24 Jul
2004
24 Jul
'04
3:12 p.m.
Especially the Windows-Sysadmins poor-sports tend to block everything
they think isn't useful to the "normal" user with their clickorama
firewalls. Why should they block an ssh outgoing connection?
It is possible to run an sshd or telnetd on a different port. So what
well-known ports do you think are normally not blocked by the admins of
universities and internetcafés? I thought of maybe IRC or something else
which people like to play with and would get angry if they couldn't.
What do you think would be the best choice?
24 Jul
24 Jul
4:17 p.m.
Jay Christnach wrote:
It is possible to run an sshd or telnetd on a
different port. So what
It is possible to run sshd on any port you want.
Just edit /etc/ssh/sshd_config or any onter path your distro has chosen
to put sshd_config in. There is a line with the keyword Port. Uncommend
it and change the port number.
Greetings, Patrick Kaell
5:01 p.m.
I don't want to have to stop another service like http,smtp,ftp,pop3, so
So I'm looking for another port that is most likely to work from any site.
A second requirement is that I don't need to install software on the
client side because they won't let me. (except for the ssh/telnet client
putty which is a simple executable which doesn't kneed to be
"installed"). A solution would be a java based thing like what Patrick
Lemmers suggested.
Perhaps there is also a way to encapsulate ssh into http, but what would
I have to run on the http-server to accomplish this?
I'm thinking of a php script with login that would activate/deactivate a
sshd on a different port than normal and set/unset iptables rules
accordingly. But which port to use if I don't want to sacrifice http or
ftp etc.? As a last resort I would shut down ftpd and start sshd on port
21.
What about nntp (119)? I guess this could be a good one.
Patrick Kaell wrote:
Jay Christnach wrote:
It is possible to run an sshd or telnetd on a
different port. So what
It is possible to run sshd on any port you want.
Just edit /etc/ssh/sshd_config or any onter path your distro has chosen
to put sshd_config in. There is a line with the keyword Port. Uncommend
it and change the port number.
Greetings, Patrick Kaell
25 Jul
25 Jul
12:42 a.m.
Jay Christnach a écrit :
Perhaps there is also a way to encapsulate ssh into
http, but what
would I have to run on the http-server to accomplish this?
Have a look at httptunnel.
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 5, rue de Mamer
L-8280 Kehlen
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
3:44 p.m.
On Sat, Jul 24, 2004 at 06:17:13PM +0200, Patrick Kaell wrote:
Jay Christnach wrote:
What about the netbios ports 139 ro the aother one I never remember ? They are most often
open on windows networks.
If not then maybe dns, don't think that on your server you'll have a dns server
running.
It is possible to run an sshd or telnetd on a
different port. So what
It is possible to run sshd on any port you want.
Just edit /etc/ssh/sshd_config or any onter path your distro has chosen
to put sshd_config in. There is a line with the keyword Port. Uncommend
it and change the port number.
Greetings, Patrick Kaell
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
--
Pascal Steichen
pascal.steichen(a)linux.lu
Lilux ASBL
www.lilux.lu
" Linux is like a woman, hard to understand
But very nice once you get under the hood. "
6:54 p.m.
Pascal Steichen wrote:
What about the netbios ports 139 ro the aother one I
never remember ? They are most often open on windows networks.
If not then maybe dns, don't think that on your server you'll have a dns server
running.
YES! How could I forget! I have a DNS caching only server but this is
not really necessary, on my home network (it was a good thing when I
still had a modem connection). I use samba too at home (only on the
internal network card). The other computer I wish to access does not
have a dns or windows networking, but I really doubt that the netbios
ports will be open for traffic across a firewall, but the DNS port is
certainly open since it is required for surfing the web. The only
problem could be that dns is udp whereas ssh requires tcp, I hope the
firewalls are not that restrictive.
Thanks for the hint!
27 Jul
27 Jul
9:36 a.m.
On Saturday 24 July 2004 17:12, Jay Christnach wrote:
Especially the Windows-Sysadmins poor-sports tend to
block everything
they think isn't useful to the "normal" user with their clickorama
firewalls. Why should they block an ssh outgoing connection?
Well, if you have legitimate reason to use so, just ask them to open the
port.
But to me, blocking outgoing connection is a good way to prevent a lot
of attacks, like worms ( where would be slammer if udp was
filtered ? ) , or exploit on weird port. Or even on normal port.
So, there is nothing wrong here. Even if this is really annoying.
--
Mickaël Scherer
7:49 p.m.
Hi,
On Sat, 24 Jul 2004, Jay Christnach wrote:
Especially the Windows-Sysadmins poor-sports tend to
block everything
they think isn't useful to the "normal" user with their clickorama
firewalls.
