
#26 2012-05-10 03:03:38

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: Access ssh from a restricted firewall

"Anal retentive elitist" strikes me as neither respectful, and therefore inconsistent with our Etiquette, nor helpful--given the way the thread started to unravel.

If you want to disagree, that's fine: we are comfortable with robust or vigorous discussion of the issues, but please do not resort to flaming.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#27 2012-05-10 11:19:20

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,226
Website

Re: Access ssh from a restricted firewall

ArchaiosFiniks wrote:

I am wondering if the entire arch community is so rude, now. Not a good second impression of the arch forums nonetheless.

No, we are not all so rude :)

ArchaiosFiniks wrote:

No, I did not try to access it from behind another port (that I know of. Nowadays, most routers come with built-in firewalls though), but it should not matter, right?

I don't fully understand what you are saying here, but what ports have you tried? I think you've said you've tried 22 and 443? Completely understandable that a school would block outbound 22 (or apply harsh restrictions). Since 443 doesn't work, and you've said it's a school, their firewall probably has some kind of DPI (Deep Packet Inspection) as mentioned by someone else. If this is the case then you're pretty much bushed whatever you try. Perhaps try

ArchaiosFiniks wrote:

but if it is that much of a bother, forget it guys. Just don't go bashing on everything and everyone, looks bad for the entire community. :l

It's not a bother, it is why (most) of the forum members come here in the first place. To be honest I don't really understand how this thread degraded so fast into petty bickering. Let's try and focus on the original issue? :)

ArchaiosFiniks wrote:

I am just trying to learn more, and trying to access ssh from my school looked like a nice thing to do to learn a little bit more about Linux.

I encourage you again gently to respect the admin and the network. It is provided to you to assist with your education. If Linux is part of that education (part of the curriculum the school is providing) then you should have little problems working with the sysadmin to grant you access. If it's not part of the curriculum the school is providing, then perhaps best to leave the Linux learning to out-of-school hours, or at least off the school network :)

Offline

#28 2012-05-10 18:00:10

ArchaiosFiniks
Member
Registered: 2012-04-01
Posts: 18

Re: Access ssh from a restricted firewall

fukawi2 wrote:
ArchaiosFiniks wrote:

I am wondering if the entire arch community is so rude, now. Not a good second impression of the arch forums nonetheless.

No, we are not all so rude :)

That's nice to hear!

fukawi2 wrote:
ArchaiosFiniks wrote:

No, I did not try to access it from behind another port (that I know of. Nowadays, most routers come with built-in firewalls though), but it should not matter, right?

I don't fully understand what you are saying here, but what ports have you tried? I think you've said you've tried 22 and 443? Completely understandable that a school would block outbound 22 (or apply harsh restrictions). Since 443 doesn't work, and you've said it's a school, their firewall probably has some kind of DPI (Deep Packet Inspection) as mentioned by someone else. If this is the case then you're pretty much bushed whatever you try. Perhaps try

Oh, I mean to say firewall, not port, I am sorry!
Yes, I think, of what I learned here, that they might indeed use a packet inspection system.

fukawi2 wrote:
ArchaiosFiniks wrote:

I am just trying to learn more, and trying to access ssh from my school looked like a nice thing to do to learn a little bit more about Linux.

I encourage you again gently to respect the admin and the network. It is provided to you to assist with your education. If Linux is part of that education (part of the curriculum the school is providing) then you should have little problems working with the sysadmin to grant you access. If it's not part of the curriculum the school is providing, then perhaps best to leave the Linux learning to out-of-school hours, or at least off the school network :)

Oh how I wish I would be in a school where Linux is taught, but no, in our computer class, we only learn how to use Microsoft Office. There are no other courses, and I find it pretty lame. The teacher said because I was advanced that I could just do whatever I wanted to do to pass my time. Since the school is owned by the provincial government, though, I believe they are using provincial firewalls, which would be of a great bother, so I think I'll just give up. Would've been nice though!

Thank you!

Offline

#29 2012-05-10 18:05:02

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Access ssh from a restricted firewall

fukawi2 wrote:

I encourage you again gently to respect the admin and the network. It is provided to you to assist with your education. If Linux is part of that education (part of the curriculum the school is providing) then you should have little problems working with the sysadmin to grant you access. If it's not part of the curriculum the school is providing, then perhaps best to leave the Linux learning to out-of-school hours, or at least off the school network :)

Agreed. And speaking of education, sysadmins are a pretty good resource.

But anyway, can you provide some links about how DPI works in practice, please :), because 90% of what I could find was about stupid privacy concerns with little technical info... just trying to learn.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#30 2012-05-10 21:05:10

lgeek
Member
From: Europe, Portugal
Registered: 2012-03-09
Posts: 70

Re: Access ssh from a restricted firewall

You might get ssh through the Tor network.
pacman -S vidalia and also yaourt -S proxychains
Run vidalia, and wait a bit. When connected to the Tor network, do proxychains ssh user@ip
PS: This is quite useful, but might be slow. If you have a firewall set up, you have to stop the firewall. Also, if the computer is behind a router, port forward 22 in the router.

Last edited by lgeek (2012-05-10 21:09:42)

Offline

#31 2012-05-10 23:21:33

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,226
Website

Re: Access ssh from a restricted firewall

Leonid.I wrote:

But anyway, can you provide some links about how DPI works in practice, please :), because 90% of what I could find was about stupid privacy concerns with little technical info... just trying to learn.

The Wikipedia article seems to link to some good material in the References and External Links section:
http://en.wikipedia.org/wiki/Deep_packet_inspection

Specifically:
What is Deep Packet Inspection?
How to subvert Deep Packet Inspection the Right Way
Linux l7-filter

Offline
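
As an added illustration of the DPI behaviour discussed in this thread (not code from any poster or from the linked articles): a minimal first-payload classifier showing why an SSH session on port 443 stands out to an inspecting firewall. The function names, flow tuples and sample payloads are constructed for this example.

```python
# Added example: classify a flow by its first payload bytes, not its port.
# All names and sample payloads below are constructed for illustration.

SSH_PREFIX = b"SSH-"        # RFC 4253 sec. 4.2 identification string
TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}
EXPECTED = {22: "ssh", 80: "http", 443: "tls"}


def classify_first_payload(payload: bytes) -> str:
    """Return 'ssh', 'tls', 'http' or 'unknown' from the opening bytes."""
    if payload.startswith(SSH_PREFIX):
        return "ssh"
    # TLS record header: type(1) version(2) length(2), then handshake type(1)
    if (len(payload) >= 6 and payload[0] == TLS_HANDSHAKE
            and payload[1] == 0x03 and payload[5] == TLS_CLIENT_HELLO):
        return "tls"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def port_mismatches(flows):
    """List (port, detected) for flows whose content contradicts the port."""
    hits = []
    for port, payload in flows:
        detected = classify_first_payload(payload)
        if port in EXPECTED and detected != EXPECTED[port]:
            hits.append((port, detected))
    return hits


# Constructed sample flows: (destination port, first client payload)
SAMPLE_FLOWS = [
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])),
    (443, b"SSH-2.0-OpenSSH_5.9\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    (22, b"SSH-2.0-OpenSSH_5.9\r\n"),
]

if __name__ == "__main__":
    for port, detected in port_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: payload looks like {detected}")
```

Production inspection engines reassemble TCP streams and apply many more signatures; this shows only the first-packet check, which is already enough to tell a plaintext SSH banner from a TLS ClientHello.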

#32 2012-05-12 18:28:50

nesneros
Member
From: Arizona
Registered: 2012-04-25
Posts: 20

Re: Access ssh from a restricted firewall

@ArchaiosFiniks - can you please post a copy of your

sshd_config

as well as the output of

sudo netstat -tulpn

Next, is your server (assuming this server is at your home) behind a firewall or router?  If so, is port forwarding enabled to forward traffic over port 443 to the server?  Finally, does your ISP allow incoming traffic on port 443?  Reason I ask that is because my ISP blocks most standard http(s) ports (80, 443, 8080, etc.)


{ github | arch }

Offline

#33 2012-05-13 09:54:22

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,226
Website

Re: Access ssh from a restricted firewall

@nesneros The OP said in the first post that they can access their box via SSH on port 443 from other locations:

ArchaiosFiniks wrote:

I know my sshd is bound correctly, since I can access it from other places with port 443.

Offline

#34 2012-05-13 20:21:34

nesneros
Member
From: Arizona
Registered: 2012-04-25
Posts: 20

Re: Access ssh from a restricted firewall

fukawi2 wrote:

@nesneros The OP said in the first post that they can access their box via SSH on port 443 from other locations:

I realized this, after what I read I had posted yesterday, my bad, and as a note to myself -- never crawl the forums while drunk :|


{ github | arch }

Offline

#35 2012-05-13 21:43:29

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: Access ssh from a restricted firewall

@ArchaiosFiniks: Sure, they may be using some IPS (Intrusion Prevention System) to block your connection attempts, but they might also just be using a web proxy - and talking ssh to/through a web proxy doesn't really work... httptunnel may work, and shellinabox was a nice tip, I haven't seen that one before. I was about to suggest Ajaxterm, but seeing shellinabox I won't :P (It has support for stuff like top and vim as well as a history buffer - just by scrolling! :D)

The problem with shellinabox or AjaxTerm or other similar projects that I have looked at, is that they send everything in clear text. And ssl doesn't necessarily help you, if the proxy you want to tunnel through is a proxy that terminates the ssl, erm, "sessions" (don't know what else to call it right now). If it does, anyone monitoring or maintaining that proxy can see your username and password. The probability of anyone actually caring to do so is of course another question.

To be on the safe side, I think httptunnel or something similar, like proxytunnel, is your best bet. It was quite some time ago I looked at how they worked, but if I remember correctly, I was more impressed by proxytunnel than httptunnel. Of course that might not work either, depending on how the proxy is set up and if they're using an IPS... In that case, if you're desperate, try shellinabox and hope they don't detect you :)

Last edited by Bebo (2012-05-13 21:49:17)

Offline
