LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-19-2006, 04:35 PM   #1
greengear
LQ Newbie
 
Registered: Jan 2006
Posts: 5

Rep: Reputation: 0
cannot ssh from some hosts


Hi,

I have a machine behind a firewall. The firewall forwards to port 22 on the machine. The machine is set to accept only public key authentication.

From two different outside machines, I was able to connect to the machine. However, ssh'ing from my workplace, ssh does not receive any response and so timeouts. Tried on both linux and windows XP using putty.

I was able to connect from my workplace the day before. I was also able to ssh out to other machines, so ssh does work.

Any idea why I'm able to ssh from some hosts but not from my workplace?

Thanks.
 
Old 01-19-2006, 08:33 PM   #2
kvedaa
Member
 
Registered: Mar 2004
Location: Virginia
Distribution: PacketProtector
Posts: 331

Rep: Reputation: 30
It might be worth while to see if you are routing to your firewall. I would start by seeing if you can ping your firewall (note in all examples please replace 10.10.10.10 with the apporiate IP address).

ping 10.10.10.10

This of course will only work if your firewall responds to pings. But you might find trace route to be more useful.

traceroute 10.10.10.10

Here you should look does it make it all the way to your firewall? Are there any really long delays at any of the spots along the way. Assuming that no smoking gun is located at this point, I would suggest that you try telneting to your ssh port to see if it responds,

telnet 10.10.10.10 22

If it connects you should see something like:

Trying 10.10.10.10...
Connected to your.machine.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1

This would be a succesful response. If you cannot get here, then you likely have a problem between your two systems. If you can, but you still cannot connect then something is likely off with the ssh client you are trying to use or the server that is listening.

I hope that this helps.
 
Old 01-20-2006, 12:02 AM   #3
greengear
LQ Newbie
 
Registered: Jan 2006
Posts: 5

Original Poster
Rep: Reputation: 0
Tried traceroute and saw that it was taking a very long time to reach my router. Then I realize that my router doesn't respond to traceroute. Finally I realized that maybe it had something to do with the port forwarding that I had in my firewall, so I tried changing it to something known. And I was now able to get ssh to connect. Seems like my firewall is blocking off the ports I was originally using.

Thanks for the pointers.
 
Old 01-20-2006, 11:48 AM   #4
greengear
LQ Newbie
 
Registered: Jan 2006
Posts: 5

Original Poster
Rep: Reputation: 0
OK, I thought about the problem more, and I have to take back some of what I wrote. In the original configuration, I had forwarded a port from the router to port 22 on the machine. I was able to ssh from some machines outside, but I was not able to ssh from my company. When I change the port numbers on the router, I was able to ssh from my company.

Since it was able to forward from the outside under the original configuration, it doesn't appear to be something to do with the router. Also, I was able to see traceroute go outside my company, so my company is not blocking it.

So, I'm still wondering how this could have happened.
 
Old 01-20-2006, 12:19 PM   #5
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
Traceroute uses icmp traffic to trace the route. Just because traceroute is getting there doesn't mean that ssh will get there. (Company firewall blocking certain outbound traffic). Were you using the same destination port at all times from your company(port 22). If one port worked, and the other didn't, chances are you company is blocking that outbound traffic.
 
Old 01-20-2006, 04:15 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
Maybe your workplace changed their firewall and are preventing you from sshing out. A lot of companies view it as a potential security leak to allow ssh traffic out of the network.
 
Old 01-20-2006, 08:52 PM   #7
kvedaa
Member
 
Registered: Mar 2004
Location: Virginia
Distribution: PacketProtector
Posts: 331

Rep: Reputation: 30
As stated by jonlake stated, a succesful traceroute is not proof that a request to a specific service is not being blocked. I had suggested it only to get a feel for any potential problem areas with the routing (possibly signified by exceptioanlly large delay times).

The effort to telnet to the port in question, provides some visablity into weather or not traffic is getting out of one network and into the other on the requested port.

Hangdog also makes a good point, in that these things are often not static. If something does not work one day, but does on another, it can well be a configuration change that is made at any numner of points between the two systems in question (such as your corporate IT staff, or possible resetting the config on your home router was the magic ticket).

Should you lose connectivity going forward, you should be in good shape for narrowing down the possible problem in short order.

Happy hunting,
 
Old 01-23-2006, 12:15 PM   #8
greengear
LQ Newbie
 
Registered: Jan 2006
Posts: 5

Original Poster
Rep: Reputation: 0
I am able to ssh out to other machines from my company. I can also ssh back to my own machine when I stick to certain port numbers on my router. But there are certain ranges that are not working, even though I could connect from other machines outside my company.
Thanks for all the suggestions, although it is still a mystery to me.
 
Old 01-23-2006, 01:39 PM   #9
dbogdan
Member
 
Registered: Feb 2005
Location: Metro Detroit, US
Distribution: Suse/Slackware/Mepis
Posts: 174

Rep: Reputation: 31
Just a thought.... could it be that you are attempting to access you're box from an SSH v1 connection and you're sshd config only allows v2 ?????

again, just a thought.
 
Old 01-29-2006, 02:48 AM   #10
greengear
LQ Newbie
 
Registered: Jan 2006
Posts: 5

Original Poster
Rep: Reputation: 0
Er, no, because in verbose mode ssh showed that it simply got stuck waiting for connection. Also, when I move to some other port, it was ok.

Is is possible that my company blocks some ports? Maybe. But given that I was able to get to many ports below and above those that failed, the probability seems to be low, however.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Accespting SSH connections from other hosts halfcan Linux - General 4 02-20-2005 03:59 PM
ssh and /etc/hosts.all & deny tebucky Linux - Security 8 01-27-2005 05:23 PM
hosts.deny doesn't block an SSH attempt vmattila Linux - Security 4 11-14-2004 12:18 PM
remote ssh commands on multiple hosts evilchild Linux - Software 6 08-12-2004 10:48 PM
SSH hosts.deny file WoodyH Linux - Security 1 10-11-2003 07:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration