Old 10-24-2011, 12:27 PM
Marko Vojinovic
 
Unable to ssh nodes with global IP

On Monday 24 October 2011 12:15:03 Abu Attar Musharih wrote:
> I tried INCOMING ssh several times and checked the file /var/log/secure.
> No entries related to login attempts found.
> Now, it becomes even worse. Yesterday I could do OUTGOING ssh, but not
> anymore. The following site is inaccessible
>
> http://www.yougetsignal.com/tools/open-ports/
>
> While using different provider, there is no problem.

I think that by now it is obvious that the problem is not with your machine,
and that your ISP has closed down the ports. Your choices are probably the
following:

(1) Talk to your provider and ask them to open all ports to your IP. This is a
reasonable request, since you have a public IP number, and should be able to
use it however you like (provided that nobody complains about spam or attacks
coming from your IP). Note, though, that the ISP may choose to charge you
extra money for this.

(2) Change the ISP for another that is more forthcoming.

(3) Scan your IP from outside for any open ports, pick one and use it for
ssh/openvpn/whatever, without discussing it with your ISP. This will work, but
may not be considered legal by the ISP. Also, you might have a hard time
choosing a port, if only a few of them are open, since you may need them all
for their regular job (like ports 80/443 for the web, 25 for e-mail, etc.).

YMMV.

Best, :-)
Marko

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 10-24-2011, 01:31 PM
Steven Stern
 
Unable to ssh nodes with global IP

On 10/23/2011 06:04 AM, Reindl Harald wrote:
>
>
> Am 23.10.2011 12:58, schrieb suvayu ali:
>
>> I am no expert, I just said what worked for me in the past. I ssh into
>> many systems everyday so changing to non-standard ports is
>> inconvenient
>
> where is there any single problem if you can read manuals?
> you have to specify the port only once per client and after
> that rsync, ssh, scp and sftp even in konqueror is using this
> port
>
> cat /etc/ssh/ssh_config
> Host *
> GSSAPIAuthentication no
> Compression yes
> CompressionLevel 9
> Protocol 2
> StrictHostKeyChecking ask
>
> Host yourhost.domain.tld
> Port 10022
>

If the issue is with the ISP blocking 22, then leave SSHD on port 22 and
simply map some external port on the WAN router (e.g., 10022) to 22
internally. It makes life a lot easier, because no matter how many
machines you have on the internal network, you control it from a single
point.



--
-- Steve
 
Old 10-24-2011, 04:12 PM
Tim
 
Unable to ssh nodes with global IP

On Sun, 2011-10-23 at 12:12 +0200, Reindl Harald wrote:
> put sshd on port 10022 and all is well
>
> this has the additional benefit of getting rid of most of the
> idiots trying password-attacks all day long

Though it won't stop the more determined ones. Like those who scan for
all open ports, and then look at what responses they get to determine
what sort of server is listening.

If you have a (potentially) vulnerable server exposed, using something
like fail2ban (if I remembered the name correctly) can be a good idea.
It allows a limited number of attempts from an IP, then temporarily
blacklists that IP. A hacker would have to have tremendous luck to
guess a password in only two attempts, for instance.


--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



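As an added illustration of the behaviour Tim describes (this is not code from the thread or from fail2ban itself), the sweep below counts failed sshd logins per source address inside a sliding time window and renders the temporary block as iptables commands. The log excerpt, the addresses and the thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/secure excerpt (not real traffic): one source hammers
# sshd three times in three seconds, another fails three times over 14 minutes.
SAMPLE_LOG = """\
Oct 24 18:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 24 18:01:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 24 18:01:05 host sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct 24 18:01:09 host sshd[2110]: Accepted publickey for marko from 198.51.100.5 port 40000 ssh2
Oct 24 18:01:40 host sshd[2120]: Failed password for marko from 198.51.100.5 port 40001 ssh2
Oct 24 18:07:10 host sshd[2130]: Failed password for marko from 198.51.100.5 port 40002 ssh2
Oct 24 18:15:00 host sshd[2140]: Failed password for marko from 198.51.100.5 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def find_offenders(log_text, max_retry=3, window_seconds=600, year=2011):
    """Return {ip: time_of_ban} for every source with at least max_retry failed
    logins inside a sliding window of window_seconds (fail2ban's maxretry and
    findtime). syslog lines carry no year, so the caller supplies it."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.popleft()        # expire failures older than the window
        if len(hits) >= max_retry:
            banned[ip] = ts
    return banned

def ban_rules(banned, chain="INPUT"):
    """Render the block as iptables commands, roughly what fail2ban's iptables
    action does; unbanning later is the matching -D."""
    return [f"iptables -I {chain} -s {ip} -j REJECT" for ip in sorted(banned)]

if __name__ == "__main__":
    offenders = find_offenders(SAMPLE_LOG)
    for ip, when in offenders.items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("\n".join(ban_rules(offenders)))
```

With the defaults only 203.0.113.7 is banned; the slow failures from 198.51.100.5 never reach three inside one ten-minute window, which is the difference between a brute-force attempt and a forgetful user.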
 
Old 10-24-2011, 04:31 PM
Reindl Harald
 
Unable to ssh nodes with global IP

Am 24.10.2011 18:12, schrieb Tim:
> On Sun, 2011-10-23 at 12:12 +0200, Reindl Harald wrote:
>> put sshd on port 10022 and all is well
>>
>> this has the additional benefit of getting rid of most of the
>> idiots trying password-attacks all day long
>
> Though it won't stop the more determined ones. Like those who scan for
> all open ports, and then look at what responses they get to determine
> what sort of server is listening.
>
> If you have a (potentially) vulnerable server exposed, using something
> like fail2ban (if I remembered the name correctly) can be a good idea.
> It allows a limited number of attempts from an IP, then temporarily
> blacklists that IP. A hacker would have to have tremendous luck to
> guess a password in only two attempts, for instance.

I know all this, but it is not in standard nmap, and so you don't
have the logfiles full the whole day, and the overhead of a
non-standard port is practically non-existent.

NOBODY should allow password login on sshd, ever, and we do not.

additionally:
iptables -A INPUT -p tcp --sport 1024:65535 -m state --syn --state NEW --dport YOURPORT -m limit --limit 60/minute --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m state --syn --state NEW --dport YOURPORT -j REJECT
___________

for portscans, allow only 120 connections from the same IP per second;
it makes it really hard to do a full port-scan because it takes forever, and
additionally webservers are protected against a single DoS attack

try it with "ab -c 20 -n 100000 http://yourhost/" and you will see htop
shortly with 100% cpu and falling down to normal values in waves

iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 120 -j DROP
___________

as you see, security is never one setting and it is done; obscurity as
additional prevention is good and no overhead if someone knows how to
handle his machines

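To make the two rule sets in this post concrete, here is an added simulation of their semantics (not the poster's code): the first pair is a token bucket shared by everything that hits YOURPORT, the second a per-source sliding window checked before the source is stamped. Arrival times and addresses are constructed; note also that on older kernels --hitcount cannot exceed the xt_recent ip_pkt_list_tot module parameter (default 20), which a value of 120 runs into.

```python
from collections import defaultdict, deque

class TokenBucket:
    """Models '-m limit --limit R --limit-burst B': one bucket for the whole
    rule (not per source), B tokens at start, refilled at R tokens/second."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def accept(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # limit matched -> ACCEPT
        return False             # no token -> falls through to REJECT

class RecentWindow:
    """Models the '-m recent' pair as inserted with -I: the
    '--update --seconds S --hitcount N -j DROP' rule is consulted first,
    then '--set' records the SYN for that source."""
    def __init__(self, seconds, hitcount):
        self.seconds, self.hitcount = seconds, hitcount
        self.stamps = defaultdict(deque)

    def accept(self, src, t):
        q = self.stamps[src]
        while q and t - q[0] > self.seconds:   # only the last S seconds count
            q.popleft()
        dropped = len(q) >= self.hitcount
        q.append(t)              # --update (on match) and --set both stamp the entry
        return not dropped

def simulate(arrivals, rate_per_sec=1.0, burst=20, seconds=1.0, hitcount=120):
    """arrivals: iterable of (time_in_seconds, source_ip). Returns, per source,
    how many SYNs got through each rule set. Defaults mirror the post."""
    limit, recent = TokenBucket(rate_per_sec, burst), RecentWindow(seconds, hitcount)
    stats = defaultdict(lambda: {"total": 0, "limit": 0, "recent": 0})
    for t, src in sorted(arrivals):
        stats[src]["total"] += 1
        stats[src]["limit"] += limit.accept(t)
        stats[src]["recent"] += recent.accept(src, t)
    return dict(stats)

# Constructed traffic: 200 SYNs within one second from one source, plus an
# admin who tries once during the flood and once two seconds after it.
FLOOD = [(i * 0.005, "203.0.113.7") for i in range(200)]
ADMIN = [(0.5025, "198.51.100.5"), (3.0, "198.51.100.5")]

if __name__ == "__main__":
    for src, s in simulate(FLOOD + ADMIN).items():
        print(f"{src}: {s['limit']}/{s['total']} past -m limit, "
              f"{s['recent']}/{s['total']} past -m recent")
```

The run shows the trade-off: -m limit lets only 20 of the flood through but also rejects the admin's connection made during it, because the bucket is not per source, while -m recent passes 120 of the flood and both admin attempts.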
 
Old 10-24-2011, 04:50 PM
suvayu ali
 
Unable to ssh nodes with global IP

On Mon, Oct 24, 2011 at 18:12, Tim <ignored_mailbox@yahoo.com.au> wrote:
> If you have a (potentially) vulnerable server exposed, using something
> like fail2ban (if I remembered the name correctly) can be a good idea.
> It allows a limited number of attempts from an IP, then temporarily
> blacklists that IP. A hacker would have to have tremendous luck to
> guess a password in only two attempts, for instance.

An alternative to fail2ban is denyhosts.

--
Suvayu

Open source is the future. It sets us free.
 
Old 10-25-2011, 08:48 AM
Tim
 
Unable to ssh nodes with global IP

On Mon, 2011-10-24 at 18:31 +0200, Reindl Harald wrote:
> for portscans allow only 120 connections from the same ip per second
> makes it really hard do a full port-scan because it longs forever and
> aditionally webservers are proctected against a single dos-attack

120 per second seems overly generous.

> try it with "ab -c 20 -n 100000 http://yourhost/" and you will see

Hmm, "ab"... Never go past *ix users for coming up with extremely
abbreviated commands.

> as you see security is never one setting and it is done and obscurity
> as additional prevention is good and no overhead if someone knows to
> handle his machines

Yes/no... It's too easy to think being obscure protects you when it
doesn't really. It only slightly shifts the goal posts.

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.



 
Old 10-25-2011, 12:28 PM
Abu Attar Musharih
 
Unable to ssh nodes with global IP

On Sat, Oct 22, 2011 at 7:12 PM, Andras Simon <szajmi@gmail.com> wrote:

> Can you ping the machine? If yes, then are there traces in the logs
> that show the connection attempts? (You can make iptables log those.)

Above is another important point. I can not ping the machine.
I am wondering how they do that. What port do they close?
Thanks,
AA
 
Old 10-25-2011, 12:34 PM
Reindl Harald
 
Unable to ssh nodes with global IP

Am 25.10.2011 14:28, schrieb Abu Attar Musharih:
> On Sat, Oct 22, 2011 at 7:12 PM, Andras Simon <szajmi@gmail.com> wrote:
>
>> Can you ping the machine? If yes, then are there traces in the logs
>> that show the connection attempts? (You can make iptables log those.)
>
> Above is another important point. I can not ping the machine.
> I am wondering how they do that. What port do they close?

ping has no port, nor is it TCP
ping is ICMP type 8
as long as your machine does not accept this, it cannot be pinged

so it is not certain whether the ISP, some router or the machine itself
does not accept ICMP

these are the last two lines of all my firewalls:
the first accepts ping and the second rejects all
ports not explicitly opened

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -j REJECT

 
Old 10-25-2011, 12:41 PM
Marko Vojinovic
 
Unable to ssh nodes with global IP

On Tuesday 25 October 2011 13:28:05 Abu Attar Musharih wrote:
> On Sat, Oct 22, 2011 at 7:12 PM, Andras Simon <szajmi@gmail.com> wrote:
> > Can you ping the machine? If yes, then are there traces in the logs
> > that show the connection attempts? (You can make iptables log those.)
>
> Above is another important point. I can not ping the machine.
> I am wondering how they do that. What port do they close?

They filter out ICMP packets in the firewall. See

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Best, :-)
Marko

 
Old 10-25-2011, 06:00 PM
Joe Zeff
 
Unable to ssh nodes with global IP

On 10/25/2011 05:28 AM, Abu Attar Musharih wrote:
> Above is another important point. I can not ping the machine.
> I am wondering how they do that. What port do they close?
> Thanks,
> AA

Ping uses ICMP packets. I don't think it uses a port; at least, there's
no CLI option to change it.
 