Ask a Question

Simple setup but authentication fails when accessing remotly

0 votes
by (120 points)

I have a basic setup of Rebex SFTP on an active Windows server 2022 standard. It's a simple server setup running AD. I have Rebex set up with the local server IP address as the listening address on port 22. I have set my firewall to use a dedicated static IP address to NAT forward all data to that server (I'll change that later for security reasons.) When I use an SFTP client in my environment to connect to the SFTP server using its local IP address the connection works but when I use the external IP address the connection is established and the certificate is shared and it accepts the username but when I enter the password it says "access denied." What am I missing? Thanks!

1 Answer

0 votes
by (2.0k points)

Please check the logs to gain insight why this happens. You can find more information here: https://www.rebex.net/doc/buru-sftp-server/features/logging/

by (120 points)
edited by
Thanks, I setup logging and the log populated when connecting locally but showed no record when trying to connect using the external IP. I did however check my SFTP log and this is what it came back with:

2024-02-14 08:12:52.025 Looking up host "4.1.216.**" for SSH connection
. 2024-02-14 08:12:52.025 Connecting to 4.1.216.** port 22
. 2024-02-14 08:12:52.045 We claim version: SSH-2.0-WinSCP_release_5.17.8
. 2024-02-14 08:12:52.479 Remote version: SSH-2.0-OpenSSH_8.3
. 2024-02-14 08:12:52.479 Using SSH protocol version 2
. 2024-02-14 08:12:52.480 Have a known host key of type rsa2
. 2024-02-14 08:12:52.495 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
. 2024-02-14 08:12:53.055 Host key fingerprint is:
. 2024-02-14 08:12:53.055 ssh-rsa 2048 78:81:9f:1d:15:65:73:24:42:31:(removed for security) JEHwCn7ws4KWBAu3pRPoXrFVNPmgCuq2k4=
. 2024-02-14 08:12:53.109 Host key matches cached key
. 2024-02-14 08:12:53.110 Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
. 2024-02-14 08:12:53.110 Initialised HMAC-SHA-256 outbound MAC algorithm
. 2024-02-14 08:12:53.110 Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
. 2024-02-14 08:12:53.110 Initialised HMAC-SHA-256 inbound MAC algorithm
. 2024-02-14 08:12:53.113 Prompt (username, "SSH login name", <no instructions>, "login as: ")
. 2024-02-14 08:13:01.299 Response: "username"
. 2024-02-14 08:13:01.361 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2024-02-14 08:13:01.361 Attempting keyboard-interactive authentication
. 2024-02-14 08:13:01.371 Server refused keyboard-interactive authentication
. 2024-02-14 08:13:01.371 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2024-02-14 08:13:01.371 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2024-02-14 08:13:11.451 Sent password
. 2024-02-14 08:13:11.469 Password authentication failed
! 2024-02-14 08:13:11.469 Access denied
. 2024-02-14 08:13:11.484 Server offered these authentication methods: publickey,password,keyboard-interactive
. 2024-02-14 08:13:11.484 Prompt (password, "SSH password", <no instructions>, "&Password: ")
. 2024-02-14 08:13:16.629 Attempt to close connection due to fatal exception:
. 2024-02-14 08:13:16.629 Closing connection.
* 2024-02-14 08:13:16.650 (ESshFatal)
by (2.0k points)
Can you try setting the server log level to Debug to see what is going on? This late in connection it does not look like a firewall issue. My best guess would be that the password is indeed wrong (caps lock, different keyboard layout, etc.). The server log should give an answer.
by (120 points)
edited by
So I can connect from SFTP clients on any internal PC as seen below but I have tried several internal and external clients to connect using the external IP and they do find the SFTP server but fail to authenticate. They just get denied when trying to authenticate and don't show up in the debug logs!! Below are several successful connections but no sign of my unsuccessful attempts?!

