Re: [gentoo-user] ssh connections time out
On Thursday 29 November 2007, Billy Holmes wrote:
> Mick wrote:
> > I just ran some quick tcptraceroute tests and can see that my random
> > port number has the same or less latency than port 80, or port 22
> > connections . . .
>
> try two things:
>
> 1) put your sshd on port 443 if you can. see if you can connect with no
> latency.
>
> or
>
> 2) perform this as root on BOTH boxes:
>
>     # echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
>
> that will disable the large tcp window negotiation. some broken
> firewalls/packet filters cause connections with this enabled to fail or
> become unfriendly.
>
> http://lists.debian.org/debian-kernel/2007/01/msg00652.html

Thanks! I'll try both and see what gives.

--
Regards,
Mick

signature.asc
Description: This is a digitally signed message part.
Re: [gentoo-user] ssh connections time out
On Wednesday 28 November 2007, Dale wrote:
> Billy Holmes wrote:
> > that's what the REMOTE machine will do after you connect to it, but
> > before you get a prompt. This can (normally) be configured on an
> > application basis to not do it.
>
> OK. I read most of it, what I could get a grip on anyway. Basically it
> looks to see if that IP address has a name too. Sort of silly but,
> whatever works I guess.

It does not stop there. It's usually used to prevent spoofing. The complete
process is more or less as follows: suppose you connect with a spoofed IP
address, then the remote end will do the reverse lookup to find out your
dns name, do a forward lookup with the name it just found, and see if the
resulting IP is the one you are connecting from.

From man sshd_config:

     UseDNS  Specifies whether sshd(8) should look up the remote host name
             and check that the resolved host name for the remote IP
             address maps back to the very same IP address. The default
             is ``yes''.

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] ssh connections time out
On Tuesday 27 November 2007, Vladimir Rusinov wrote:
> On 11/27/07, Mick <[EMAIL PROTECTED]> wrote:
> > Have you come across such a problem before? How can I troubleshoot it?
> > In this day and age of broadband connections it seems strange to get
> > worse performance than on a dialup network . . . I mean I have run VNC
> > connections over a 56k dial up with more responsiveness than this!
>
> Tune QoS (Quality of Service). It's not very trivial, but there are some
> good howtos/articles.

Trying to stick to the OP: I just ran some quick tcptraceroute tests and
can see that my random port number has the same or less latency than port
80, or port 22 connections . . .

--
Regards,
Mick
Re: [gentoo-user] ssh connections time out
Etaoin Shrdlu wrote:
> On Wednesday 28 November 2007, Dale wrote:
> > Billy Holmes wrote:
> > > that's what the REMOTE machine will do after you connect to it, but
> > > before you get a prompt. This can (normally) be configured on an
> > > application basis to not do it.
> >
> > OK. I read most of it, what I could get a grip on anyway. Basically it
> > looks to see if that IP address has a name too. Sort of silly but,
> > whatever works I guess.
>
> It does not stop there. It's usually used to prevent spoofing. The
> complete process is more or less as follows: suppose you connect with a
> spoofed IP address, then the remote end will do the reverse lookup to
> find out your dns name, do a forward lookup with the name it just found,
> and see if the resulting IP is the one you are connecting from.
>
> From man sshd_config:
>
>      UseDNS  Specifies whether sshd(8) should look up the remote host
>              name and check that the resolved host name for the remote
>              IP address maps back to the very same IP address. The
>              default is ``yes''.

I was sort of thinking about it helping with that. I just wasn't sure that
would work like I was thinking. I suspected it may be a security thing.
It seems that most things with Linux are security related anyway. That's
pretty cool. Some geek got a great idea. o_O

Now it makes good sense. I think it is pretty cool that it does that, even
if it messed me up at first. Just wish this would have fixed the OP's
problem.

Thanks.

Dale

:-) :-) :-)
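The reverse-then-forward check Etaoin describes above (and the sshd_config man page text he quotes), worked through as an added example written for this thread; it is not OpenSSH's code. The resolver functions are injected so the script runs offline: REVERSE_TABLE, FORWARD_TABLE, the LookupTimeout class, the timing_out_reverse resolver and fcrdns_check are all this example's own constructions, not real records or real sshd internals. The timing-out resolver models the case this thread is about: with UseDNS yes, sshd blocks on the PTR lookup before it prints a prompt, so a resolver that never answers looks exactly like a slow login.

```python
"""Forward-confirmed reverse DNS, the check sshd(8) does when UseDNS is yes.

Added example for this thread, not OpenSSH's code. The resolver functions
are injected so it runs offline; REVERSE_TABLE and FORWARD_TABLE are
constructed sample records, not real DNS data."""

import socket
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample records (not real zones).
REVERSE_TABLE = {
    "203.0.113.10": "laptop.example.net",  # PTR and A record agree
    "203.0.113.20": "dsl-20.isp.example",  # PTR exists, A record points elsewhere
    "203.0.113.30": None,                  # no PTR record at all
}
FORWARD_TABLE = {
    "laptop.example.net": ["203.0.113.10"],
    "dsl-20.isp.example": ["198.51.100.7"],
}


class LookupTimeout(Exception):
    """Stands in for a resolver that never answers (the slow case in the thread)."""


def table_reverse(ip: str) -> Optional[str]:
    """Sample PTR lookup against REVERSE_TABLE."""
    return REVERSE_TABLE.get(ip)


def table_forward(name: str) -> Iterable[str]:
    """Sample A lookup against FORWARD_TABLE."""
    return FORWARD_TABLE.get(name, [])


def timing_out_reverse(ip: str) -> Optional[str]:
    """Resolver that models an unreachable or overloaded DNS server."""
    raise LookupTimeout(f"no answer for PTR of {ip}")


def fcrdns_check(client_ip: str,
                 reverse: Callable[[str], Optional[str]],
                 forward: Callable[[str], Iterable[str]]) -> Tuple[str, str]:
    """Return (name_to_use, status) following the sshd_config(5) description:
    reverse-resolve the peer address, forward-resolve the name that came back,
    and accept the name only if one of the forward answers is the peer address.
    In every other case the bare address is used. status is one of
    'confirmed', 'mismatch', 'no-ptr' or 'lookup-failed'."""
    try:
        name = reverse(client_ip)
    except LookupTimeout:
        # The path this thread is about: the daemon sits here until the
        # resolver gives up, then falls back to the address. UseDNS no
        # skips the lookup entirely.
        return client_ip, "lookup-failed"
    if not name:
        return client_ip, "no-ptr"
    if client_ip in set(forward(name)):
        return name, "confirmed"
    # A name came back but does not map to the connecting address, the
    # situation a spoofed source or a sloppy ISP PTR zone produces. Use the
    # address, never the unverified name.
    return client_ip, "mismatch"


def live_resolvers():
    """Real resolvers via the system stub, for checking a host you administer."""
    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(name: str) -> Iterable[str]:
        try:
            return [ai[4][0] for ai in socket.getaddrinfo(name, None)]
        except socket.gaierror:
            return []
    return reverse, forward


if __name__ == "__main__":
    for ip in REVERSE_TABLE:
        print(ip, "->", fcrdns_check(ip, table_reverse, table_forward))
    print("203.0.113.10 with an unresponsive resolver ->",
          fcrdns_check("203.0.113.10", timing_out_reverse, table_forward))
```

Run it as-is for the offline tables; swap in `live_resolvers()` to see what a real sshd would decide for a host you own. The `mismatch` case is the one that makes the check worth having: a PTR record that does not map back is logged by address, so whoever controls the reverse zone cannot pick the name that ends up in the logs.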
Re: [gentoo-user] ssh connections time out
On Wed, 28 Nov 2007 09:57:25 + Mick <[EMAIL PROTECTED]> wrote:
> I just ran some quick tcptraceroute tests and can see that my random
> port number has the same or less latency than port 80, or port 22
> connections . . .

DNS Servers over loaded, on one side of the transaction or the other?
Re: [gentoo-user] ssh connections time out
Mick wrote:
> I just ran some quick tcptraceroute tests and can see that my random
> port number has the same or less latency than port 80, or port 22
> connections . . .

try two things:

1) put your sshd on port 443 if you can. see if you can connect with no
latency.

or

2) perform this as root on BOTH boxes:

    # echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

that will disable the large tcp window negotiation. some broken
firewalls/packet filters cause connections with this enabled to fail or
become unfriendly.

http://lists.debian.org/debian-kernel/2007/01/msg00652.html
Re: [gentoo-user] ssh connections time out
> Hi All,
>
> I have noticed this problem when I try to connect to two different
> machines in two different continents. One is on cable (US) the other on
> ISDN ADSL (Greece). In the evening and sometimes weekends ssh
> connections from my laptop to these two PCs are either taking ages or
> time out. These are ssh connections to sshd which is listening to random
> ports in the 200+ or 12000+ ranges. If I eventually manage to connect
> the latency is ridiculous - up to 5 seconds! Sometimes I enter a passwd,
> if I can get that far and then wait for hours with no response.
> Eventually, I have to close the terminal. Tracerouting does not get
> through although some clever tcptraceroute strings may on occasions
> (intermittently) get through.
>
> Both servers run on domestic networks. BTW, ssh-ing to servers in
> datacenters with their big fiber-optic pipes, although relatively slow
> in peak times, always gets through. The strange thing is that there is
> no problem talking to these boxen while they run Google-Talk, it's only
> the ssh connection that seems to suffer.
>
> Have you come across such a problem before? How can I troubleshoot it?
> In this day and age of broadband connections it seems strange to get
> worse performance than on a dialup network . . . I mean I have run VNC
> connections over a 56k dial up with more responsiveness than this!
>
> --
> Regards,
> Mick

Hi Mick,

I have noticed these problems myself as well sometimes when connecting to
a server connected to ADSL in the UK (I am currently in NL myself).
Fortunately for me, I have full access to the ADSL-router from that server
when I can connect and I found it usually coincides with connection
problems between the router and the ISP. Can you (or someone else) check
if there are any problems with this?

Another cause could be that the ISP (you did mention these are domestic
networks) is throttling/blocking certain ports/services/connection types.
I have heard of ISPs in NL and Belgium (not sure if it's true) that tend
to change these policies depending on the time of day. This could also be
done by your ISP.

Are the SSH-ports of the servers in DataCenters on 22 (default) or in the
higher 200+ and 12000+ range?

Kind regards,

Joost Roeleveld
Re: [gentoo-user] ssh connections time out
Christopher Copeland wrote:
> On 27 Nov 2007, at 10:19, Mick wrote:
> > Hi All,
> >
> > I have noticed this problem when I try to connect to two different
> > machines in two different continents. One is on cable (US) the other
> > on ISDN ADSL (Greece). In the evening and sometimes weekends ssh
> > connections from my laptop to these two PCs are either taking ages or
> > time out. These are ssh connections to sshd which is listening to
> > random ports in the 200+ or 12000+ ranges. If I eventually manage to
> > connect the latency is ridiculous - up to 5 seconds! Sometimes I enter
> > a passwd, if I can get that far and then wait for hours with no
> > response. Eventually, I have to close the terminal. Tracerouting does
> > not get through although some clever tcptraceroute strings may on
> > occasions (intermittently) get through.
> >
> > Both servers run on domestic networks. BTW, ssh-ing to servers in
> > datacenters with their big fiber-optic pipes, although relatively slow
> > in peak times, always gets through. The strange thing is that there is
> > no problem talking to these boxen while they run Google-Talk, it's
> > only the ssh connection that seems to suffer.
> >
> > Have you come across such a problem before? How can I troubleshoot
> > it? In this day and age of broadband connections it seems strange to
> > get worse performance than on a dialup network . . . I mean I have run
> > VNC connections over a 56k dial up with more responsiveness than this!
> >
> > --
> > Regards,
> > Mick
>
> I've run across the same kind of issues on certain ISPs when using
> non-standard ports for sshd. Given other connections (Gtalk) are
> working, the first thing I would try in your position is to see if
> there is a difference when using 22 versus your random port. With
> certain ISPs in the UK I've found SSH connections to be unusable on
> anything but the default port. Of course it has everything to do with
> the smart traffic shaping at the ISP and there was nothing I could do
> about it.
>
> --
> Christopher

I also ran into something like this on a local network. I corrected this
by adding the remote systems to my hosts file and putting the entry in the
host file on the remote system. I'm not sure what effect this had but it
worked like a charm after that. I guess it lets each other know who the
other is or something.

Hope that helps.

Dale

:-) :-) :-) :-)
Re: [gentoo-user] ssh connections time out
On 27 Nov 2007, at 10:19, Mick wrote:
> Hi All,
>
> I have noticed this problem when I try to connect to two different
> machines in two different continents. One is on cable (US) the other on
> ISDN ADSL (Greece). In the evening and sometimes weekends ssh
> connections from my laptop to these two PCs are either taking ages or
> time out. These are ssh connections to sshd which is listening to random
> ports in the 200+ or 12000+ ranges. If I eventually manage to connect
> the latency is ridiculous - up to 5 seconds! Sometimes I enter a passwd,
> if I can get that far and then wait for hours with no response.
> Eventually, I have to close the terminal. Tracerouting does not get
> through although some clever tcptraceroute strings may on occasions
> (intermittently) get through.
>
> Both servers run on domestic networks. BTW, ssh-ing to servers in
> datacenters with their big fiber-optic pipes, although relatively slow
> in peak times, always gets through. The strange thing is that there is
> no problem talking to these boxen while they run Google-Talk, it's only
> the ssh connection that seems to suffer.
>
> Have you come across such a problem before? How can I troubleshoot it?
> In this day and age of broadband connections it seems strange to get
> worse performance than on a dialup network . . . I mean I have run VNC
> connections over a 56k dial up with more responsiveness than this!
>
> --
> Regards,
> Mick

I've run across the same kind of issues on certain ISPs when using
non-standard ports for sshd. Given other connections (Gtalk) are working,
the first thing I would try in your position is to see if there is a
difference when using 22 versus your random port. With certain ISPs in
the UK I've found SSH connections to be unusable on anything but the
default port. Of course it has everything to do with the smart traffic
shaping at the ISP and there was nothing I could do about it.

--
Christopher
Re: [gentoo-user] ssh connections time out
> Christopher Copeland wrote:
> > On 27 Nov 2007, at 10:19, Mick wrote:
> > > Hi All,
> > >
> > > I have noticed this problem when I try to connect to two different
> > > machines in two different continents. One is on cable (US) the
> > > other on ISDN ADSL (Greece). In the evening and sometimes weekends
> > > ssh connections from my laptop to these two PCs are either taking
> > > ages or time out. These are ssh connections to sshd which is
> > > listening to random ports in the 200+ or 12000+ ranges. If I
> > > eventually manage to connect the latency is ridiculous - up to 5
> > > seconds! Sometimes I enter a passwd, if I can get that far and then
> > > wait for hours with no response. Eventually, I have to close the
> > > terminal.
> > >
> > > <snip>
> >
> > I've run across the same kind of issues on certain ISPs when using
> > non-standard ports for sshd. Given other connections (Gtalk) are
> > working, the first thing I would try in your position is to see if
> > there is a difference when using 22 versus your random port. With
> > certain ISPs in the UK I've found SSH connections to be unusable on
> > anything but the default port. Of course it has everything to do with
> > the smart traffic shaping at the ISP and there was nothing I could do
> > about it.
> >
> > --
> > Christopher
>
> I also ran into something like this on a local network. I corrected this
> by adding the remote systems to my hosts file and putting the entry in
> the host file on the remote system. I'm not sure what effect this had
> but it worked like a charm after that. I guess it lets each other know
> who the other is or something.
>
> Hope that helps.
>
> Dale

Hi Dale,

Your comment might actually indicate a problem with the DNS-server
involved. Configuring the server(s) in the hosts file would be one
solution.

Mick, do you use IP-addresses or hostnames when you try to connect? If you
are using hostnames, can you test with IP-addresses instead?

Kind regards,

Joost Roeleveld
Re: [gentoo-user] ssh connections time out
Dale wrote:
> <snipped>
>
> I also ran into something like this on a local network. I corrected this
> by adding the remote systems to my hosts file and putting the entry in
> the host file on the remote system. I'm not sure what effect this had
> but it worked like a charm after that. I guess it lets each other know
> who the other is or something.
>
> Hope that helps.
>
> Dale
>
> :-) :-) :-) :-)

I've had this problem as well. I've added "UseDNS no" to the sshd_config
file and that had the same result. I usually only had high latency
establishing the connection though. Once the connection was established
and I was logged in, everything was fast again.

I've also had connection issues while transferring files through ssh, and
I got around that (somewhat) by adding -l to the scp command. This tries
to throttle the connection speed, and I can usually keep a connection
going with that. I say that it somewhat fixed the issue because I also
need to use ssh to port forward to an internal database and run scripts
there, but there's no way that I know to do the same throttling with a
port forwarding ssh command.

Chris
Re: [gentoo-user] ssh connections time out
Thank you all for your replies,

On Tuesday 27 November 2007, Chris Frederick wrote:
> Dale wrote:
> > I also ran into something like this on a local network. I corrected
> > this by adding the remote systems to my hosts file and putting the
> > entry in the host file on the remote system.
> > [snip...]
>
> I've had this problem as well. I've added "UseDNS no" to the
> sshd_config file and that had the same result. I usually only had high
> latency establishing the connection though. Once the connection was
> established and I was logged in, everything was fast again.

The problem is not with the DNS servers. I use IP addresses to access
these machines and when I have tried FQDNs it makes no odds.

> I've also had connection issues while transferring files through ssh,
> and I got around that (somewhat) by adding -l to the scp command. This
> tries to throttle the connection speed, and I can usually keep a
> connection going with that. I say that it somewhat fixed the issue
> because I also need to use ssh to port forward to an internal database
> and run scripts there, but there's no way that I know to do the same
> throttling with a port forwarding ssh command.

The -l option is to apply a protocol specific type of QoS and limit the
bandwidth consumed by scp so that other critical services on the server
don't run dry. My problem is that I do not seem to have enough bandwidth
to start with.

The ports of the servers are random numbers in the 200+ and 12000+ range
and I have checked that no other applications are using/listening on these
ports. I've not tried port 22 yet, but I'll give it a go tonight. I tend
to use higher random ports just to achieve some basic 'security by
obscurity' from script kiddies and botnets. The issue with port 22 is that
the world-and-his-wife will try to hack in and cause DoS to the little
bandwidth that seems to be available. :p Ha! I'll deal with this at the
firewall.

The datacenter servers are listening on port 22. This difference in
performance between the production and the domestic servers also made me
think that there may well be some traffic shaping by the ISPs at their
routers, but I don't know if I can test this for definite somehow.

I don't think that setting up QoS at the domestic servers is going to make
any difference. These machines are not stressed at all and off peak I can
access them fine. It is at peak times that things really go pear-shaped,
hence it should be a network congestion/traffic shaping issue. I don't
know if people started going mad at the pre-Christmas online shopping and
things have been particularly bad since last Saturday, or if it is just
some ISP network maintenance that made my connections impossible.

More about my trials and tribulations on port 22 tomorrow . . .

--
Regards,
Mick
Re: [gentoo-user] ssh connections time out
Mick wrote:
> Thank you all for your replies,
>
> On Tuesday 27 November 2007, Chris Frederick wrote:
> > Dale wrote:
> > > I also ran into something like this on a local network. I corrected
> > > this by adding the remote systems to my hosts file and putting the
> > > entry in the host file on the remote system.
> > > [snip...]
> >
> > I've had this problem as well. I've added "UseDNS no" to the
> > sshd_config file and that had the same result. I usually only had
> > high latency establishing the connection though. Once the connection
> > was established and I was logged in, everything was fast again.
>
> The problem is not with the DNS servers. I use IP addresses to access
> these machines and when I have tried FQDNs it makes no odds.
>
> > I've also had connection issues while transferring files through ssh,
> > and I got around that (somewhat) by adding -l to the scp command.
> > This tries to throttle the connection speed, and I can usually keep a
> > connection going with that. I say that it somewhat fixed the issue
> > because I also need to use ssh to port forward to an internal
> > database and run scripts there, but there's no way that I know to do
> > the same throttling with a port forwarding ssh command.
>
> The -l option is to apply a protocol specific type of QoS and limit the
> bandwidth consumed by scp so that other critical services on the server
> don't run dry. My problem is that I do not seem to have enough
> bandwidth to start with.
>
> The ports of the servers are random numbers in the 200+ and 12000+
> range and I have checked that no other applications are using/listening
> on these ports. I've not tried port 22 yet, but I'll give it a go
> tonight. I tend to use higher random ports just to achieve some basic
> 'security by obscurity' from script kiddies and botnets. The issue with
> port 22 is that the world-and-his-wife will try to hack in and cause
> DoS to the little bandwidth that seems to be available. :p Ha! I'll
> deal with this at the firewall.
>
> The datacenter servers are listening on port 22. This difference in
> performance between the production and the domestic servers also made
> me think that there may well be some traffic shaping by the ISPs at
> their routers, but I don't know if I can test this for definite
> somehow.
>
> I don't think that setting up QoS at the domestic servers is going to
> make any difference. These machines are not stressed at all and off
> peak I can access them fine. It is at peak times that things really go
> pear-shaped, hence it should be a network congestion/traffic shaping
> issue. I don't know if people started going mad at the pre-Christmas
> online shopping and things have been particularly bad since last
> Saturday, or if it is just some ISP network maintenance that made my
> connections impossible.
>
> More about my trials and tribulations on port 22 tomorrow . . .

Just to add to this, I was using the IP address too and it was very slow.
This was also on a local network. After adding the lines to my host files,
it was fast no matter whether I used the name or the IP address. I still
don't understand why this matters tho.

Just a thought.

Dale

:-) :-) :-)
Re: [gentoo-user] ssh connections time out
On Tue, 27 Nov 2007 13:26:18 -0600 Dale <[EMAIL PROTECTED]> wrote:
> Just to add to this, I was using the IP address too and it was very
> slow. This was also on a local network. After adding the lines to my
> host files, it was fast no matter whether I used the name or the IP
> address. I still don't understand why this matters tho.
>
> Just a thought.
>
> Dale

I am guessing your /etc/nsswitch.conf says:

    hosts: files dns

in this case, the /etc/hosts file will be consulted before the dns. If
you provide an IP address, it will probably want to do a reverse lookup
to the name (for .ssh/known-hosts for one); if provided a domain name, it
will have to look it up.
Re: [gentoo-user] ssh connections time out
Dan Farrell wrote:
> On Tue, 27 Nov 2007 13:26:18 -0600 Dale <[EMAIL PROTECTED]> wrote:
> > Just to add to this, I was using the IP address too and it was very
> > slow. This was also on a local network. After adding the lines to my
> > host files, it was fast no matter whether I used the name or the IP
> > address. I still don't understand why this matters tho.
> >
> > Just a thought.
> >
> > Dale
>
> I am guessing your /etc/nsswitch.conf says:
>
>     hosts: files dns
>
> in this case, the /etc/hosts file will be consulted before the dns. If
> you provide an IP address, it will probably want to do a reverse lookup
> to the name (for .ssh/known-hosts for one); if provided a domain name,
> it will have to look it up.

You are correct. It has that exact line in the nsswitch.conf file.
Someone tried to explain the lookup thing but it just went over my head.
I know when I go to google for example that it goes to a DNS server to get
the IP to know where to go to. I just never could figure why it did that
when it has the number already. I just know that adding that to the host
file worked like a charm.

I'm still curious as to why the OP is having this problem. I suspect,
like me all the time, it will be something pretty simple. We always find
the complicated stuff. LOL

Dale

:-) :-) :-)
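Dan's point about the "hosts: files dns" line, as an added example written for this thread (it is not glibc, sshd or any list member's code): a small model of the hosts-database lookup order that shows why Dale's /etc/hosts entries removed the delay. NSSWITCH_CONF and HOSTS_FILE are constructed stand-ins for /etc/nsswitch.conf and /etc/hosts, the dns source is passed in as a callable so the run is offline, and CountingDeadDns (a resolver that never answers and counts how often it was asked) is this example's own device for making the ordering visible. With files first, an address that has an /etc/hosts line never reaches the dns source; one that does not waits on dns, which is where the slow logins come from.

```python
"""Name-service lookup order for the hosts database ('hosts: files dns').

Added example for this thread; not glibc code. NSSWITCH_CONF and HOSTS_FILE
are constructed samples standing in for /etc/nsswitch.conf and /etc/hosts,
and the dns source is injected, so the whole thing runs offline."""

from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample /etc/nsswitch.conf; the line that matters is 'hosts:'.
NSSWITCH_CONF = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   compat
group:    compat
hosts:    files dns
networks: files dns
"""

# Constructed sample /etc/hosts, the kind of entries Dale added for his boxes.
HOSTS_FILE = """\
# constructed sample
127.0.0.1      localhost
192.168.1.10   folding1.lan folding1
192.168.1.11   folding2.lan   # second folding box
"""


class DnsUnavailable(Exception):
    """The dns source did not answer (unreachable or overloaded server)."""


def hosts_sources(nsswitch_text: str) -> List[str]:
    """Return the ordered source list from the 'hosts:' line, e.g. ['files', 'dns'].
    If the line is absent this example falls back to ['dns']; that fallback is
    an assumption of the example, not a statement about glibc's built-in default."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, sources = line.partition(":")
        if database.strip() == "hosts":
            return sources.split()
    return ["dns"]


def parse_hosts(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Parse /etc/hosts into (ip -> canonical name, lowercase name -> ip).
    Comments and blank lines are skipped; the first entry for an address wins."""
    by_ip: Dict[str, str] = {}
    by_name: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        by_ip.setdefault(ip, names[0])
        for name in names:
            by_name.setdefault(name.lower(), ip)
    return by_ip, by_name


def reverse_lookup(ip: str, sources: List[str], hosts_by_ip: Dict[str, str],
                   dns_ptr: Callable[[str], Optional[str]]
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Resolve ip -> name walking the sources in nsswitch order.
    Returns (name, source_that_answered), or (None, None) if nothing did.
    With 'files' first, a matching /etc/hosts line means dns is never asked."""
    for source in sources:
        if source == "files":
            if ip in hosts_by_ip:
                return hosts_by_ip[ip], "files"
        elif source == "dns":
            try:
                name = dns_ptr(ip)
            except DnsUnavailable:
                continue  # a real stub resolver waits out its timeout before getting here
            if name:
                return name, "dns"
    return None, None


class CountingDeadDns:
    """A dns source that never answers and records how often it was consulted."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, ip: str) -> Optional[str]:
        self.calls += 1
        raise DnsUnavailable(ip)


def demo() -> Dict[str, object]:
    """Run the two cases Dale describes: address in /etc/hosts, and not in it."""
    sources = hosts_sources(NSSWITCH_CONF)
    by_ip, _ = parse_hosts(HOSTS_FILE)
    dns = CountingDeadDns()
    in_hosts = reverse_lookup("192.168.1.10", sources, by_ip, dns)
    calls_after_hit = dns.calls
    not_in_hosts = reverse_lookup("192.168.1.99", sources, by_ip, dns)
    return {
        "sources": sources,                    # ['files', 'dns']
        "in_hosts": in_hosts,                  # ('folding1.lan', 'files')
        "dns_calls_for_hit": calls_after_hit,  # 0: dns never consulted
        "not_in_hosts": not_in_hosts,          # (None, None) once dns failed
        "dns_calls_total": dns.calls,          # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The counter is the point: for the address with a hosts entry, `dns_calls_for_hit` stays at 0, which is exactly the behaviour Dale saw once both machines had each other in /etc/hosts. Reordering the line to "hosts: dns files" would make every lookup wait on the resolver first, even for addresses the file knows about.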
Re: [gentoo-user] ssh connections time out
On Nov 27, 2007 4:19 PM, Dale <[EMAIL PROTECTED]> wrote:
> Dan Farrell wrote:
> > On Tue, 27 Nov 2007 13:26:18 -0600 Dale <[EMAIL PROTECTED]> wrote:
> > > Just to add to this, I was using the IP address too and it was very
> > > slow. This was also on a local network. After adding the lines to
> > > my host files, it was fast no matter whether I used the name or the
> > > IP address. I still don't understand why this matters tho.
> > >
> > > Just a thought.
> > >
> > > Dale
> >
> > I am guessing your /etc/nsswitch.conf says:
> >
> >     hosts: files dns
> >
> > in this case, the /etc/hosts file will be consulted before the dns.
> > If you provide an IP address, it will probably want to do a reverse
> > lookup to the name (for .ssh/known-hosts for one); if provided a
> > domain name, it will have to look it up.
>
> You are correct. It has that exact line in the nsswitch.conf file.
> Someone tried to explain the lookup thing but it just went over my
> head. I know when I go to google for example that it goes to a DNS
> server to get the IP to know where to go to. I just never could figure
> why it did that when it has the number already. I just know that adding
> that to the host file worked like a charm.
>
> I'm still curious as to why the OP is having this problem. I suspect,
> like me all the time, it will be something pretty simple. We always
> find the complicated stuff. LOL
>
> Dale
>
> :-) :-) :-)

The lookup thing is very similar to the same kind of DNS query used when
visiting a website.

--
- Mark Shields
Re: [gentoo-user] ssh connections time out
Mark Shields wrote:
> On Nov 27, 2007 4:19 PM, Dale <[EMAIL PROTECTED]> wrote:
> > Dan Farrell wrote:
> > > On Tue, 27 Nov 2007 13:26:18 -0600 Dale <[EMAIL PROTECTED]> wrote:
> >
> > You are correct. It has that exact line in the nsswitch.conf file.
> > Someone tried to explain the lookup thing but it just went over my
> > head. I know when I go to google for example that it goes to a DNS
> > server to get the IP to know where to go to. I just never could
> > figure why it did that when it has the number already. I just know
> > that adding that to the host file worked like a charm.
> >
> > I'm still curious as to why the OP is having this problem. I suspect,
> > like me all the time, it will be something pretty simple. We always
> > find the complicated stuff. LOL
> >
> > Dale
> >
> > :-) :-) :-)
>
> The lookup thing is very similar to the same kind of DNS query used
> when visiting a website.
>
> --
> - Mark Shields

Yea, I got that part but why does it do that when you are using the IP
number to go to it? That was what was confusing me. Up until that time, I
didn't even name the systems since all I used them for was to run
folding. After I named them and put the entries in the hosts file, it
worked fine even when ssh'ing in with the IP number. Before that, it took
forever to login. I would think that it would just go straight to it
without a look-up at that point. Then again, I'm not a networking guru
either.

Dale

:-) :-)
Re: [gentoo-user] ssh connections time out
Dale wrote:
> didn't even name the systems since all I used them for was to run
> folding. After I named them and put the entries in the hosts file, it
> worked fine even when ssh'ing in with the IP number. Before that, it
> took forever to login.

google: reverse lookup dns wikipedia

click on the first link

that's what the REMOTE machine will do after you connect to it, but
before you get a prompt. This can (normally) be configured on an
application basis to not do it.
Re: [gentoo-user] ssh connections time out
Billy Holmes wrote:
> Dale wrote:
> > didn't even name the systems since all I used them for was to run
> > folding. After I named them and put the entries in the hosts file, it
> > worked fine even when ssh'ing in with the IP number. Before that, it
> > took forever to login.
>
> google: reverse lookup dns wikipedia
>
> click on the first link
>
> that's what the REMOTE machine will do after you connect to it, but
> before you get a prompt. This can (normally) be configured on an
> application basis to not do it.

OK. I read most of it, what I could get a grip on anyway. Basically it
looks to see if that IP address has a name too. Sort of silly but,
whatever works I guess. At least now I sort of get what it means.

Thanks for the info.

Dale

:-) :-) :-)