作为DBA或运维同学远程服务器是日常操作的刚需。但总有一些报错能让你在排查许久后发现元凶竟是一个不起眼的配置文件。最近我就遇到了一个经典案例远程连接服务器时终端抛出kex_exchange_identification: read: Connection reset by peer今天就结合这次完整的排查过程给大家拆解这个极易被忽略的SSH报错问题全程干货看完就能避坑一、报错现场先还原一下报错场景相信很多人都有共鸣[rootvbox ~]# ssh root192.168.56.102kex_exchange_identification: read: Connection reset by peer第一反应是防火墙没关但执行ping 192.168.56.102发现丢包率 0%再探测端口也正常防火墙也已经关闭为什么SSH还是被重置先给大家划重点kex_exchange_identification: read: Connection reset by peer的核心不是网络不通而是服务器在SSH协议的密钥交换阶段主动拒绝了你的连接请求。二、排查实录为了让大家少走弯路我把这次的排查逻辑按从易到难的顺序进行排查每一步都是日常排查的常规操作大家遇到也可以直接对照参考。1. 网络连通性[rootvbox ~]# ping 192.168.56.102PING 192.168.56.102 (192.168.56.102) 56(84) bytes of data.64 bytes from 192.168.56.102: icmp_seq1 ttl64 time0.625 ms64 bytes from 192.168.56.102: icmp_seq2 ttl64 time1.30 ms64 bytes from 192.168.56.102: icmp_seq3 ttl64 time1.09 ms64 bytes from 192.168.56.102: icmp_seq4 ttl64 time0.830 ms2. 目标端口验证[rootvbox ~]# telnet 192.168.56.102 22Trying 192.168.56.102...Connected to 192.168.56.102.Escape character is ^].Connection closed by foreign host.3. 防火墙状态检查查看目标服务器防火墙状态[rootvbox ~]# systemctl status firewalld● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) Docs: man:firewalld(1)4. SSH 服务状态查看目标服务器sshd状态[rootvbox ~]# systemctl status sshd● sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2026-03-11 16:32:21 CST; 25min ago可见服务运行中里面也显示了拒绝192.168.56.103的请求。5. SSH配置语法检查检查目标端ssh的配置是否有异常[rootvbox ~]# sshd -t6. 客户端日志调试在192.168.56.103上进行日志调试[rootvbox ~]# ssh -vv root192.168.56.102OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017debug1: Reading configuration data /etc/ssh/ssh_configdebug1: /etc/ssh/ssh_config line 58: Applying options for *debug2: resolving 192.168.56.102 port 22debug2: ssh_connect_direct: needpriv 0debug1: Connecting to 192.168.56.102 [192.168.56.102] port 22.debug1: Connection established.debug1: permanently_set_uid: 0/0debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_rsa type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_rsa-cert type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_dsa type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_dsa-cert type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_ecdsa type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_ecdsa-cert type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_ed25519 type -1debug1: key_load_public: No such file or directorydebug1: identity file /root/.ssh/id_ed25519-cert type -1debug1: Enabling compatibility mode for protocol 2.0debug1: Local version string SSH-2.0-OpenSSH_7.4ssh_exchange_identification: read: Connection reset by peer客户端已经准备好和服务器交换SSH协议版本信息进入密钥交换阶段但服务器端直接发送了TCP RST包强制重置了连接。7. 核心配置排查查看目标服务器/etc/hosts.allow及/etc/hosts.deny文件[rootvbox ~]# cat /etc/hosts.allow ## hosts.allow This file contains access rules which are used to# allow or deny connections to network services that# either use the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd.## See man 5 hosts_options and man 5 hosts_access# for information on rule syntax.# See man tcpd for information on tcp_wrappers sshd:192.168.56.1:allow[rootvbox ~]# cat /etc/hosts.deny ## hosts.deny This file contains access rules which are used to# deny connections to network services that either use# the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd.## The rules in this file can also be set up in# /etc/hosts.allow with a deny option instead.## See man 5 hosts_options and man 5 hosts_access# for information on rule syntax.# See man tcpd for information on tcp_wrapperssshd:all:deny至此发现了原因目标端仅允许192.168.56.1连接其他的来源均被拒绝至此找到了元凶。这两个文件的核心规则是/etc/hosts.allow允许列表定义允许访问的IP/主机/服务/etc/hosts.deny拒绝列表定义禁止访问的IP/主机/服务这么配置是为了安全考虑例如我们的生产环境仅允许堡垒机及集群内的节点ssh方式登录其他节点不允许登录。8. 添加配置测试添加上当前客户端机器的IP在进行测试[rootvbox ~]# vim /etc/hosts.allow [rootvbox ~]# systemctl reload sshd[rootvbox ~]# cat /etc/hosts.allow ## hosts.allow This file contains access rules which are used to# allow or deny connections to network services that# either use the tcp_wrappers library or that have been# started through a tcp_wrappers-enabled xinetd.## See man 5 hosts_options and man 5 hosts_access# for information on rule syntax.# See man tcpd for information on tcp_wrappers sshd:192.168.56.1:allowsshd:192.168.56.103:allow配置完毕后终于可以连接成功了。三、 总结这次的SSH报错排查看似复杂实则遵循了网络层→端口层→服务层→配置层的排查逻辑。很多时候我们容易被Connection reset by peer的字面意思误导以为是网络问题却忽略了系统层面的访问控制配置。对于DBA和运维同学来说这类“小配置、大影响”的坑还有很多而解决问题的关键就是养成 “按步骤排查、抓核心逻辑” 的习惯同时重视配置文件的备份与验证。
WSABuilds:Windows Android子系统终极配置方案与深度技术指南 【免费下载链接】WSABuilds Run Windows Subsystem For Android on your Windows 10 and Windows 11 PC using prebuilt binaries with Google Play Store (MindTheGapps) and/or Magisk or KernelSU (r…
为什么需要ChatGPT-API-Leakage?终极OpenAI密钥安全扫描解决方案 【免费下载链接】ChatGPT-API-Leakage Scan GitHub for available OpenAI API Keys 项目地址: https://gitcode.com/gh_mirrors/ch/ChatGPT-API-Leakage
在当今AI技术快速发展的时代ÿ…