2024-02-14 15:30:28.258 -07:00 [Information] Buru SFTP Server version 2.11.3 (component version 7.0.8769.0)
2024-02-14 15:30:28.412 -07:00 [Information] Loading configuration C:\ProgramData\Rebex\BuruSftp\config.yaml
2024-02-14 15:30:28.413 -07:00 [Information] Loading aliases C:\ProgramData\Rebex\BuruSftp\aliases
2024-02-14 15:30:28.413 -07:00 [Information] Loading users C:\ProgramData\Rebex\BuruSftp\users.ldb
2024-02-14 15:30:30.753 -07:00 [Debug] SSH encryption algs: ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr", "chacha20-poly1305@openssh.com", "twofish256-ctr", "twofish192-ctr", "twofish128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc", "twofish256-cbc", "twofish192-cbc", "twofish128-cbc", "twofish-cbc", "3des-ctr", "3des-cbc"]
2024-02-14 15:30:30.762 -07:00 [Debug] SSH host key algs: ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256", "ecdsa-sha2-1.3.132.0.10", "rsa-sha2-512", "ssh-rsa-sha256@ssh.com", "rsa-sha2-256", "x509v3-ecdsa-sha2-nistp521", "x509v3-ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp256", "x509v3-rsa2048-sha256", "x509v3-sign-rsa-sha256@ssh.com", "ssh-dss", "ssh-rsa", "x509v3-sign-rsa", "x509v3-sign-dss"]
2024-02-14 15:30:30.763 -07:00 [Debug] SSH kex algs: ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "ecdh-sha2-1.3.132.0.10", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"]
2024-02-14 15:30:30.764 -07:00 [Debug] SSH mac algs: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"]
2024-02-14 15:30:31.110 -07:00 [Information] Using key ECDSA NIST P-256 (SHA256:hM4Kt3tBoL4F7XfOHd0pD273VbwAJz9CF9vg0XRNhjw) from C:\ProgramData\Rebex\BuruSftp\keys\key_ecdsanistp256_256.
2024-02-14 15:30:31.128 -07:00 [Information] Using key 256-bit Ed25519 (SHA256:/ubmRn3s/npvVa8jc3mbSXtqxhF6I+sDa+gah/c+HKA) from C:\ProgramData\Rebex\BuruSftp\keys\key_ed25519_256.
2024-02-14 15:30:31.129 -07:00 [Information] Using key 2048-bit RSA (SHA256:JYigj2dtmAYxrK/iF4GtGbToRt6C+f8f3LAkFn8+oC4) from C:\ProgramData\Rebex\BuruSftp\keys\key_rsa_2048.
2024-02-14 15:30:31.204 -07:00 [Information] Server will listen for Scp requests on 10.0.4.35:22.
2024-02-14 15:30:31.287 -07:00 [Information] Server will listen for Sftp requests on 10.0.4.35:22.
2024-02-14 15:30:31.300 -07:00 [Information] Starting server.
2024-02-14 15:30:31.306 -07:00 [Information] Listening for connections at 10.0.4.35:22.
2024-02-14 15:30:31.306 -07:00 [Information] Server started.
2024-02-14 15:33:36.978 -07:00 [Information] Buru SFTP Server version 2.11.3 (component version 7.0.8769.0)
2024-02-14 15:33:37.084 -07:00 [Information] Loading configuration C:\ProgramData\Rebex\BuruSftp\config.yaml
2024-02-14 15:33:37.085 -07:00 [Information] Loading aliases C:\ProgramData\Rebex\BuruSftp\aliases
2024-02-14 15:33:37.085 -07:00 [Information] Loading users C:\ProgramData\Rebex\BuruSftp\users.ldb
2024-02-14 15:33:37.423 -07:00 [Debug] SSH encryption algs: ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr", "chacha20-poly1305@openssh.com", "twofish256-ctr", "twofish192-ctr", "twofish128-ctr", "aes256-cbc", "aes192-cbc", "aes128-cbc", "twofish256-cbc", "twofish192-cbc", "twofish128-cbc", "twofish-cbc", "3des-ctr", "3des-cbc"]
2024-02-14 15:33:37.432 -07:00 [Debug] SSH host key algs: ["ssh-ed25519", "ecdsa-sha2-nistp521", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp256", "ecdsa-sha2-1.3.132.0.10", "rsa-sha2-512", "ssh-rsa-sha256@ssh.com", "rsa-sha2-256", "x509v3-ecdsa-sha2-nistp521", "x509v3-ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp256", "x509v3-rsa2048-sha256", "x509v3-sign-rsa-sha256@ssh.com", "ssh-dss", "ssh-rsa", "x509v3-sign-rsa", "x509v3-sign-dss"]
