SSH Works For Some Hosts, Not For Others - linux

I've been having problems SSHing into my work computer from home. I have been able to successfully ssh into one of our web servers so I know the ssh daemon is working and my connection is at least allowing some ssh. But when I try to ssh to my work computer it times out.
I went to my University yesterday and I was able to successfully ssh into both the web server and my work computer. I've looked into our firewall at work to see if there are any blocks on my IP but it isn't blocked.
My ISP is Comcast if that helps at all. I've done a few Google searches and some Comcast customers say that Comcast sometimes blocks file sharing ports such as the ssh port (22).
Any help would be appreciated. Thanks.

First check the /etc/hosts.deny file of your work computer. That may contain lines which suggest that a certain IP may be blocked. Then check the /etc/hosts.allow file. You can add your home computer's outgoing IP to your work computer's /etc/hosts.allow.
NOTE: This question belongs on Super User or Server Fault. Stack Overflow is for questions that involve coding...
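To see what the answer above is asking you to check, here is an added example (not code from the thread) that evaluates TCP-wrappers style /etc/hosts.allow and /etc/hosts.deny rules for a client address. It follows the order documented in hosts_access(5): hosts.allow is consulted first and a match grants access, then hosts.deny and a match denies, and if neither file matches, access is granted. Only a subset of client patterns is supported (ALL, an exact IPv4 address, a trailing-dot prefix, and network/mask or CIDR); the rule text is constructed sample data. One caveat a practitioner would want: OpenSSH dropped its built-in tcp_wrappers support in version 6.7, so on a modern server these files only take effect if sshd is still linked against libwrap or started through tcpd.

```python
"""Evaluate TCP-wrappers style hosts.allow / hosts.deny rules (added example)."""
import ipaddress

# Constructed sample rule files
SAMPLE_HOSTS_ALLOW = """
# Office LAN and a single home address may reach sshd
sshd: 192.168.1. 203.0.113.77
ALL: 127.0.0.1
"""

SAMPLE_HOSTS_DENY = """
# Everything else is refused for sshd
sshd: ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) tuples; comments and blank lines are skipped.

    'sshd: 192.168.1. 203.0.113.77' yields (['sshd'], ['192.168.1.', '203.0.113.77']).
    Any third field (shell command or allow/deny option) is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        rules.append((parts[0].split(), parts[1].split()))
    return rules


def client_matches(pattern, client_ip):
    """Does one client pattern match the given IPv4 address string?"""
    addr = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # Prefix form: '192.168.1.' matches 192.168.1.0 through 192.168.1.255
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # ipaddress accepts both '10.0.0.0/8' and '10.0.0.0/255.0.0.0'
        return addr in ipaddress.IPv4Network((net, mask), strict=False)
    return addr == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, client_ip) for p in clients)


def access_decision(daemon, client_ip, allow_text, deny_text):
    """Return 'allow' or 'deny' following the hosts_access(5) evaluation order."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return "deny"
    return "allow"  # neither file matched: access is granted


if __name__ == "__main__":
    for ip in ("192.168.1.42", "203.0.113.77", "198.51.100.9"):
        print(ip, access_decision("sshd", ip, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY))
```

Run it against copies of the real files to see which rule a given home address hits before editing anything; a home address that is refused here would show up on the client as a connection that is accepted and then closed, not as a timeout.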

There is not one single "ssh daemon"... there is one running on each host to which you connect successfully. If you cannot connect to a host there are two primary reasons:
There is no SSH daemon running on the host. In that case you will likely get "connection refused"
There is a firewall between you and the host, and it is not allowing port 22 to pass through. In that case you will likely get timeouts.
If you are trying to connect to a host behind a firewall from "outside", as you suggest, it is extremely likely that host is not reachable from the Internet. If the IP address of the "work computer" looks like 192.168.x.x or 172.[16-31].x.x or 10.x.x.x then it is an unroutable private address and you will not be able to reach it from the outside no matter what you do unless a specific port-forwarding rule is set up on the firewall; in that case you would be connecting to the firewall's IP address, not your target host.

Related

Port Forwarding in order to use running services

Well I'm running an ssh server on my laptop which I'm port forwarding to my router and I assume that I can now connect through my router's IPv4 and port in order to tunnel back to my laptop, but it doesn't work like that, does it.
Can someone explain to me what I need to do in order to make this work? Simply please, I don't want to get confused, and I know this is a noob question but I went straight to other things instead of learning some basics and now I'm feeling the consequences lol.
It depends on where you want to access your laptop from. If it's just from your local network or LAN, you don't need to set up anything on the router. If, however, you want to access it from the internet, you need to set up port forwarding on the router, but probably also set it up with your ISP.
SSH server setup
The SSH server normally runs on port 22 (the SSH port). At first your laptop's firewall blocks all incoming traffic! So in order to allow people to access your laptop through SSH, you need to tell your firewall to allow incoming traffic on port 22. Also, if you haven't already, set a static IP on your laptop so that you can configure the router for port forwarding and access your laptop easily. And make sure to exclude the static address from the DHCP range (so that your router doesn't assign your static IP to another device).
LAN connection
In the case of an SSH connection only on your local network, all you need is the local IP of your laptop. That's it.
WAN connection (internet)
So first, of course, you need to enable port forwarding on your router and specify port 22 and your laptop's local IP address. But you need to know how you are connected to the internet, because ISPs can have an intermediate network layer (or layers). And this network, even though it is way bigger than your home network, is still a private network and uses private IP addresses. So in order to access your laptop through the internet, you have to talk to your ISP. And the final public IP is the one you would need to access the SSH server.
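The two answers above (the "refused means no daemon, timeout means a firewall" point in the first thread, and the "your ISP may itself be a private network" point in this one) can be turned into one check. The following is an added example, not code from either thread: it classifies an address as loopback, RFC 1918 private, or public, attempts a TCP connect and reports whether it was refused or timed out, and as a generalisation of the ISP remark also flags 100.64.0.0/10, the range reserved for carrier-grade NAT, which is what an ISP's intermediate network usually looks like on a router's WAN interface. The `explain` helper and the addresses used in `__main__` are constructed for illustration.

```python
"""Classify SSH reachability problems: address type plus TCP connect outcome (added example)."""
import errno
import ipaddress
import socket

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # ISP carrier-grade NAT range


def classify_address(ip_text):
    """Return 'loopback', 'private', 'cgnat' or 'public' for an IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip_text)
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4:
        if any(addr in net for net in RFC1918):
            return "private"
        if addr in CGNAT:
            return "cgnat"
    elif addr.is_private:
        return "private"
    return "public"


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect; report 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"          # SYN got no answer: filtered, NAT without forward, or host down
    except ConnectionRefusedError:
        return "refused"          # host answered with RST: reachable, nothing listening
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # no route from this network
        raise


def explain(wan_ip, target_ip, probe_result):
    """Combine the address classes and the probe result into the likely cause (hypothetical helper)."""
    if classify_address(target_ip) == "private" and classify_address(wan_ip) != "private":
        return "target is a private address: connect to the router's public IP with a port-forward instead"
    if classify_address(wan_ip) == "cgnat":
        return "router WAN address is in 100.64.0.0/10: ISP carrier-grade NAT, inbound forwarding needs the ISP"
    return {
        "open": "port is reachable and something is listening",
        "refused": "host reachable but no daemon listening on that port",
        "timeout": "packets dropped: firewall, NAT without a forward, or the host is down",
        "unreachable": "no route to host from this network",
    }[probe_result]


def free_loopback_port():
    """Bind an ephemeral loopback port and release it, so a connect to it is refused (demo helper)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed addresses: 203.0.113.5 is a documentation-range 'public' WAN IP
    print(probe_tcp("127.0.0.1", free_loopback_port()))          # refused: nothing listening
    print(explain("203.0.113.5", "192.168.1.20", "timeout"))
    print(explain("100.72.1.9", "100.72.1.9", "timeout"))
    print(explain("203.0.113.5", "198.51.100.7", "refused"))
```

Run `probe_tcp` against the router's public address from outside the LAN (a phone on mobile data is enough): "refused" tells you the forward reached a host with nothing on the port, "timeout" tells you the SYN never came back, and a WAN address in 100.64.0.0/10 tells you no router setting alone will fix that.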

Access Azure VM from behind a NAT

So I am pretty new to all of this and currently learning about ssh and NAT.
So I have a VM set up on Azure and in order to connect to it I need to ssh into it. But the problem is I am unable to ssh into it because I am behind a NAT, as I am currently studying at a University, hence getting a "connection timed out" error all the time.
Also I have tried changing the default port (22) to 443 or 80, still the same error, which confirms I am behind a NAT.
So currently the only way to ssh is to use a VPN which works fine.
But after researching a bit I found that I can also use Reverse SSH Tunneling to achieve the same but couldn't figure out how to do it. I know it is a bit riskier than using a VPN only but anyway just wanted to try.
So can anyone help me?
An outgoing SSH connection (your machine -> Azure VM) should not be affected if you are behind a NAT. NAT usually blocks incoming SSH access to your machine not out from it.
Also I have tried changing the default port(22) to 443 or 80 still the same error which confirms I am behind a NAT.
You changed the default port on which machine, yours or the Azure VM? Changing the default port on your machine will not affect the outgoing SSH connection, as it only applies to incoming SSH connections to the SSH server on your machine (if you have one running locally).
Your best bet would be to actually look at the security groups of the Azure Virtual Network your VM is located in. Make sure they allow incoming SSH connections on port 22 to your VM.
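The security-group check the answer recommends can be reasoned through offline. Below is an added example, not Azure tooling and not code from the thread: a simplified model of how Network Security Group inbound rules are evaluated (sorted by priority, lowest number first, first match wins, with the default DenyAllInBound at priority 65500 catching everything else). The rule set, the `fix_for_source` helper and the addresses are constructed; the "Internet" source is approximated as any non-RFC 1918 IPv4 address. The point it illustrates for the question: from behind the university NAT the VM sees the NAT's public address as the source, so a rule that only allows port 22 from a home address never matches, the SYN is dropped, and the client reports exactly the "connection timed out" described.

```python
"""Simplified NSG-style inbound rule evaluation for an SSH connection (added example)."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower numbers are evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    dst_ports: str     # "22", "1000-2000" or "*"
    source: str        # CIDR, single IP, "Internet" or "*"


# Constructed rule set: SSH is only allowed from one home address
SAMPLE_RULES = [
    Rule("AllowSSHFromHome", 100, "Allow", "Tcp", "22", "198.51.100.23/32"),
    Rule("AllowHTTPS", 110, "Allow", "Tcp", "443", "Internet"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),  # default catch-all
]


def port_in_range(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(spec, src_ip):
    addr = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "Internet":
        # Simplification of the service tag: anything that is not an RFC 1918 address
        return addr.version != 4 or not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (decision, rule_name) for the first rule, by priority, that matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not port_in_range(rule.dst_ports, dst_port):
            continue
        if not source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    return "Deny", "(no rule matched)"


def fix_for_source(rules, src_ip, dst_port=22):
    """Hypothetical helper: add a narrow allow rule for src_ip if it is currently denied."""
    decision, _ = evaluate_inbound(rules, src_ip, dst_port)
    if decision == "Allow":
        return list(rules)
    new_rule = Rule(f"AllowSSHFrom-{src_ip}", 105, "Allow", "Tcp", str(dst_port), f"{src_ip}/32")
    return sorted(rules + [new_rule], key=lambda r: r.priority)


if __name__ == "__main__":
    campus_nat_ip = "203.0.113.17"   # constructed: the source address the VM actually sees
    print(evaluate_inbound(SAMPLE_RULES, "198.51.100.23", 22))   # ('Allow', 'AllowSSHFromHome')
    print(evaluate_inbound(SAMPLE_RULES, campus_nat_ip, 22))     # ('Deny', 'DenyAllInBound')
    fixed = fix_for_source(SAMPLE_RULES, campus_nat_ip)
    print(evaluate_inbound(fixed, campus_nat_ip, 22))            # ('Allow', 'AllowSSHFrom-203.0.113.17')
```

Adding a /32 for the campus egress address keeps the exposure narrow; opening port 22 to "Internet" is the usual shortcut and is also what brute-force scanners look for.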

Somewhat convoluted ssh issue. Can ping, but not ssh, but only from on-site

I am trying to ssh into my server at work (CentOS) from my laptop (Ubuntu). When I am at home, I do it by running the following script on the server (I start it while I am physically at work):
ssh -R (port #):localhost:22 (name@home ip)
I do this because it doesn't accept connections from external IPs. Then, I can ssh into the specified port on my laptop, and it works fine.
However, when I am actually at work, I can't ssh to the server. The other people in my office can. They do this very simple command (only works while they are at work, since they need an IP from inside the system):
ssh (username)@(work ip)
And they are automatically logged in. When I do that, I get no response; no public key denial, no wrong username, no response at all. Eventually it times out. But I know the server has ssh running, because everyone else can do it.
Additionally, if I do this on my laptop, while at work:
ping (work ip)
I do get response packets, with no loss, almost no lag. But ssh doesn't work.
I can ssh to other places from my laptop, both while I am at home and at work. So my laptop is properly configured to ssh to things, it just doesn't reach the work server for some reason. I talked to the guy who set it up and he insists there is no whitelist; the only security from internal IPs (and I am physically on site, so I have an internal IP, so there should be no need to do the ssh -R like I do at home) is the private/public RSA key system, and I know the keys must be already set up, because it works when I do the ssh -R from home. Plus, if the keys were not set up, I would get a public key denial, instead of no response at all, right?
If I do ssh -vv, this is the last line before it times out:
debug1: Connecting to ccny6 [work ip] port 22.
I see other people have posted similar questions, but the responses seem to generally be "is the server running the ssh service" etc., which I know it is as other people can ssh to it (as can I if I'm using the ssh -R tunnel), so none of those responses did me much good, unfortunately.
Summary: I can ssh to a server from OFF site via an ssh tunnel, but can't ssh to it while I am right next to it using direct ssh, even though I can ping it, and others can ssh to it.
The most likely reason for this is your ISP. I too had this issue a few months back. They had closed the ssh ports. Ask them and get it released.
Just as a confirmation, try to ssh to other IPs as well. It won't work either if your ISP has blocked it.
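The `ssh -vv` output quoted in the question is actually the most useful clue in the thread: OpenSSH reports each phase in order (TCP connect, banner, key exchange, authentication), so the last phase printed tells you which layer failed. The following is an added example, not part of the original post, that reads a debug log and names the furthest phase reached. A log that ends at "debug1: Connecting to ... port 22." means the TCP handshake never completed, which points at packet filtering or routing on the path and rules out sshd configuration and keys, consistent with ping (ICMP) still working. The log excerpts are constructed, with the documentation address 192.0.2.10 standing in for the "[work ip]" in the question.

```python
"""Work out how far an `ssh -v` session got before it failed (added example)."""
import re

# (pattern on a debug line, phase name) in the order OpenSSH emits them
PHASE_MARKERS = [
    (re.compile(r"^debug1: Connecting to "), "tcp_connect"),
    (re.compile(r"^debug1: Connection established"), "tcp_established"),
    (re.compile(r"^debug1: Remote protocol version"), "banner"),
    (re.compile(r"^debug1: SSH2_MSG_KEXINIT received"), "kex"),
    (re.compile(r"^debug1: Authentications that can continue"), "auth"),
    (re.compile(r"^debug1: Authentication succeeded"), "authenticated"),
]
PHASE_ORDER = [name for _, name in PHASE_MARKERS]

VERDICTS = {
    "tcp_connect": "TCP handshake never completed: packets are being dropped "
                   "(firewall, ACL, ISP filtering or routing), not an sshd or key problem",
    "tcp_established": "TCP connected but no SSH banner arrived: something other than sshd "
                       "answered, or sshd closed early (MaxStartups, tcp_wrappers)",
    "banner": "banner exchanged but key exchange failed: algorithm mismatch or abrupt close",
    "kex": "key exchange done but authentication was never offered: server dropped the session",
    "auth": "reached authentication and was refused: wrong key, wrong user, or an AllowUsers/AllowGroups setting",
    "authenticated": "login succeeded",
}


def diagnose(log_text):
    """Return the furthest phase reached, the final ssh error line if any, and a verdict."""
    furthest = -1
    final_error = None
    for line in log_text.splitlines():
        line = line.strip()
        for pattern, name in PHASE_MARKERS:
            if pattern.search(line):
                furthest = max(furthest, PHASE_ORDER.index(name))
        if line.startswith("ssh: connect to host") or line.startswith("Permission denied"):
            final_error = line
    if furthest < 0:
        return {"phase": None, "error": final_error, "verdict": "no connection attempt found in log"}
    phase = PHASE_ORDER[furthest]
    verdict = VERDICTS[phase]
    # A refused connect is more specific than a silent drop: the host answered, nothing listens
    if final_error and "Connection refused" in final_error:
        verdict = "TCP connect refused: host reachable but no sshd listening on that port"
    return {"phase": phase, "error": final_error, "verdict": verdict}


# Constructed excerpts; 192.0.2.10 stands in for the "[work ip]" in the question.
LOG_TIMEOUT = """\
OpenSSH_8.9p1, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ccny6 [192.0.2.10] port 22.
ssh: connect to host ccny6 port 22: Connection timed out
"""

LOG_REFUSED = """\
debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.
ssh: connect to host 192.0.2.10 port 22: Connection refused
"""

LOG_AUTH_FAIL = """\
debug1: Connecting to 192.0.2.10 [192.0.2.10] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519 SHA256:EXAMPLE
debug1: Authentications that can continue: publickey
Permission denied (publickey).
"""

if __name__ == "__main__":
    for name, log in (("timeout", LOG_TIMEOUT), ("refused", LOG_REFUSED), ("auth", LOG_AUTH_FAIL)):
        print(name, "->", diagnose(log)["verdict"])
```

For the situation in the question, a "tcp_connect" verdict from on-site while the same laptop reaches the server through the reverse tunnel suggests a filter that keys on the source address or on the client-side port, which is worth raising with whoever manages the office network before touching the server.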

Amazon Nodejs webserver

I'm getting stuck here, so I have an Amazon EC2 (standard Red Hat server) host up and working. I can connect to it personally no problem, however it cannot be connected to from outside of my IP.
I've checked the rules and I have ports 80 and 3000 open to 0.0.0.0/0 to be able to communicate, however outside of my computer (and computers in this network) I can not connect.
Everything I've found is about connecting to ssh, which works fine. I have no rules in iptables, I haven't dealt much with them before, but since I can connect to the service I don't think it's the issue.
Summary:
Web server is running, I can connect from my computer to it, and any others in my local network, but nothing outside of it works.
I do have httpd installed as well as a simple forward from the browser to port 3000, however I can't connect to it either from outside my network.
So this is a new one for me, the DNS forwarding works in house, but not outside. So inside and outside here, I can use the IP address to connect, but only inside can I connect with my DNS lookup. Not sure what caused this, but it's not an Amazon problem at least. Going to look at that side.

xampp server (How to get up and running)

I've been developing locally on a little ubuntu netbook with xampp for about 7 months. Two weeks ago I got a computer I'd like to use as a server. I've installed the latest Ubuntu distribution and xampp, moved all my files over, and forwarded port 80. I've also got a domain name from dyndns.com which is being updated by a client which runs in my router (a Netgear WGR6154 v8).
Now, when I try to access my server by typing in the address I got from dyndns.com the browser loads until it times out. I can access everything locally using localhost as the address so I believe xampp is running, just unable to connect with the internet.
In order to be able to view my files over the internet what should I do next?
Thanks to all in advance...
[I'm starting a bounty for the first person to help me get my files successfully online]
You have a combination of issues here, and that is something of a problem. Each issue is complex in and of itself. Here is what I would recommend to get you going for certain.
First verify that you can surf the web from your server. This will confirm that you have a working ethernet interface.
Step 1: make sure that XAMPP and your files are viewable from your home network. I assume you are using something like 192.168.1.X for your network and perhaps your server is 192.168.1.10.
Go to another computer in your house and type http://192.168.1.10/ and see if you can see your files. If you can then you know that the server is properly configured and XAMPP is working.
Then add an entry to your hosts file to resolve yourdnsrecord.com (or whatever your dyndns record is) to your private ip address. Then when you type yourdnsrecord.com into a browser from that computer you should still get your files. This will rule out your server being improperly configured to listen for that domain name.
Next you need to test to see if there is a firewall problem. To simplify this, first remove your home router from the equation. Instead, place your new server directly onto your internet connection (assuming you can). This way, you do not need to have NAT or firewalls properly configured. Your dyndns name should map to a public IP and your server should then have that IP and be connected directly to the Internet. If you have your server directly connected, and the command ifconfig from the root prompt returns the same public IP address that your dynamic dns record is pointing to, then it should work.
It will make your life easier if you have an iphone or some other way to test how your network is seen from the Internet.
If your public IP as shown by ifconfig is different than the IP record in your dyndns account, then your dynamic dns update script is broken. Manually set the IP, and see if things work.
It is very possible that this will not work. Some ISPs firewall port 80 preventing their subscribers from hosting servers. Once you have your server directly connected to the internet you can test this (even if your dns is not working) by using the public IP address. As root, type ifconfig from the command prompt to get your public ip address. Then type the command tcpdump -i eth? port 80 from the root prompt. eth? needs to be the same interface that you saw had a public IP address from the ifconfig command. usually this is eth0 but it might be wire0 or something like that.
This command will show you all traffic coming on port 80 to your server.
From an iphone (or whatever second Internet connection you have) browse to the IP address that you got from your ifconfig command. If you see something on your server (and it is directly connected to your ISP) then your ISP is not firewalling you.
If you can get to your server, when it is directly connected to the Internet, either by IP address or by DynDNS address, then your ISP is OK and it is time to debug your firewall.
Two things need to work for your firewall to be configured: NAT, where the public address that your router gets from your ISP is converted into your private network, and a firewall rule which permits that traffic. If you get this far, then you know your firewall is the problem and then it is just a matter of getting its configuration correct. There are far too many home routers to document here, but you usually can find how-to instructions for your router for this task on the manufacturer's website (usually it is part of the manual).
If you follow these instructions exactly you will get your system working. Make comments on the process and I will be happy to modify this to make it clearer.
HTH,
-FT
You should make sure your XAMPP is not listening only on localhost.
To do so, edit your Apache configuration file and search for the Listen directive.
You should also be able to tell by analysing the output of netstat -a.
After that, make sure your router is forwarding properly; using tcpdump would help.
Drop me a comment if you need more help.
Cheers
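The check in the last answer (Listen directive plus netstat -a) is the same one that applies to the Node.js server on port 3000 in the Amazon thread above: a service bound only to 127.0.0.1 or ::1 answers http://localhost/ and nothing else, which looks exactly like a firewall problem from every other machine. Here is an added example, not from either thread, that parses Apache `Listen` directives and the LISTEN rows of `netstat -a` output and reports, per port, whether anything is bound to an address other hosts can reach. Both inputs are constructed samples; the server names and addresses in them are placeholders.

```python
"""Find services bound only to loopback from Apache config and netstat output (added example)."""
import re

SAMPLE_HTTPD_CONF = """
# Constructed fragment of httpd.conf: port 80 is loopback-only, 8080 is on all interfaces
Listen 127.0.0.1:80
Listen [::1]:80
Listen 8080
ServerName example.test
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:52000      198.51.100.80:443       ESTABLISHED
tcp6       0      0 ::1:3000                :::*                    LISTEN
"""

WILDCARDS = {"0.0.0.0", "::", "*"}
LOOPBACKS = {"127.0.0.1", "::1", "localhost"}


def split_host_port(text):
    """Split 'host:port', '[v6]:port' or a bare 'port' into (host or None, int port)."""
    m = re.fullmatch(r"\[(?P<h>[^\]]+)\]:(?P<p>\d+)", text)
    if m:
        return m.group("h"), int(m.group("p"))
    if text.isdigit():
        return None, int(text)
    host, _, port = text.rpartition(":")   # rpartition keeps IPv6 hosts like '::1' intact
    return host, int(port)


def parse_listen_directives(conf_text):
    """Return [(host or None, port)] for every Apache Listen directive in the text."""
    result = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("listen "):
            continue
        target = line.split()[1]  # an optional trailing protocol word such as 'http' is ignored
        result.append(split_host_port(target))
    return result


def parse_netstat_listeners(netstat_text):
    """Return [(host, port)] for tcp/tcp6 rows in LISTEN state from `netstat -a` output."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            listeners.append(split_host_port(fields[3]))
    return listeners


def externally_reachable(listeners, port):
    """True if some listener on `port` is bound to a wildcard or non-loopback address."""
    for host, p in listeners:
        if p != port:
            continue
        if host is None or host in WILDCARDS or host not in LOOPBACKS:
            return True
    return False


def report(listeners, ports):
    """Map each port to 'reachable', 'loopback only' or 'not listening'."""
    out = {}
    for port in ports:
        if not any(p == port for _, p in listeners):
            out[port] = "not listening"
        elif externally_reachable(listeners, port):
            out[port] = "reachable"
        else:
            out[port] = "loopback only"
    return out


if __name__ == "__main__":
    print(report(parse_listen_directives(SAMPLE_HTTPD_CONF), [80, 8080]))
    print(report(parse_netstat_listeners(SAMPLE_NETSTAT), [80, 3000, 8080, 22]))
```

A "loopback only" result for port 80 or 3000 means no amount of router or security-group work will help until the service is told to bind to 0.0.0.0 (or a specific interface address); on a modern system `ss -ltn` gives the same columns as `netstat -a` for this purpose.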
