Re: SSH Connection Time Problems

From: Erik Trulsson (ertr1013@student.uu.se)
Date: 04/17/02


Date: Wed, 17 Apr 2002 00:35:00 +0200
From: Erik Trulsson <ertr1013@student.uu.se>
To: "Michael W. Collette" <metrol@metrol.net>

On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote:

[This should probably have gone to -questions instead.]

> Recently I have had some problems with getting an SSH connection from my
> FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> FreeBSD. It takes over a minute to establish a connection, which is really
> mucking up the tunnelling of services I have going to them.

Two possibilities come to mind: DNS or ident

> Initially I was thinking that something changed on the web host, as I was able
> to make http and pop3 connections to them without delay. Upon writing them
> about this they suggested that the problem was with network latency. Didn't make
> much sense to me, as latency shouldn't be protocol specific. Even still, I
> contacted my ISP about this.

Probably not DNS then.

>
> The tech at my ISP didn't have any delay getting a connection to the web host.
> He then set me up with a shell account on a RedHat box they were running
> their hosting on. I was able to get an SSH connection directly to them
> without delay.
>
> I'm running IPFW here, so I added a pass everything rule to cancel it out. No
> difference.

Try adding the following rule to your IPFW rule set.

ipfw add reset tcp from any to me 113

Normally when you try to connect with ssh, the ssh daemon at the other
end tries to connect to port 113 (auth) on your machine to see who you
are. If nothing is listening on that port it will eventually continue
anyway.

The 'reset' rule I gave above will immediately return a 'nobody
listening here' message to the other end instead of just dropping the
packet and thus forcing the other to wait for a timeout (which takes
about a minute.)

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
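As an added diagnostic, not part of this thread: a small Python probe that connects to port 113 the way a remote sshd's ident lookup does and reports whether the target refused at once (the effect of the ipfw reset rule), accepted, or stayed silent until the timeout. Run it from a second host against the machine that initiates the ssh connection; the target host and timeout are assumed arguments.

```python
import socket
import time

IDENT_PORT = 113  # the auth/ident port that a remote sshd may probe


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Open a TCP connection to host:port as an ident lookup would and
    report how the target answered.

    Returns (verdict, seconds) where verdict is one of:
      'refused' - the host sent a TCP RST at once (what 'ipfw add reset' does)
      'open'    - something accepted the connection (an identd is running)
      'timeout' - no reply within `timeout`: packets are silently dropped,
                  so a probing sshd waits for its own timeout before going on
      'error'   - some other network failure (e.g. no route to host)
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "refused"
    except socket.timeout:
        verdict = "timeout"
    except OSError:
        verdict = "error"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def delays_ssh_login(verdict):
    """True when the observed behaviour stalls a remote sshd's ident check."""
    return verdict == "timeout"


if __name__ == "__main__":
    import sys
    # assumed usage: python probe.py <host-that-runs-the-ssh-client>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, elapsed = probe_ident(target)
    print(f"{target}:{IDENT_PORT} -> {verdict} after {elapsed:.2f}s")
    if delays_ssh_login(verdict):
        print("port 113 is silently dropped; hosts doing ident lookups "
              "will wait for a timeout before completing the ssh login")
```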

