Hi erman,
We are connecting to a remote server and fetching a file through a concurrent program. It worked for several months and all of a sudden we have an issue today.
The IP address and port are masked for security reasons.

#Fetch the latest file name available in target Server
lftp -u ${USER},${PASS} sftp://${HOST}:${PORT} <<EOF-->used for connecting to target host.
cd /FILES-->is the location in target server where the files are placed

method :1
=========
[applprod@erpprodapp01 bin]$ lftp -u ${USER},${PASS} sftp://${HOST}:${PORT}
lftp username@*********:~> cd /FILES
cd `/ERPFILES' [Delaying before reconnect: 20]------>we are facing this error

We have enabled debug and below is the error

[applprod@app01 bin]$ lftp -u ${USER},${PASS} sftp://${HOST}:${PORT}
lftp username@*********:~> debug
lftp username@*********:~> cd /FILES
---- Running connect program (ssh -a -x -s -l username-p port **** sftp)============>Error message
---> sending a packet, length=5, type=1(INIT), id=0
<--- ssh_exchange_identification: read: Connection reset by peer
**** Peer closed connection
---- Disconnecting

method 2:
==========
[applprod@erpprodapp01 bin]$ lftp -u ${USER},${PASS} sftp://${HOST}:${PORT}
lftp ttderp@***.***.***.***:~> debug
lftp ttderp@***.***.***.***:~> set sftp:connect-program "ssh -a -x -o PubkeyAuthentication=false"
lftp ttderp@***.***.***.***:~> cd /ERPFILES
---- Connecting to ***.***.***.***(***.***.***.***) port ****
**** Peer closed connection
---- Closing control socket

telnet output

[applprod@app01 bin]$ telnet ipadress port
Trying ***.***.***.***...
Connected to ***.***.***.***.
Escape character is '^]'.
Connection closed by foreign host.
[applprod@app01 bin]$

Kindly suggest
Thank you
Administrator
There might be a configuration change in the remote server that you connect to via sftp..
You need to check the server side..
As far as I see, you are doing sftp. It is built upon the SSH transport layer.. So it is ssh based.
Well.. I suggest you check the sshd debug on the remote server.. This may give you a clue..
Dear Erman,
Is port 22 mandatory to be opened in the remote server while using sftp? Here we are using 1963 and this port is opened in the remote server. But in the logs, it is showing as connecting to port 22.

[applprod@app01 ~]$ sftp -o PubkeyAuthentication=no -vvv ttderp@111.111.111.111:1963
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 111.111.111.111[111.111.111.111] port 22.
debug1: connect to address 111.111.111.111 port 22: Connection refused
ssh: connect to host 111.111.111.111 port 22: Connection refused
Couldn't read packet: Connection reset by peer
[applprod@app01 ~]$
Administrator
As I said, sftp is an ssh based protocol.
Normally, the sshd port should be opened.
In your case, you connect to the sftp server using port 1963, but then the traffic is again going through port 22. So that 1963 is probably just an additional configuration of yours. Maybe it is configured to forward the traffic to port 22 / to sshd.. In that case the sshd port (the default is 22) should be opened.
What happens when you just use ssh to connect to that port?
I mean -> ssh ttderp@111.111.111.111:1963
Dear Erman,
[applprod@app01 ~]$ ssh ttderp@111.111.111.111
ssh: connect to host 111.111.111.111 port 22: Connection refused
[applprod@app01 ~]$
[applprod@app01 ~]$ ssh ttderp@111.111.111.111:1963
ssh: Could not resolve hostname 111.111.111.111:1963: Name or service not known
[applprod@app01 ~]$
[applprod@app01 ~]$ ping 111.111.111.111
PING 111.111.111.111(111.111.111.111) 56(84) bytes of data.
64 bytes from 111.111.111.111: icmp_seq=1 ttl=63 time=0.200 ms
64 bytes from 111.111.111.111: icmp_seq=2 ttl=63 time=0.206 ms
64 bytes from 111.111.111.111: icmp_seq=3 ttl=63 time=0.196 ms
^C
--- 111.111.111.111 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.196/0.200/0.206/0.016 ms
[applprod@app01 ~]$
Administrator
You can just ssh to a different port that way.
Try : ssh user@111.111.111.111 -p 1963
However, this will just give us an additional view of the problem..
My opinion is that the sshd port should be opened.
In your case, you connect to the sftp server using port 1963, but then the traffic is again going through port 22. So that 1963 is probably just an additional configuration of yours. Maybe it is configured to forward the traffic to port 22 / to sshd.. In that case the sshd port (the default is 22) should be opened.
Hi Erman,
Thank you for the valuable updates.
In the logs below, there is no reference that it is connecting to port 22, and also the connection is established with 1963. Just want to confirm if port 22 needs to be opened.

[applprod@app01 bin]$ sftp -o PubkeyAuthentication=false -P 1963 -vvv ttderp@111.111.111.111
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 111.111.111.111 [111.111.111.111] port 1963.
debug1: Connection established.=============================
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/applprod/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/applprod/.ssh/id_rsa type 1
debug1: identity file /home/applprod/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/applprod/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/applprod/.ssh/id_dsa type 2
debug1: identity file /home/applprod/.ssh/id_dsa-cert type -1
debug1: identity file /home/applprod/.ssh/id_ecdsa type -1
debug1: identity file /home/applprod/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/applprod/.ssh/id_ed25519 type -1
debug1: identity file /home/applprod/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: read: Connection reset by peer
Couldn't read packet: Connection reset by peer
[applprod@app01 bin]$

Thank you
Administrator
Your sftp may not be configured properly.
Did you check your sshd_config file?
Do you see a line like the following?
Subsystem sftp /usr/libexec/openssh/sftp-server (your sftp-server path of course)
Also check the ownership and grants of the sftp destination directory...
So, port 22 is not a problem here?

[root@app01 ~]# grep -i sftp /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
[root@app01 ~]# ls -lrt /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 84016 Sep 6 2016 /usr/libexec/openssh/sftp-server
[root@app01 ~]#

Thank you
Administrator
I think your sftp is not configured properly.
In order to run sftp using a different port than the ssh port, there are things to do.. It is inside your sshd_config.
Please check the internet, there are lots of articles available for that.
So your solution is on the sftp-server side, and it is in sshd_config.
For ex, here we have an article that might give you the clue-> https://www.thegeekdiary.com/how-to-configure-separate-port-for-ssh-and-sftp-on-centos-rhel/
Of course, don't directly implement the things written in the document above. Customize it according to your situation and then implement.
Thank you.
"your solution is in the sftp-server side, and it is in sshd_config". This means we have to check this in the target server to which we are connecting from our local machine?
Administrator
Yes

On Thu, 19 Dec 2019 at 18:42, Kumar [via Erman Arslan's Oracle Forum] <[hidden email]> wrote:
Thank you.
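
A small triage helper for the two `sftp -vvv` traces posted in this thread, as an added example that is not part of the original posts: it reports which port the client actually dialled and whether the session ended before the server sent its SSH version string. The function name `triage`, the stage labels and the abridged sample traces are constructed for illustration.

```python
import re

# Constructed sample input: abridged copies of the two client traces posted in
# this thread (same masked address 111.111.111.111 as in the posts).
TRACE_COLON = """\
debug1: Connecting to 111.111.111.111 [111.111.111.111] port 22.
debug1: connect to address 111.111.111.111 port 22: Connection refused
ssh: connect to host 111.111.111.111 port 22: Connection refused
"""
TRACE_DASH_P = """\
debug1: Connecting to 111.111.111.111 [111.111.111.111] port 1963.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
ssh_exchange_identification: read: Connection reset by peer
"""

CONNECT = re.compile(r"Connecting to .+ port (\d+)\.")


def triage(trace, intended_port):
    """Return (stage, port_used) for an OpenSSH client debug trace."""
    port_used = None
    established = remote_banner = False
    for line in trace.splitlines():
        m = CONNECT.search(line)
        if m:
            port_used = int(m.group(1))  # the last connection attempt wins
            established = remote_banner = False
        elif "Connection established" in line:
            established = True  # TCP handshake completed
        elif "Remote protocol version" in line:
            remote_banner = True  # server sent its SSH-2.0-... string
    if port_used is None:
        return ("no_attempt", None)
    if port_used != intended_port:
        # e.g. `sftp user@host:1963`: the text after ':' is read as a remote
        # path, so the client falls back to port 22.
        return ("wrong_port", port_used)
    if not established:
        return ("refused" if "Connection refused" in trace else "unknown", port_used)
    if remote_banner:
        return ("banner_received", port_used)
    if "ssh_exchange_identification" in trace:
        # TCP was accepted, then closed before the server's version string.
        return ("reset_before_banner", port_used)
    return ("unknown", port_used)
```

A `reset_before_banner` result means the TCP connection was accepted and then dropped before any SSH identification arrived, so the sshd log on the remote side is the place to look.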