Re: SSH connection thru corporate firewall to home sshd on Port 80

From: Andrew E. Schulman (andrew-schulman@deadspam.com)
Date: 02/16/02


From: Andrew E. Schulman <andrew-schulman@deadspam.com>
Date: Fri, 15 Feb 2002 21:12:09 -0500


> Hello all. I'm perplexed by the results of an effort to establish a ssh
> session and perhaps someone can explain this to me.
>
> I have a FreeBSD server running sshd listening on port 80 at home.
> I can successfully establish a ssh session from a Winnt/putty:80 box the
> internet to this SSHD:80 server (no firewall involved).
> When I take the same Winnt machine behind a corporate firewall which passes
> outgoing port 80 connections, I cannot establish a ssh session to the same
> sshd:80 home server.
>
> The firewall is a Checkpoint and I've also tested it against an
> IPChains/Linux flavor without success.
>
> While testing behind the Checkpoint, I could successfully port scan the
> FreeBSD server on port 80 and get a response using nmapNT.
> Additionally, I captured the client traffic of the ssh/putty attempt where I
> could see the 3-way handshake (syn, syn/ack, ack) with my home server but
> nothing more. What gives?
>
> Is the firewall dropping my packets because they are not legit http packets
> (i.e. Layer 7 filtering)?

That would be a simple explanation for the problem. My company's
firewall does the same. A likely solution: run your sshd on port 443,
instead of port 80. Since this is usually used for encrypted (SSL)
connections, some firewalls (e.g. my company's) don't bother trying to
filter at the application level on port 443.

-- 
To reply by e-mail, change "deadspam" to "home"
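
The application-level check discussed in this thread, sketched as an added example (not code from either poster or from any firewall product): classify the first payload bytes of a connection and compare them with what the destination port is supposed to carry. The function names, the `inspected_ports` parameter and the sample payloads are assumptions constructed for illustration.

```python
import re

# SSH identification string, "SSH-protoversion-softwareversion" (RFC 4253, section 4.2).
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[\x21-\x7e]+")
# HTTP/1.x request line.
HTTP_REQUEST = re.compile(
    rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d\r\n")

# What each port is expected to carry (assumed policy for this example).
EXPECTED_ON_PORT = {80: "http", 443: "tls"}


def classify_first_bytes(payload: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if SSH_BANNER.match(payload):
        return "ssh"
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    return "unknown"


def verdict(dst_port: int, payload: bytes, inspected_ports: set) -> str:
    """Port-only filtering for uninspected ports, protocol match otherwise."""
    if dst_port not in inspected_ports:
        return "allow (port only)"
    proto = classify_first_bytes(payload)
    if proto == EXPECTED_ON_PORT.get(dst_port):
        return "allow"
    return f"block: {proto} on port {dst_port}"


# Constructed sample payloads (not captured traffic).
SSH_HELLO = b"SSH-2.0-PuTTY_Release_0.80\r\n"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"

if __name__ == "__main__":
    for ports in ({80}, {80, 443}):
        for port, data in ((80, HTTP_GET), (80, SSH_HELLO),
                           (443, TLS_HELLO), (443, SSH_HELLO)):
            print(sorted(ports), port, classify_first_bytes(data),
                  "->", verdict(port, data, ports))
```

With only port 80 inspected, the SSH banner is blocked on 80 but passes on 443; adding 443 to the inspected set flags it there too, because an SSH identification string is not a TLS ClientHello.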


