config len 583
  debug3: ssh_msg_send: type 0
  debug3: send_rexec_state: done
  debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
  debug1: inetd sockets after dupping: 3, 3
  debug1: Connection refused by tcp wrapper

The line "Connection refused by tcp wrapper" means the client IP has most likely been blocked on the server: fail2ban or some other program has probably written the client IP into /etc/hosts.deny.

For this situation, open /etc/hosts.allow and add the line sshd: ALL, as shown below:

  sshd: ALL

[screenshot in the original post: /etc/hosts.allow with the line sshd: ALL added]

Then restart the ssh service:

  service sshd restart

If the problem really was a banned IP, the connection should work after the restart.
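As an added example (not code from the original post), the following is a simplified model of how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny for sshd, run against constructed file contents and a constructed client address 203.0.113.10. It shows why the fix works (hosts.allow is consulted first and a match grants access) and also that a blanket sshd: ALL cancels every sshd ban that fail2ban writes to hosts.deny, whereas an allow entry for only the admin's own network keeps those bans effective.

```python
import ipaddress

def _client_matches(pattern, ip):
    """Simplified hosts_access(5) client patterns: ALL, exact address, 'n.n.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # leading-octet form, e.g. "192.168."
        return str(ip).startswith(pattern)
    if "/" in pattern:                             # net/mask form, e.g. "10.0.0.0/255.0.0.0"
        net, mask = pattern.split("/", 1)
        try:
            return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return str(ip) == pattern

def _rule_matches(line, daemon, ip):
    """One 'daemon_list : client_list [: ...]' line; EXCEPT and line
    continuations are not handled in this simplified version."""
    line = line.split("#", 1)[0].strip()
    fields = [f.strip() for f in line.split(":")]
    if len(fields) < 2:
        return False
    daemons = [d.strip() for d in fields[0].split(",")]
    clients = [c.strip() for c in fields[1].split(",")]
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return any(_client_matches(c, ip) for c in clients)

def tcp_wrapper_decision(allow_text, deny_text, daemon, client):
    """Evaluate the way libwrap does: hosts.allow is searched first and a
    match grants access, then hosts.deny; no match anywhere means allow."""
    ip = ipaddress.ip_address(client)
    if any(_rule_matches(l, daemon, ip) for l in allow_text.splitlines()):
        return "allow"
    if any(_rule_matches(l, daemon, ip) for l in deny_text.splitlines()):
        return "deny"
    return "allow"

# Constructed sample (not from the post): a fail2ban-style ban of the admin's own client.
DENY = "ALL: 203.0.113.10\n"        # constructed hosts.deny content
CLIENT = "203.0.113.10"             # constructed client IP

def demo():
    """Decision before the fix, with the post's 'sshd: ALL', and with a narrower allow entry."""
    before = tcp_wrapper_decision("", DENY, "sshd", CLIENT)
    broad = tcp_wrapper_decision("sshd: ALL\n", DENY, "sshd", CLIENT)
    narrow = tcp_wrapper_decision("sshd: 203.0.113.\n", DENY, "sshd", CLIENT)
    return before, broad, narrow
```

With the broad rule any client, including ones fail2ban has banned, reaches sshd; the narrow rule only restores access for the admin's network.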

2.3 About the options

The problem is solved at this point, but what does /usr/sbin/sshd -D -ddd actually mean?
man sshd describes the two options:

  -D  When this option is specified, sshd will not detach and does not become a daemon. This allows easy monitoring of sshd.
  -d  Debug mode. The server sends verbose debug output to standard error, and does not put itself in the background. The server also will not fork and will only process one connection. This option is only intended for debugging for the server. Multiple -d options increase the debugging level. Maximum is 3.

-d is debug mode: the server prints verbose debug output to standard error, and repeating it (-ddd) raises the debug level, with three being the maximum.
