Tag Archives: ssh

Installing KVM guest OS via VNC over SSH tunnel

Merry Christmas is over, and I’ve bought myself a brand new server for the occasion :D So that’s it: enough of doing nothing, I had to start migrating services from the old box. As the old machine is just a bare-metal environment where users kill each other for memory, I decided: no more. KVM, cgroups, and to hell with you guys, you won’t ever know about each other! And all this for the same price (the old box is 2 years old and I paid the same for the new one, where I’ve got 8x more RAM, 2x more storage and a quad-core…).

OK, enough talking. So I’ve got a clean CentOS 6.3 installation with a basic KVM environment and SELinux set to Permissive mode. (You could leave it in Enforcing, but then you have to run “chcon --reference /var/lib/libvirt/images /your/vm/repodir”; I see no point in using SELinux on the host OS: it would eat too many resources and is not needed at all, since what you have to do on the host OS for security is to use very strict rules.)

So… CentOS, KVM, Permissive, and we’re ready to engage. For lazy guys I suggest using Virtual Machine Manager (virt-manager), where you can click through the whole guest configuration process (to make this work you should turn off iptables for a while or open some virt-manager TCP ports). But as virt-manager is for the lame, we type in the terminal:

And the installation is running. Now we’d like to connect to it, so VNC FTW! But…

The VNC daemon is safely listening only on localhost, so we have to try a different way. We could make the daemon listen on the WAN interface as well, but that would be too lame and risky. So we create an SSH tunnel:

And right after that we can safely connect our VNC client (like TigerVNC) to the installation process using host 127.0.0.1:65322 :)

Of course, after a successful installation I suggest creating a clone of our brand-new VPS just to save some time on future installations; use the virt-clone command to do this.

And that’s all for now. Next time I’ll write how to configure the guest OS so that the virsh console command can connect to it via the serial console.

ssh_exchange_identification: Connection closed by remote host

Recently, trying to connect via SSH using cssh to a particular server from 26 other boxes at the same time, I wasn’t able to connect from some of those boxes and saw this message on them:

This was due to the server configuration. The default maximum number of simultaneous connection attempts (login attempts) is defined in /etc/ssh/sshd_config:

We can change the above value or use the new-style format:

Which stands for:

  1. 10 – the number of allowed simultaneous connection attempts. Above this number sshd starts to randomly drop connections with a 30% chance
  2. 60 – the number of simultaneous connection attempts after which sshd drops every new connection
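As an added example (not from the original post), here is a small Python model of the sshd MaxStartups logic described above. It goes one step beyond the post: in OpenSSH the drop chance is not a flat rate, it ramps linearly from the rate percentage at the first threshold up to 100% at the second (the parsing and the integer ramp follow OpenSSH's servconf.c and sshd.c); the cssh fan-out simulation with 26 clients is my own constructed scenario.

```python
import random

DEFAULT_RATE = 30  # sshd's built-in rate when the legacy one-value form is used


def parse_max_startups(value):
    """Return (start, rate, full) for 'start:rate:full' or the legacy 'start' form."""
    parts = value.strip().split(":")
    if len(parts) == 3:
        start, rate, full = (int(p) for p in parts)
        if start > full or not 1 <= rate <= 100:
            raise ValueError("invalid MaxStartups spec: %r" % value)
        return start, rate, full
    if len(parts) == 1:
        # Legacy form: full == start, so every connection beyond `start` is refused.
        start = int(parts[0])
        return start, DEFAULT_RATE, start
    raise ValueError("invalid MaxStartups spec: %r" % value)


def drop_probability(spec, pending):
    """Percent chance that sshd refuses a new connection while `pending`
    connections are still in the pre-authentication phase."""
    start, rate, full = parse_max_startups(spec)
    if pending < start:
        return 0
    if pending >= full or rate == 100:
        return 100
    # Integer arithmetic as in sshd.c: a linear ramp from `rate` up to 100.
    return (100 - rate) * (pending - start) // (full - start) + rate


def expected_refusals(spec, clients, trials=2000, seed=0):
    """Constructed scenario: `clients` hosts (the cssh case) connect at once and
    none finishes authenticating before the last one arrives. Returns the
    average number of connections refused per trial."""
    rng = random.Random(seed)
    refused = 0
    for _ in range(trials):
        pending = 0
        for _ in range(clients):
            if rng.randrange(100) < drop_probability(spec, pending):
                refused += 1
            else:
                pending += 1
    return refused / trials


if __name__ == "__main__":
    for spec in ("10", "10:30:100", "10:30:60", "30:30:100"):
        print("MaxStartups %-10s -> %.1f of 26 refused" % (spec, expected_refusals(spec, 26)))
```

With the stock 10:30:100 default, the 26-box run from the post gives each connection beyond the tenth a 30% to 41% chance of being refused, which is why only some boxes saw the error; raising the first threshold above the number of simultaneous clients removes the random drops entirely.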

MySQL tunneling via SSH and error “channel: open failed: connect failed: Connection refused”

Recently I wrote a short article about MySQL tunneling via SSH in order to set up safe MySQL replication. Afterwards I noticed some problems creating a new SSH tunnel for a MySQL connection in a quite different environment. After creating the SSH tunnel and trying to connect to the server through it, I received this SSH error in the tunnel’s error log:

or:

And below:

in the MySQL terminal.

First of all we have to make sure that our tunnel is working properly, so we just kill the current tunnel and create a new one without the “-f” and “-N” options:

If everything is OK, we can assume the tunnel is working fine. We can also try to create another tunnel to some other service on a different target port and check whether that service works via the tunnel, just to rule out any problems with SSH tunneling itself.

My problem was that MySQL was configured to block any connections from outside localhost. This is the default MySQL configuration; it is set via these my.cnf entries:

or:

So in order to make MySQL accessible via our tunnel we have to comment out the skip-networking line and make sure that we are connecting to the correct IP address in our tunnel. For example, if we have this line in our my.cnf:

Then our tunnel should look like:

(notice the 127.0.0.1 in the above command).

If we bind MySQL to some other IP, like:

Then we should change our tunneling parameters accordingly:

After commenting out skip-networking, our security depends on the IP address we bind MySQL to. If it’s a local IP address in the DMZ, there is no security hole here. It would be unwise to bind to the WAN address and leave the MySQL port open without any SSL encryption or without filtering traffic by client IP address…