September 9th, 2004
Ok, so here's my problem.
I'm at work behind a firewall, and I've got a server colocated on a T1 line outside this firewall.
All I want is an SSH session to my server, and I'm trying to figure out a port I can do this on.
I'm bouncing the ssh server around on all the ports I can think of to try.
Ports 80 and 443 are proxied and content filtered, thus obviously out.
ports 22 and 23 are simply blocked.
Ports 20 and 21 (ftp) will allow me to make a passive ftp connection straight through, but it won't let an ssh session through. this is confusing me.
|Date:||September 9th, 2004 09:42 am (UTC)|| |
Do any IM systems work?
Another thing you might be able to try depending if the net admin is lazy is to find out the router the proxy or mail server uses. Sometimes there are 2 routers on the same switch. One routes internally and one router internally and externally. The second would do routing for email outside the company, the proxy, and the web server. If the company is a little smaller than say 500 ppl this is setup generally what you will encounter.
To find this sniff the network and look for where is tell packets. Most will be servers/workstations but you might be able to pick up the router that way. If there was a way to get the proxy or some server with access to this router to reboot generally it will yell for all of its network connections (routers subnet broadcast etc) when it starts its network.
Hmm.. look for non-standard ports on the firewall. Maybe DNS is open, or smtp.
You really need to try and map the net you're on so that you can figure out how things are setup. Depending on what you support you might be able to ask some simple questions to gain this info.. and it call it point of failure information.
A question that you could ask is this.. "If the email server is working internally, but I can't email outside the company. What router would I ping to make sure it's up and running and giving internet access to the mail server?" Though this would be if your on the internal helpdesk side. Otherwise break out the sniffer or be real nice to the network guys and try to make a friend with one so they will give you information.
|Date:||September 9th, 2004 10:43 pm (UTC)|| |
This may prove difficult, if your work is blocking all port 22 traffic out. No doubt your colocated server also has a firewall, so if you try moving the port around on that end, it will also likely be blocked.
Normally firewalls only block incoming connections, but port blocking can be setup on outgoing connections as well.
|Date:||September 10th, 2004 01:49 pm (UTC)|| |
// since he controls the colo'd server, he can open
// whatever ports he wants.
// also, thanks for clarifying what firewalls are.
|Date:||September 10th, 2004 01:45 pm (UTC)|| |
// 1. have you tried all the ports?
// do they block all high numbered ones? how about the
// ms specific protocol ones? do they happent to let tcp
// out over 53 (lazy dns fw rules)? outgoing smtp (25)?
// imap/s or pop/s (143,993 and 110,995)? does windows
// update go to ms's server, or are they proxying that
// 2. wrt ports 20 and 21
// passive ftp just means that the server can't connect
// to your machine on a high-numbered port--not surprising.
// however, if you can do passive ftp you *should* be able
// to do ssh.
// i'd recommend having netcat listen on port 21 on your
// server (nc -l -p 21) and then trying to netcat to that
// from you client. netcat is a straight tcp connection, so
// a packet-filter probably won't destroy it immediately.
// maybe they are filtering encrypted or ssh traffic??
// there is always a way in (or out).
|Date:||September 10th, 2004 03:00 pm (UTC)|| |
You and Meg are in Cambridge. I am in Cambridge. We should meet up at some point. Have you some time this weekend to grab tea or somesuch? :D
hmm... maybe sunday morning/noon...
I'll see if the girl had plans.
that's 10:30 sunday, not today. ;o)
|Date:||September 11th, 2004 07:21 am (UTC)|| |
Re: *poke poke*
10:30 Christophers. I will be there with bells on and such.