accessing SSH

Discussion in 'OT Technology' started by johnnywallywallace, Dec 1, 2003.

  1. from behind the firewall at work, on a machine running at home.

    I have SSHD listening on port 80; it's accessible from machines on my home network. unfortunately from work, behind a firewall outside of my control, I cannot seem to connect on port 80. any reason this might be?
     
  2. Rob

    Rob OT Supporter

    Joined:
    Jul 6, 2002
    Messages:
    88,631
    Likes Received:
    41
    Location:
    Atlanta, GA
    Could it be because you are only allowed access through a proxy at work? Are you sure it is a true port forwarding firewall that you have at work?
     
  3. any way to determine if I'm proxied? IE is set to autoconfigure ... I'm able to access HTTP proxies outside the network for use with AOL ... I believe it is in fact a port forwarding firewall ... I was talking to help desk earlier while getting my laptop worked on, they're not the firewall people, but they're privy to more than I am, and from the sounds of things, it is a real firewall, not a proxy.
     
  4. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
    ISP at home? Does it block 80?

    Try another port.. see if you can get out on 23 at your work network.
     
  5. what up steve. ummm, no, I don't _think_ TW blocks 80 ... unless they just started doing so ... I can port scan on my external IP and everything's open ...

    and, 23's blocked here :(
     
  6. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    where are you port scanning from? if you port scan from the box itself, it won't actually be a true test unless you have to go through your ISP's routers. Try port scanning from a buddy's or something
     
  7. will do ...
     
  8. DatacomGuy

    I have RoadRunner at home, and 80 is blocked for me.

    Try running through 23 or 8080..whatever is open at your office.
     
  9. RoadRunner around here didn't USED to block anything ... maybe their policies changed. getting scanned externally now ... but only by another TW customer ... steve I sent you my IP, if you get a chance, please :)
     
  10. broadband reports tells me all ports expected to be open or filtered are in fact open or filtered ... so it's not timewarner ...
     
  11. and a port scan of the office tells me:

    Code:
    21/tcp     open        ftp                     
    23/tcp     open        telnet                  
    25/tcp     open        smtp                    
    49/tcp     open        tacacs                  
    53/tcp     open        domain                  
    80/tcp     open        http                    
    111/tcp    filtered    sunrpc                  
    416/tcp    open        silverplatter           
    417/tcp    open        onmux                   
    418/tcp    open        hyper-g                 
    420/tcp    filtered    smpte                   
    425/tcp    open        icad-el                 
    442/tcp    open        cvc_hostd               
    443/tcp    open        https                   
    444/tcp    open        snpp                    
    481/tcp    open        dvs                     
    512/tcp    open        exec                    
    513/tcp    open        login                   
    514/tcp    filtered    shell                   
    554/tcp    open        rtsp                    
    1433/tcp   open        ms-sql-s                
    1494/tcp   open        citrix-ica              
    1720/tcp   open        H.323/Q.931             
    7070/tcp   open        realserver              
    8080/tcp   open        http-proxy              
    8888/tcp   open        sun-answerbook  
    
    so I _shouldn't_ have a problem ......... unless it IS being proxied?
     
  12. SLED

    if you are being proxied then you wouldn't have been able to complete the scan... are you sure you're connecting to the right port with the client? if you want to pm me your ip, i'll give it a shot.


    btw... that is a HELL of a lot of ports open :ugh:
     
  13. I scanned from home, I left the office at 1pm :p

    yeah, I'm 100% sure on the client.

    I'll email you both home and office IPs ... I can't PM.
     
  14. DatacomGuy

    Hmm. Can you try switching to another port, just for troubleshooting sake?
     
  15. it's a symantec raptor firewall ... so I believe so, yes.
     
  16. now that I know which ports are open, I'll be giving a few others a try tomorrow ... though, would it make a difference if I tried those ports using PuTTY on my VPN'd laptop? is that "the same" as being inside the network?
     
  17. so I was thinking maybe I WAS proxied ... but then, I can use telnet on non-standard ports, just not 23, where I get "Raptor Firewall Secure gateway / Access Denied / Connection to host lost." ... so I'm thinking I'm _not_ proxied and it's some other issue ... any thoughts?
     
  18. SLED

    well, i connected fine from my home connection. not sure why it would work here, but not from your work :dunno:
     
  19. doesn't ssh require an ephemeral port to be open? there are only a handful over 1024 that are open here ... maybe it's not finding them?
     
  20. Joe_Cool

    Joe_Cool Never trust a woman or a government. Moderator

    Joined:
    Jun 30, 2003
    Messages:
    299,496
    Likes Received:
    616
    Run a socks5 proxy on port 80 on your work comp. Set your ssh client to use socks5 on your local machine. Make sure port 80 is being forwarded to your ssh server at home. You should be ok, unless your work is using TOS (type of service) filtering. Then, the server can tell that it's not web traffic going over port 80, and filter it out.

    :dunno:
     
  21. wait ... run a socks5 proxy on my work machine? I've never run a socks5 proxy ... only plain old http, courtesy of Squid ... why run a proxy on my work machine? what's that do for me exactly?
     
  22. Rob

    Just a side note. If you are trying to figure out what ports are open through your company firewall, you can't simply port scan it from the outside.

    If I were to portscan our firewall at work I would find that ports 80 and 22 are open. THIS TELLS ME NOTHING about what I can access from the inside to the outside.


    I hope that made sense. :eek3:
     
  23. I'm aware ... I'm also aware that 80 is DEFINITELY open, among others. so why can't I SSH to 80 when SSH is listening on 80 on my router at home?

    and, I did some testing using telnet today, I had a telnet server at home listening on various ports other than 23, and it can poke through from the office, including on 80 ...
     
  24. Rob

    Maybe it is a router that can work on higher layers? (5 and above?)

    Why don't you just go ask the IT people. :big grin:
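
How a gateway that inspects above the transport layer can tell SSH from web traffic on the same port, as an added example that is not part of the thread and does not describe any particular product's behaviour. The `EXPECTED` policy table, the function names and the sample payloads are all constructed for illustration.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x
HTTP_REQUEST = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/1\.[01]\r?\n")
# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion
SSH_IDENT = re.compile(rb"^SSH-(1\.\d+|2\.0)-[\x21-\x7e]+")


def classify_first_bytes(payload: bytes) -> str:
    """Label the first bytes a client sends on a new TCP connection."""
    if SSH_IDENT.match(payload):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03xx, then ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    return "unknown"


# Hypothetical egress policy: which protocol each destination port may carry.
EXPECTED = {80: "http", 8080: "http", 443: "tls", 22: "ssh"}


def verdict(dst_port: int, payload: bytes) -> str:
    """Return 'allow', 'deny-mismatch' or 'deny-port' for one new connection."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "deny-port"
    return "allow" if classify_first_bytes(payload) == expected else "deny-mismatch"


# Constructed samples: (destination port, first client payload)
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-PuTTY_Release_0.53b\r\n"),
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    (23, b"\xff\xfd\x18"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, classify_first_bytes(data), verdict(port, data))
```

A plain port scan only sees whether the TCP handshake completes, so it cannot distinguish a port that is open to any protocol from one that is open only to the protocol this kind of check expects.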
     
  25. because they're already paranoid when it comes to me, they already know I know more than they do about a lot of things and their boss thinks I'm some sort of hacker.
     
