Cr0t l33t
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Tue Nov 10, 2009 7:27 pm Post subject: ssh tunneling

My router at home forwards port 2222 to port 22 to one of my Linux machines. My work doesn't allow me to connect to port 2222. I have been playing around with ssh tunneling, but I am unable to connect.
_________________
cya

HeXiLeD Veteran
Joined: 20 Aug 2005 Posts: 1159 Location: Online
Posted: Tue Nov 10, 2009 8:23 pm

Check THIS video
Change ports if necessary, such as 443 in some cases instead of 22 for ssh.
Add [SOLVED] to your topic if the problem gets solved.
_________________
Do you hear the sound of inevitability?
With age, comes great grumpiness and that, was 20 years ago...
CertFP: becbbd161d5a5c31de3c45171b77bf710911db29 / d985d21f89fe2977b593c4d381a1a86802e62990d9328d893db76d59f9935244

Cr0t l33t
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Tue Nov 10, 2009 8:51 pm

Didn't work....

the.root Apprentice
Joined: 29 Apr 2007 Posts: 210 Location: -84.706059324915, -62.4843750666430
Posted: Tue Nov 10, 2009 9:29 pm

Does your work use a proxy that all traffic must go through?
And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to PC, and if that fails, port 80 to 22 on your router to PC? And I also assume you can connect to your PC port 22 internally, no problem.
_________________
Ps = (1.5 x 6 x .75) / {(4/3) (pi) [(31.039 x 10^15) (46.5 x 10^9)]^3}
Seems like a waste..

Cr0t l33t
Joined: 27 Apr 2002 Posts: 945 Location: USA
Posted: Tue Nov 10, 2009 11:14 pm

the.root wrote:
> Does your work use a proxy that all traffic must go through?
> And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to PC, and if that fails, port 80 to 22 on your router to PC? And I also assume you can connect to your PC port 22 internally, no problem.

If I forward port 22 to my internal port 22, I can connect just fine from work. I had to change the port, because otherwise people try to hack me all day long. So I forwarded port 2222 to port 22.
Now if I try to connect from work it just times out.

Code:
    [WORK] -> Router:2222 -> forward -> gentoo:22

the.root Apprentice
Joined: 29 Apr 2007 Posts: 210 Location: -84.706059324915, -62.4843750666430
Posted: Wed Nov 11, 2009 12:07 am

Cr0t wrote:
> the.root wrote:
> > Does your work use a proxy that all traffic must go through?
> > And I didn't watch that video, but I assume you tried forwarding port 443 to 22 on your router to PC, and if that fails, port 80 to 22 on your router to PC? And I also assume you can connect to your PC port 22 internally, no problem.
>
> If I forward port 22 to my internal port 22, I can connect just fine from work. I had to change the port, because otherwise people try to hack me all day long. So I forwarded port 2222 to port 22.
> Now if I try to connect from work it just times out.
>
> Code:
>     [WORK] -> Router:2222 -> forward -> gentoo:22

Have you tried from other external places besides your work? Maybe it's a limitation/restriction within your work's network. You should be able to try it from your internal just the same: ssh $user@$external_ip -p 2222. If you can't do that then I'd say there's an issue with the FWD on the router. What kind of router is it, did you set it up for tcp/udp, what are the timeouts, etc etc. There may also be a firewall or similar on the router blocking it. Another possibility (although I've only seen it a couple of times): your ISP could be blocking it.

eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9883 Location: almost Mile High in the USA
Posted: Wed Nov 11, 2009 9:41 pm

I have a similar problem root-caused - my work firewall prohibits ports other than 22 (and 80, and 443, but I have an https server) going out. Basically there's really no solution. If you have a friendly firewall admin they'll open a hole for you; but likely if you're at a large company it's a definite 'NO' ...
and so I continue to get hack attempts. Just pray that my accounts all have secure passwords or use key-based authentication.
Another thing I was thinking about to slightly reduce hacking attempts is to have a (port 80) URL that allows new port 22 connects for a short while, then either another URL to block or a timeout to shut it off again. While not great security, it definitely would reduce the number of attempts yet still allow myself to login externally.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

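Added example, not part of any post in this thread: a Python model of the timed-opening idea from the post above, narrowed so the window opens only for the address that requested it. The secret, window length, token scheme and all names are assumptions made for illustration; a real setup would enforce the decision in the firewall.

```python
import hashlib
import hmac
import ipaddress

# Constructed values for this example; not from the thread.
SECRET = b"example-shared-secret"
WINDOW_SECONDS = 120


def make_token(secret: bytes, client_ip: str) -> str:
    """Token the owner appends to the 'open' URL; bound to the caller's address."""
    return hmac.new(secret, client_ip.encode(), hashlib.sha256).hexdigest()


class TimedSshGate:
    """Tracks which source addresses may start new port 22 connections."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.expiry = {}  # source IP -> time at which its window closes

    def open_request(self, client_ip: str, token: str, now: float) -> bool:
        """Handle a hit on the 'open' URL; True if a window was opened."""
        try:
            ip = str(ipaddress.ip_address(client_ip))
        except ValueError:
            return False  # malformed address never opens anything
        expected = make_token(self.secret, ip)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        self.expiry[ip] = now + self.window
        return True

    def close_request(self, client_ip: str) -> None:
        """Handle a hit on the 'block' URL: shut the window early."""
        self.expiry.pop(client_ip, None)

    def allows_new_connection(self, client_ip: str, now: float) -> bool:
        """Decision for each new connection attempt to port 22."""
        closes_at = self.expiry.get(client_ip)
        if closes_at is None:
            return False
        if now >= closes_at:
            del self.expiry[client_ip]  # timeout: the window shuts itself
            return False
        return True
```

Connections that are already established are outside this check, which matches the post's wording of allowing new port 22 connects only for a short while.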
the.root Apprentice
Joined: 29 Apr 2007 Posts: 210 Location: -84.706059324915, -62.4843750666430
Posted: Wed Nov 11, 2009 9:46 pm

eccerr0r wrote:
> I have a similar problem root-caused - my work firewall prohibits ports other than 22 going out. Basically there's really no solution. If you have a friendly firewall admin they'll open a hole for you; but likely if you're at a large company it's a definite 'NO' ...
> and so I continue to get hack attempts. Just pray that my accounts all have secure passwords or use key-based authentication.
> Another thing I was thinking about to slightly reduce hacking attempts is to have a (port 80) URL that allows new port 22 connects for a short while, then either another URL to block or a timeout to shut it off again. While not great security, it definitely would reduce the number of attempts yet still allow myself to login externally.

Another couple of ideas: only allow ssh from certain IPs, and if you can set up port knocking on your firewall/router that might help. Also, key-based authentication is ideal.
Normally it's odd for a place to ONLY allow 22 out. Generally you have 80 & 443, maybe some mail ports, proxy ports, something else open you can use.

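Added example, not part of any post in this thread: a Python model of the two filters suggested above, a fixed list of allowed source networks plus a port-knock sequence that must arrive in order and in time before port 22 is reachable from other addresses. The networks, knock ports, timings and names are constructed for illustration; on a real host the firewall or a knock daemon applies this logic.

```python
import ipaddress

# Constructed values for this example; not from the thread.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_TIMEOUT = 10.0  # seconds allowed to finish the whole sequence
OPEN_SECONDS = 30.0   # how long port 22 stays reachable after a good knock


class KnockFilter:
    def __init__(self):
        self.progress = {}  # ip -> (index of next expected port, deadline)
        self.opened = {}    # ip -> time at which access ends

    def on_knock(self, ip: str, port: int, now: float) -> None:
        """Record one connection attempt to a closed knock port."""
        idx, deadline = self.progress.get(ip, (0, now + KNOCK_TIMEOUT))
        if now > deadline:
            idx, deadline = 0, now + KNOCK_TIMEOUT  # too slow: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        else:
            # Wrong port resets progress; it may itself be a fresh first knock.
            idx = 1 if port == KNOCK_SEQUENCE[0] else 0
            deadline = now + KNOCK_TIMEOUT
        if idx == len(KNOCK_SEQUENCE):
            self.opened[ip] = now + OPEN_SECONDS
            self.progress.pop(ip, None)
        elif idx == 0:
            self.progress.pop(ip, None)
        else:
            self.progress[ip] = (idx, deadline)

    def ssh_allowed(self, ip: str, now: float) -> bool:
        """True if this source may open a new connection to port 22."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in ALLOWED_NETS):
            return True  # statically allowed source, no knock needed
        return now < self.opened.get(ip, 0.0)
```

Neither filter replaces key-based authentication; they only cut down who can reach the login prompt at all.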
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9883 Location: almost Mile High in the USA
Posted: Thu Nov 12, 2009 12:45 am

I ended up not whitelisting because if I'm at a random wifi hotspot, I won't know my IP address in advance. Not to mention my work uses a rotating proxy and I'm not sure if I've gotten every single possible proxy yet.
I've even been to one wifi hotspot that had free net access -- but disallowed everything but port 80. Didn't have to use it long to figure out that it was not going to be useful as I can't use it for secure connections (either VPNing back home (udp 1194 blocked), https (tcp 443 blocked), or ssh (tcp 22 blocked)). Was kind of hesitant to even use f.g.o through it or anything else, probably only useful to check the weather, google maps, or something.