I've had a handful of clients contact me over the last week with
trouble using SCP (usually WinSCP) to manage their website content on
my servers. Either they get timeout messages from WinSCP or a message
saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick
tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was
blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be
listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
Just a friendly heads-up to anyone from Frontier who might be
listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
Can't help to add that there are
- port 21 that allow users to give commands to examine
the existence and initiate transfers of illegal files;
- ports 1025 - 65535 that allow users to create data streams
to actually transfer illegal files in an (oh my) passive mode.
I wonder if their support is just confused, and Frontier is really blocking outbound tcp/22 to stop complaints generated by infected customers with sshd scanners. After all, most of their customers probably don't know what SSH is.
It's been a while since I did this, but you can select an additional
port to accept SSH connections. A Google search indicates you can
specify multiple ports in OpenSSH. Picking the right port to use is an
exercise, though, that will depend on what other services you are
running on your server.
People with sane ISPs can use the standard port. People on Frontier can
use the alternate port, which shouldn't be firewalled by the provider.
If Frontier is running a mostly-closed firewall configuration, then you
have to be damn careful about the port you select.
Stephen Satchell schreef op 26-3-2015 om 12:24:
Stephen Satchell <list@satchell.net> writes:
It's been a while since I did this, but you can select an additional
port to accept SSH connections.
That's easy:
jens@screen:~$ grep Port /etc/ssh/sshd_config
Port 22
Port 443
Picking the right port to use is an exercise, though, that will depend
on what other services you are running on your server.
I always have at least one sshd listening on port 443. For all the
hotel, coffee house, customer networks blocking ssh.
You can even multiplex and run ssh and ssl on the same port:
http://www.rutschle.net/tech/sslh.shtml
Jens
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list:
http://www.frontierhelp.com/faq.cfm?qstid=277
All, I have reached out to Aaron privately for details, but we do not block port 22 traffic unless it is in direct response to an attack or related item. Please let me know directly if you have any specific questions.
Thanks,
-Jeff
Nothing helps promote a free and open Internet more than micromanaging
your users' download activity.
Not really sure how someone comes to the conclusion that nobody really
*needs* ssh for anything.
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> writes:
Someone with Frontier contacted me off-list and assured me they don't
block port 22, and that it could have been related to port scans,
infected PCs, etc... They are looking in to it.
Apologies for the noise and for being a prat.
-A