
The "ssh_exchange_identification: read: Connection reset by peer" error is displayed when you log on to an ECS instance through SSH

Last Updated: Apr 27, 2022

Disclaimer: This topic may be contributed by the community or involve information about third-party products. We recommend that you visit the official website of the community or third-party products for help and support. The third-party products are not supported by Alibaba Cloud after-sales service. This article is for reference only. Alibaba Cloud does not make any implied or other forms of commitment.

Issue

When you log on to an ECS instance by using SSH, the following error message appears even though the username and password are correct.

ssh_exchange_identification: read: Connection reset by peer.
sshd[11949]: refused connect from 192.168.0.0 (192.168.0.0).

Cause

  • The TCP Wrapper configuration files have been modified:
    A rule in /etc/hosts.allow or /etc/hosts.deny on the Linux instance enables TCP Wrapper access control that denies SSH connections. tcpd refuses the connection before the SSH protocol exchange starts, which produces the error shown above.
  • The connection is blocked by Apsara Stack Security.
  • A problem with the local network.

Solution

Take note of the following items:

  • Before you perform high-risk operations such as modifying the specifications or data of an Alibaba Cloud instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • Before you modify the specifications or data of an Alibaba Cloud instance, such as an Elastic Compute Service (ECS) instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backups for the instance. For example, you can enable log backups for an ApsaraDB RDS instance.
  • If you have granted specific users the permissions on sensitive information, such as usernames and passwords, or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity.

The Linux configurations and descriptions in this topic have been tested in CentOS 6.5 64-bit operating systems. The configurations of other operating systems may vary. For more information, see the official documentation of the corresponding operating system.

  1. Edit the TCP Wrapper configuration files:
    Follow these steps to adjust the access control list by modifying the configuration files. tcpd reads the files on each incoming connection, so the change takes effect immediately and you do not need to restart the server.
    1. Log on to the instance by using VNC. For more information, see Management terminal.
    2. Run the cat command to check whether the /etc/hosts.allow and /etc/hosts.deny files contain a configuration similar to the following.
      all:all:deny

    3. Edit the /etc/hosts.allow and /etc/hosts.deny files and either delete the entire line or comment it out by prefixing it with #, as shown below.
      Note: Back up the files before you modify the policy configuration.
      # all:all:deny

  2. The connection is blocked by Apsara Stack Security:
    1. Visit the Taobao IP Address Library to view and record your local IP address.
    2. Log on to the IP address whitelist page, select the target object type, and then select the target instance object. Enter the local IP address recorded in the previous step in the Source IP field, and then click OK.
      Note: If your ECS instance uses an EIP, you must select EIP (NAT) for Object Type.
  3. Local network problem:
    Use another network environment, such as a mobile phone's 4G network, to test whether the connection works and you can log on normally.

References

TCP Wrapper is a common standard security framework in Linux. Its function is similar to that of iptables: it controls access to TCP-based services started from inetd. Its daemon is tcpd, which decides whether to allow or deny an incoming TCP connection by reading the policy configuration in the following two files. tcpd checks /etc/hosts.allow first and then /etc/hosts.deny, and the first matching rule wins; a connection that matches no rule in either file is allowed. The usual approach is therefore to list the trusted hosts in hosts.allow and then reject all other hosts in hosts.deny.

/etc/hosts.allow
/etc/hosts.deny
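The following Python script is an added example and is not code from this article or from Alibaba Cloud. It models the first-match evaluation described above (hosts.allow first, then hosts.deny, no match means allow) for the sshd daemon and a client address, reports which rule in which file produced the verdict, and applies the remediation from the Solution section by commenting out the denying line. The two file contents are constructed samples, and every function name is the example's own; only the common subset of the hosts_access(5) syntax is handled.

```python
"""Check hosts.allow/hosts.deny for a TCP Wrapper rule that blocks sshd.

Models tcpd/libwrap first-match evaluation: hosts.allow is consulted first,
then hosts.deny; the first rule whose daemon list and client list both match
decides, and a client that matches no rule is allowed. Supported syntax:
ALL, exact daemon names, exact IPv4 addresses, "net/mask" or CIDR patterns
and trailing-dot prefixes such as "192.168."; EXCEPT lists, hostnames and
backslash continuation lines are not supported.
"""
import ipaddress
import re

# Constructed sample files (assumptions, not taken from the article). The
# deny file reproduces the all:all:deny line the article tells you to look for.
SAMPLE_HOSTS_ALLOW = """\
# trusted admin network only
sshd: 10.0.0.0/255.255.255.0
"""
SAMPLE_HOSTS_DENY = """\
all:all:deny
"""


def parse_rules(text):
    """Return (raw_line, daemons, clients, options) for each effective rule.

    Comment and blank lines are skipped. Fields are separated by ':' and
    list items by commas or blanks, as tcpd splits them.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed rule: tcpd logs and ignores it
        daemons = [d.lower() for d in re.split(r"[,\s]+", fields[0]) if d]
        clients = [c.lower() for c in re.split(r"[,\s]+", fields[1]) if c]
        options = [o.lower() for o in fields[2:] if o]
        rules.append((line, daemons, clients, options))
    return rules


def client_matches(pattern, client_ip):
    """True if an IPv4 client address matches one client-list pattern."""
    if pattern == "all":
        return True
    addr = ipaddress.IPv4Address(client_ip)
    if "/" in pattern:  # net/mask or CIDR, e.g. 10.0.0.0/255.255.255.0
        return addr in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets prefix, e.g. 192.168.
        return client_ip.startswith(pattern)
    return pattern == client_ip


def evaluate(allow_text, deny_text, daemon, client_ip):
    """Return (verdict, source_file, rule) the way tcpd would decide it.

    verdict is "allow" or "deny"; source_file and rule are None when no
    rule in either file matched, in which case tcpd grants access.
    """
    daemon = daemon.lower()
    order = (("hosts.allow", allow_text, "allow"),
             ("hosts.deny", deny_text, "deny"))
    for fname, text, default in order:
        for raw, daemons, clients, options in parse_rules(text):
            if not any(d in ("all", daemon) for d in daemons):
                continue
            if not any(client_matches(c, client_ip) for c in clients):
                continue
            # An explicit ALLOW or DENY option overrides the file's default.
            verdict = default
            if "deny" in options:
                verdict = "deny"
            elif "allow" in options:
                verdict = "allow"
            return verdict, fname, raw
    return "allow", None, None


def comment_out_denies(deny_text, daemon):
    """Return hosts.deny content with every rule denying `daemon` disabled.

    This is the article's remediation (prefix the line with '#') applied
    programmatically; back the file up before writing the result back.
    """
    out = []
    for raw in deny_text.splitlines():
        parsed = parse_rules(raw)
        blocks = bool(parsed) and "allow" not in parsed[0][3] and any(
            d in ("all", daemon.lower()) for d in parsed[0][1])
        out.append("# " + raw if blocks else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Reproduce the symptom: 192.168.0.0 is refused by all:all:deny, then
    # allowed again once that line is commented out.
    for ip in ("10.0.0.5", "192.168.0.0"):
        print(ip, evaluate(SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, "sshd", ip))
    fixed = comment_out_denies(SAMPLE_HOSTS_DENY, "sshd")
    print(fixed.rstrip(), evaluate(SAMPLE_HOSTS_ALLOW, fixed, "sshd", "192.168.0.0"))
```

To use it against a real instance, read /etc/hosts.allow and /etc/hosts.deny into `allow_text` and `deny_text` and call `evaluate(..., "sshd", "<your client IP>")`; a verdict of "deny" together with the reported file and rule tells you exactly which line to comment out. The `comment_out_denies` helper only returns the edited content; it does not write the file, which you should do yourself after taking the backup the article recommends.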

Note: For more information about TCP Wrapper, see TCP Wrapper.

References

You can also refer to the following documents to further troubleshoot and analyze logon failures on ECS instances.

Applicable scope

  • Elastic Compute Service