
I have inherited a hosted Linux server, running Debian, where all our mail and other stuff is organized.

I assume the previous admin didn't touch anything for about 10 years, so it's pretty old stuff.

Every time I want to connect through SSH, this message appears:

Unable to negotiate with [MyIP] port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 

I know the right command after this is:

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 -c aes128-cbc root@[MyIP] 

But what I really don't understand is why exactly this happens and what I have to do so that it stops appearing.

Is the SSH version too old? Or can I update my SSH without having login problems?

Is it Debian? And can I update my Debian through SSH/Bash?

1 Answer

Sounds like the server you inherited is running a very old version of Debian. If, as you say, it hasn't been upgraded for 10 years, it's probably running Squeeze or Wheezy. Both of these are ancient and really shouldn't be in production use on the public internet.

To find out which version, try looking at files like /etc/debian_version, /etc/os-release, /etc/motd, /etc/issue. Also /etc/apt/sources.list and any files in directory /etc/apt/sources.list.d/ - knowing what version of Debian is installed is important and useful information, especially if you intend to upgrade it to a more recent version.

It's impossible to give you complete step-by-step instructions on what to do with your server, so here are a few useful tips:

  1. The ...no matching key exchange method... error message is because the server is running an old version of sshd, with deprecated ciphers and key exchange methods.

    You should upgrade this as soon as you can (there were good reasons for the obsolete ciphers to be deprecated), but in the meantime you can configure your local ssh client to always use diffie-hellman-group1-sha1 and aes128-cbc when connecting to your server. Edit ~/.ssh/config and add the following:

    Host your_server_name
        KexAlgorithms diffie-hellman-group1-sha1
        Ciphers aes128-cbc

    You could also use your server's IP address instead of (or as well as) "your_server_name". BTW, don't forget to undo this after you've upgraded sshd on your server to a modern version.

  2. If your server is running Debian, you will be able to upgrade it, and upgrading it remotely via ssh from the bash command line is no problem. You'll have to use apt, apt-get, aptitude or other command-line tools instead of graphical tools like synaptic, but Debian was designed to be upgraded in-place like this.

    The recommended procedure is to upgrade it one version at a time, from whatever it is currently running to the next version. e.g. if it currently has Debian 6 ("Squeeze") installed, you would upgrade it to Debian 7 ("Wheezy"), then to Debian 8 ("Jessie"), and so on until it was running Debian 11 ("Bullseye"). There's a good summary of Debian's release history and version numbering/naming at https://en.wikipedia.org/wiki/Debian_version_history

    BTW, by "recommended procedure", I mean that Debian only really guarantees a successful upgrade from one release version to the next. In some cases, it is possible to jump two or more releases at a time, but I advise against even thinking about attempting to do that, especially if you don't have physical access to the machine, and especially when the installed Debian release is so ancient. Attempting this will be very likely to result in a broken (and possibly unfixable) system.

    There will probably be several things that need to be manually reconfigured on every upgrade. Most packages will be fine, but some will have incompatibilities, new features, and/or deprecated old features in various daemons that are installed (e.g. sshd, apache, nginx, squid, postfix, or whatever else is installed).

    Note: the main Debian archives only have repos for the current stable release (Bullseye) and oldstable (Buster). Older releases are available on https://www.debian.org/distrib/archive and you will have to use archive.debian.org URLs (or a nearby mirror of it) in your sources.list URLs.

    For example, instead of something like deb http://ftp.au.debian.org/debian/ wheezy main contrib non-free, you'd have to use deb http://archive.debian.org/debian/ wheezy main contrib non-free

  3. Whenever you upgrade sshd, I very strongly recommend testing that the new version works correctly by trying to ssh in from another terminal window or tab. Do not log out of your current ssh session until you have verified that the new version of sshd works, otherwise you may not be able to log back in - at some point (I can't remember exactly which version), the new sshd will no longer support the old ciphers or key exchange methods, so you will have to undo the configuration changes you made to your ~/.ssh/config. You will probably have to make minor changes to /etc/ssh/sshd_config on your server at some point, too.

    This is extremely important and very much worth repeating:

    Do NOT log out of your ssh session until you've confirmed that you can log in again.

  4. Instead of upgrading through multiple versions of Debian, you may find it easier to just back up your data and config files, wipe your server, do a fresh install of Debian 11, and then restore your data and config files. If it's only running a few important services, this is probably much easier.

    An even better alternative would be to rent a second hosted server, install Debian 11 on it, and gradually migrate services from the old server to the new. This is probably the easiest method, and least prone to problems or failure - you can migrate each service one at a time AND test that each new service works before cutting over to it. It gives you time to think and avoid the kind of mistakes you might make in a panic or under extreme time pressure.

    Either way, you're going to need to have a comprehensive list of exactly what it's running and why - and how important it is for each service to keep running on that particular machine or whether it can be retired or migrated to another machine. Having a good understanding of what those programs do, how they work, and how to configure them will also be important.

    Some of this you can get by investigating the system and its config files, and some you can only get by talking to people in your organisation and getting someone senior to make decisions about the importance and priorities of particular services - the upgrade process is going to be long and tedious and there will be at least temporary breakage at various stages so CYA by getting a manager to make the decisions. Remember that nobody notices when a sysadmin does a good job, but everybody notices when things break.

    In short, don't just jump into the upgrades without thorough planning. You will need to plan each step of the upgrade, and that plan should include testing that each important service is still running correctly after each upgrade.

  5. Backup everything before doing anything. Also, if the machine is running RAID of any kind, remember that RAID is not a substitute for backups. There is no substitute for backups. If your server doesn't currently have a regular backup schedule, then setting one up should probably be the second thing you do. The first should be making a current backup.

  6. You should practice the upgrade by installing Squeeze or Wheezy on a VM and then going through the process of upgrading it all the way up to Bullseye. It won't be exactly the same as upgrading your real server, but at least you'll become very familiar with the process. You can take a snapshot of the VM before each upgrade step, so you can revert if anything goes wrong that you can't easily fix.

  7. Every Debian release comes with upgrade notes telling you about major changes and incompatibilities. You should read these before each upgrade.
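The one-release-at-a-time path and the archive.debian.org note from items 2 above, worked through as an added shell example (not the answer's own code): it maps the number in /etc/debian_version to a codename, prints each intermediate step up to Bullseye, and emits the sources.list line that step needs. The mirror URL and the sample version 7.11 are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own code): from the codename in
# /etc/debian_version, print the one-release-at-a-time upgrade path
# to bullseye and the sources.list line each step needs. Releases
# older than buster have left the main mirrors and must come from
# archive.debian.org; MIRROR is an assumed URL, use a nearby mirror.
RELEASES="squeeze wheezy jessie stretch buster bullseye"
MIRROR="http://deb.debian.org/debian/"
ARCHIVE="http://archive.debian.org/debian/"

# Map the major number in /etc/debian_version (e.g. 7.11) to a codename.
codename_for_version() {
    case "${1%%.*}" in
        6) echo squeeze ;;  7) echo wheezy ;;  8) echo jessie ;;
        9) echo stretch ;; 10) echo buster ;; 11) echo bullseye ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print the release after the given codename; fail if it is the newest.
next_release() {
    prev=""
    for r in $RELEASES; do
        [ "$prev" = "$1" ] && { echo "$r"; return 0; }
        prev="$r"
    done
    return 1
}

# sources.list line for a release: main mirror for buster/bullseye,
# archive.debian.org for anything older (as the answer's note says).
sources_line() {
    case "$1" in
        buster|bullseye) echo "deb ${MIRROR} $1 main contrib non-free" ;;
        *)               echo "deb ${ARCHIVE} $1 main contrib non-free" ;;
    esac
}

# One line per upgrade step from the current codename up to bullseye.
upgrade_path() {
    cur="$1"
    while nxt=$(next_release "$cur"); do
        echo "$cur -> $nxt : $(sources_line "$nxt")"
        cur="$nxt"
    done
}

# Constructed sample: a Wheezy box whose /etc/debian_version says 7.11.
upgrade_path "$(codename_for_version 7.11)"
```

On the real server, replace the constructed 7.11 with `$(cat /etc/debian_version)` and still read the release notes before each step, since the script only plans the path.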

  • Thank you so much for this answer! Yesterday I wanted to update Debian and I accidentally deleted the status files. Since then my apt stopped working. I know this is a classic noob mistake and I hate myself for this. But I think the server can't be updated anymore if apt doesn't work. I backed up the status file but I couldn't get apt working again. But your answer helped me a lot! Commented Nov 12, 2021 at 10:46
  • Which status files? I hope you don't mean /var/lib/dpkg/status? How did you manage that? Do you have a recent backup to restore them from? Even a status file that's out of date is better than none at all. BTW, dpkg keeps its own backup in /var/lib/dpkg/status-old. Also, look in /var/backups/ - there should be the last several days' worth of files from /var/lib/dpkg/ in there. Commented Nov 12, 2021 at 11:16
  • Before I say something that is wrong, I'll paste the error: E: Malformed provides line E: Error occured while processing node-acorn (NewVersion1) E: Problem with MergeList /var/lib/apt/lists/deb.debian.org_debian_dists_unstable_main_binary-i386_Packages E: The package lists or status file could not be parsed or opened. On a website they wrote to delete the dpkg directory or another one; I can't find the source anymore. Since then apt-get doesn't work anymore. I'm so sorry for my mistakes. I have the feeling I have to go through this to really understand what executing commands under root means. Commented Nov 12, 2021 at 19:45
  • If you deleted /var/lib/dpkg/ and everything under it, your only option is to rent a second server, install bullseye on it, and migrate your important services and data over to it. It is possible to recover some of the files that were in /var/lib/dpkg/ from the copies in /var/backups (the numbered versions of alternatives.tar, dpkg.arch, dpkg.diversions, dpkg.statoverride, and dpkg.status), but that won't restore the files that were in /var/lib/dpkg/info (package file lists, pre- and post-install and uninstall scripts, md5sums, etc.). Commented Nov 13, 2021 at 4:54
  • Also, from the error message, it seems that your server has Debian sid aka unstable installed. That means it's not running any particular release version of Debian. It's running whatever was in sid when it was last updated - which is very unusual for a production server. I run unstable on most of my machines, but I'm a Debian developer and have been using Debian since 1994... but this is very much not recommended at all for anyone without a lot of experience with Debian, especially if they don't have the ability to upgrade it regularly and fix the inevitable problems. Commented Nov 13, 2021 at 5:00
