Re: [gentoo-user] Bizarre SSH connection reset

2008-03-13 Thread Collin Starkweather

fire-eyes wrote:


I don't have the pcap file yet ;) Not much I can do.


Pardon the delay in reply.  I've been getting behind on my reading.   
The capture has been forwarded.


Cheers,

-Collin

--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-13 Thread Chris Brennan

Mick wrote:
| On Monday 10 March 2008, Dan Farrell wrote:
| On Mon, 10 Mar 2008 15:43:55 -0400
|
| Mike Edenfield [EMAIL PROTECTED] wrote:
| Comcast?
| I was on comcast for a long time (2.5 yrs) and never had a problem like
| this.  They might have blocked port 25 and squelched my bittorrenting
| at times, but never anything like this.  Of course, ymmv.
|
| IIRC they also block port 80 for sure on their retail accounts.  They
| don't want the average punter to run a webserver at home.

This isn't exactly true; I'm a comcast subscriber and I successfully run
ssh/httpd and I bittorrent legal stuff on occasion and I've never been
squelched by the upstream servers.

If anyone desires proof, contact me off-list and I shall provide this
aspect.



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-12 Thread fire-eyes
Collin:  it may not be a 5-second rule.  It may just be cutting it off 
after a certain amount of traffic has passed based on the protocol/port 
used.  But I'm just speculating.  Let's hear what fire-eyes has to say.


--
- Mark Shields


I don't have the pcap file yet ;) Not much I can do.



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-11 Thread Mick
On Tuesday 11 March 2008, Dan Farrell wrote:
 On Mon, 10 Mar 2008 22:51:42 +

 Mick [EMAIL PROTECTED] wrote:
  On Monday 10 March 2008, Dan Farrell wrote:
   On Mon, 10 Mar 2008 15:43:55 -0400
  
   Mike Edenfield [EMAIL PROTECTED] wrote:
Comcast?
  
   I was on comcast for a long time (2.5 yrs) and never had a problem
   like this.  They might have blocked port 25 and squelched my
   bittorrenting at times, but never anything like this.  Of course,
   ymmv.
 
  IIRC they also block port 80 for sure on their retail accounts.  They
  don't want the average punter to run a webserver at home.

 Even when they blocked port 25 for me bidirectionally (evidently
 sending 6 gigs through that port made me look like a spammer, even if
 it was all to the same address ;) ), and I called security assurance
 and they listed that among all the open ports I wasn't allowed on a
 residential account, even then, they still didn't block port 80 (or 26,
 22, 21, 110, 993, or any other port!).

Hmm, I don't know . . . The particular address I was trying to connect to was 
definitely blocked.  Other than not being able to connect with a browser, 
nc, httping and tcptraceroute confirmed it.  Could it be an area/account-specific 
block perhaps?  When I questioned the owner he said that this was 
common practice and that his ISP does not allow webservers to run.
-- 
Regards,
Mick




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-11 Thread fire-eyes
Hmm, I don't know . . . The particular address I was trying to connect to was 
definitely blocked.  Other than not being able to connect with a browser, 
nc, httping and tcptraceroute confirmed it.  Could it be an area/account-specific 
block perhaps?  When I questioned the owner he said that this was 
common practice and that his ISP does not allow webservers to run.


Get me a full packet capture of the entire ssh session, and I'll have a 
look at it.


Install tcpdump if you don't have it: emerge tcpdump

If you already have it or it's now installed, as root, just before you 
start the session:


tcpdump -i dev -s 0 host IP and port PORT -w ssh-session-1.pcap

where host is the IP you are connecting to, PORT is the port you're 
connecting to, and dev is the network interface it's going through (such 
as eth0).


Log in, do your thing, and after the ssh session craps, ctl-c the 
tcpdump. Send the file directly to me, [EMAIL PROTECTED] The 
information I'll be able to see is the client and server IP, port, ssh 
client version, and user name, fyi.


I'll reply directly to you and if you agree, we'll post the findings to 
the list.




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-11 Thread Mike Edenfield

Mick wrote:

On Tuesday 11 March 2008, Dan Farrell wrote:

On Mon, 10 Mar 2008 22:51:42 +

Mick [EMAIL PROTECTED] wrote:

On Monday 10 March 2008, Dan Farrell wrote:

On Mon, 10 Mar 2008 15:43:55 -0400

Mike Edenfield [EMAIL PROTECTED] wrote:

Comcast?

I was on comcast for a long time (2.5 yrs) and never had a problem
like this.  They might have blocked port 25 and squelched my
bittorrenting at times, but never anything like this.  Of course,
ymmv.

IIRC they also block port 80 for sure on their retail accounts.  They
don't want the average punter to run a webserver at home.

Even when they blocked port 25 for me bidirectionally (evidently
sending 6 gigs through that port made me look like a spammer, even if
it was all to the same address ;) ), and I called security assurance
and they listed that among all the open ports I wasn't allowed on a
residential account, even then, they still didn't block port 80 (or 26,
22, 21, 110, 993, or any other port!).


Hmm, I don't know . . . The particular address I was trying to connect to was 
definitely blocked.  Other than not being able to connect with a browser, 
nc, httping and tcptraceroute confirmed it.  Could it be an area/account-specific 
block perhaps?  When I questioned the owner he said that this was 
common practice and that his ISP does not allow webservers to run.


When I was on Comcast, the only ports they blocked outright, 
that I found, were mail related.  Presumably this was a spam 
prevention measure more than anything else.


However, they did *monitor* other common ports for traffic. 
 Occasionally I'd put some local service or another on my 
firewall during development, or for testing, or whatnot.  If 
it happened to be on port 80, 443, or 21, I'd usually get a 
nasty-gram from them within a day reminding me of their AUP.


--Mike




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-11 Thread Mark Shields
On Tue, Mar 11, 2008 at 10:30 AM, Mike Edenfield [EMAIL PROTECTED] wrote:

 Mick wrote:
  On Tuesday 11 March 2008, Dan Farrell wrote:
  On Mon, 10 Mar 2008 22:51:42 +
 
  Mick [EMAIL PROTECTED] wrote:
  On Monday 10 March 2008, Dan Farrell wrote:
  On Mon, 10 Mar 2008 15:43:55 -0400
 
  Mike Edenfield [EMAIL PROTECTED] wrote:
  Comcast?
  I was on comcast for a long time (2.5 yrs) and never had a problem
  like this.  They might have blocked port 25 and squelched my
  bittorrenting at times, but never anything like this.  Of course,
  ymmv.
  IIRC they also block port 80 for sure on their retail accounts.  They
  don't want the average punter to run a webserver at home.
  Even when they blocked port 25 for me bidirectionally (evidently
  sending 6 gigs through that port made me look like a spammer, even if
  it was all to the same address ;) ), and I called security assurance
  and they listed that among all the open ports I wasn't allowed on a
  residential account, even then, they still didn't block port 80 (or 26,
  22, 21, 110, 993, or any other port!).
 
  Hmm, I don't know . . . The particular address I was trying to connect to was
  definitely blocked.  Other than not being able to connect with a browser,
  nc, httping and tcptraceroute confirmed it.  Could it be an area/account-specific
  block perhaps?  When I questioned the owner he said that this was
  common practice and that his ISP does not allow webservers to run.

 When I was on Comcast, the only ports they blocked outright,
 that I found, were mail related.  Presumably this was a spam
 prevention measure more than anything else.

 However, they did *monitor* other common ports for traffic.
  Occasionally I'd put some local service or another on my
 firewall during development, or for testing, or whatnot.  If
 it happened to be on port 80, 443, or 21, I'd usually get a
 nasty-gram from them within a day reminding me of their AUP.

 --Mike



Who knows, their Sandvine equipment is horrendous.  But let's not get off
topic.

Collin:  it may not be a 5-second rule.  It may just be cutting it off
after a certain amount of traffic has passed based on the protocol/port
used.  But I'm just speculating.  Let's hear what fire-eyes has to say.

-- 
- Mark Shields


Re: [gentoo-user] Bizarre SSH connection reset

2008-03-10 Thread Mike Edenfield

Dan Farrell wrote:

On Sun, 9 Mar 2008 20:16:09 -0400
Mark Shields [EMAIL PROTECTED] wrote:

  

Are you thinking his ISP is doing port-based connection filtering?



What kind of connection filtering allows a connection to go through for
5 seconds, then resets it?
  

Comcast?



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-10 Thread Dan Farrell
On Mon, 10 Mar 2008 15:43:55 -0400
Mike Edenfield [EMAIL PROTECTED] wrote:

 Comcast?

I was on comcast for a long time (2.5 yrs) and never had a problem like
this.  They might have blocked port 25 and squelched my bittorrenting
at times, but never anything like this.  Of course, ymmv.  



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-10 Thread Mick
On Monday 10 March 2008, Dan Farrell wrote:
 On Mon, 10 Mar 2008 15:43:55 -0400

 Mike Edenfield [EMAIL PROTECTED] wrote:
  Comcast?

 I was on comcast for a long time (2.5 yrs) and never had a problem like
 this.  They might have blocked port 25 and squelched my bittorrenting
 at times, but never anything like this.  Of course, ymmv.

IIRC they also block port 80 for sure on their retail accounts.  They don't 
want the average punter to run a webserver at home.
-- 
Regards,
Mick




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-10 Thread Brian Marshall
On Mon, 10 Mar 2008 22:51:42 +
Mick [EMAIL PROTECTED] wrote:

 On Monday 10 March 2008, Dan Farrell wrote:
  On Mon, 10 Mar 2008 15:43:55 -0400
 
  Mike Edenfield [EMAIL PROTECTED] wrote:
   Comcast?
 
  I was on comcast for a long time (2.5 yrs) and never had a problem
  like this.  They might have blocked port 25 and squelched my
  bittorrenting at times, but never anything like this.  Of course,
  ymmv.
 
 IIRC they also block port 80 for sure on their retail accounts.  They
 don't want the average punter to run a webserver at home.
httpd has been on port 80 behind Comcast since forever with no problems.




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-10 Thread Dan Farrell
On Mon, 10 Mar 2008 22:51:42 +
Mick [EMAIL PROTECTED] wrote:

 On Monday 10 March 2008, Dan Farrell wrote:
  On Mon, 10 Mar 2008 15:43:55 -0400
 
  Mike Edenfield [EMAIL PROTECTED] wrote:
   Comcast?
 
  I was on comcast for a long time (2.5 yrs) and never had a problem
  like this.  They might have blocked port 25 and squelched my
  bittorrenting at times, but never anything like this.  Of course,
  ymmv.
 
 IIRC they also block port 80 for sure on their retail accounts.  They
 don't want the average punter to run a webserver at home.

Even when they blocked port 25 for me bidirectionally (evidently
sending 6 gigs through that port made me look like a spammer, even if
it was all to the same address ;) ), and I called security assurance
and they listed that among all the open ports I wasn't allowed on a
residential account, even then, they still didn't block port 80 (or 26,
22, 21, 110, 993, or any other port!).  



[gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Collin Starkweather
To preface the question, I should mention that I'm currently residing  
in China, so communication with the networking guys on this end is a  
bit difficult because the communication algorithm typically begins,  
Step 1: Learn Chinese.


I am having difficulties with getting bumped out of an SSH connection  
from a server in the U.S. with Connection reset by peer maybe 5-10  
seconds after logging in.


It *only* occurs in my apartment; i.e., when I go to a local wifi  
hotspot, I have no difficulties whatsoever.  So I don't think it's  
coming from my end, and I don't think it's coming from the server I'm  
logging in to.


Some details:

1) To ensure that I'm not having problems with keepalives, I  
configured SSHD on the other end very liberally (with some  
impressively fast typing, if I do say so myself).  In sshd_config, I  
have


TCPKeepAlive no
ClientAliveInterval 15
ClientAliveCountMax 12

2) I then set ethereal running.  Just as I got bumped, it indicated

  Source        Destination   Protocol  Info
  (the server)  (my laptop)   TCP       22 > 1259 [RST, ACK] Seq=5357 Ack=4037 Win=63856 Len=0

I'm not a networking guy, but I think that means a reset packet is  
being sent, ostensibly from the server.


3) When I get bumped, ssh -vvv gives the following

  debug1: channel 0: free: client-session, nchannels 1
  debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)
  debug3: channel 0: close_fds r 4 w 5 e 6 c -1
  Read from remote host www.bogusdomain.com: Connection reset by peer
  Connection to www.bogusdomain.com closed.
  debug1: Transferred: stdin 0, stdout 0, stderr 126 bytes in 17.1 seconds
  debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 7.4
  debug1: Exit status -1

If the reset is not coming from the server or the client (I don't have  
any problems when I'm at a hotspot), where could it be coming from?


Thanks in advance,

-Collin

--
Collin Starkweather, Ph.D.
http://www.linkedin.com/in/collinstarkweather




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Mick
On Sunday 09 March 2008, Collin Starkweather wrote:
 To preface the question, I should mention that I'm currently residing
 in China, so communication with the networking guys on this end is a
 bit difficult because the communication algorithm typically begins,
 Step 1: Learn Chinese.

I would argue that your Chinese domain is blacklisted due to exhaustive number 
of owned MSWindows boxen and botnets that ping the rest of us without 
respite, from China.  I really wish their step 1 was learn how to protect 
your PC, even if it runs an illegitimate Mickey Mouse OS.  /sarcasm

 I am having difficulties with getting bumped out of an SSH connection
 from a server in the U.S. with Connection reset by peer maybe 5-10
 seconds after logging in.

 It *only* occurs in my apartment; i.e., when I go to a local wifi
 hotspot, I have no difficulties whatsoever.  So I don't think it's
 coming from my end, and I don't think it's coming from the server I'm
 logging in to.

 Some details:

 1) To ensure that I'm not having problems with keepalives, I
 configured SSHD on the other end very liberally (with some
 impressively fast typing, if I do say so myself).  In sshd_config, I
 have

 TCPKeepAlive no
 ClientAliveInterval 15
 ClientAliveCountMax 12

Why don't you leave keepalive On?  I would switch that flag to yes and perhaps 
increase the Interval to 60 seconds or more?

 2) I then set ethereal running.  Just as I got bumped, it indicated

Source        Destination   Protocol  Info
(the server)  (my laptop)   TCP       22 > 1259 [RST, ACK] Seq=5357 Ack=4037 Win=63856 Len=0

The packet flag [RST, ACK] indicates that the port is closed.

 I'm not a networking guy, but I think that means a reset packet is
 being sent, ostensibly from the server.

Yep, to indicate that the port has closed.

 3) When I get bumped, ssh -vvv gives the following

debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Read from remote host www.bogusdomain.com: Connection reset by peer
Connection to www.bogusdomain.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 126 bytes in 17.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 7.4
debug1: Exit status -1

The server closes the connection.

 If the reset is not coming from the server or the client (I don't have
 any problems when I'm at a hotspot), where could it be coming from?

Are you using the same NIC on the laptop?  If yes, then the issue could be 
related to your router configuration, but my money is on your keepalive 
settings.  See if my suggestions above help.
-- 
Regards,
Mick




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Collin Starkweather

Quoting Mick [EMAIL PROTECTED]:

I would argue that your Chinese domain is blacklisted due to exhaustive number
of owned MSWindows boxen and botnets that ping the rest of us without
respite, from China.  I really wish their step 1 was learn how to protect
your PC, even if it runs an illegitimate Mickey Mouse OS.  /sarcasm


You're not whistlin' Dixie ... every USB stick I've ever been handed  
in China has a virus on it.



Are you using the same NIC on the laptop?  If yes, then the issue could be
related to your router configuration, but my money is on your keepalive
settings.  See if my suggestions above help.


Thanks.  I'll give it a shot.

-Collin




Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Andrey Falko
   Are you using the same NIC on the laptop?  If yes, then the issue could be
   related to your router configuration, but my money is on your keepalive
   settings.  See if my suggestions above help.

  Thanks.  I'll give it a shot.

  -Collin

Something to try if the above does not work... a long shot if it
works, but you can try setting the server to listen on another port,
like .



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Mark Shields
On Sun, Mar 9, 2008 at 12:03 PM, Andrey Falko [EMAIL PROTECTED] wrote:

   Are you using the same NIC on the laptop?  If yes, then the issue could be
   related to your router configuration, but my money is on your keepalive
   settings.  See if my suggestions above help.
 
   Thanks.  I'll give it a shot.
 
   -Collin

 Something to try if the above does not work... a long shot if it
 works, but you can try setting the server to listen on another port,
 like .


Are you thinking his ISP is doing port-based connection filtering?

-- 
- Mark Shields


Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Dan Farrell
On Sun, 9 Mar 2008 20:16:09 -0400
Mark Shields [EMAIL PROTECTED] wrote:

 Are you thinking his ISP is doing port-based connection filtering?

What kind of connection filtering allows a connection to go through for
5 seconds, then resets it?



Re: [gentoo-user] Bizarre SSH connection reset

2008-03-09 Thread Collin Starkweather

Quoting Dan Farrell [EMAIL PROTECTED]:


On Sun, 9 Mar 2008 20:16:09 -0400
Mark Shields [EMAIL PROTECTED] wrote:


Are you thinking his ISP is doing port-based connection filtering?


What kind of connection filtering allows a connection to go through for
5 seconds, then resets it?


I've been wondering the same thing.  Typically, one wouldn't even  
expect to get through in the first place if there were filtering.


The Great Firewall of China works by immediately sending hangup  
packets to both sides, spoofing they're coming from the appropriate  
party.  But typically that happens the instant you try to establish a  
connection.  Moreover, because I can get in from the local hotspot, I  
wouldn't imagine it's a Great Firewall issue.


Some ISPs and the university campus (I believe I'm going through the  
local university's ISP) do their own filtering, but I can't imagine  
why a 5-second rule would be implemented.


-Collin

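Collin's point that injected resets come from a third party spoofing the server is something fire-eyes' capture can actually test: a reset generated by a middlebox on the path has travelled a different number of hops than the server's own segments and so usually arrives with a different IP TTL. The Python below is an added example, not code from this thread; it parses raw Ethernet/IPv4/TCP frames rather than a .pcap file, and the session it inspects is constructed inline with RFC 5737 documentation addresses, not taken from any real capture.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags field).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_frame(frame):
    """Decode an Ethernet/IPv4/TCP frame into a dict; None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 14 or ip[9] != 6:                  # not TCP
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "ttl": ip[8], "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
    }


def classify_resets(frames, server):
    """For every RST carrying the server's address, compare its IP TTL with the
    TTLs the server used on its own non-RST segments. A different TTL means the
    RST travelled a different number of hops, i.e. it most likely came from a
    middlebox spoofing the server rather than from the server itself."""
    pkts = [p for p in map(parse_frame, frames) if p and p["src"] == server]
    genuine_ttls = sorted({p["ttl"] for p in pkts if not p["flags"] & RST})
    findings = []
    for p in pkts:
        if p["flags"] & RST:
            verdict = "consistent" if p["ttl"] in genuine_ttls else "ttl-mismatch"
            findings.append({"seq": p["seq"], "ttl": p["ttl"],
                             "server_ttls": genuine_ttls, "verdict": verdict})
    return findings


def build_frame(src, dst, sport, dport, ttl, seq, ack, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; the
    parser above does not verify them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


# Constructed sample session using RFC 5737 documentation addresses: the server
# answers with TTL 52 throughout, then a "server" RST arrives with TTL 118.
SERVER, CLIENT = "198.51.100.10", "192.0.2.20"
SAMPLE = [
    build_frame(CLIENT, SERVER, 1259, 22, 64, 1000, 0, SYN),
    build_frame(SERVER, CLIENT, 22, 1259, 52, 5000, 1001, SYN | ACK),
    build_frame(CLIENT, SERVER, 1259, 22, 64, 1001, 5001, ACK),
    build_frame(SERVER, CLIENT, 22, 1259, 52, 5001, 1001, PSH | ACK),
    build_frame(SERVER, CLIENT, 22, 1259, 118, 5357, 4037, RST | ACK),  # the suspect
]

if __name__ == "__main__":
    for f in classify_resets(SAMPLE, SERVER):
        print(f)   # one finding: TTL 118 vs server TTLs [52] -> ttl-mismatch
```

Fed the frames from a real capture, an RST flagged ttl-mismatch points at something on the path, while a consistent TTL points back at the server and its sshd settings.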