Standard procedure, as long as you're not talking ISP.
You block everything by default, except what you absolutely need.
This is not "Windows-Sysadmins poor-sports", but normal network
security paranoia (where question is never whether you're paranoid,
but whether you're paranoid enough!). If something's needed, you
get the guy(s) in charge of network security to open that thing
up.
Why should they block an ssh outgoing connection?
Good question. I've heard about setups where they authorized
telnet, but didn't even know what ssh was...
One reason might be that you can tunnel about whatever you like
through simple means with ssh, making life more difficult for
the network security guy.
Normally, I sure wouldn't block ssh (<mode=BOFH>at least originating
from my own machine</mode>).
It is possible to run an sshd or telnetd on a
different port.
You don't want telnetd.
Yes, you can run sshd on whatever port you want. IPCop by default
runs sshd on port 222 IIRC, for instance.
So what
well-known ports do you think are normally not blocked by the admins of
universities and internetcafés?
Often, high ports (over 1024) are not blocked, with the possible
exception of some well-known ports used by P2P software or trojans.
I thought of maybe IRC or something else
which people like to play with and would get angry if they couldn't.
<mode=paranoia>You do know that some viruses spread through certain
well-established IRC clients? mirc on Windows is one often-targeted
client. For that reason alone, you'll see IRC blocked.</mode>
Also, many larger chatservers offer web-interfaces, many users
wouldn't even know what IRC is or that there are specific clients
other than those web-interfaces.
What do you think would be the best choice?
If you want to do some testing, why not listen to traffic on
some linux machine you control (using tcpdump for instance),
and run an nmap scan from the location you want to connect from?
You'd easily see what reaches the server, nmap might tell you
whether certain ports are filtered.
Greets Eric
28 Jul
28 Jul
7:51 p.m.
On Sat, 24 Jul 2004, Jay Christnach wrote:
Why should they block an ssh outgoing connection?
At BEI - EIB (European Investment Bank), even port 443 is blocked, which
means that for security reasons, the SECURE http port (https) is not
allowed...
This way, the use of sites exchanging sensitive information is not
possible, or you have to switch to the unsecure mode (http) if available...
For me, as long as this is the policy applied to a private network, it's
OK. It's the choice of the company to decide what service is provided to
the employee. But for ISPs, it's not acceptable. If all ports that might
contains potentially risks are closed, then there is no more Internet
access. More than that, I consider some providers, such as BCE, Colt,
MCI, Equant, Alternet as telecom providers, not simple end-users ISPs,
and thus they are giving TOTAL FREE access to the Internet. That's what
I'm expecting from an Internet connection, but I'm not a "normal"
end-user...
Just my 0.1 eurocent
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 5, rue de Mamer
L-8280 Kehlen
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
29 Jul
29 Jul
12:58 p.m.
On Wed, Jul 28, 2004 at 09:51:54PM +0200, Brent Frère wrote:
On Sat, 24 Jul 2004, Jay Christnach wrote:
I fully agree with you Brent : Internet acces means INTERNET access not port 25, 80 and
110 access ;)
ciao,
pst
Why should they block an ssh outgoing connection?
At BEI - EIB (European Investment Bank), even port 443 is blocked, which
means that for security reasons, the SECURE http port (https) is not
allowed...
This way, the use of sites exchanging sensitive information is not
possible, or you have to switch to the unsecure mode (http) if available...
For me, as long as this is the policy applied to a private network, it's
OK. It's the choice of the company to decide what service is provided to
the employee. But for ISPs, it's not acceptable. If all ports that might
contains potentially risks are closed, then there is no more Internet
access. More than that, I consider some providers, such as BCE, Colt,
MCI, Equant, Alternet as telecom providers, not simple end-users ISPs,
and thus they are giving TOTAL FREE access to the Internet. That's what
I'm expecting from an Internet connection, but I'm not a "normal"
end-user...
Just my 0.1 eurocent
--
Brent Frère
Private e-mail: Brent(a)BFrere.net
Postal address: 5, rue de Mamer
L-8280 Kehlen
Grand-Duchy of Luxembourg
European Union
Mobile: +352-021/29.05.98
Fax: +352-26.30.05.96
Home: +352-307.341
URL: http://BFrere.net
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
--
Pascal Steichen
pascal.steichen(a)linux.lu
Lilux ASBL
www.lilux.lu
" Linux is like a woman, hard to understand
But very nice once you get under the hood. "
7413
days inactive
7418
days old
10 comments
6 participants
participants (6)
-
Brent Frère -
Eric Dondelinger -
Jay Christnach -
Michael Scherer -
Pascal Steichen -
Patrick Kaell