# SSHing to my computer that's behind a campus firewall...

## hjlane3

Ok here's a problem I have. I currently have my PC hooked up in my dorm room that is connected to the campus network. Now I'm frequently somewhere else on campus with my wireless laptop on the school network too, and want/need to grab some files off my PC (papers, research, etc.). Thing is, they seem to be firewalled from each other. I can't log into my PC from my laptop that's on the wireless side. Is there a way I can log into my PC from the wireless connection, even though the PC is behind a firewall? In the googling I have done it seems tunneling might be my answer, but I'm not quite sure what it is or how it would apply here. Can someone enlighten me on this subject, and explain it to me?

Thanks in advance.

-HJ

----------

## zeky

You won't get past your firewall if the ports for ssh are closed. What about using a VPN? Just a thought...

----------

## ramon

 *hjlane3 wrote:*   

> Ok here's a problem I have. I currently have my PC hooked up in my dorm room that is connected to the campus network. Now I'm frequently somewhere else on campus with my wireless laptop on the school network too, and want/need to grab some files off my PC (papers, research, etc.). Thing is, they seem to be firewalled from each other. I can't log into my PC from my laptop that's on the wireless side. Is there a way I can log into my PC from the wireless connection, even though the PC is behind a firewall? In the googling I have done it seems tunneling might be my answer, but I'm not quite sure what it is or how it would apply here. Can someone enlighten me on this subject, and explain it to me?

 

You need at least one open port on the firewall to be able to reach your computer. I'm guessing but maybe http or https is open.

Once you've found a port on the firewall which allows traffic from the outside to your computer simply reconfigure sshd to answer on that port as well and you're all set.

Grtz Ramon

----------

## zeky

 *ramon wrote:*   

> You need at least one open port on the firewall to be able to reach your computer. I'm guessing but maybe http or https is open.
> 
> Once you've found a port on the firewall which allows traffic from the outside to your computer simply reconfigure sshd to answer on that port as well and you're all set.
> ...

 

WHAT???? Two different services listening on the same port???

I don't think so.

----------

## OdinsDream

 *z3ky wrote:*   

>  *ramon wrote:*   
> 
> You need at least one open port on the firewall to be able to reach your computer. I'm guessing but maybe http or https is open.
> 
> Once you've found a port on the firewall which allows traffic from the outside to your computer simply reconfigure sshd to answer on that port as well and you're all set.
> ...

 

This was the method I used to configure a web server properly for on-campus use. Within campus, port 80 worked fine, while outside of campus, I was only free to use anything above 1024, with the exception of many P2P ports.

I set up Apache to listen on both 80 and 8080. This way people on campus didn't have to remember to put :8080, but people off-campus were still getting the same pages.

The same method was used for sshd. It listened on both 22 and 2222. 

Maybe this violates some stringent standard of which I'm not aware, but it served a purpose, and didn't break anything...

----------

## ramon

 *z3ky wrote:*   

>  *ramon wrote:*   
> 
> You need at least one open port on the firewall to be able to reach your computer. I'm guessing but maybe http or https is open.
> 
> Once you've found a port on the firewall which allows traffic from the outside to your computer simply reconfigure sshd to answer on that port as well and you're all set.
> ...

 

Neither do I, but can you point me to the part where he says he wants to run a webserver? Linux doesn't force you to run a webserver.

Of course he couldn't run two services on the same port; he could however use the http port to log into his box with ssh.

For all I care he could use port 1111 to log into his box, but http is a common open port on firewalls on campuses.

Maybe anything above the privileged ports is allowed and he can use one of those as another poster suggested.

Grtz Ramon

----------

## OdinsDream

Mostly my anecdote was meant to point out that I did indeed have a service (http) running on two ports.

I also mentioned that I did the same thing for the sshd service, running it concurrently on 22 and 2222.

Of course, there's no need to run it on anything but 2222 (or whatever) if you're fine with that.

----------

## andrew_j_w

 *OdinsDream wrote:*   

> Mostly my anecdote was meant to point out that I did indeed have a service (http) running on two ports.

 

But it was suggested that he run two services on one port, not one service on two ports....

----------

## ozonator

 *andrew_j_w wrote:*   

>  *OdinsDream wrote:*   Mostly my anecdote was meant to point out that I did indeed have a service (http) running on two ports. 
> 
> But it was suggested that he run two services on one port, not one service on two ports....

 

Hmmm. I think the "one service listening to two ports" has been conflated with "two services on one port".

It seems to me that ramon's suggestion was essentially just "find a port that's open". It wasn't a suggestion to run two services on one port, which isn't possible simultaneously; nor was it suggested that anyone run the service that normally might belong to the port that's open. The original poster only needs to run one service (sshd), after all. (OdinsDream pointed out that the service could even listen to multiple ports; this isn't necessary, but could be useful in some cases.) If the open port happens to be port 80, that only means the person could run an http server or any other server on that port, not that they are running a web server (open port on firewall != running service on host).

So, at the risk of redundancy, but in the hope that it's clearer:  if port 80 is open (i.e., not blocked by some firewall in between), try putting sshd on port 80.  More generally, if traffic on <some port> gets through, try putting sshd on <some port>.
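An added example, not code from this thread: a small POSIX sh helper that makes sshd answer on an extra port (22 plus 2222 as OdinsDream did, or 80 if that is what gets through) by editing a copy of sshd_config. It covers two details the posts above skip: sshd only defaults to 22 when there is no Port line at all, so the first explicit Port line must keep 22, and Port is a global directive that has to come before any Match block. The file path and ports are whatever you pass in.

```sh
#!/bin/sh
# Constructed example: insert "Port <p>" directives into an sshd_config safely.

# usage: add_sshd_port <config-file> <port>
# Adds "Port <port>" (and "Port 22" if the file had no Port line yet, so the
# implicit default is not lost) ahead of the first Match block. Idempotent.
add_sshd_port() {
    cfg=$1 port=$2
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
    add22=0
    grep -Eq '^[[:space:]]*Port[[:space:]]' "$cfg" || add22=1
    addp=$port
    if grep -Eq "^[[:space:]]*Port[[:space:]]+${port}([[:space:]]|\$)" "$cfg"; then
        addp=""                      # already listening there
    fi
    [ "$add22" = 1 ] || [ -n "$addp" ] || return 0   # nothing to do
    awk -v add22="$add22" -v addp="$addp" '
        function emit() { if (add22) print "Port 22"; if (addp != "") print "Port " addp }
        !done && /^[[:space:]]*Match[[:space:]]/ { emit(); done = 1 }
        { print }
        END { if (!done) emit() }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Ports sshd would bind according to the file (global section only), space separated.
sshd_ports() {
    awk '/^[[:space:]]*Match[[:space:]]/ { exit }
         /^[[:space:]]*Port[[:space:]]/ { s = s (s == "" ? "" : " ") $2 }
         END { print s }' "$1"
}
```

After changing the real file, `sshd -t -f /etc/ssh/sshd_config` validates it before you restart sshd.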

----------

## hjlane3

How can I see what ports are open? As far as I can tell, none of them are...

----------

## BradN

What kind of IP address do you get?  i.e., is it a public IP address, or a private one (10.*.*.* or 192.168.*.* or a couple others) that is only accessible on the local network to begin with?  

If it's a private one, you won't have any way to get incoming connections, and if you really need remote access, you'd have to rig it up to try to connect to something every so often and forward a shell connection or some such...  You might look into using dyndns.org or a similar thing to set as the target (so you can change it remotely) for the outgoing connections.  I don't really know the specifics of how you'd set it up, but it's an idea at least.

If you have a public IP address, you'd just have to think of what sort of ports they would allow to be open... perhaps stuff for some games or things like that?  Is there some communication software that needs a port open locally?  I don't know.  There must be some stuff open, otherwise they wouldn't waste the expense of providing you with public IP addresses.

----------

## hjlane3

I do get a public IP ( 155.31.*.* )...

----------

## ponds

Just scan your IP block (all IPs in XXX.XXX.XXX.*), and see if you can find ports that consistently have servers of different kinds running on them. That port will likely be open.

For me it was 113.

----------

## ozonator

Since your earlier post indicated you might be wondering, likely the best tool for portscanning is nmap.  Another option is hping.

Depending on whether or not your network has a policy regarding whether or not portscanning is allowed, you may want to, uh, scan gently.  For example, scan only a small range of ports and/or machines at a time, possibly in combination with an option like nmap's "-T Sneaky".

You could also just make a guess about which port(s) might be open (113, auth, isn't a bad guess; others might be easy to guess based on what servers might be allowed -- anyone running game servers open to the world? ask around). Then, run sshd on that port, and try connecting. If it doesn't work, however, trial and error likely will cease to be fun pretty quickly. Best of luck.

----------

## ramon

 *hjlane3 wrote:*   

> How can I see what ports are open? As far as I can tell, none of them are...

 

Surf to any security test site and test the connection to your pc/ip. This will give you a quick & dirty idea what ports are open.

If you're running a firewall yourself you can check the logs to see what's coming through.

If you're not running a firewall, ports that list as blocked are probably open on the firewall.

Off the top of my head:

http://grc.com

http://digisec.de

To be absolutely sure you need to run a portscan on your own machine from outside your network. nmap can do this for you; nessus is also an excellent tool.

Grtz Ramon

----------

## sawanv

If you wish to see the current state of your firewall:

```
iptables -L
```

Check that it is allowing ssh in your INPUT chain:

```
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
```

Sawan

----------

## scout

At school I pass the firewall by using the socks5 server which is meant for ICQ: I use the tsocks package and told my "home" computer to forward port 5190 (ICQ) to 22. That's not authorized but they haven't seen it yet. You might also check httptunnel or corkscrew (not in portage) if you want to pass through an http proxy; but all this works only if these proxies let you access your dorm room computer.

----------

## thepeel

If both computers were on all the time, you could initiate a reverse ssh session from within the firewall. Then once outside you could ssh through the initiated tunnel and access everything behind the firewall. This could be done in a similar manner like this:

```
# run on the machine inside the firewall: the outside host forwards its port 22
# (which must be free there, and binding it needs root) back to this machine's sshd
ssh -R 22:localhost:22 -l <user> <ip outside firewall>
```

enter in the password

Yay, you have an ssh tunnel ready to go. You might need to disable some timeout values in the /etc/sshd_config file. I don't know anything about that though.

Then from the computer on the outside ssh to localhost. This connection will then be tunneled through the existing ssh session and into the internal network.

----------

## dma

 *ozonator wrote:*   

> Since your earlier post indicated you might be wondering, likely the best tool for portscanning is nmap.  Another option is hping.
> 
> Depending on whether or not your network has a policy regarding whether or not portscanning is allowed, you may want to, uh, scan gently.  For example, scan only a small range of ports and/or machines at a time, possibly in combination with an option like nmap's "-T Sneaky".
> 
> You could also just make a guess about which port(s) might be open (113, auth, isn't a bad guess; others might be easy to guess based on what servers might be allowed -- anyone running game servers open to the world?  ask around).  Then, run sshd on that port, and try connecting.  If it doesn't work, however, trial and error likely will cease to be fun pretty quickly.      Best of luck.

 

Ahh... once again the RIAA is destroying the internet...

I just nmapped myself from the outside (and I even posted the results on my university webspace!).  It took awhile but it was worth it.  Now I can go home and visit my parents and still have access to my materials.

EDIT: Oddly enough, they didn't block the KaZaA ports...  I guess that would push most students over the edge.  They already rate-limit that port to a mere trickle.

Keep in mind that you are verifying the security of your system (as seen from the Internet) so it shouldn't be illegal to portscan yourself.  People do it all the time.

If ALL inbound connections are blocked, then they have given you some sort of hideous broken substitute for Internet access instead of the real thing.

----------

## professorn

Ever considered talking to the admin(s)?

----------

## garn

At my school dorms have 172.16 IPs, which are internal, and the wireless internet is another network of 172.16s. So I can't ssh from my laptop to my box in my room directly. What I did is I leave an ssh connection open to the ftp server here (which has an external IP) that forwards a port to my port 22.

```
ssh user@host -R2222:localhost:22
```

Then I `ssh user@host -p2222` from the laptop.

However this requires having an ftp server or something with an external IP to use.
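The reverse tunnel that thepeel and garn describe, as an added example that is not code from this thread: run on the dorm PC, it keeps the tunnel to a relay host alive and exits (so it can reconnect) when the relay port is already taken. `relay.example.edu`, the user names and the port numbers are placeholders. The forwarded port is bound to the relay's loopback, so from the laptop you hop through the relay rather than connecting to its port 2222 directly; the direct connection in garn's post only works when the relay's sshd has GatewayPorts enabled.

```sh
#!/bin/sh
# Constructed example. Run on the dorm PC (inside the firewall): it opens an
# outbound ssh session to a relay with a public IP and asks the relay to forward
# its loopback port RELAY_PORT back to this machine's sshd.
RELAY_USER="${RELAY_USER:-user}"
RELAY_HOST="${RELAY_HOST:-relay.example.edu}"   # placeholder relay with a public IP
RELAY_PORT="${RELAY_PORT:-2222}"               # unprivileged, so no root needed on the relay
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"         # where sshd listens on this PC

# ssh arguments for the tunnel:
#   -N                     forward only, no remote shell
#   ExitOnForwardFailure   exit instead of silently continuing if RELAY_PORT is in use
#   ServerAlive*           detect a dead connection within ~90 s so the loop reconnects
#   -R 127.0.0.1:PORT:...  bind on the relay's loopback only; GatewayPorts is not needed
tunnel_args() {
    printf '%s' "-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:${RELAY_PORT}:localhost:${LOCAL_SSH_PORT} ${RELAY_USER}@${RELAY_HOST}"
}

# Reconnect whenever the session drops (idle timeouts, wireless hiccups, relay reboots).
keep_tunnel_up() {
    while :; do
        # shellcheck disable=SC2046  # word splitting of the argument string is intended
        ssh $(tunnel_args)
        echo "tunnel exited with status $?, reconnecting in 10s" >&2
        sleep 10
    done
}

# From the laptop, reach the dorm PC through the relay in one hop (OpenSSH 7.3+):
#   ssh -J "$RELAY_USER@$RELAY_HOST" -p "$RELAY_PORT" dormuser@localhost
# Older clients: ssh to the relay first, then "ssh -p 2222 localhost" from there.
if [ "${START_TUNNEL:-0}" = 1 ]; then
    keep_tunnel_up
fi
```

Start it with `START_TUNNEL=1 sh reverse-tunnel.sh` (any file name works) so that sourcing the file for inspection does not launch the loop.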

----------

