Hi all, I am new to Vserver, but I followed the tutorial here: http://howtoforge.com/linux_vserver_debian_etch

I ran

Code:
newvserver --vsroot /var/lib/vservers/ --hostname mail --domain mydom.com --ip 192.168.0.100/24 --dist etch --mirror http://ftp.au.debian.org/debian/ --interface eth1

and then I entered my new vserver. I installed ssh. But then, when I connect over ssh to 192.168.0.100, I am connected to the host (the one hosting the vservers). I can find all my files from my home folder, and so on... If I scan 192.168.0.100, I see all the open ports of the host.

Any ideas? Thanks
Here is what I get in my vserver:

Code:
root@test1:/# uname -r
2.6.22-3-vserver-k7
root@test1:/#

Code:
root@test1:/# ps -a
  PID TTY          TIME CMD
11050 pts/0    00:00:00 vcontext
11383 pts/3    00:00:00 ps
root@test1:/#

Code:
root@test1:/# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    261782 /dev/log
root@test1:/#

Code:
root@test1:/# ifconfig -a
eth1      Link encap:Ethernet  HWaddr 00:13:8F:2F:66:80
          inet addr:192.168.10.100  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2672522 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3621570 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1106348049 (1.0 GiB)  TX bytes:3610628966 (3.3 GiB)
          Interrupt:17 Base address:0xb800
root@test1:/#

These network stats are the ones of my host!!

And if I search for OpenSSH:

Code:
root@test1:/# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
root@test1:/# ps -aux
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.1  2036  700 ?        Ss   12:35   0:01 init [2]
root     11037  0.0  0.1  1628  616 ?        Ss   12:35   0:00 /sbin/syslogd
root     11425  7.5  0.0   116   36 pts/0    S+   12:48   0:00 login
root     11452  6.0  0.4  4740 2528 pts/3    Ss   12:48   0:00 /bin/bash -logi
root     11465  0.0  0.1  3428 1000 pts/3    R+   12:48   0:00 ps -aux
root@test1:/#

Where is the OpenSSH process?
I hope it would be that. But my host is using another IP address.

On my host:

Code:
romain@mars:~$ sudo ifconfig
[sudo] password for romain:
eth1      Link encap:Ethernet  HWaddr 00:13:8f:2f:66:80
          inet addr:192.168.10.10  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::213:8fff:fe2f:6680/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3015328 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4108881 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1240736548 (1.1 GiB)  TX bytes:4082702572 (3.8 GiB)
          Interrupt:17 Base address:0xb800

On my guest:

Code:
root@test1:/# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:13:8F:2F:66:80
          inet addr:192.168.10.100  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3027805 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4126431 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1246326050 (1.1 GiB)  TX bytes:4098424900 (3.8 GiB)
          Interrupt:17 Base address:0xb800
root@test1:/#

192.168.10.10 != 192.168.10.100
On my host, firewall policies are at ACCEPT by default (fail2ban is messing up the output a bit):

Code:
romain@mars:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target                      prot opt source               destination
fail2ban-sasl               tcp  --  anywhere             anywhere            multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-named-refused-tcp  tcp  --  anywhere             anywhere            multiport dports domain,953
fail2ban-vsftpd             tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-ssh                tcp  --  anywhere             anywhere            multiport dports ssh
fail2ban-named-refused-udp  udp  --  anywhere             anywhere            multiport dports domain,953

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-named-refused-tcp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-named-refused-udp (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-sasl (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-vsftpd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
romain@mars:~$

On the guest Vserver:

Code:
root@test3:/# route -nee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 *        0     0      0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0     0     0      0
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *        0     0      0
root@test3:/#
Ok, I got the answer: http://linux-vserver.org/Frequently...led_sshd_on_the_guest._What.27s_wrong_here.3F

In short, all applications like SSH that are listening on 0.0.0.0 are intercepting the access to the guest. So I reconfigured my host with:

Code:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 192.168.10.10

And my guest with:

Code:
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 192.168.10.100

It is working smoothly now.
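A defender-side check for the condition this thread ends on: a host daemon bound to 0.0.0.0 (or ::) answers on every guest IP as well, so listing wildcard listeners on the host and confirming sshd_config pins ListenAddress catches the misconfiguration before a guest is exposed. This is an added example, not code from the thread or from Linux-VServer; the netstat output and the two sshd_config fragments are constructed samples modelled on the addresses above.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnt` output on a VServer host (not real data).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.10.10:25        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Constructed sshd_config fragments: the wildcard default and the pinned fix.
CONF_BEFORE='Port 22
#ListenAddress 192.168.10.10'
CONF_AFTER='Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 192.168.10.10'

# Read `netstat -lnt` output on stdin; print "proto port" for every listener
# bound to 0.0.0.0 or :: (such sockets also accept connections to guest IPs).
wildcard_listeners() {
    awk '$NF == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
             n = split($4, a, ":"); print $1, a[n]
         }'
}

# Read an sshd_config on stdin; exit 0 if an uncommented ListenAddress names a
# specific address (not 0.0.0.0 or ::), exit 1 otherwise.
listen_address_pinned() {
    awk 'BEGIN { ok = 0 }
         /^[ \t]*ListenAddress[ \t]+/ {
             if ($2 != "0.0.0.0" && $2 != "::") ok = 1
         }
         END { exit (ok ? 0 : 1) }'
}

# Demonstration on the constructed sample: lists ssh, dns and the IPv6 web port.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

On a live host, pipe `netstat -lnt` into wildcard_listeners and `/etc/ssh/sshd_config` into listen_address_pinned; any port reported by the first check that belongs to a daemon the guest also runs is one the guest will not be able to bind.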