[colug-432] SSH

Steve VanSlyck s.vanslyck at spamcop.net
Thu Mar 10 08:57:30 EST 2011


I'm not sure how to do that (scan a public IP address), but I did a ping 
attempt (see below). It may be, though, that my router is configured to 
ignore ping requests from the outside. I can check that tonite.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>ping 24.210.58.99

Pinging 24.210.58.99 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 24.210.58.99:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\>

----- Original Message -----
From: Richard Hornsby <richardjhornsby at gmail.com>
To: Central OH Linux User Group - 432xx <colug-432 at colug.net>
Date: Thu, 10 Mar 2011 07:48:21 -0600
Subject: Re: [colug-432] SSH

> 
> 
> On Mar 10, 2011, at 7:34, "Hal I. Tosis" <dmesg at frontier.com> wrote:
> 
> > Have you tried port scanning your public IP address to see if the port is truly open?
> 
> One thing that comes to mind (someone else may have mentioned this) is that RR might be blocking inbound traffic to high ports on a residential link/account for security purposes. It doesn't mean there aren't any, but I can't think offhand of any well-known services running on ports > 9999 and I don't have an /etc/services handy.
> 
> If you haven't, I would try putting everything back to port 22 first and see if that works. Start with the simplest case/setup - usually the defaults - find success and incrementally build complexity until you reach your desired & working configuration.
> 
> -rj
> 
> > Hal
> > 
> > 
> > 
> > On Thu, Mar 10, 2011 at 06:30:05AM -0500, Steve VanSlyck wrote:
> >> I changed the port number from 22 to something else. I'm simply using
> >> 31210 as an example. I did restart ssh. The command was service sshd
> >> restart. (The OS is CentOS 5.5.)
> >> 
> >> The changed port number was used in the client. I tested both from
> >> across town (with the updated port number) and from somewhere else on
> >> the planet, via an IRC friend.
> >> 
> >> An incorrect port number was the first thing I assumed, so I changed it
> >> back (in ssh_config, sshd_config, on the router) and got the same
> >> result. My initial thinking is to take the router out of the mix since
> >> it's working inside 192.168.X.X but not from outside.
> >> 
> >> 
> >> On Wed, 2011-03-09 at 20:17 -0600, Richard Hornsby wrote:
> >>> On Mar 9, 2011, at 19:51 , Steve VanSlyck wrote:
> >>> 
> >>>> Well, I can ssh from the same box, and ssh from a box on the same
> >>>> network, but cannot ssh from across town. The session times out
> >>>> 
> >>>> Port forwarding is set up on the router (Linksys). Using fake port
> >>>> numbers,
> >>> 
> >>> "fake port numbers"?  port numbers matter, and unlike IP addresses, don't personally identify your machine.  22 is the normal port for SSH, it is listed in /etc/services, and is considered "well-known" for SSH.  Are the port numbers in your email fake?
> >>> 
> >>> If you wish to change the port, that is your prerogative.  There are a couple of things I can think of off hand:
> >>> 
> >>> 1. After changing sshd_config, make sure you restart sshd.  IIRC (it has been a while) on RH variants it is something like
> >>> 
> >>> /etc/init.d/rc.d/sshd restart
> >>> 
> >>> (oh how I miss the days of sending a process a simple HUP to make it re-read the config.)
> >>> 
> >>> 2. You have to specify a non-standard port in your ssh client.  It might be that you're able to log in locally because your client assumes 22, and you haven't restarted sshd yet.  When you try to get in externally, the port forwarding isn't configured for 22 - it is set up for 31210 - but again, sshd isn't listening on 31210.
> >>> 
> >>> 
> >>> These might be obvious, and they're related.
> >>> 
> >>> If for some reason you want ssh to be on a non-standard port on the external facing side, you can always tell your router to port forward external:31210 to internal:22
> >>> 
> >>> I, however, wouldn't go changing it from 22 in the first place.  Just makes things harder on myself and doesn't add any meaningful measure of security.
> >>> 
> >>> -rj
> >>> 
> >>> 
> >>> 
> >>>> 
> >>>> I have sshd_config set to port 31210, ssh_config set to the same thing,
> >>>> and the applications and gaming page on the router forwards port 31210
> >>>> (same number for both start and end of the range) to IP 192.168.1.102,
> >>>> which ifconfig reports as being the box's internal IP address:
> >>>> 
> >>>> [steve at localhost ~]$ ifconfig
> >>>> eth0      Link encap:Ethernet  HWaddr 00:11:85:65:41:38  
> >>>>         inet addr:192.168.1.102  Bcast:192.168.1.255
> >>>> Mask:255.255.255.0
> >>>>         inet6 addr: fe80::211:85ff:fe65:4138/64 Scope:Link
> >>>>         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>>>         RX packets:7360 errors:0 dropped:0 overruns:0 frame:0
> >>>>         TX packets:9076 errors:0 dropped:0 overruns:0 carrier:0
> >>>>         collisions:0 txqueuelen:1000 
> >>>>         RX bytes:6045785 (5.7 MiB)  TX bytes:1255649 (1.1 MiB)
> >>>>         Interrupt:177 Memory:f0300000-f0310000 
> >>>> 
> >>>> lo        Link encap:Local Loopback  
> >>>>         inet addr:127.0.0.1  Mask:255.0.0.0
> >>>>         inet6 addr: ::1/128 Scope:Host
> >>>>         UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>>>         RX packets:1431 errors:0 dropped:0 overruns:0 frame:0
> >>>>         TX packets:1431 errors:0 dropped:0 overruns:0 carrier:0
> >>>>         collisions:0 txqueuelen:0 
> >>>>         RX bytes:2303832 (2.1 MiB)  TX bytes:2303832 (2.1 MiB)
> >>>> 
> >>>> [steve at localhost ~]$
> >>>> 
> >>>> Ideas or thoughts?
> >>>> 
> >>>> 
> >>>> _______________________________________________
> >>>> colug-432 mailing list
> >>>> colug-432 at colug.net
> >>>> http://lists.colug.net/mailman/listinfo/colug-432
> >>> 
> >>> 
> >> 
> 
> 
> 
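The mismatch Richard describes in the quoted thread (sshd_config edited to 31210, but the daemon never restarted, so the router forwards to a port nothing is listening on; or a port bound only to loopback so a forwarded connection can never reach it) can be checked mechanically before touching the router again. The script below is an added example and is not code from anyone in this thread. It parses a constructed sshd_config fragment and constructed `ss -ltn`-style output instead of querying a live system, so it runs offline; the function names, the sample texts and the `192.168.1.102` target (taken from Steve's ifconfig output above) are my own choices.

```python
"""Check that sshd actually listens on the port the router forwards to.

Added example for the thread above: the inputs are constructed text
standing in for a real sshd_config and the output of `ss -ltn`
(`netstat -ltn` on CentOS 5 prints the same columns), so it runs offline.
"""
import re

# Constructed sshd_config fragment: port changed to 31210 as in the thread.
SSHD_CONFIG = """\
#Port 22
Port 31210
Protocol 2
"""

# Constructed `ss -ltn` output from a box whose sshd was NOT restarted
# after the edit: it is still listening on 22 only.
SS_BEFORE_RESTART = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    :::22               :::*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
"""

# Constructed output after `service sshd restart` picked up the new port.
SS_AFTER_RESTART = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:31210       0.0.0.0:*
LISTEN 0      128    :::31210            :::*
"""

# Wildcard bind addresses that a connection arriving from the router can reach.
WILDCARDS = {"0.0.0.0", "::", "*"}


def configured_ports(sshd_config_text):
    """Return the set of Port directives in sshd_config (22 if none are set)."""
    ports = set()
    for line in sshd_config_text.splitlines():
        # sshd keywords are case-insensitive; lines starting with '#' are comments.
        m = re.match(r"\s*port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            ports.add(int(m.group(1)))
    return ports or {22}


def listening_ports(ss_text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    listening = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with ':::22'
        listening.setdefault(int(port), set()).add(addr)
    return listening


def diagnose(sshd_config_text, ss_text, internal_ip, internal_port):
    """Return (finding, port) tuples; an empty list means the forward should work.

    internal_ip/internal_port are the LAN target of the router's port forward.
    The remote client must still pass -p <external port>; that is not checked here.
    """
    findings = []
    listening = listening_ports(ss_text)
    for port in sorted(configured_ports(sshd_config_text)):
        if port not in listening:
            # The config was edited but the daemon never re-read it.
            findings.append(("config-port-not-listening", port))
    if internal_port not in listening:
        # The router forwards to a port nothing on the box is accepting on.
        findings.append(("forward-target-not-listening", internal_port))
    else:
        bound = listening[internal_port]
        if not (bound & WILDCARDS) and internal_ip not in bound:
            # Listening, but only on loopback: unreachable from the router.
            findings.append(("loopback-only", internal_port))
    return findings


if __name__ == "__main__":
    scenarios = [
        ("forward 31210 -> 31210, sshd not restarted", SS_BEFORE_RESTART, 31210),
        ("forward 31210 -> 22, sshd not restarted", SS_BEFORE_RESTART, 22),
        ("forward 31210 -> 31210, after restart", SS_AFTER_RESTART, 31210),
    ]
    for label, ss_output, target in scenarios:
        print(label, "->", diagnose(SSHD_CONFIG, ss_output, "192.168.1.102", target) or "ok")
```

The second scenario is Richard's alternative (forward external 31210 to internal 22): the forward itself passes, and the only remaining finding is the stale config line, which is exactly the state to expect while sshd is still running with its old configuration. On a live box, feed the real files in with `diagnose(open("/etc/ssh/sshd_config").read(), subprocess.check_output(["ss", "-ltn"]).decode(), ...)`.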