2024-02-14 15:33:37.433 -07:00 [Debug] SSH kex algs: ["curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "ecdh-sha2-1.3.132.0.10", "diffie-hellman-group16-sha512", "diffie-hellman-group15-sha512", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"]
2024-02-14 15:33:37.433 -07:00 [Debug] SSH mac algs: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"]
2024-02-14 15:33:37.598 -07:00 [Information] Using key ECDSA NIST P-256 (SHA256:hM4Kt3tBoL4F7XfOHd0pD273VbwAJz9CF9vg0XRNhjw) from C:\ProgramData\Rebex\BuruSftp\keys\key_ecdsanistp256_256.
2024-02-14 15:33:37.616 -07:00 [Information] Using key 256-bit Ed25519 (SHA256:/ubmRn3s/npvVa8jc3mbSXtqxhF6I+sDa+gah/c+HKA) from C:\ProgramData\Rebex\BuruSftp\keys\key_ed25519_256.
2024-02-14 15:33:37.617 -07:00 [Information] Using key 2048-bit RSA (SHA256:JYigj2dtmAYxrK/iF4GtGbToRt6C+f8f3LAkFn8+oC4) from C:\ProgramData\Rebex\BuruSftp\keys\key_rsa_2048.
2024-02-14 15:33:37.636 -07:00 [Information] Server will listen for Scp requests on 10.0.4.35:22.
2024-02-14 15:33:37.651 -07:00 [Information] Server will listen for Sftp requests on 10.0.4.35:22.
2024-02-14 15:33:37.665 -07:00 [Information] Starting server.
2024-02-14 15:33:37.670 -07:00 [Information] Listening for connections at 10.0.4.35:22.
2024-02-14 15:33:37.670 -07:00 [Information] Server started.
2024-02-14 15:36:41.741 -07:00 [Debug] Accepted connection from 10.0.4.35:57793.
2024-02-14 15:36:41.744 -07:00 [Debug] Client "10.0.4.35" connecting.
2024-02-14 15:36:41.750 -07:00 [Information] Session 1: Started on connection from 10.0.4.35:57793.
2024-02-14 15:36:41.752 -07:00 [Debug] Session 1: Local SSH version: SSH-2.0-RebexSSH_5.0.8769.0
2024-02-14 15:36:41.763 -07:00 [Debug] Session 1: Remote SSH version: SSH-2.0-WinSCP_release_5.17.8
2024-02-14 15:36:41.763 -07:00 [Debug] Session 1: Performing algorithm negotiation and key exchange.
2024-02-14 15:36:41.811 -07:00 [Debug] Session 1: Performing key exchange using curve25519-sha256@libssh.org with ssh-ed25519.
2024-02-14 15:36:41.848 -07:00 [Debug] Session 1: Cipher info: SSH 2.0, curve25519-sha256@libssh.org, ssh-ed25519, aes256-ctr/aes256-ctr, hmac-sha2-256/hmac-sha2-256
2024-02-14 15:36:41.964 -07:00 [Debug] Session 1: Key exchange finished.
2024-02-14 15:36:41.980 -07:00 [Debug] Session 1: Performing authentication.
2024-02-14 15:36:42.002 -07:00 [Debug] Session 1: Starting authentication as 'admin' for 'ssh-connection'.
2024-02-14 15:36:50.605 -07:00 [Debug] Session 1: "admin@10.0.4.35" authenticated using password.
2024-02-14 15:36:50.899 -07:00 [Debug] User mounts "C:\Classlink OneSync\" as "/mount/"
2024-02-14 15:36:50.997 -07:00 [Information] Session 1: Authentication for 'admin' succeeded.
2024-02-14 15:36:51.000 -07:00 [Debug] Session 1: Authenticated as 'admin' for 'ssh-connection'.
2024-02-14 15:36:51.012 -07:00 [Debug] Session 1: Received SSH_MSG_CHANNEL_REQUEST: simple@putty.projects.tartarus.org('').
2024-02-14 15:36:51.012 -07:00 [Debug] Session 1: Received SSH_MSG_CHANNEL_REQUEST: subsystem('sftp').
2024-02-14 15:36:51.017 -07:00 [Debug] Session 1: Starting SftpModule(1) subsystem.
2024-02-14 15:36:51.027 -07:00 [Information] Session 1: Attempting GetItemInfo FSO Read "/"
2024-02-14 15:36:51.058 -07:00 [Debug] Getting item info on '/': success.
2024-02-14 15:36:51.213 -07:00 [Information] Session 1: Attempting OpenDirectory FSO List "/"
2024-02-14 15:36:51.229 -07:00 [Debug] Opening directory '/': success.
