9

The setup:

  • Raspberry 3B running Raspbian Stretch 9 on an external HDD and using ZRAM
  • Raspi used as a webserver running LAMP and MERN stacks and accessed remotely via SSH with 1 IDE (Coda for Mac OS)
  • SSH port forwarded by router with static IP
  • fail2ban running

The problem:

When accessing the Raspberry from a remote location (over the Internet) via SSH, it works until the connection hangs. This occurs randomly. I can sometimes SSH it again after a few minutes, and sometimes not until I restart the Raspi.

What I've tried:

  • SSH in verbose mode from remote location:
        debug1: Local version string SSH-2.0-OpenSSH_8.1
        kex_exchange_identification: read: Connection reset by peer
  • SSH in verbose mode from local network (I actually SSH another machine on the local network remotely, then SSH the Raspi from that machine). Same result: Connection reset by peer
  • Checked /etc/hosts.allow and /etc/hosts.deny => Nothing there
  • Checked iptables via iptables -L --line-number => Nothing there
  • Checked logs: /var/log/fail2ban.log and sudo journalctl -t sshd => Nothing striking there
  • Updated sshd_config with no DNS
  • Re-installed SSH via apt-get --reinstall install openssh-server openssh-client

I am running out of ideas here and have no clue about what's happening. Has someone encountered the same problem with SSH connection before? Could it be a load issue on the Raspberry?

PYG

4 Answers

11

Long story short, my problem had nothing to do with a network issue and was fixed by examining the syslog.

In detail:

I noticed that none of the webapps (via LAMP or MERN stacks), while up and running before the issue started, were reachable anymore.

So I dug up the syslog with the tail -f -n X /var/log/syslog command (replacing X with the number of lines you want to display). I then noticed a few lines mentioning a voltage problem (sorry, I didn't keep the exact terms). But basically it meant that my Raspi, which an external HDD was plugged into, did not have a strong enough power supply.

Then it looked like the HDD was unmounted and the system crashed, which explains all the issues mentioned above.

So I removed the HDD, put the SD card back and ran the Raspi again while going through the syslog again and monitoring the memory with htop. It turned out that when I started both the apache and node servers, the RAM and SWAP memories were getting full, repeating the same consequences mentioned above.

So finally I increased the SWAP memory by using ZRAM. Link here.

Now everything runs well but still monitoring.

PYG
2

I didn't see ufw (firewall) was installed.

ufw disable

(Or configure ufw.)

Now the ports are reachable as expected.

PJ Brunet
  • The accepted answer actually helped me, because it gave me the idea to run `journalctl -e` without searching for "sshd." That's when I saw ufw blocking my connections. – PJ Brunet Feb 24 '22 at 14:52
1

I found another scenario that causes this precise error. Be sure you check permissions on the OpenSSH generated public / private key files in /etc/ssh on the host system you are trying to connect to with SSH. These keys are used by the SSH daemon.

Since OpenSSH is cross platform the same would apply to any operating system running SSHd. These files must have the proper permissions.

/etc/ssh is the default path but if you are on Windows or other OS it may vary. But for most Unix/Linux/macOS systems it should be /etc/ssh.

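# Host private keys: readable and writable by root only
sudo chmod 600 /etc/ssh/*_key
# Host public keys: world-readable, writable by root only
sudo chmod 644 /etc/ssh/*.pub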

You should also verify that the SSH client has the correct permissions on the ~/.ssh and the public / private keys, config, authorized_keys, etc. Although if these are wrong you will be told right away. But when the permissions on keys for the SSH daemon are wrong you receive errors in the logs.

When it's not DNS nor certificates, then it's always permissions.

0

Another scenario where the error: kex_exchange_identification: read: Connection reset by peer appears is a configuration restricting access via ssh in hosts.allow with a line like: sshd: 192.168.178.12 and then trying to ssh from an IP different than the one above.

I need medical attention for my foot now....

user3054986
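
As an added example (not code from any of the posts above), the server-side log check that the accepted answer and the ufw comment relied on can be scripted so that each log line is labelled with the cause named in the answers. The message patterns, the `SSH_PORT` variable, the function names and the sample log lines are assumptions constructed for illustration; adjust the patterns to what your system actually logs.

```shell
#!/usr/bin/env bash
# Added example (not from the original posts): label server-side log lines
# with the cause each answer above describes. Patterns are assumptions based
# on messages these components commonly emit.

SSH_PORT="${SSH_PORT:-22}"   # assumption: sshd listens on the default port

# Print a cause label for one log line, or nothing if no pattern matches.
classify_line() {
  case "$1" in
    *"Under-voltage detected"*)          echo "under-voltage" ;;
    *"Out of memory"*|*"oom-killer"*)    echo "out-of-memory" ;;
    *"[UFW BLOCK]"*"DPT=${SSH_PORT} "*)  echo "ufw-block" ;;
    *"sshd"*"are too open"*|*"sshd"*"load host key"*|*"no hostkeys available"*)
                                         echo "hostkey-permissions" ;;
    *"sshd"*"refused connect from"*)     echo "tcp-wrappers" ;;
  esac
}

# Read a log on stdin and print "label<TAB>line" for every matching line.
triage_log() {
  local line label
  while IFS= read -r line; do
    label="$(classify_line "$line")"
    [ -n "$label" ] && printf '%s\t%s\n' "$label" "$line"
  done
  return 0
}

# Constructed sample input (not real log data).
sample_log() {
  cat <<'EOF'
Mar  3 10:01:12 raspi kernel: [  812.4] Under-voltage detected! (0x00050005)
Mar  3 10:02:40 raspi kernel: [  900.1] Out of memory: Kill process 1421 (node) score 512 or sacrifice child
Mar  3 10:03:05 raspi kernel: [  925.7] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.178.20 PROTO=TCP SPT=50122 DPT=22 WINDOW=65535 SYN
Mar  3 10:04:11 raspi sshd[733]: Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open.
Mar  3 10:04:11 raspi sshd[733]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Mar  3 10:05:30 raspi sshd[801]: refused connect from 192.168.178.50 (192.168.178.50)
Mar  3 10:06:00 raspi sshd[810]: Accepted publickey for pi from 192.168.178.12 port 50200 ssh2
EOF
}

# Stand-alone run on the sample; on a real host, feed it the system log
# instead, e.g.: sudo journalctl -b --no-pager | triage_log
sample_log | triage_log
```

Run it against the whole journal or /var/log/syslog rather than sshd's entries alone, since the kernel and firewall messages are not logged under the sshd tag.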