LinuxQuestions.org
Old 12-02-2009, 06:11 AM   #1
konqi
Member
 
Registered: Oct 2007
Distribution: Gentoo, Slackware
Posts: 160

Rep: Reputation: 16
SSH over internet local port blocked


At school it's not possible to SSH to my server at home.

To check the open ports
Code:
netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        1      0 10.10.101.59:52770      74.125.79.100:80        CLOSE_WAIT 13073/firefox-bin   
tcp        1      0 10.10.101.59:60617      74.125.172.37:80        CLOSE_WAIT 13073/firefox-bin   
udp        0      0 0.0.0.0:68              0.0.0.0:*                          12668/dhcpcd        
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     14173    12868/gam_server    @/tmp/fam-frank-
unix  2      [ ACC ]     STREAM     LISTENING     14174    12869/menu-cached   /tmp/.menu-cached-:0-frank
unix  2      [ ACC ]     STREAM     LISTENING     17034    12961/lxterminal    /tmp/.lxterminal-socket:0.0-frank
unix  2      [ ACC ]     STREAM     LISTENING     13407    12842/X             /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     12600    12236/syslog-ng     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     13406    12842/X             @/tmp/.X11-unix/X0
unix  2      [ ]         DGRAM                    3321     9492/udevd          @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     14161    12864/pcmanfm       /tmp/.pcmanfm-socket:0.0-frank
unix  3      [ ]         STREAM     CONNECTED     30535    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     30534    13073/firefox-bin   
unix  3      [ ]         STREAM     CONNECTED     17037    12962/gnome-pty-hel 
unix  3      [ ]         STREAM     CONNECTED     17036    12961/lxterminal    
unix  3      [ ]         STREAM     CONNECTED     17030    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     17029    12961/lxterminal    
unix  3      [ ]         STREAM     CONNECTED     14194    12868/gam_server    @/tmp/fam-frank-
unix  3      [ ]         STREAM     CONNECTED     14193    12864/pcmanfm       
unix  3      [ ]         STREAM     CONNECTED     14179    12869/menu-cached   /tmp/.menu-cached-:0-frank
unix  3      [ ]         STREAM     CONNECTED     14178    12863/lxpanel       
unix  3      [ ]         STREAM     CONNECTED     14158    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14157    12863/lxpanel       
unix  3      [ ]         STREAM     CONNECTED     14156    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14155    12864/pcmanfm       
unix  3      [ ]         STREAM     CONNECTED     14141    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14140    12860/openbox       
unix  4      [ ]         STREAM     CONNECTED     14082    12842/X             /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     14080    12841/xinit         
unix  3      [ ]         STREAM     CONNECTED     13373    12236/syslog-ng     /dev/log
unix  3      [ ]         STREAM     CONNECTED     13372    12814/login         
unix  3      [ ]         STREAM     CONNECTED     13124    12236/syslog-ng     /dev/log
unix  3      [ ]         STREAM     CONNECTED     13123    12668/dhcpcd
Is this the right way?

Let's clarify the situation a bit more. At home I have a server (port 22 is forwarded by the router). I want to SSH to this server. However (I think) port 22 is blocked.

How can I SSH to the home server?


I'm not a network expert, so I might be wrong at some points.
 
Old 12-02-2009, 06:14 AM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Linux Mint
Posts: 8,468

Rep: Reputation: 879
try to use
Code:
nmap your_IP
However, if the school blocks port 22, talk to the IT people
 
1 members found this post helpful.
Old 12-02-2009, 06:20 AM   #3
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
Hi,

The netstat output given (from school I assume and not at home) will probably only show processes that belong to the user that executed that command. You need to run this as user (probably not possible at school) to get all the information.

Depending on how good things are set up by the admin at school, it might not be possible to ssh from school to home.

One thing you could try: run ssh on port 80 instead of 22 (will not be possible if you also have apache running on port 80), and try connecting from school with ssh on port 80.

Some might say this is hacking, I personally see this as an (school) admin not knowing what he's doing. If things are set up correctly you should not be able to do this, but experience has shown that this sometimes does work.

Hope this helps.

BTW: Happy Birthday!!
 
Old 12-02-2009, 06:24 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,436
Blog Entries: 11

Rep: Reputation: 181
Quote:
Originally Posted by konqi View Post
At school it's not possible to SSH to my server at home.

To check the open ports

Code:
netstat -nap
Is this the right way?
Straight from the man page
Quote:
netstat - Print network connections, routing tables,
interface statistics, masquerade connections, and multicast memberships
It just prints network relations on your computer.
If you want to know open ports you should look for the word LISTEN in the state column. These are the ports your computer waits for incoming connections on. But to be sure that they are really open you have to check on the firewall.
Code:
iptables -L -v
Lists all firewall rules in place (maybe check on the -t nat and -t mangle table as well).

All the above only refers to your computer and not to the network.
Next stop on the way to your server would be the gateway.
Code:
ip route
should tell you which one it is.
If you can access the gateway check out the iptables rules to see which ports are open. If not trial and error remains.

What I saw from your netstat -nap output is that you can HTTP to the outside. Just put your SSH on port 80 and you should be set. Maybe port 443 is also an option.
 
0 members found this post helpful.
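The posts above read the netstat table by eye: LISTEN rows are the ports your own machine accepts connections on, while the CLOSE_WAIT/ESTABLISHED rows with a foreign port of 80 are what tells zhjim that outbound HTTP is allowed. The following Python script is an added example, not code from the thread; it parses the `netstat -nap` layout shown in post #1 and separates the two. The sample output is constructed (the `-` in the PID/Program column is what a non-root user sees for sockets owned by another user, which is druuna's point in post #3).

```python
"""Parse `netstat -nap` output into listening sockets and outbound connections."""
from collections import namedtuple

Socket = namedtuple(
    "Socket", "proto local_host local_port foreign_host foreign_port state program")

# Constructed sample (not the poster's real output), in the same layout as
# the post, followed by a UNIX-socket section that carries no ports.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1300/cupsd
tcp        1      0 10.10.101.59:52770      74.125.79.100:80        CLOSE_WAIT  13073/firefox-bin
tcp        0      0 10.10.101.59:41002      74.125.79.100:443       ESTABLISHED 13073/firefox-bin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           12668/dhcpcd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     12600    12236/syslog-ng     /dev/log
"""


def _split_endpoint(endpoint):
    """'10.10.101.59:52770' -> ('10.10.101.59', 52770); '0.0.0.0:*' -> ('0.0.0.0', None).
    rpartition keeps IPv6 addresses such as ':::22' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one Socket per tcp/udp row of the Internet-connections table."""
    sockets = []
    for line in text.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break                                  # nothing below has a port
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue                               # title and header rows
        proto = fields[0]
        local_host, local_port = _split_endpoint(fields[3])
        foreign_host, foreign_port = _split_endpoint(fields[4])
        if proto.startswith("tcp"):
            state = fields[5]
            program = fields[6] if len(fields) > 6 else "-"
        else:
            state, program = "", fields[5]         # udp rows have no State column
        program = program.rpartition("/")[2]       # '1234/sshd' -> 'sshd'; '-' stays '-'
        sockets.append(Socket(proto, local_host, local_port,
                              foreign_host, foreign_port, state, program))
    return sockets


def listening_ports(sockets):
    """(proto, port, program) for every socket waiting for incoming connections.
    A program of '-' means the socket belongs to another user: rerun as root to see it."""
    result = []
    for s in sockets:
        if s.proto.startswith("tcp") and s.state == "LISTEN":
            result.append((s.proto, s.local_port, s.program))
        elif s.proto.startswith("udp") and s.foreign_port is None:
            result.append((s.proto, s.local_port, s.program))
    return sorted(result)


def outbound_destination_ports(sockets):
    """Remote ports this host has talked to: evidence of what the upstream firewall lets out."""
    return {s.foreign_port for s in sockets
            if s.proto.startswith("tcp") and s.state != "LISTEN"
            and s.foreign_port is not None}


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port, program in listening_ports(socks):
        print(f"listening  {proto:4} {port:5}  {program}")
    print("outbound destination ports seen:", sorted(outbound_destination_ports(socks)))
```

Pipe real output in with `netstat -nap | python3 this_script.py` after replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`; the parser stops at the UNIX-socket section, so the long tail of `/tmp/.X11-unix` rows in the original post is ignored.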
Old 12-02-2009, 10:51 AM   #5
konqi
Member
 
Registered: Oct 2007
Distribution: Gentoo, Slackware
Posts: 160

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by repo View Post
try to use
nmap your_IP
However, if the school blocks port 22, talk to the IT people
I already asked if they could open ports 21 and 22 for FTP and SSH. However, because they're too lazy, they don't want to open the ports: "It was too insecure, because there's no virus scanner on the server" (they use Windows on the server).




===== Quote from druuna =====
Hi,

The netstat output given (from school I assume and not at home) will probably only show processes that belong to the user that executed that command. You need to run this as user (probably not possible at school) to get all the information.

Depending on how good things are set up by the admin at school, it might not be possible to ssh from school to home.

One thing you could try: run ssh on port 80 instead of 22 (will not be possible if you also have apache running on port 80), and try connecting from school with ssh on port 80.

Some might say this is hacking, I personally see this as an (school) admin not knowing what he's doing. If things are set up correctly you should not be able to do this, but experience has shown that this sometimes does work.

Hope this helps.

BTW: Happy Birthday!!
===== End quote =====

Well, I run gentoo linux from an usb-key, so I have complete root access.

When I use SSH over port 80, will I lose the regular functionality (webbrowsing etc)?



I will give it a try to see what ports are open. However, let's say I can use port 80 to SSH. What form should the SSH command have? Does it have to be something like this?
Code:
ssh -R 80:localhost:22 user@remote_server
Or am I wrong?


PS: How can I use more than one quote in a post?

Last edited by konqi; 12-02-2009 at 10:54 AM.
 
Old 12-02-2009, 11:00 AM   #6
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 78
Quote:
Originally Posted by konqi View Post
I already asked if they could open ports 21 and 22 for FTP and SSH. However, because they're too lazy, they don't want to open the ports: "It was too insecure, because there's no virus scanner on the server" (they use Windows on the server).




===== Quote from druuna =====
Hi,

The netstat output given (from school I assume and not at home) will probably only show processes that belong to the user that executed that command. You need to run this as user (probably not possible at school) to get all the information.

Depending on how good things are set up by the admin at school, it might not be possible to ssh from school to home.

One thing you could try: run ssh on port 80 instead of 22 (will not be possible if you also have apache running on port 80), and try connecting from school with ssh on port 80.

Some might say this is hacking, I personally see this as an (school) admin not knowing what he's doing. If things are set up correctly you should not be able to do this, but experience has shown that this sometimes does work.

Hope this helps.

BTW: Happy Birthday!!
===== End quote =====

Well, I run gentoo linux from an usb-key, so I have complete root access.

When I use SSH over port 80, will I lose the regular functionality (webbrowsing etc)?



I will give it a try to see what ports are open. However, let's say I can use port 80 to SSH. What form should the SSH command have? Does it have to be something like this?
Code:
ssh -R 80:localhost:22 user@remote_server
Or am I wrong?


PS: How can I use more than one quote in a post?
Browsing will work. Except if you have a webserver on your homeserver on port 80.
The tunnel you configure will connect to remote_server as user "user", and create a reverse tunnel from port 22 at localhost (seen from the ssh server where you logged in) to port 80.
If I am correct.
So you would have to switch them (don't shoot me if I am wrong). You can test this and then use netstat -tapn | grep 80

But you can just run sshd on port 80, which seems a lot simpler to me.
 
Old 12-02-2009, 11:09 AM   #7
drstupid
LQ Newbie
 
Registered: Dec 2009
Posts: 21

Rep: Reputation: 15
hey Konqi,

simplest solution would be to change the listening port in the ssh config file ( /etc/ssh/sshd_config) to port 80.

restart sshd service, also make sure that traffic to port 80 from your home router/firewall is forwarded to the home server.

To ssh from school just change the port in mutt to 80.

Cheers
 
Old 12-02-2009, 11:11 AM   #8
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
Hi,

Quote:
When I use SSH over port 80, will I lose the regular functionality (webbrowsing etc)?
I'm not sure if you get the concept of my idea.

If you want to try my suggestion you should reconfigure your sshd (at home) to listen on port 80, not the default 22. If you have a website set up at home, things will become a bit more complicated because it already listens on port 80.....

After you have reconfigured sshd you can connect from the outside world with ssh to your ssh server which listens on port 80. Which would look something like this:
Code:
ssh -p 80 username@ssh.at.home
The -p sets the port to connect to.

But like I said before, this will only work if the admins at school did a lousy job setting up the firewall.

Your browsing (seen from school) won't be a problem. You are actually (mis)using the fact that the firewall is (hopefully for you) set up to allow all outgoing traffic with destination ports 80, 8080 or 443 (which are all default "web" ports).

Hope this clears things up a bit.
 
Old 12-02-2009, 11:52 AM   #9
drstupid
LQ Newbie
 
Registered: Dec 2009
Posts: 21

Rep: Reputation: 15
In my opinion this will definitely work - as port 80 from school is allowed. No matter if it's a lousy or good job - if port 80 is allowed (for http), which it is, then how can an admin block it for ssh?
 
0 members found this post helpful.
Old 12-02-2009, 12:45 PM   #10
chrislski
LQ Newbie
 
Registered: Jul 2007
Posts: 14

Rep: Reputation: 0
As others have stated you can change the SSHD listener to listen to another port. The solution I have used frequently is setting up my router so that it forwards a specific port on the outside to port 22 on the SSH server. I usually try to use 443 or 8080 but port 80 should work. That allows all your other SSH clients to use the same configuration as SSHD would still be listening on port 22 but allow you to get through from your school.
 
Old 12-02-2009, 01:30 PM   #11
drstupid
LQ Newbie
 
Registered: Dec 2009
Posts: 21

Rep: Reputation: 15
yes a very good idea by Chrislski - if your router supports port translation then this could work flawlessly.
 
0 members found this post helpful.
Old 12-03-2009, 01:59 AM   #12
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,436
Blog Entries: 11

Rep: Reputation: 181
Could use iptables to redirect incoming connections on port 80 from a certain address to port 22 on your machine. I guess the school has a fixed ip. Find it out and put something like this into your iptables rules.
Code:
iptables -t nat -A PREROUTING -s sch.oo.l.ip -p tcp --dport 80 -j REDIRECT --to-ports 22
Or check on the recent module of iptables and set up some knocking script. This script would need a remake but the idea should get across. You would definitely change the "# We finally allow the user to login" rule of the iptables script to the REDIRECT target.

Code:
#!/bin/bash
# Defining ports and time slice
PORT1=2001
PORT2=2002

# define some vars for easier reading and adjustment
# (assumes a CUSTOMINPUT chain already exists and ppp0 is the outside interface)
IPT=/sbin/iptables
IPTI="$IPT -A CUSTOMINPUT -i ppp0"
NAME="--name ssh"

# Connect to first port and put RemoteHost in Recent List
# We still drop the connection so portscans don't find them
$IPTI -p tcp --dport $PORT1 -m recent $NAME --set -j REJECT

# Connect to the second port and see if we already had
# a connection attempt in the last 2 seconds
$IPTI -p tcp --dport $PORT2 -m recent $NAME --update --seconds 2 --hitcount 1 -j REJECT

# We finally allow the user to login
#$IPTI -p tcp --dport 22 -m recent $NAME --rcheck --seconds 2 --hitcount 2 -j ACCEPT

# Maybe we should remove the IP from the list?
$IPTI -p tcp --dport 22 -m recent $NAME --remove -j ACCEPT
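The knocking script relies on the semantics of the `recent` match: `--set` records an address even when the packet is then rejected, `--update`/`--rcheck` only match when the address is listed (and, with `--seconds`/`--hitcount`, seen recently enough and often enough), and `--remove` matches any listed address and drops it. The following Python model is an added example, not code from the thread, that implements those operations in memory and evaluates the chain first-match, once with the rules as posted (hitcount-2 rule commented out, `--remove -j ACCEPT` doing the admission) and once with the intended rule enabled. The client address 198.51.100.7, the packet timings and the 2-second window are constructed; the model ignores list-size eviction beyond the per-address hit cap.

```python
"""Model of the iptables `recent` match behind a two-port knocking chain."""
from collections import namedtuple


class RecentList:
    """In-memory stand-in for one xt_recent list (what the kernel exposes under
    /proc/net/xt_recent/<name>): per address, a list of hit timestamps, newest last."""

    def __init__(self, max_hits=20):          # ip_pkt_list_tot defaults to 20
        self.entries = {}
        self.max_hits = max_hits

    def _add_hit(self, ip, now):
        hits = self.entries.setdefault(ip, [])
        hits.append(now)
        del hits[:-self.max_hits]               # keep only the newest max_hits

    def _hits_within(self, ip, now, seconds):
        hits = self.entries.get(ip)
        if hits is None:
            return None                         # address not listed at all
        if seconds is None:
            return len(hits)
        return sum(1 for t in hits if now - t <= seconds)

    def set(self, ip, now):
        """--set: record the address; the match itself always succeeds."""
        self._add_hit(ip, now)
        return True

    def rcheck(self, ip, now, seconds=None, hitcount=None):
        """--rcheck [--seconds N] [--hitcount M]: listed, seen within N s, >= M hits."""
        n = self._hits_within(ip, now, seconds)
        if n is None or (seconds is not None and n == 0):
            return False
        return hitcount is None or n >= hitcount

    def update(self, ip, now, seconds=None, hitcount=None):
        """--update: same test as --rcheck, then this packet is recorded as a hit."""
        if not self.rcheck(ip, now, seconds, hitcount):
            return False
        self._add_hit(ip, now)
        return True

    def remove(self, ip, now):
        """--remove: match only if listed, and forget the address."""
        return self.entries.pop(ip, None) is not None


Rule = namedtuple("Rule", "dport op kwargs target")


def evaluate(rules, recent, ip, dport, now, policy="REJECT"):
    """First-match walk over `-p tcp --dport X -m recent <op> -j TARGET` rules."""
    for rule in rules:
        if rule.dport == dport and getattr(recent, rule.op)(ip, now, **rule.kwargs):
            return rule.target
    return policy                               # nothing matched: chain policy


PORT1, PORT2, SSH = 2001, 2002, 22

# As posted: the hitcount-2 rule is commented out, so '--remove -j ACCEPT' admits.
AS_POSTED = [
    Rule(PORT1, "set", {}, "REJECT"),
    Rule(PORT2, "update", {"seconds": 2, "hitcount": 1}, "REJECT"),
    Rule(SSH, "remove", {}, "ACCEPT"),
]

# Intended: admit port 22 only after both knocks within the 2-second window.
INTENDED = [
    Rule(PORT1, "set", {}, "REJECT"),
    Rule(PORT2, "update", {"seconds": 2, "hitcount": 1}, "REJECT"),
    Rule(SSH, "rcheck", {"seconds": 2, "hitcount": 2}, "ACCEPT"),
]


def run_sequence(rules, packets):
    """Feed (src_ip, dport, time) packets through a fresh list; return the verdicts."""
    recent = RecentList()
    return [evaluate(rules, recent, ip, dport, t) for ip, dport, t in packets]


if __name__ == "__main__":
    IP = "198.51.100.7"                          # constructed client address
    scenarios = {
        "full knock":   [(IP, PORT1, 0.0), (IP, PORT2, 1.0), (IP, SSH, 1.5)],
        "first knock":  [(IP, PORT1, 0.0), (IP, SSH, 1.0)],
        "stale knock":  [(IP, PORT1, 0.0), (IP, PORT2, 1.0), (IP, SSH, 5.0)],
        "no knock":     [(IP, SSH, 0.0)],
    }
    for name, packets in scenarios.items():
        print(f"{name:12} posted={run_sequence(AS_POSTED, packets)[-1]:7} "
              f"intended={run_sequence(INTENDED, packets)[-1]}")
```

Running it shows the remake the poster alludes to: with the rules as posted, a single knock on port 2001 at any time in the past is enough for `--remove` to admit the address on port 22, because `--remove` has no time window; the intended `--rcheck --seconds 2 --hitcount 2` rule only admits when both knocks landed inside the window.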
 
Old 12-03-2009, 02:23 AM   #13
deadeyes
Member
 
Registered: Aug 2006
Posts: 605

Rep: Reputation: 78
Also note if your school uses a (transparent) proxy this won't work!
 
Old 12-03-2009, 05:08 AM   #14
konqi
Member
 
Registered: Oct 2007
Distribution: Gentoo, Slackware
Posts: 160

Original Poster
Rep: Reputation: 16
I will try to redirect port 80 on my router to port 22 on my server, so I can use port 22 for internal use and port 80 for external use.

I will try programs like iptables etc., however they aren't installed on my usb-stick yet. I will install them when I'm at home.
 
Old 12-03-2009, 10:12 AM   #15
chrislski
LQ Newbie
 
Registered: Jul 2007
Posts: 14

Rep: Reputation: 0
You are going to want to configure iptables on the computer at home for the port redirecting. Not that having iptables configured on your thumb drive is a bad thing, they just won't help if configured on the thumb drive.
 
  

