SFTP, FTP, HTTP Connection Refused through clients
 

I have an off-site storage server that I've been using for a while. All of a sudden the past couple of weeks while trying to connect through Transmit or Cyberduck all I get is "connection refused" whenever I attempt to connect through SFTP, FTP, or HTTP. The IT guys for the server state it's fine but when I try to ping my ports on my mac my port 22 and 21 aren't visible.

What in the heck is going on?

Here is the log output for:
ssh -v -v -v username@remote.server.address

What does ssh_connect: needpriv 0 mean?

Brens-Mac-Pro:~ xxxx$ ssh -v -v -v smxxxx@serverf.xxxxxxx.net
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to smxxxx@server.xxxxxxx.net [188.xxx.237.xx] port 22.
debug1: connect to address 188.xxx.237.xx port 22: Connection refused
ssh: connect to host smxxxx@server.xxxxxxx.net port 22: Connection refused

Is there a firewall in between you and the server?

It might be blocking the traffic.

Just the Mac firewall, as far as I know. When I turn it off I get the same connection refusal.

Just to be clear. What side is making the connection?

From your Mac to the server or the other way around?

I'm getting the refusal as I try to connect my Mac to the server.

What happens if you do a traceroute?

Does that finish?

Brents-Mac-Pro:~ brent$ traceroute -n serverf.xxxxxxx.net
traceroute to serverf.xxxxxxx.net (1xx.165.xx7.x9), 64 hops max, 52 byte packets
traceroute: sendto: No route to host
1 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
2 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
3 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
4 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
5 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
6 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*
traceroute: sendto: No route to host
16 traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1
*traceroute: sendto: No route to host
traceroute: wrote serverf.xxxxxxx.net 52 chars, ret=-1

Also I tried this:
Brents-Mac-Pro:~ brent$ ssh serverf.xxxxxxx.net -p 43222
ssh: connect to host serverf.xxxxxxx.net port 43222: Connection refused

"No route to host" on the first hop. I'd contact your ISP, I have a feeling you're not even connected to the internet.

I was afraid of that assessment. Thats the funny thing, I'm typing to you on the exact same connection that I am attempting to connect to the server. I can HTTP into the server from my browser but anything else is "connection refused".
(Then the ISP is blocking my SFTP attempts.)

How do you connect to the internet?

Do you use a modem/router? That may also contain a firewall.

Yes, I have a dsl modem. Is it possible that modem firewall could randomly change without my input? I've never touched the dsl modem's firewall.

Only if it's broken.

That said, there is some malware around that can login on a router and change settings. Not that common though.

You should definitely log in and verify it's settings. Also make sure you put a proper password on the administrative account used to configure it.

I got into my modem and it appears all stock. The only thing activated within it's internal firewall was: ip flood protection & firewall protection.
Everything else is blank like a stock set-up.

It's somewhat odd though. So you're saying you have no problem accessing your server (or any other website) on HTTP? But SSH fails to connect?

Can you connect to another host with SSH? No need to login, getting a connection just for test is enough.

I don't really have another ftp server handy to test but I tried accessing the mozilla ftp server via SFTP and it tried successfully, I was denied because I didn't have a login name or password.
With my storage server it would just tell me "connection refused".

If I log in, through my browser thru HTTPS then try to download a file I get a bad download return that tells me there is an invalid certificate from the server.

Try using ssh to connect to sirdice.nl (it's my server).
The first will use IPv4 and must work. The latter will use IPv6 and may not work on your system. One of them should at least ask for a username. If that works we can rule out any local issues or your ISP and the problem is most likely at the hoster's end.

Brents-Mac-Pro:~ brent$ ssh -4 sirdice.nl
The authenticity of host 'sirdice.nl (46.19.35.10)' can't be established.
RSA key fingerprint is cf:ex:98:ad:20:xx:8d:xx:63:b9:xx:f5:9e:30:3x:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'sirdice.nl,46.19.35.10' (RSA) to the list of known hosts.
Password:
Password:


Brents-Mac-Pro:~ brent$ ssh -6 sirdice.nl
ssh: connect to host sirdice.nl port 22: No route to host

Ah. We're getting closer.

I see you have no problems connecting with IPv4 to my server. But using IPv6 results in the now familiar "no route to host".

See if you can use that to connect to your server by using ssh -4.

If you don't have a need for IPv6 I'd try turning it off completely. If you do need IPv6 we'd need to dig a little deeper but currently it looks like a misconfigured IPv6 is the issue.

Brents-Mac-Pro:~ brent$ ssh -4 serverx.xxxxonster.net
ssh: connect to host serverx.xxxxonster.net port 22: Connection refused
Brents-Mac-Pro:~ brent$ ssh -6 serverx.xxxxonster.net
ssh: Could not resolve hostname serverx.xxxxonster.net: nodename nor servname provided, or not known


I have no idea how to turn off or on IPv6. I hope that it is pretty simple.

As far as I know I do not need IPv6, is that something I probably don't need then?

I tried setting IPv6 in my Network Settings to both "Link-Local Only" and "Manual" and in both instances I still get the 'connection refused' when trying to SFTP.
Under Lion I don't see any option in my Network Settings to totally turn of IPv6.

Not good :(

But this does seem to point to the hoster.

Alright, that simply tells us there's no IPv6 DNS for that host. No problem, it just means you can't use IPv6.


On Snow Leopard this is fairly easy, not sure how Lion handles it.

To be honest I'm a bit stumped now. Connecting to my server wasn't a problem so this pretty much rules out any local issues. I am a bit worried about the failing traceroute though, there's no reason why that should fail. At the very least you should see a couple of hops outside of your own network.

I thought I had it when IPv6 failed but I still can't put my finger on which side is causing the issue, your local machine or network, your ISP or the hoster.