Hi Matt. There is no /var/log/auth.log, only /var/log/messages. (This is an OpenWrt-type device, loosely based on Chaos Calmer, using logd/logread. Is there anything I should do to increase dropbear’s log verbosity?)
I can see that successful ssh connections are logged to /var/log/messages. But nothing is logged for my unsuccessful attempts to connect via the reverse tunnel. Attempted telnet from relayserver: $ telnet localhost 10022 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Connection closed by foreign host. Attempted ssh from relayserver: $ ssh -p 10022 root@localhost ssh_exchange_identification: Connection closed by remote host Using tcpdump on the device, I can see that there is activity when the ssh connection attempt fails: # tcpdump host <relayserver> -i eth1 -vvvX tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes 12:13:06.442928 IP (tos 0x0, ttl 53, id 9167, offset 0, flags [DF], proto TCP (6), length 152) ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [P.], cksum 0x1e43 (correct), seq 4215067679:4215067779, ack 1099402958, win 227, options [nop,nop,TS val 327307585 ecr 103952497], length 100 0x0000: 4500 0098 23cf 4000 3506 e2fb 23b1 59ff E...#.@.5...#.Y. 0x0010: ac18 14cd 0016 e522 fb3c d41f 4187 8ece .......".<..A... 0x0020: 8018 00e3 1e43 0000 0101 080a 1382 5141 .....C........QA 0x0030: 0632 3071 b4df 8dd6 21d3 a1a9 10db 5274 .20q....!.....Rt 0x0040: 3da0 76c5 8894 0298 a40c 92af db23 dc63 =.v..........#.c 0x0050: 2434 786e 86a0 f2ec 3fd7 3844 46b4 c42e $4xn....?.8DF... 0x0060: e3fd f14c f210 da47 0aca 3902 ca94 6d63 ...L...G..9...mc 0x0070: b475 bc0b 7ece efe3 0f89 8476 cdd6 2ee9 .u..~......v.... 0x0080: 3948 8d8b 421d 4a34 4720 04ed 17a9 d451 9H..B.J4G......Q 0x0090: 8275 d002 bca2 a018 .u...... 12:13:06.471362 IP (tos 0x10, ttl 64, id 16162, offset 0, flags [DF], proto TCP (6), length 104) 172.24.20.205.58658 > ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh: Flags [P.], cksum 0x4da8 (correct), seq 1:53, ack 100, win 587, options [nop,nop,TS val 103968949 ecr 327307585], length 52 0x0000: 4510 0068 3f22 4000 4006 bcc8 ac18 14cd E..h?"@.@....... 0x0010: 23b1 59ff e522 0016 4187 8ece fb3c d483 #.Y.."..A....<.. 0x0020: 8018 024b 4da8 0000 0101 080a 0632 70b5 ...KM........2p. 0x0030: 1382 5141 e61a ae5a 656a 3caa 4621 9194 ..QA...Zej<.F!.. 0x0040: 8302 c4fd 1267 b3bb 9396 d358 aabd c6ce .....g.....X.... 0x0050: e4fc 96b6 3c9e 8db2 3e70 9d00 0137 fb50 ....<...>p...7.P 0x0060: 60a7 26f8 0cef df93 `.&..... 12:13:06.489051 IP (tos 0x0, ttl 53, id 9168, offset 0, flags [DF], proto TCP (6), length 52) ec2-<relayserver>.eu-west-2.compute.amazonaws.com.ssh > 172.24.20.205.58658: Flags [.], cksum 0xd60a (correct), seq 100, ack 53, win 227, options [nop,nop,TS val 327307597 ecr 103968949], length 0 0x0000: 4500 0034 23d0 4000 3506 e35e 23b1 59ff E..4#.@.5..^#.Y. 0x0010: ac18 14cd 0016 e522 fb3c d483 4187 8f02 .......".<..A... 0x0020: 8010 00e3 d60a 0000 0101 080a 1382 514d ..............QM 0x0030: 0632 70b5 .2p. Can you glean anything from these packets? Thanks, Ben. From: Matt Johnston [mailto:m...@ucc.asn.au] Sent: 29 May 2018 14:45 To: Ben Kinsella Cc: dropbear@ucc.asn.au Subject: Re: Problem using reverse ssh tunnel (remote port forwading) Hi Ben, Does the device log anything from Dropbear in /var/log/auth.log or similar? If you "telnet localhost 10022" does it print anything? Cheers, Matt On Fri 25/5/2018, at 11:05 pm, Ben Kinsella <bkinse...@advantech-bb.com<mailto:bkinse...@advantech-bb.com>> wrote: I have various devices on a private network behind a router, and I typically use “ssh -R” to access them. i.e. On the device I run $ ssh -fN -R :10022:localhost:22 user@relayserver Then I can ssh in via relayserver. This works for several different device types. However, it is not working for a particular device with dropbear v2017.75. The initial “ssh -R” command works (I can confirm with netstat on relayserver), but when I attempt to connect I get an error: $ ssh -p 10022 root@localhost ssh_exchange_identification: Connection closed by remote host Any suggestions? Regards, Ben.