Hi,
I found that the source IP in your tcpdump is 140.211.166.200,
which is not the configured whitelisted IP "140.211.166.217"
to access our server's SSH port. Therefore, the traffic is blocked
from the firewall.
I don't know whether the outgoing IP from the syncing server
would be different based on different circumstances.
If that is true, adding other IP addresses may solve this issue.
Best regards,
陳少甫 / Shao-Fu Chen (shfchen)
助教 / Teach Assistant
國立陽明交通大學 資訊工程學系資訊中心 (NYCU CS IT Center)
Information Technology Center,
Department of Computer Science,
National Yang Ming Chiao Tung University

Hi,

I'm also not sure why it would fail, but it definitely does seem like something is filtering the traffic at a packet inspection level.

I've run some traffic dumps while attempting connections in various ways. Running "ssh" with the wrong username results in a "permission denied" error, as would be expected, and a small amount of traffic. Using a non-protocol-aware tool such as telnet or "nc" results in:

16:49:22.206649 enP2p1s0f0 Out IP 140.211.166.200.43766 > 140.113.17.5.22: Flags [S], seq 475671543, win 64240, options [mss 1460,sackOK,TS val 4134193521 ecr 0,nop,wscale 7], length 0
        0x0000:  4510 003c 3500 4000 4006 349a 8cd3 a6c8  E..<5.@.@.4.....
        0x0010:  8c71 1105 aaf6 0016 1c5a 2bf7 0000 0000  .q.......Z+.....
        0x0020:  a002 faf0 d140 0000 0204 05b4 0402 080a  .....@..........
        0x0030:  f66a c971 0000 0000 0103 0307            .j.q........
16:49:22.366820 enP2p1s0f0 P IP 140.113.17.5 > 140.211.166.200: ICMP host 140.113.17.5 unreachable - admin prohibited, length 68
        0x0000:  45c0 0058 3afa 0000 3001 7dd9 8c71 1105  E..X:...0.}..q..
        0x0010:  8cd3 a6c8 030a ce36 0000 0000 4500 003c  .......6....E..<
        0x0020:  3500 4000 3106 43aa 8cd3 a6c8 8c71 1105  5.@.1.C......q..
        0x0030:  aaf6 0016 1c5a 2bf7 0000 0000 a002 faf0  .....Z+.........
        0x0040:  c8c2 0000 0204 05b4 0402 080a f66a c971  .............j.q
        0x0050:  0000 0000 0103 0307                      ........

Regards,
Adam

On Tue, 2023-10-03 at 18:07 +0800, Shao-Fu Chen wrote:
> Hello,
>
> I can find two successful login attempts on our server:
>
> [shfchen@linux ~]$ sudo cat /var/log/secure | grep 140.211.166.217
> Oct 3 00:17:04 linux sshd[10238]: Accepted publickey for debi_adm from 140.211.166.217 port 56915 ssh2: RSA SHA256:VzG9tNbWoaaqqsjrW9e6NzlhgIcwz8ZlVkc76fR1q2Y
> Oct 3 02:15:44 linux sshd[10241]: Received disconnect from 140.211.166.217 port 56915:11: disconnected by user
> Oct 3 02:15:44 linux sshd[10241]: Disconnected from 140.211.166.217 port 56915
> Oct 3 16:29:54 linux sshd[22419]: Accepted publickey for debi_adm from 140.211.166.217 port 42715 ssh2: RSA SHA256:VzG9tNbWoaaqqsjrW9e6NzlhgIcwz8ZlVkc76fR1q2Y
>
> P.S. The log timestamp is UTC+8.
>
> I have no idea why the push attempt would fail.
>
> Best regards,
> 陳少甫 / Shao-Fu Chen (shfchen)
> 助教 / Teach Assistant
> 國立陽明交通大學 資訊工程學系資訊中心 (NYCU CS IT Center)
> Information Technology Center,
> Department of Computer Science,
> National Yang Ming Chiao Tung University
>
> Adam D. Barratt wrote on 2023/10/3 16:47:
> > On Tue, 2023-10-03 at 07:02 +0100, Adam D. Barratt wrote:
> > > On Mon, 2023-10-02 at 21:24 +0800, Shao-Fu Chen wrote:
> > > > Hello,
> > > >
> > > > We have already updated the firewall configuration to accept the two IP addresses and sent a response mail back then. However, it is sorry that we didn't notice the response mail had been bounced back due to the wrong configurations on our mail service.
> > > >
> > > > I can confirm that 140.211.166.217 can successfully trigger pushes before September 22nd. If everything is OK, please re-enable pushes.
> > >
> > > Thanks for confirming. I've re-enabled pushes.
> >
> > The first automated push attempt failed:
> >
> > ===
> > bash: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8)
> > /bin/sh: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8)
> > bash: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8)
> > Timeout, server debian.cs.nctu.edu.tw not responding.
> > ===
> >
> > Manual attempts to connect to the server also fail currently, but worked yesterday evening:
> >
> > adsb@mirror-osuosl:~$ nc -v debian.cs.nctu.edu.tw 22
> > nc: connect to debian.cs.nctu.edu.tw (140.113.17.5) port 22 (tcp) failed: No route to host
> >
> > An MTR from the same host looks fine. Is it being filtered on your side somewhere?
> >
> > Regards,
> > Adam

Attachment:
OpenPGP_0xD7113DB145945352.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
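
The diagnosis in the top message (the probe left from an address other than the allowlisted one, and the server side answered with an ICMP "admin prohibited" error) can be read straight out of the ICMP reply's hex dump quoted in the thread. The Python below is an added example, not part of the original e-mails; `parse_ipv4`, `diagnose`, `ALLOWED_SOURCES` and `FILTER_CODES` are names assumed for illustration, while the packet bytes and the allowlisted address are copied from the thread.

```python
import ipaddress
import struct

# ICMP reply bytes copied from the tcpdump hex dump quoted in the thread.
ICMP_REPLY_HEX = """
45c0 0058 3afa 0000 3001 7dd9 8c71 1105 8cd3 a6c8 030a ce36 0000 0000 4500 003c
3500 4000 3106 43aa 8cd3 a6c8 8c71 1105 aaf6 0016 1c5a 2bf7 0000 0000 a002 faf0
c8c2 0000 0204 05b4 0402 080a f66a c971 0000 0000 0103 0307
"""
# Allowlisted source address as stated in the thread (the set name is an assumption).
ALLOWED_SOURCES = {"140.211.166.217"}
# ICMP type 3 codes that mean a filter rejected the packet (RFC 1122, RFC 1812).
FILTER_CODES = {9: "network administratively prohibited",
                10: "host administratively prohibited",
                13: "communication administratively prohibited"}

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[0:]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    src, dst = (str(ipaddress.IPv4Address(buf[i:i + 4])) for i in (12, 16))
    return ihl, buf[9], src, dst

def diagnose(hex_dump, allowed):
    """Decode an ICMP error and report who rejected which probe, and why."""
    pkt = bytes.fromhex("".join(hex_dump.split()))
    ihl, proto, rejector, _ = parse_ipv4(pkt)
    if proto != 1 or len(pkt) < ihl + 8:
        raise ValueError("not an ICMP packet")
    icmp_type, code = pkt[ihl], pkt[ihl + 1]
    # An ICMP error carries the offending packet's IP header + first 8 bytes.
    inner = pkt[ihl + 8:]
    in_ihl, in_proto, src, dst = parse_ipv4(inner)
    dport = None
    if in_proto == 6 and len(inner) >= in_ihl + 4:  # TCP: ports come first
        _, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    return {"rejected_by": rejector,
            "filtered": icmp_type == 3 and code in FILTER_CODES,
            "reason": FILTER_CODES.get(code) if icmp_type == 3 else None,
            "probe_src": src, "probe_dst": dst, "probe_dport": dport,
            "src_allowlisted": src in allowed}

if __name__ == "__main__":
    for key, value in diagnose(ICMP_REPLY_HEX, ALLOWED_SOURCES).items():
        print(f"{key}: {value}")
```
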