openssh server remote access

Karl Auer kauer at biplane.com.au
Fri Oct 22 08:14:59 UTC 2021


On Fri, 2021-10-22 at 08:25 +0200, Bo Berglund wrote:
> "Connection refused" and even "Connection actively refused" are
> messages that confused me ages ago and are still in use...
> 
> But in actual fact it means the IP address is not available
> (because it is not on the same subnet for instance) or that there is
> no one listening on that port...
> 
> The error should have been one of:
> 
> "Cannot reach server address"
> or
> "Server not responding to call at port 22"


Um, not really right, Bo.

If the IP address does not exist, you will typically get a relatively
long wait then "no route to host", or you will just get a very long
wait followed by some kind of time out.

If the IP address does exist, and you can reach it, but nothing is
listening on the port you are trying to reach, then you will get an
immediate "connection refused".

If there is any kind of filter between you and the address/port you are
trying to reach, and that filter does not want to forward your packets,
it may do one of two things. It may simply discard them, in which case
you will get a long wait followed by a time out (typically several
minutes for TCP connections and 30 seconds for UDP connections, but
operating systems, network stacks and individual applications can have
their own, different timeouts). Or it may reject them, in which case
you will get "connection refused". Most filtered services have no
interest in providing you with any useful information, so filters tend
to discard packets rather than reject them.

There are other possibilities, but those are way the most common.

Things are further complicated by things like NAT, DNS, multicast,
anycast etc.
 
Here are some examples:

This is me trying to connect to a non-existent address on my home
network:

   kauer at kt1:~$ ssh 192.168.1.101
   ssh: connect to host 192.168.1.101 port 22: No route to host

This is me trying to connect internally to my laptop on a port where
nothing is listening:

   kauer at kt1:~$ telnet localhost 1234
   Trying 127.0.0.1...
   telnet: Unable to connect to remote host: Connection refused

This is me trying to ssh to my wifi-connected phone, which does not
have an ssh server on it:

   kauer at kt1:~$ ssh 192.168.1.253
   ssh: connect to host 192.168.1.253 port 22: Connection refused

This is me trying to ssh into Google :-)

   kauer at kt1:~$ time ssh -4 www.google.com
   ssh: connect to host www.google.com port 22: Connection timed out
   real	2m10.266s

This is a DNS lookup (UDP) of a fake name to my wifi-connected phone,
which does not have a DNS server on it:

   kauer at kt1:~$ time dig +short blah.blah.blah @192.168.1.253
   ;; connection timed out; no servers could be reached
   real	0m15.010s

This is a DNS lookup (UDP) of a real name to my wifi-connected phone,
which does not have a DNS server on it:

   kauer at kt1:~$ time dig +short www.google.com @192.168.1.253
   ;; connection timed out; no servers could be reached
   real	0m15.007s

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
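
The distinctions drawn in the message above, as an added example that is not part of the original post: a small Python probe that attempts one TCP connection and labels the outcome. The label names, the `MEANING` table and the 5-second default timeout are choices made for this example.

```python
import errno
import socket
import sys

# Labels are this example's own; the explanations paraphrase the message above.
MEANING = {
    "open": "something accepted the connection",
    "refused": "host reachable but nothing listening, or a filter rejected the packet",
    "no-route": "address not reachable (e.g. no such host on the local network)",
    "timed-out": "no answer at all: packets discarded by a filter, or host silent",
    "name-resolution-failed": "the host name could not be resolved (DNS)",
    "other": "some other socket error",
}


def classify(exc):
    """Map an exception raised while connecting to one of the labels above."""
    if isinstance(exc, socket.gaierror):
        return "name-resolution-failed"
    if isinstance(exc, (socket.timeout, TimeoutError)) or exc.errno == errno.ETIMEDOUT:
        return "timed-out"
    if exc.errno == errno.ECONNREFUSED:
        return "refused"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "no-route"
    return "other"


def probe(host, port, timeout=5.0):
    """Try one TCP connection and return a label describing what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Usage: python3 probe.py HOST [PORT]   (port defaults to 22, as for ssh)
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    label = probe(host, port)
    print(f"{host}:{port} -> {label}: {MEANING[label]}")
```

A "refused" result cannot tell a closed port from a filter that rejects, and "timed-out" cannot tell a discarding filter from a silent host, which is the ambiguity the message describes.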






