Cannot loggin twice in ssh if DNS tunnel is active












1















I recently installed WireGuard so I can tunnel DNS request to the VPN.
I also have portsentry and fail2ban but now I disabled them until I find the solution to the problem.



When I login into my user in ssh, everything is ok. But I have to wait several minutes before the second login, even if I close the first connection, if not it tries a long time to connect but the connection is timed out. I have this problem only on wan, not on lan.
In other device (a smartphone) I can check that if I disable the VPN I can login several times without problems.
But what is really weird is that in my pc, even if I disable the VPN I have the same problem (and DNS without VPN are 8.8.8.8 and 9.9.9.9).



In /var/log/auth.log I could see the warning "POSSIBLE BREAK-IN ATTEMPT!" pointing to my IP. So, it must be a DNS reverse advice.
I disabled these warnings adding UseDNS no to the system's sshd_config file.
I still have this second login problem even now.



Some other information:




  • iptables is not banning my IP and after a iptables -X and iptables -F I have the same problem.


  • The IP is not in the /etc/hosts.deny file.



My /etc/ssh/sshd_config is:



# What ports, IPs and protocols we listen for
Port "myport"
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Only allow "myuser"
AllowUsers "myuser"

# Allow DNS reverse (wireguard)
UseDNS no


where "myport" and "myuser" are my port and user data.



How can I check what is wrong?










share|improve this question





























    1















    I recently installed WireGuard so I can tunnel DNS request to the VPN.
    I also have portsentry and fail2ban but now I disabled them until I find the solution to the problem.



    When I login into my user in ssh, everything is ok. But I have to wait several minutes before the second login, even if I close the first connection, if not it tries a long time to connect but the connection is timed out. I have this problem only on wan, not on lan.
    In other device (a smartphone) I can check that if I disable the VPN I can login several times without problems.
    But what is really weird is that in my pc, even if I disable the VPN I have the same problem (and DNS without VPN are 8.8.8.8 and 9.9.9.9).



    In /var/log/auth.log I could see the warning "POSSIBLE BREAK-IN ATTEMPT!" pointing to my IP. So, it must be a DNS reverse advice.
    I disabled these warnings adding UseDNS no to the system's sshd_config file.
    I still have this second login problem even now.



    Some other information:




    • iptables is not banning my IP and after a iptables -X and iptables -F I have the same problem.


    • The IP is not in the /etc/hosts.deny file.



    My /etc/ssh/sshd_config is:



    # What ports, IPs and protocols we listen for
    Port "myport"
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication yes

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    # Only allow "myuser"
    AllowUsers "myuser"

    # Allow DNS reverse (wireguard)
    UseDNS no


    where "myport" and "myuser" are my port and user data.



    How can I check what is wrong?










    share|improve this question



























      1












      1








      1


      1






      I recently installed WireGuard so I can tunnel DNS request to the VPN.
      I also have portsentry and fail2ban but now I disabled them until I find the solution to the problem.



      When I login into my user in ssh, everything is ok. But I have to wait several minutes before the second login, even if I close the first connection, if not it tries a long time to connect but the connection is timed out. I have this problem only on wan, not on lan.
      In other device (a smartphone) I can check that if I disable the VPN I can login several times without problems.
      But what is really weird is that in my pc, even if I disable the VPN I have the same problem (and DNS without VPN are 8.8.8.8 and 9.9.9.9).



      In /var/log/auth.log I could see the warning "POSSIBLE BREAK-IN ATTEMPT!" pointing to my IP. So, it must be a DNS reverse advice.
      I disabled these warnings adding UseDNS no to the system's sshd_config file.
      I still have this second login problem even now.



      Some other information:




      • iptables is not banning my IP and after a iptables -X and iptables -F I have the same problem.


      • The IP is not in the /etc/hosts.deny file.



      My /etc/ssh/sshd_config is:



      # What ports, IPs and protocols we listen for
      Port "myport"
      # Use these options to restrict which interfaces/protocols sshd will bind to
      #ListenAddress ::
      #ListenAddress 0.0.0.0
      Protocol 2
      # HostKeys for protocol version 2
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_dsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
      #Privilege Separation is turned on for security
      UsePrivilegeSeparation yes

      # Lifetime and size of ephemeral version 1 server key
      KeyRegenerationInterval 3600
      ServerKeyBits 1024

      # Logging
      SyslogFacility AUTH
      LogLevel INFO

      # Authentication:
      LoginGraceTime 120
      PermitRootLogin no
      StrictModes yes

      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile %h/.ssh/authorized_keys

      # Don't read the user's ~/.rhosts and ~/.shosts files
      IgnoreRhosts yes
      # For this to work you will also need host keys in /etc/ssh_known_hosts
      RhostsRSAAuthentication no
      # similar for protocol version 2
      HostbasedAuthentication no
      # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
      #IgnoreUserKnownHosts yes

      # To enable empty passwords, change to yes (NOT RECOMMENDED)
      PermitEmptyPasswords no

      # Change to yes to enable challenge-response passwords (beware issues with
      # some PAM modules and threads)
      ChallengeResponseAuthentication yes

      # Change to no to disable tunnelled clear text passwords
      PasswordAuthentication yes

      # Kerberos options
      #KerberosAuthentication no
      #KerberosGetAFSToken no
      #KerberosOrLocalPasswd yes
      #KerberosTicketCleanup yes

