Re: Getting around corporate firewalls to access ssh server
- From: General Schvantzkoph <schvantzkoph@xxxxxxxxx>
- Date: Fri, 17 Mar 2006 17:33:07 -0500
On Fri, 17 Mar 2006 14:10:56 -0600, Moe Trin wrote:

> On Thu, 16 Mar 2006, in the Usenet newsgroup comp.os.linux.networking, in
> article <pan.2006.03.17.04.10.21.766593@xxxxxxxxx>, General Schvantzkoph
> wrote:
>
>> On Thu, 16 Mar 2006 20:54:25 -0600, Moe Trin wrote:
>>
>>> From my view, clean address, resolves both ways, and a known port would
>>> _probably_ get the best results. Security for you comes from having
>>> good usernames, and running on up-to-date Linux (or similar).
>
> When I wrote that, I wasn't aware of your use of their public keys. That
> pretty well takes care of the security angle.
>
>> I checked my IP address using rblcheck and it's clean. I can try swapping
>> the ports on the two servers and put the release server on 22. Do you
>> think the problem is due to the fact that I'm using a non-standard port?
>
> Not knowing your IP address, I can't say for sure, but I would guess that
> to be a strong possibility. A lot is going to depend on the policies and
> paranoia level at the customers. I'm at an R&D facility, and we're very
> restrictive of what the users are allowed to do with the network. We do
> monitor traffic (generally speaking "after the fact"), and we do have
> filters on the routers. I mentioned we block access to "home" netblocks as
> one example. We also block all protocols except TCP, UDP and ICMP, and
> even there we don't allow "everything". I know that (with a few
> exceptions) we block outbound connection starts (SYN) to ports over 1024,
> and (again with exceptions) inbound connection starts to most ports. The
> idea is that our users should be able to initiate "normal" connections to
> remote systems that may reasonably be expected to be work related, and
> that no Internet visible servers exist in the user segment of the network,
> so there would be no reason to allow such inbound connections. (The
> Internet visible stuff is in DMZs and separate networks.)
>
> For those customers where you are having problems, a short note to the
> network operations people (RFC2142 says "NOC@domain" and we do have a
> mailbox with that name - but try the lower case, and 'postmaster'
> addresses if it doesn't work) may elicit some explanation. Whitelisting
> generally has to come from inside user requests, and I think someone here
> already mentioned having a web page or email form letter that your
> customers can use to explain their need to their network/firewall people.
>
> Old guy
Thanks to everyone. I've switched my release server to port 22, hopefully
that will help. I've also e-mailed my IP address to my customers and told
them to contact their IT people and ask them to allow access to my server.
The customer that's having trouble right now is in Japan so I doubt if
I'll know anything before Monday.
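The border policy Moe Trin describes (only TCP, UDP and ICMP; no outbound connection starts to ports above 1024 except by whitelist; no inbound connection starts into the user segment except by whitelist; "home" netblocks blocked outright) is simple enough to model, and the model shows why a vendor's ssh server on a non-standard port is dropped at a site like that until someone inside asks for an exception, while the same server on port 22 gets through. This is an added example written for this page, not code from the thread or from any firewall product; the user segment, the blocked netblocks, the vendor addresses and the exception entries are all constructed for illustration, and connection tracking for non-SYN traffic is deliberately left out.

```python
"""Toy model of the stateful border policy described in the thread.

Added example, not code from the original post or from any product. The
rule set, netblocks and packet samples are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed: the customer's user segment and two "home" ISP netblocks the
# site chooses to block (both from the RFC 5737 documentation ranges).
USER_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
BLOCKED_HOME_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed exceptions, as IT would add them after a user request: one
# vendor release server whitelisted on its non-standard port, and one
# listener (hypothetical) that may receive inbound connection starts.
OUTBOUND_EXCEPTIONS = {("192.0.2.10", 2222)}
INBOUND_EXCEPTIONS = {("10.20.1.5", 443)}

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # TCP flags; a connection start is SYN without ACK
    ack: bool = False


def decide(pkt: Packet) -> tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet crossing the border."""
    if pkt.proto not in ALLOWED_PROTOCOLS:
        return "drop", f"protocol {pkt.proto} not permitted"

    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # "Home" netblocks are refused in either direction, regardless of port.
    for net in BLOCKED_HOME_NETBLOCKS:
        if src in net or dst in net:
            return "drop", f"peer in blocked netblock {net}"

    connection_start = pkt.proto == "tcp" and pkt.syn and not pkt.ack
    outbound = src in USER_SEGMENT and dst not in USER_SEGMENT
    inbound = dst in USER_SEGMENT and src not in USER_SEGMENT

    if connection_start and outbound:
        # Users may open "normal" services; high ports need a whitelist entry.
        if pkt.dport > 1024 and (pkt.dst, pkt.dport) not in OUTBOUND_EXCEPTIONS:
            return "drop", f"outbound SYN to high port {pkt.dport}"
        return "accept", "outbound connection start to a service port"

    if connection_start and inbound:
        # Nothing in the user segment should be reachable from outside.
        if (pkt.dst, pkt.dport) in INBOUND_EXCEPTIONS:
            return "accept", "inbound SYN to whitelisted listener"
        return "drop", "inbound connection start to user segment"

    # Non-SYN TCP, UDP and ICMP would be judged by connection tracking on a
    # real firewall; this model does not implement that and passes them.
    return "accept", "not a connection start"


def vendor_ssh_outcomes(user_host: str = "10.20.3.7") -> dict[str, str]:
    """The scenarios from the thread: same vendor host, ssh on 22 vs. 2222."""
    cases = {
        "ssh to vendor on 22": Packet("tcp", user_host, "192.0.2.11", 22, syn=True),
        "ssh to vendor on 2222": Packet("tcp", user_host, "192.0.2.11", 2222, syn=True),
        "ssh on 2222 after whitelisting": Packet("tcp", user_host, "192.0.2.10", 2222, syn=True),
        "vendor connecting in to a user PC": Packet("tcp", "192.0.2.11", user_host, 22, syn=True),
        "ssh to a host in a blocked home netblock": Packet("tcp", user_host, "203.0.113.5", 22, syn=True),
        "GRE tunnel out": Packet("gre", user_host, "192.0.2.11"),
    }
    return {label: decide(pkt)[0] for label, pkt in cases.items()}


if __name__ == "__main__":
    for label, verdict in vendor_ssh_outcomes().items():
        print(f"{verdict:6}  {label}")
```

The two interesting rows are the second and third: the same server is dropped on 2222 and accepted once an explicit (address, port) exception exists, which is exactly why the advice in the thread is to move the release server to 22 and, failing that, to give customers the address so their own IT can add the whitelist entry.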