# SSH Protocol Blocking?

## RayDude

I've been using ssh from work to log into my home machine (located on a DSL connection) for years.

It's great. I had NoMachine set up and could check the network for my wife, look for files and information, do remote copies.

Highly useful.

However this Monday when I came into work I could no longer log in.

I thought maybe they were blocking the port I set up, so I changed to several others, but alas it still doesn't work.

Here's a verbose log (-vvv doesn't provide any more information):

```
ssh -p 2222 me@mydomain.com -vv
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to mydomain.com [my.ip.add.res] port 2222.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/me/.ssh/identity type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/me/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/me/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
debug1: match: OpenSSH_4.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
```

I think the firewall here at work is detecting SSH2_MSG_KEXINIT and severing the connection.

Is there a way to work around this?

I really miss doing my emerge --syncs and emerge -DNuvp world to see what's changed.

Signed,

A Gentoo Addict.
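An added diagnostic (not from the thread or any of its posters): a small Python classifier for OpenSSH client debug output that reports how far the handshake got before the attempt died, which is what separates a filtered port from a session that was reset after the SSH banner exchange, as in the transcript above. The milestone strings are the ones OpenSSH prints with -v; both sample transcripts are constructed, the first abridged from the post above.

```python
import re

# OpenSSH client milestones (printed with -v), in handshake order.
MILESTONES = [
    ("Connection established", "tcp_connected"),
    ("Remote protocol version", "banner_received"),
    ("SSH2_MSG_KEXINIT sent", "kexinit_sent"),
    ("SSH2_MSG_KEXINIT received", "kexinit_received"),
    ("Authentication succeeded", "authenticated"),
]
ERROR_RE = re.compile(r"Connection (refused|timed out|reset by peer|closed by"
                      r" remote host)|No route to host")

def last_milestone(log):
    reached = "none"
    for line in log.splitlines():
        for marker, name in MILESTONES:
            if marker in line:
                reached = name
    return reached

def classify(log):
    """Return (last milestone reached, verdict) for one ssh -v transcript."""
    stage = last_milestone(log)
    if stage == "authenticated":
        return stage, "ok"
    if not ERROR_RE.search(log):
        return stage, "incomplete_log"
    if stage == "none":
        # No TCP session at all: port filtered, host down, or nothing listening.
        return stage, "tcp_blocked_or_closed"
    if stage == "tcp_connected":
        # Something accepted the TCP connection but never sent an SSH banner.
        return stage, "closed_before_banner"
    if stage in ("banner_received", "kexinit_sent"):
        # The server's banner arrived, so sshd was reachable; the session was
        # then reset before its KEXINIT came back. An inline filter that
        # recognises the SSH handshake and resets the session behaves this
        # way. sshd's own log settles it: if it recorded nothing for the
        # attempt, the reset originated between the two hosts.
        return stage, "reset_during_kex"
    return stage, "failed_after_kex"

# Constructed samples: the first is abridged from the transcript in the post.
SAMPLE_RESET = """debug1: Connecting to mydomain.com [my.ip.add.res] port 2222.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer"""
SAMPLE_REFUSED = """debug1: Connecting to mydomain.com [my.ip.add.res] port 2222.
ssh: connect to host mydomain.com port 2222: Connection refused"""

if __name__ == "__main__":
    for sample in (SAMPLE_RESET, SAMPLE_REFUSED):
        print(classify(sample))
```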

----------

## upengan78

Check if connectivity is fine? Try pinging the IP and see if packets are getting dropped?

----------

## RayDude

*upengan78 wrote:*

> Check if connectivity is fine? Try pinging the IP and see if packets are getting dropped?

The connection is fine. I'm running squid and it works fine, and I can get to my router web page as well as my domain's web pages.

And I know I can log in from other places because I remote logged in to a friend's machine from home and then ssh-ed back to my own machine and that worked fine as well.

It's definitely my work's firewall.

Raydude

----------

## upengan78

Can you inquire with the network guys at your workplace if outgoing ssh is blocked?

Sorry, I think it is 2222; ask them about 2222.

There should be something in the server-end logs too.

----------

## RayDude

*upengan78 wrote:*

> Can you inquire with the network guys at your workplace if outgoing ssh is blocked?
>
> Sorry, I think it is 2222; ask them about 2222.
>
> There should be something in the server-end logs too.

I moved it around quite a bit and it gave me the same error message. I even put it on port 22. But no dice.

I will check my server logs when I get home, but I can't now, heh.

And asking the network guys if they are blocking my external ssh access is simply not a good idea in an extremely large organization that likes to record every keystroke you make and every website you hit, and blocks various web pages because of content.

Raydude

----------

## manaka

Try enabling debug mode on your server. Then you will know if the SSH exchange is blocked.

Application filters can be circumvented, though. net-misc/httptunnel and net-misc/socat are handy for this sort of thing.

The decision to try these tools is personal. It will depend on your situation and your organization policies.

----------

## RayDude

*manaka wrote:*

> Try enabling debug mode on your server. Then you will know if the SSH exchange is blocked.
>
> Application filters can be circumvented, though. net-misc/httptunnel and net-misc/socat are handy for this sort of thing.
>
> The decision to try these tools is personal. It will depend on your situation and your organization policies.

Kewl. Thanks.

Raydude

----------

## upengan78

*Quote:*

> And asking the network guys if they are blocking my external ssh access is simply not a good idea in an extremely large organization that likes to record every keystroke you make and every website you hit, and blocks various web pages because of content.

Hope this does not create problems for you when you use the application suggested.

----------

## RayDude

Thanks! httptunnel works like a charm.

As for the "appropriateness" of the whole thing: I'm not doing anything illegal or even immoral. If the company's position is that I'm a security threat, then they need to understand that's true whether or not I have the ability to log in to my home machine. I can do whatever I want with my username and password. To work here I have to be considered trustworthy, so why aren't they trusting me?

If they are doing it to prevent people from breaking in, more power to them, however I can't see how blocking outgoing ssh packets prevents hackers from hacking in.

In my opinion the IS group should focus on preventing people from hacking in via the internet and the local network not on employees accessing the outside world.

Devoting time to foiling my fun is simply a waste of everyone's time.

(Illegal content is a much longer discussion, but IMO it's a waste of time to block illegal sites. People who do illegal things or things against company policy will be caught and fired sooner or later, so why waste time trying to block every little site that _may_ contain questionable content?)

I'm a libertarian at heart (mostly) so maybe I'm just odd that way.

Raydude

----------

## RoundsToZero

They're probably worried about computers on the internal network with viruses that will spam sites with SSH login attempts, which would look like it is the company that is launching the attacks. Anyone who has run a public SSH server (like you) and has looked at the logs knows what I'm talking about. Now what would you think if you saw a bunch coming from *.upstanding-company.com?

----------

## think4urs11

*RayDude wrote:*

> If they are doing it to prevent people from breaking in, more power to them, however I can't see how blocking outgoing ssh packets prevents hackers from hacking in.
>
> In my opinion the IS group should focus on preventing people from hacking in via the internet and the local network not on employees accessing the outside world.

Actually, that's most probably what they do when they don't want you to ssh to a box outside.

What happens if your box at home is hacked and someone is able to use the tunnel *you* have established from inside your office's network to your machine to break into the corporate network via your home box?

Your IT department only has control over machines within their administrative reach - and your home box is not within that reach.

So _you_ extend the LAN to a system outside of their firewalls which they have exactly zero control over. If this box is broken the whole corporate network is open... It is as simple as that.

If your company has an internet usage policy which disallows this kind of tunnel and you have signed it, you have a problem; if not, you might have a problem too but can always state that you did nothing forbidden.

In the latter case I'd fire the one who wrote the policy, but that's another story.

----------

## RayDude

Ah. I understand both points: virus infection and hacker attempts. The issue is: if my external system is insecure, then someone might be able to hack in to my company through my machine. Of course I haven't set up a reverse ssh in months (I used to do that to log in to work when they didn't provide a usable Linux VPN client), but recently I haven't needed to log in, and when I do I use Citrix because it works well.

My machine has been on the internet for years and years and has been through countless attacks (yeah, I have looked at the logs; I even at one time attempted to inform a Chinese company that they should stop trying to hack my machine. Waste of time...).

Still, I get it: they have to protect themselves from this sort of thing. So I'm going to continue to stay off the radar so I can have my Gentoo fun and not make any waves.

Thanks both of you for helping me understand.

Raydude

----------