Category Archives: Linux

sshd fatal: cipher & key exchange

I did some updates on an old Debian system and then the SSH server refused to let me in.
I got the message:

sshd[19482]: fatal: no matching cipher found:

Have a look in your /var/log/auth file and determine which ciphers the client and the server are offering. This error message means there is no cipher common to the client and the server.

I added the following line to the /etc/ssh/sshd_config file:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Then I got a new error message:

sshd[20362]: fatal: Unable to negotiate a key exchange method [preauth]

Specify the key exchange methods explicitly by adding the following line to your /etc/ssh/sshd_config file:

KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
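As an added example (not from the original post): a small Python script that reads the "no matching ... found" lines from auth.log, splits the client's offer into algorithms that can be added to sshd_config without weakening the server and legacy ones that are better fixed on the client side, and builds the Ciphers/KexAlgorithms line to add. The log lines are constructed, and the older OpenSSH wording "client ... server ..." is an assumption.

```python
import re

# Constructed sample /var/log/auth.log lines in the older OpenSSH wording
# "no matching X found: client ... server ..." (assumption: the exact
# wording varies between OpenSSH versions; adjust LOG_RE if yours differs).
SAMPLE_LOG = """\
Mar  3 10:12:01 box sshd[19482]: fatal: no matching cipher found: client aes128-cbc,3des-cbc,blowfish-cbc server aes128-ctr,aes256-ctr,chacha20-poly1305@openssh.com [preauth]
Mar  3 10:13:44 box sshd[20362]: fatal: no matching key exchange method found: client diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 server curve25519-sha256@libssh.org,ecdh-sha2-nistp256 [preauth]
Mar  3 10:14:02 box sshd[20370]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

LOG_RE = re.compile(
    r"no matching (?P<kind>cipher|key exchange method|mac) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)
# sshd_config keyword for each kind of negotiation failure.
KEYWORD = {"cipher": "Ciphers", "key exchange method": "KexAlgorithms", "mac": "MACs"}

def is_legacy(alg):
    """Algorithms that should not be re-enabled just to let an old client in."""
    return (alg.endswith("-cbc") or alg.startswith("arcfour")
            or alg.startswith("3des") or alg.endswith("group1-sha1")
            or alg.endswith("group-exchange-sha1"))

def parse_failures(log_text):
    """One dict per negotiation-failure line: kind, client offer, server list."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield {"kind": m.group("kind"),
                   "client": m.group("client").split(","),
                   "server": m.group("server").split(",")}

def analyse(failure):
    """Split the client's offer into safe additions and legacy algorithms, and
    build the sshd_config line that adds only the safe ones (None if nothing)."""
    server = set(failure["server"])
    missing = [a for a in failure["client"] if a not in server]
    acceptable = [a for a in missing if not is_legacy(a)]
    legacy = [a for a in missing if is_legacy(a)]
    line = None
    if acceptable:
        line = KEYWORD[failure["kind"]] + " " + ",".join(failure["server"] + acceptable)
    return {"kind": failure["kind"], "acceptable": acceptable,
            "legacy": legacy, "config_line": line}

def report(log_text):
    """Analyse every negotiation failure found in the log text."""
    return [analyse(f) for f in parse_failures(log_text)]
```

On the sample above the cipher failure yields no safe addition (the client only offers CBC and 3DES), while the key exchange failure yields a KexAlgorithms line that adds diffie-hellman-group14-sha1 but leaves group1-sha1 out.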

Setting up iptables for Debian

This is a start-up script for iptables. First create the file and make it executable:

touch /etc/init.d/mon_firewall
chmod +x /etc/init.d/mon_firewall

Contents of /etc/init.d/mon_firewall:

#!/bin/sh

### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:
# Should-Start:
# Required-Stop:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables
# Description:       Firewall
### END INIT INFO

# load/unload the iptables rule set

case "$1" in
'start')
    # restore the saved rule set
    /sbin/iptables-restore < /etc/config_firewall
    RETVAL=$?
    ;;
'stop')
    # save the current rule set (the rules stay loaded until 'clean' is run)
    /sbin/iptables-save > /etc/config_firewall
    RETVAL=$?
    ;;
'clean')
    # flush every table and reset all chain policies to ACCEPT
    /sbin/iptables -t filter -F
    /sbin/iptables -t nat -F
    /sbin/iptables -t mangle -F
    /sbin/iptables -t raw -F
    /sbin/iptables -t filter -P INPUT ACCEPT
    /sbin/iptables -t filter -P OUTPUT ACCEPT
    /sbin/iptables -t filter -P FORWARD ACCEPT
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t raw -P OUTPUT ACCEPT
    /sbin/iptables -t raw -P PREROUTING ACCEPT
    RETVAL=$?
    ;;
'restart')
    $0 stop && $0 start
    RETVAL=$?
    ;;
*)
    echo "Usage: $0 { start | stop | restart | clean }"
    RETVAL=1
    ;;
esac
exit $RETVAL

Then register it in the runlevels (the service name must match the file name in /etc/init.d):

update-rc.d mon_firewall start XX S . stop YY 0 6 .

where XX is a start sequence number before the one for networking and YY a stop sequence number after it.