2024-02-14 15:36:52.626 -07:00 [Debug] Closing directory '/': success (25 items enumerated).
2024-02-14 15:37:03.108 -07:00 [Information] Session 1: Connection closed by the remote host.
2024-02-14 15:37:03.115 -07:00 [Information] Session 1: Closed connection from 10.0.4.35:57793.
2024-02-14 15:37:03.117 -07:00 [Debug] Client "admin" in session 1 disconnected.
2024-02-14 15:48:42.485 -07:00 [Debug] Accepted connection from 10.0.4.72:34811.
2024-02-14 15:48:42.485 -07:00 [Debug] Client "10.0.4.72" connecting.
2024-02-14 15:48:42.485 -07:00 [Information] Session 2: Started on connection from 10.0.4.72:34811.
2024-02-14 15:48:42.485 -07:00 [Debug] Session 2: Local SSH version: SSH-2.0-RebexSSH_5.0.8769.0
2024-02-14 15:48:42.486 -07:00 [Debug] Session 2: Remote SSH version: SSH-2.0-FileZilla_3.66.5
2024-02-14 15:48:42.486 -07:00 [Debug] Session 2: Performing algorithm negotiation and key exchange.
2024-02-14 15:48:42.488 -07:00 [Debug] Session 2: Performing key exchange using curve25519-sha256 with ssh-ed25519.
2024-02-14 15:48:42.500 -07:00 [Debug] Session 2: Cipher info: SSH 2.0, curve25519-sha256, ssh-ed25519, aes256-gcm@openssh.com/aes256-gcm@openssh.com
2024-02-14 15:48:44.152 -07:00 [Debug] Session 2: Key exchange finished.
2024-02-14 15:48:44.156 -07:00 [Debug] Session 2: Performing authentication.
2024-02-14 15:48:44.160 -07:00 [Debug] Session 2: Starting authentication as 'admin' for 'ssh-connection'.
2024-02-14 15:48:44.161 -07:00 [Debug] Session 2: "admin@10.0.4.72" authenticated using password.
2024-02-14 15:48:44.163 -07:00 [Debug] User mounts "C:\Classlink OneSync\" as "/mount/"
2024-02-14 15:48:44.164 -07:00 [Information] Session 2: Authentication for 'admin' succeeded.
2024-02-14 15:48:44.164 -07:00 [Debug] Session 2: Authenticated as 'admin' for 'ssh-connection'.
2024-02-14 15:48:44.165 -07:00 [Debug] Session 2: Received SSH_MSG_CHANNEL_REQUEST: simple@putty.projects.tartarus.org('').
2024-02-14 15:48:44.165 -07:00 [Debug] Session 2: Received SSH_MSG_CHANNEL_REQUEST: subsystem('sftp').
2024-02-14 15:48:44.165 -07:00 [Debug] Session 2: Starting SftpModule(2) subsystem.
2024-02-14 15:48:44.165 -07:00 [Information] Session 2: Attempting GetItemInfo FSO Read "/"
2024-02-14 15:48:44.166 -07:00 [Debug] Getting item info on '/': success.
2024-02-14 15:48:44.169 -07:00 [Information] Session 2: Attempting OpenDirectory FSO List "/"
2024-02-14 15:48:44.169 -07:00 [Debug] Opening directory '/': success.
2024-02-14 15:48:44.179 -07:00 [Debug] Closing directory '/': success (25 items enumerated).
2024-02-14 15:49:02.777 -07:00 [Information] Session 2: Connection reset by peer.
2024-02-14 15:49:02.777 -07:00 [Information] Session 2: Closed connection from 10.0.4.72:34811.
2024-02-14 15:49:02.777 -07:00 [Debug] Client "admin" in session 2 disconnected.
by (2.0k points)
My take on this is that you're actually connecting to a completely different server when using the external IP.
by (120 points)
You are right. Man, I hate it when the solution is so simple! When you are staring at something too long it all blends together. Thanks for lending me your eyes! There was a list of NAT settings and in my haste, I changed the external IP of the wrong one. It's now working like a champ!
by (2.0k points)
I am glad to hear that :)
by (120 points)
Interesting fact. Within 30 minutes of setting it up, I had 5 brute-force attacks/attempts. I have set stringent settings in the firewall so it's no longer an easy attack vector but still. I did some digging and one of the login attempts was from a location in China... no surprise. mind you.
...