ISPConfig Autoinstall on Debian 11 - problem with monit?

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Mar 7, 2023.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Just did a fresh install of Debian 11 on software raid 1. Me coming from the CentOS world, it was very difficult. CentOS install on software raid is super easy. Anyway it is done with manually creating the raid for uefi partition after the installation then installing efi in the raided partition.
    Then did the ISPConfig autoinstall and all went well.
    I could not login into the server through ssh. Can get into ispconfig but not ssh.
    Found the problem was monit was stopping the ssh. Also noticed nginx was restarting after a few minutes.
    Anyway all that stopped when monit was stopped. I am guessing the monit config is not updated for systemd.
    For the record, here is the command used with autoinstall.
    wget -O - https://get.ispconfig.org | sh -s -- --channel=stable --lang=en --use-nginx --use-php=7.4,8.0,8.1 --use-ftp-ports=40110-40210 --no-mailman --monit [email protected] --ssh-permit-root=without-password --ssh-password-authentication=no --ssh-harden --unattended-upgrades=autoclean,reboot
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Monit should work fine, can you share the Monit log?
     
  3. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Here is the log. I can see the problem of the sshd. Some file is missing. Do we still have to use dsa?
    [2023-03-07T22:32:16+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:32:16+0800] error : 'sshd' failed to start -- could not start required services: 'sshd_dsa_key'
    [2023-03-07T22:33:16+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:33:16+0800] info : 'sshd_dsa_key' trying to restart
    [2023-03-07T22:33:16+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:33:16+0800] error : 'sshd' failed to start -- could not start required services: 'sshd_dsa_key'
    [2023-03-07T22:33:16+0800] error : 'nginx' failed protocol test [DEFAULT] at [localhost]:443 [TCP/IP] -- Connection refused
    [2023-03-07T22:33:16+0800] info : 'nginx' trying to restart
    [2023-03-07T22:33:16+0800] info : 'nginx' stop: '/usr/bin/systemctl stop nginx'
    [2023-03-07T22:33:16+0800] info : 'nginx' start: '/usr/bin/systemctl start nginx'
    [2023-03-07T22:34:16+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:34:16+0800] info : 'sshd_dsa_key' trying to restart
    [2023-03-07T22:34:16+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:34:16+0800] error : 'sshd' failed to start -- could not start required services: 'sshd_dsa_key'
    [2023-03-07T22:35:17+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:35:17+0800] info : 'sshd_dsa_key' trying to restart
    [2023-03-07T22:35:17+0800] error : 'sshd_dsa_key' file doesn't exist
    [2023-03-07T22:35:17+0800] error : 'sshd' failed to start -- could not start required services: 'sshd_dsa_key'
    [2023-03-07T22:35:17+0800] error : 'nginx' failed protocol test [DEFAULT] at [localhost]:443 [TCP/IP] -- Connection refused
    [2023-03-07T22:35:17+0800] info : 'nginx' trying to restart
    [2023-03-07T22:35:17+0800] info : 'nginx' stop: '/usr/bin/systemctl stop nginx'
    [2023-03-07T22:35:17+0800] info : 'nginx' start: '/usr/bin/systemctl start nginx'
     
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Any advice on what to do about the sshd_dsa_key? Do we still need it?
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    Is sshd_dsa_key considered insecure now? I'm wondering if the -ssh-harden option removes the dsa encryption...
    You could remove the dsa config from /etc/monit/conf-enabled/sshd...
    I don't know if Debian 11 just doesn't create/use sshd_dsa_key, or if the -ssh-harden option removed it.. but removing the dsa config from the monit sshd configuration file should at least stop monit from killing the service
     
  6. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you for this. I will try it out.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Ah, the hardening does indeed cause that.
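
The failure in the log above (monit refusing to start 'sshd' because a required `check file` entry points at a host key that no longer exists) can be checked for before monit is enabled. The following is an added example, not part of the thread and not ISPConfig's own code: a POSIX shell check that lists `check file` entries whose path is missing and the services that depend on them. The sample stanza is constructed in the style of a monit sshd config, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Print "NAME PATH" for each `check file NAME [with] path PATH` entry whose
# PATH does not exist on disk.
missing_monit_files() {
    awk 'tolower($1) == "check" && tolower($2) == "file" {
             for (i = 5; i <= NF; i++)
                 if (tolower($(i-1)) == "path") { gsub(/"/, "", $i); print $3, $i; break }
         }' "$1" |
    while read -r name path; do
        [ -e "$path" ] || printf '%s %s\n' "$name" "$path"
    done
}

# Print every service in config $1 that has a "depend on $2" line.
blocked_services() {
    awk -v want="$2" '
        tolower($1) == "check" { svc = $3 }
        tolower($1) ~ /^depends?$/ {
            for (i = 3; i <= NF; i++) { n = $i; gsub(/,/, "", n); if (n == want) print svc }
        }' "$1"
}

# Constructed sample (assumption, not the file from the thread): an sshd stanza
# with key paths placed under directory $1 so nothing in /etc is touched.
make_sample() {
    : > "$1/ssh_host_rsa_key"    # RSA host key present, DSA host key absent
    cat > "$1/sshd.monit" <<EOF
check process sshd with pidfile /var/run/sshd.pid
  start program = "/usr/bin/systemctl start ssh"
  stop program = "/usr/bin/systemctl stop ssh"
  depend on sshd_rsa_key
  depend on sshd_dsa_key
check file sshd_rsa_key with path $1/ssh_host_rsa_key
check file sshd_dsa_key with path $1/ssh_host_dsa_key
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp"
missing_monit_files "$tmp/sshd.monit" | while read -r name path; do
    echo "missing: $name ($path) blocks: $(blocked_services "$tmp/sshd.monit" "$name" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

On a real host the argument would be the file named in the thread, /etc/monit/conf-enabled/sshd.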
     
