Re: ssh from 012 cable to server in US fail
On Tue, Apr 28, 2009 at 11:10 AM, Rami Addady r...@active.co.il wrote:

> Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
> ssh -v -l user 111.111.111.111

Try to see if

    /sbin/ifconfig eth0 mtu 1200

helps (or whatever your Ethernet NIC might be).

When Israeli ISPs play with QoS boxes, they have this weird side effect of lowering the MTU... And I have been experiencing MTU issues lately in 012 (as a business user on a fiber connection). For me, going down to 1400 sufficed in solving all the weird connectivity issues I had. I am asking you to try lower because if you're on cables, there are MORE tunnels involved... if it solves the problem, you can go up on a trial-and-error game.

HTH,
-- Shimi

___ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
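Added example (not part of the original thread): the trial-and-error MTU search suggested in the message above, done as a binary search for the largest packet that crosses the path unfragmented. It assumes Linux iputils ping (`-M do` sets Don't Fragment); the function names and the simulated probe are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: binary-search the largest IPv4 packet
# size (the path MTU) that reaches a host without fragmentation.
# Function names and the simulated probe are constructed for illustration.

# probe_ping SIZE HOST: succeed if one DF-flagged echo of SIZE total bytes gets
# a reply. Linux iputils ping: -M do forbids fragmentation, -s is ICMP payload.
probe_ping() {
    payload=$(( $1 - 28 ))          # minus 20-byte IPv4 + 8-byte ICMP headers
    ping -M do -c 1 -W 2 -s "$payload" "$2" >/dev/null 2>&1
}

# probe_sim SIZE HOST: constructed stand-in for a path that silently drops
# anything larger than SIM_MTU bytes, so the search can be run offline.
probe_sim() {
    [ "$1" -le "${SIM_MTU:-1400}" ]
}

# find_path_mtu HOST [LOW] [HIGH]: print the largest size in LOW..HIGH that
# passes. Returns 1 if even LOW fails (host down, or echo filtered entirely).
find_path_mtu() {
    host=$1
    lo=${2:-576}
    hi=${3:-1500}
    probe=${PROBE:-probe_ping}

    "$probe" "$lo" "$host" || return 1
    if "$probe" "$hi" "$host"; then
        echo "$hi"                  # full-size packets pass: no MTU problem
        return 0
    fi
    # Invariant: LOW passes and HIGH fails, so halve the gap each round.
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# With a host argument, probe it for real; with none, run the offline simulation.
if [ "$#" -ge 1 ]; then
    find_path_mtu "$@" || echo "no reply even at the low bound" >&2
else
    PROBE=probe_sim
    echo "simulated path MTU: $(find_path_mtu simulated.invalid)"
fi
```

A result below 1500 is the value to try with `ifconfig ... mtu`. A QoS box may treat ICMP echo differently from TCP port 22, so confirm the chosen value with an actual ssh attempt.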
Re: ssh from 012 cable to server in US fail
Thanks for all the replies.

Now, after 3 days, it suddenly started to work. I didn't make any change on either side. My guess is that 012 blocks port 22 abroad, because of some ssh worm that attacks from local PCs and consumes bandwidth etc.

Rami

shimi wrote:

> On Tue, Apr 28, 2009 at 11:10 AM, Rami Addady r...@active.co.il wrote:
>
> > Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> > It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
> > ssh -v -l user 111.111.111.111
>
> Try to see if /sbin/ifconfig eth0 mtu 1200 helps (or whatever your Ethernet NIC might be).
>
> When Israeli ISPs play with QoS boxes, they have this weird side effect of lowering the MTU... And I have been experiencing MTU issues lately in 012 (as a business user on a fiber connection). For me, going down to 1400 sufficed in solving all the weird connectivity issues I had. I am asking you to try lower because if you're on cables, there are MORE tunnels involved... if it solves the problem, you can go up on a trial-and-error game.
>
> HTH,
> -- Shimi
Re: ssh from 012 cable to server in US fail
Hi,

Can't change the port number. Some users connect to this server from port 22.

Rami

Tzafrir Cohen wrote:

> On Tue, Apr 28, 2009 at 11:10:30AM +0300, Rami Addady wrote:
>
> > Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
>
> Trial and error: what if you use a different port number for the server? For testing:
>
>     /usr/sbin/sshd -D -p 1234
RE: ssh from 012 cable to server in US fail
FWIW, Netvision, although they've started blocking outgoing SMTP (port 25), still allow SSH with no problems, both locally and to the US. I doubt that it's a Big Brother type of issue (yet). Who was it that said not to attribute to malice that which can be attributed to stupidity?

Chag Sameach,
Rony

-----Original Message-----
From: linux-il-boun...@cs.huji.ac.il [mailto:linux-il-boun...@cs.huji.ac.il] On Behalf Of Ira Abramov
Sent: Tuesday, April 28, 2009 1:58 PM
To: linux-il@cs.huji.ac.il
Subject: Re: ssh from 012 cable to server in US fail

Quoting Tomer Cohen, from the post of Tue, 28 Apr:

> Hi, I had the same issue yesterday evening (012, cable). After few hours I periodically tried, I was able to access the machines (one is located in Dreamhost, the other at sourceforge.net), but very slowly and with sudden disconnections after about one minute of each connection.

these all sound annoyingly like the adventures a friend of mine had when connecting to my server from china, including obvious man-in-the-middle attacks, such as each time he tried to connect, the server would display a different host key.

If the state of Israel has started building a great firewall they are both doing it wrong, as well as against the current law. very sad :-(

> On Tue, Apr 28, 2009 at 11:10, Rami Addady r...@active.co.il wrote:
>
> > Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> > It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
> >
> > ssh -v -l user 111.111.111.111
> > OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Connecting to ... port 22.
> > debug1: Connection established.
> > debug1: identity file /home/user/.ssh/identity type -1
> > debug1: identity file /home/user/.ssh/id_rsa type -1
> > debug1: identity file /home/user/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> > debug1: match: OpenSSH_4.3 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > ... after a few minutes...
> > Connection closed by 111.111.111.111
> >
> > Any idea what's wrong?
> > Rami
>
> --
> Tomer Cohen http://tomercohen.com
> H. L. Mencken - It is even harder for the average ape to believe that he has descended from man. http://www.brainyquote.com/quotes/authors/h/h_l_mencken.html

--
The way of the world
Ira Abramov http://ira.abramov.org/email/
Re: ssh from 012 cable to server in US fail
Hi,

We are not aware of such a problem, and if one exists, it is not intentional. Please provide me with some more information off-list (IP addresses, capture files of connection attempts if possible, etc.), and we will look into it.

--imriz
Re: ssh from 012 cable to server in US fail
On Tuesday 28 April 2009 13:57:36 Ira Abramov wrote:

> these all sound annoyingly like the adventures a friend of mine had when connecting to my server from china, including obvious man-in-the-middle attacks, such as each time he tried to connect, the server would display a different host key.
>
> If the state of Israel has started building a great firewall they are both doing it wrong, as well as against the current law. very sad

A bit paranoid, aren't we? :)
Re: ssh from 012 cable to server in US fail
2009/4/29 ronys ro...@gmx.net:

> FWIW, Netvision, although they've started blocking outgoing SMTP (port 25), still allow SSH with no problems, both locally and to the US. I doubt that it's a Big Brother type of issue (yet). Who was it that said not to attribute to malice that which can be attributed to stupidity?

Yesterday afternoon, Netvision was randomly blocking port 25 and 587, pop3 (110) and 995. I called to complain and when I got through the phone maze, I was hung up on. By around 10pm last night, things were back to normal: 587, 110 and 995 were working. SSH, HTTP and HTTPS worked the entire time. I use a HOT cable modem and a PPTP tunnel.

I'll go with your second explanation.

BTW, does anyone know who the new Minister of Telecommunications is? The English press reported that there was one, but never mentioned who it was.

Geoff.

--
Geoffrey S. Mendelson N3OWJ/4X1GM
Jerusalem, Israel
Re: ssh from 012 cable to server in US fail
Hi Geoffrey,

On Thu, Apr 30, 2009 at 07:31:43AM +0300, Geoffrey Mendelson wrote:

> BTW, does anyone know who the new Minister of Telecommunications is? The English press reported that there was one, but never mentioned who it was.

According to the page at http://www.moc.gov.il/137-en/MOC.aspx (English), the minister of communication is Moshe Kachlon (Likud).

baruch

--
Tk Open Systems
bar...@tkos.co.il - tel: +972.2.679.5364, http://www.tkos.co.il
Re: ssh from 012 cable to server in US fail
On Tue, Apr 28, 2009 at 11:10:30AM +0300, Rami Addady wrote:

> Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine!

So you can look at the server logs and see what went wrong. You can also try and run it with '-v' to add verbosity there too. If you do, first try it on a local machine to make sure you do not kill it accidentally.

I have no idea re the actual problem.

-- Didi
Re: ssh from 012 cable to server in US fail
Can you provide the server logs? (The connected site)

It can easily shed light on the subject. On RHEL the log file of interest is /var/log/secure.

- Noam

On Tue, Apr 28, 2009 at 11:10 AM, Rami Addady r...@active.co.il wrote:

> Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
>
> ssh -v -l user 111.111.111.111
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to ... port 22.
> debug1: Connection established.
> debug1: identity file /home/user/.ssh/identity type -1
> debug1: identity file /home/user/.ssh/id_rsa type -1
> debug1: identity file /home/user/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> ... after a few minutes...
> Connection closed by 111.111.111.111
>
> Any idea what's wrong?
> Rami
Re: ssh from 012 cable to server in US fail
Hi,

I had the same issue yesterday evening (012, cable). After few hours I periodically tried, I was able to access the machines (one is located in Dreamhost, the other at sourceforge.net), but very slowly and with sudden disconnections after about one minute of each connection.

On Tue, Apr 28, 2009 at 11:10, Rami Addady r...@active.co.il wrote:

> Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
>
> ssh -v -l user 111.111.111.111
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to ... port 22.
> debug1: Connection established.
> debug1: identity file /home/user/.ssh/identity type -1
> debug1: identity file /home/user/.ssh/id_rsa type -1
> debug1: identity file /home/user/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> ... after a few minutes...
> Connection closed by 111.111.111.111
>
> Any idea what's wrong?
> Rami

--
Tomer Cohen http://tomercohen.com
H. L. Mencken - It is even harder for the average ape to believe that he has descended from man. http://www.brainyquote.com/quotes/authors/h/h_l_mencken.html
Re: ssh from 012 cable to server in US fail
Please follow these steps:

1. I will highly suggest to launch wireshark when you try to ssh. If you see a RST, I won't be surprised at all. You may see a RST that comes from your IP. Don't be surprised.
2. You must understand the following thing: they have clients rank A and clients rank D. From the farm it is possible to ssh (client rank A). From work/home directly you are client rank D. Take into consideration that you ssh to the USA; you waste their bandwidth.
3. Try to ssh to the USA server from another server that doesn't use 012.
4. Try to ssh to a server in Israel and compare.
5. Try to run the following command: tcptraceroute -v the ip you want 22 and see where it gets stuck (timing).
6. I smell a Deep Packet Inspection. I will be very happy to be proved wrong.

On Tue, Apr 28, 2009 at 12:37 PM, Rami Addady r...@active.co.il wrote:

> Hi,
>
> > Can you provide the server logs? (The connected site)
>
> There is no new entry in /var/log/secure
>
> > You can also try and run it with '-v' to add verbosity there too.
>
> The -v output can be found in my first post.
>
> Thanks,
> Rami
>
> Noam Meltzer wrote:
>
> > Can you provide the server logs? (The connected site)
> > It can easily shed light on the subject. On RHEL the log file of interest is /var/log/secure.
> >
> > - Noam
> >
> > On Tue, Apr 28, 2009 at 11:10 AM, Rami Addady r...@active.co.il wrote:
> >
> > > Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> > > It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
> > >
> > > ssh -v -l user 111.111.111.111
> > > OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug1: Connecting to ... port 22.
> > > debug1: Connection established.
> > > debug1: identity file /home/user/.ssh/identity type -1
> > > debug1: identity file /home/user/.ssh/id_rsa type -1
> > > debug1: identity file /home/user/.ssh/id_dsa type -1
> > > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> > > debug1: match: OpenSSH_4.3 pat OpenSSH*
> > > debug1: Enabling compatibility mode for protocol 2.0
> > > debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> > > debug1: SSH2_MSG_KEXINIT sent
> > > debug1: SSH2_MSG_KEXINIT received
> > > debug1: kex: server->client aes128-cbc hmac-md5 none
> > > debug1: kex: client->server aes128-cbc hmac-md5 none
> > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > ... after a few minutes...
> > > Connection closed by 111.111.111.111
> > >
> > > Any idea what's wrong?
> > > Rami
Re: ssh from 012 cable to server in US fail
Quoting Tomer Cohen, from the post of Tue, 28 Apr:

> Hi, I had the same issue yesterday evening (012, cable). After few hours I periodically tried, I was able to access the machines (one is located in Dreamhost, the other at sourceforge.net), but very slowly and with sudden disconnections after about one minute of each connection.

these all sound annoyingly like the adventures a friend of mine had when connecting to my server from china, including obvious man-in-the-middle attacks, such as each time he tried to connect, the server would display a different host key.

If the state of Israel has started building a great firewall they are both doing it wrong, as well as against the current law. very sad :-(

> On Tue, Apr 28, 2009 at 11:10, Rami Addady r...@active.co.il wrote:
>
> > Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.
> > It's not a FW issue because the ssh session starts. When I try to ssh, it starts and after some time fails; here is the debug session.
> >
> > ssh -v -l user 111.111.111.111
> > OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug1: Connecting to ... port 22.
> > debug1: Connection established.
> > debug1: identity file /home/user/.ssh/identity type -1
> > debug1: identity file /home/user/.ssh/id_rsa type -1
> > debug1: identity file /home/user/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> > debug1: match: OpenSSH_4.3 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_3.9p1
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > ... after a few minutes...
> > Connection closed by 111.111.111.111
> >
> > Any idea what's wrong?
> > Rami
>
> --
> Tomer Cohen http://tomercohen.com
> H. L. Mencken - It is even harder for the average ape to believe that he has descended from man. http://www.brainyquote.com/quotes/authors/h/h_l_mencken.html

--
The way of the world
Ira Abramov http://ira.abramov.org/email/
Re: ssh from 012 cable to server in US fail
On Tue, Apr 28, 2009 at 11:10:30AM +0300, Rami Addady wrote:

> Hi, I have a weird problem: starting this morning I can't ssh to a server in the US from some computers that connect to the Internet using 012 cables. But if I ssh to a server in the 012 farm and then from it to the US server, it works fine! I called 012 technical support but they didn't help me.

Trial and error: what if you use a different port number for the server? For testing:

    /usr/sbin/sshd -D -p 1234

--
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
ICQ# 16849754         |                    | friend