7

I have a VPS to be set up as my SOCKS5 proxy, and the Firefox plugin AutoProxy was installed.

ssh -p 2034 -D 127.0.0.1:1080  root@vps_ip

The port on my VPS is 2034.

The command works for some time, maybe 10 or 20 minutes. During that time, I opened many web pages with my Firefox; suddenly, the connection was blocked, and an error message was displayed.

channel 8: open failed: administratively prohibited
channel 9: open failed: administratively prohibited
channel 10: open failed: administratively prohibited

I have searched for the problem on Stack Overflow, for example: SSH tunneling error: "channel 1: open failed: administratively prohibited: open failed"

My problem differs from that!

  1. I can create the ssh tunnel properly every time.
  2. When the ssh tunnel is created, I can browse web pages for some time, about 10 or 20 minutes.
  3. After many web pages are opened by my Firefox, the tunnel breaks.
  4. If I close my Firefox and console for some time, I can create the tunnel again.

This cycle keeps repeating.
What is the matter with my VPS and ssh service? My system is Debian 8.1. Where is the ssh log file? There is no /var/log/secure on my Debian. Maybe the ssh log file can tell more.

showkey
  • 323

3 Answers

7

It sounds like you're running into the SSH server's limit on the number of simultaneous sessions per connection. Your command-line session to the remote server is one session, and each individual forwarded TCP connection is another session.

You can change the server's limit through the MaxSessions parameter in the server's sshd_config file:

MaxSessions
Specifies the maximum number of open sessions permitted per network connection. The default is 10.

You'd update sshd_config like this:

  1. Find the file. It's usually /etc/ssh/sshd_config.
  2. Edit it as root.
  3. In the file look for an existing MaxSessions setting if any. Otherwise, add a new line. Set the number to 15 or so. Save the new file.
  4. Restart sshd to make it reread the file.
  5. Make a new ssh connection and see if the behavior changes.
Kenster
  • 3,410
0

Yes, likely you're hitting MaxSessions + be sure to check your Firefox about:config setting for network.http.pipelining.maxrequests + note this value.

Default is usually 5.

If you're visiting several sites simultaneously, meaning you hit new page or new tab, while waiting on first page to present, target setting MaxSessions to - network.http.pipelining.maxrequests * number of simultaneous visits you might have in progress at any time.

Then double or triple this to account for background AJAX connections, like if you're logged into WordPress which causes your browser to send AJAX ping requests continually.

Likely there's some deep debugging you can turn on in sshd + your ssh tunnel command to see if MaxSessions is ever exceeded + if it is, just increase it more.

0

Try a different DNS server (OpenDNS or Google).

I was having this problem and upping MaxSessions didn't help.

In /var/log/auth.log I found many errors along the lines of:

sshd[24976]: error: connect_to p.ebaystatic.com: unknown host (Name or service not known)

Even though I could ping all the hosts and it would find them no problem. For me, switching from Google DNS to OpenDNS fixed it (for now). (Perhaps the ultimate cause is dropped packets on my Internet connection causing DNS timeouts. Not sure.)

Anyways, when you try to socks proxy connect to a host that DNS cannot find, I think it is one cause of the "administratively prohibited" error message.

HalosGhost
  • 4,790
Rob
  • 1
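The last answer points at `/var/log/auth.log` as the place where sshd records why a forwarded connection was refused. The script below is an added example, not code from any of the posts: it tallies those `connect_to` errors per destination and separates server-side DNS failures from other connect failures. The log lines are a constructed sample; only the message text of the `p.ebaystatic.com` line comes from the answer, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Debian /var/log/auth.log layout. Only the message text
# of the p.ebaystatic.com line is from the answer above; timestamps, the host
# name "vps", the *.example.test names and the "port 443: failed." line are
# made up for this example.
SAMPLE_LOG = """\
Jul  3 10:15:01 vps sshd[24970]: Accepted publickey for root from 203.0.113.7 port 51514 ssh2
Jul  3 10:31:12 vps sshd[24976]: error: connect_to p.ebaystatic.com: unknown host (Name or service not known)
Jul  3 10:31:12 vps sshd[24976]: error: connect_to static.example.test: unknown host (Name or service not known)
Jul  3 10:31:14 vps sshd[24976]: error: connect_to p.ebaystatic.com: unknown host (Name or service not known)
Jul  3 10:31:15 vps sshd[24976]: error: connect_to cdn.example.test port 443: failed.
Jul  3 11:02:40 vps sshd[25011]: error: connect_to static.example.test: unknown host (Name or service not known)
"""

CONNECT_ERR = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+?)"
    r"(?: port (?P<port>\d+))?: (?P<reason>.+)$"
)

def parse_forward_failures(lines):
    """Yield (sshd pid, destination host, kind) for each failed forward."""
    for line in lines:
        m = CONNECT_ERR.search(line.rstrip("\n"))
        if m:
            kind = "dns" if m["reason"].startswith("unknown host") else "connect"
            yield int(m["pid"]), m["host"], kind

def summarize(lines):
    """Count failures per destination host, split into DNS vs. connect errors."""
    summary = {"dns": Counter(), "connect": Counter()}
    for _pid, host, kind in parse_forward_failures(lines):
        summary[kind][host] += 1
    return summary

def dns_share(summary):
    """Fraction of forwarding failures caused by name resolution on the server."""
    dns = sum(summary["dns"].values())
    total = dns + sum(summary["connect"].values())
    return dns / total if total else 0.0

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for kind, hosts in result.items():
        for host, count in hosts.most_common():
            print(f"{kind:8} {count:3}  {host}")
    print(f"DNS share of failures: {dns_share(result):.0%}")
```

To run it on a real server, pass the lines of `/var/log/auth.log` to `summarize()` instead of `SAMPLE_LOG`; a high DNS share points at the server's resolver rather than at an sshd limit.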