Symptom
SSH suddenly stopped working for some of our public-network Alibaba Cloud hosts. The host configuration had not changed, and logins had worked before.

    ssh <host_domain> -i /root/.ssh/host_key

fails with:

    ssh_exchange_identification: read: Connection reset by peer

Investigation
- Checked the Alibaba Cloud host's security group: it is configured correctly and allows 0.0.0.0/0. firewalld is not running on the host, and neither /etc/hosts.allow nor /etc/hosts.deny has any entries.
- Ruled out a client-side problem: other internal hosts also cannot SSH to the Alibaba Cloud host, but SSH from another Alibaba Cloud host connects normally.
- Other ports on the Alibaba Cloud host are reachable from the client.
- telnet to port 22 on the Alibaba Cloud host connects, but the connection is closed immediately:

    telnet <host_ip> 22
    Trying <host_ip>...
    Connected to <host_ip>.
    Escape character is '^]'.
    Connection closed by foreign host.

- ssh -v for details:

    ssh <host_domain> -i /root/.ssh/host_key -v
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    debug1: Reading configuration data /root/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 58: Applying options for *
    debug1: Connecting to <host_domain> [<host_ip>] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/host_key type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/host_key-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    ssh_exchange_identification: read: Connection reset by peer

- Packet capture:

    tcpdump host <host_domain> -w /tmp/host.cap

  shows that the connection is reset right after the Alibaba Cloud host receives the SSH request.
- After changing the SSH port to 10000, login works normally. Suspected to be a problem with the company's ACL policy; handed off to company IT. As a company network policy, to prevent data being copied out to external servers, access to port 22 on external servers may be restricted.
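The steps above (telnet to the port, ssh -v, try an alternate port) can be turned into a repeatable check. The script below is an added example written for this note, not code from the original post or from any tool it mentions. It does two things: classifies the stage at which an `ssh -v` session died (TCP connect, banner exchange, or later), using the ssh -v output reproduced above as sample input, and probes a port the way the telnet step did, reporting whether the peer sent an SSH banner, closed quietly, reset, or timed out. The loopback stand-in server, the function names and the port list (22, 10000) are assumptions made here; the placeholders `<host_domain>` / `<host_ip>` are the note's own.

```python
"""Classify where an SSH connection attempt dies: at TCP connect, during the
version-banner exchange, or later (key exchange / authentication).

Added example, not part of the original note. It reproduces the note's
troubleshooting steps as code: a banner probe that reports the failure stage,
and a parser over `ssh -v` output. Helper names and ports are assumptions."""
import socket
import struct
import threading

# `ssh -v` output as captured in the note above (reconstructed from the page;
# <host_domain> / <host_ip> are the note's own placeholders).
SAMPLE_SSH_VERBOSE = """\
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to <host_domain> [<host_ip>] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/host_key type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: read: Connection reset by peer
"""


def classify_ssh_verbose(log: str) -> str:
    """Return the stage at which an `ssh -v` session failed.

    tcp-connect-failed           : TCP never connected (timeout / refused / dropped)
    reset-during-banner-exchange : TCP connected and our banner went out, but the
                                   peer (or something in the path) reset the
                                   connection before sending its own SSH-2.0 banner
    after-banner                 : both banners were seen; the failure is in key
                                   exchange or authentication, not in the network
    unknown                      : none of the above
    """
    lines = log.splitlines()
    if not any(l.startswith("debug1: Connection established") for l in lines):
        return "tcp-connect-failed"
    if any(l.startswith("debug1: Remote protocol version") for l in lines):
        return "after-banner"
    if any("ssh_exchange_identification" in l for l in lines):
        return "reset-during-banner-exchange"
    return "unknown"


def probe_banner(host: str, port: int, timeout: float = 5.0) -> dict:
    """Equivalent of the note's 'telnet host 22': connect, wait for the server
    banner, and report what happened instead of eyeballing the telnet output."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except ConnectionRefusedError:
        return {"stage": "refused"}               # nothing listening / REJECT rule
    except ConnectionResetError:
        return {"stage": "reset-before-banner"}   # the note's case: connect, then RST
    except socket.timeout:
        return {"stage": "timeout"}               # silently dropped (DROP rule / no route)
    if not data:
        return {"stage": "closed-before-banner"}  # orderly FIN without any banner
    if data.startswith(b"SSH-"):
        banner = data.split(b"\n", 1)[0].strip().decode(errors="replace")
        return {"stage": "banner-ok", "banner": banner}
    return {"stage": "unexpected-data", "first_bytes": data[:32]}


def compare_ports(host: str, ports=(22, 10000), timeout: float = 5.0) -> dict:
    """The note's decisive check: if port 22 resets but an alternate sshd port
    answers with a banner, the host itself is reachable and something in the
    path treats port 22 specially (for example an egress ACL)."""
    return {p: probe_banner(host, p, timeout)["stage"] for p in ports}


# --- loopback stand-in so the probe can be exercised without a real host ---
def serve_once(behaviour: str, banner: bytes = b"SSH-2.0-OpenSSH_7.4\r\n") -> int:
    """Listen on 127.0.0.1 (ephemeral port), accept one client and either send
    `banner`, close quietly, or close with SO_LINGER=0 so the kernel sends RST.
    Returns the port. Test helper only; it imitates the three peer behaviours."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(banner)
        elif behaviour == "reset":
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()   # for "close": plain FIN, no banner
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    print("ssh -v sample:", classify_ssh_verbose(SAMPLE_SSH_VERBOSE))
    for mode in ("banner", "close", "reset"):
        print(mode, "->", probe_banner("127.0.0.1", serve_once(mode)))
```

Against a real host you would call `compare_ports("<host_domain>")`: a result like `{22: "reset-before-banner", 10000: "banner-ok"}` is exactly the pattern the note observed, and points at the network path rather than at sshd, the security group or tcp wrappers, all of which would affect both ports the same way.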
Conclusion: to be confirmed