      # GSSAPI options
      #GSSAPIAuthentication yes
      #GSSAPICleanupCredentials yes

      X11Forwarding yes
      X11DisplayOffset 10
      PrintMotd no
      PrintLastLog yes
      TCPKeepAlive yes
      #UseLogin no

      #MaxStartups 10:30:60
      #Banner /etc/issue.net

      # Allow client to pass locale environment variables
      AcceptEnv LANG LC_*

      Subsystem sftp /usr/lib/openssh/sftp-server

      # Set this to 'yes' to enable PAM authentication, account processing,
      # and session processing. If this is enabled, PAM authentication will
      # be allowed through the ChallengeResponseAuthentication and
      # PasswordAuthentication. Depending on your PAM configuration,
      # PAM authentication via ChallengeResponseAuthentication may bypass
      # the setting of "PermitRootLogin without-password".
      # If you just want the PAM account and session checks to run without
      # PAM authentication, then enable this but set PasswordAuthentication
      # and ChallengeResponseAuthentication to 'no'.
      UsePAM yes

      # Only allow "myuser"
      AllowUsers "myuser"

      # Allow DNS reverse (wireguard)
      UseDNS no


      where "myport" and "myuser" are my port and user data.



      How can I check what is wrong?










      share|improve this question
















      I recently installed WireGuard so I can tunnel DNS request to the VPN.
      I also have portsentry and fail2ban but now I disabled them until I find the solution to the problem.



      When I login into my user in ssh, everything is ok. But I have to wait several minutes before the second login, even if I close the first connection, if not it tries a long time to connect but the connection is timed out. I have this problem only on wan, not on lan.
      In other device (a smartphone) I can check that if I disable the VPN I can login several times without problems.
      But what is really weird is that in my pc, even if I disable the VPN I have the same problem (and DNS without VPN are 8.8.8.8 and 9.9.9.9).



      In /var/log/auth.log I could see the warning "POSSIBLE BREAK-IN ATTEMPT!" pointing to my IP. So, it must be a DNS reverse advice.
      I disabled these warnings adding UseDNS no to the system's sshd_config file.
      I still have this second login problem even now.



      Some other information:




      • iptables is not banning my IP and after a iptables -X and iptables -F I have the same problem.


      • The IP is not in the /etc/hosts.deny file.



      My /etc/ssh/sshd_config is:



      # What ports, IPs and protocols we listen for
      Port "myport"
      # Use these options to restrict which interfaces/protocols sshd will bind to
      #ListenAddress ::
      #ListenAddress 0.0.0.0
      Protocol 2
      # HostKeys for protocol version 2
      HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_dsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
      #Privilege Separation is turned on for security
      UsePrivilegeSeparation yes

      # Lifetime and size of ephemeral version 1 server key
      KeyRegenerationInterval 3600
      ServerKeyBits 1024

      # Logging
      SyslogFacility AUTH
      LogLevel INFO

      # Authentication:
      LoginGraceTime 120
      PermitRootLogin no
      StrictModes yes

      RSAAuthentication yes
      PubkeyAuthentication yes
      AuthorizedKeysFile %h/.ssh/authorized_keys

      # Don't read the user's ~/.rhosts and ~/.shosts files
      IgnoreRhosts yes
      # For this to work you will also need host keys in /etc/ssh_known_hosts
      RhostsRSAAuthentication no
      # similar for protocol version 2
      HostbasedAuthentication no
      # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
      #IgnoreUserKnownHosts yes

      # To enable empty passwords, change to yes (NOT RECOMMENDED)
      PermitEmptyPasswords no

      # Change to yes to enable challenge-response passwords (beware issues with
      # some PAM modules and threads)
      ChallengeResponseAuthentication yes

      # Change to no to disable tunnelled clear text passwords
      PasswordAuthentication yes

      # Kerberos options
      #KerberosAuthentication no
      #KerberosGetAFSToken no
      #KerberosOrLocalPasswd yes
      #KerberosTicketCleanup yes

      # GSSAPI options
      #GSSAPIAuthentication yes
      #GSSAPICleanupCredentials yes

      X11Forwarding yes
      X11DisplayOffset 10
      PrintMotd no
      PrintLastLog yes
      TCPKeepAlive yes
      #UseLogin no

      #MaxStartups 10:30:60
      #Banner /etc/issue.net

      # Allow client to pass locale environment variables
      AcceptEnv LANG LC_*

      Subsystem sftp /usr/lib/openssh/sftp-server

      # Set this to 'yes' to enable PAM authentication, account processing,
      # and session processing. If this is enabled, PAM authentication will
      # be allowed through the ChallengeResponseAuthentication and
      # PasswordAuthentication. Depending on your PAM configuration,
      # PAM authentication via ChallengeResponseAuthentication may bypass
      # the setting of "PermitRootLogin without-password".
      # If you just want the PAM account and session checks to run without
      # PAM authentication, then enable this but set PasswordAuthentication
      # and ChallengeResponseAuthentication to 'no'.
      UsePAM yes

      # Only allow "myuser"
      AllowUsers "myuser"

      # Allow DNS reverse (wireguard)
      UseDNS no


      where "myport" and "myuser" are my port and user data.



      How can I check what is wrong?







      server ssh dns vpn






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 18 at 14:21







      magarto

















      asked Jan 18 at 13:55









      magartomagarto

      62




      62






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1110883%2fcannot-loggin-twice-in-ssh-if-dns-tunnel-is-active%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1110883%2fcannot-loggin-twice-in-ssh-if-dns-tunnel-is-active%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to make a Squid Proxy server?

          Is this a new Fibonacci Identity?

          19世紀