Friday, July 24, 2009

SSH Port Blocking and CSE-Xeon server Tragedy

There has been quite an uproar over the Xeon-64 servers not accepting connections from CSE students of my batch.

Abstract

[ For those who just want to know, "can I get to that fucking machine anyway?" ]

The problem, to put it in accurate technical terms, is port blocking on outbound traffic. SSH runs on port 22 (the default, and what the Xeon server uses), and the CIC network guys have blocked all outbound traffic on port 22 for most of the halls (at least RK, RP, NH and more...).

So the simple thing is this: YOU CANNOT HAVE ANY TRAFFIC ON PORT 22 OUTSIDE THE HALLS. Local (inside-hall) traffic still works. So if you are too desperate for the 64-bit lady, there are three solutions from me:

1. Get the Xeon server's SSH port changed to something other than 22, say 4455.
2. OR ask the CIC/Wipro guys to turn the stupid firewall off.
3. Ask the guys at the hall server rooms whether they can get you through.

Details

Let's see what exactly the scene is. I won't talk much theoretical nonsense, but rather show you some concrete output to support the facts.

First, I will ssh to the Xeon (10.5.18.75) server with my user:

----------------------------------------------------------------------------------------------------------
sanket@sanket-desktop:~$ ssh sanketa@10.5.18.74
ssh: connect to host 10.5.18.74 port 22: No route to host
----------------------------------------------------------------------------------------------------------

Clearly I cannot reach the server!

Now I shall try to ssh into Avishek's machine, which is in the same hall as I am:

----------------------------------------------------------------------------------------------------------
sanket@sanket-desktop:~$ ssh avishekbanerjee@10.110.11.209
The authenticity of host '10.110.11.209 (10.110.11.209)' can't be established.
RSA key fingerprint is 99:15:20:66:1f:d7:de:f9:24:be:dc:99:2a:62:6d:26.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.110.11.209' (RSA) to the list of known hosts.
avishekbanerjee@10.110.11.209's password:
----------------------------------------------------------------------------------------------------------

Evidently Avishek's system is open for me on port 22.

Another, more "technical" check, using nmap.

Xeon server: nmap -p22 10.5.18.75

----------------------------------------------------------------------------------------------------------
sanket@sanket-desktop:~$ nmap -p22 10.5.18.75
Starting Nmap 4.62 ( http://nmap.org ) at 2009-07-24 19:52 IST
Interesting ports on 10.5.18.75:
PORT STATE SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 13.085 seconds
----------------------------------------------------------------------------------------------------------

Avishek's machine: nmap -p22 10.110.11.209
----------------------------------------------------------------------------------------------------------
sanket@sanket-desktop:~$ nmap -p22 10.110.11.209
Starting Nmap 4.62 ( http://nmap.org ) at 2009-07-24 19:53 IST
Interesting ports on 10.110.11.209:
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 13.052 seconds
----------------------------------------------------------------------------------------------------------

The results are evident: the Xeon server gets no port 22 request, it shows up as filtered! But my friend Avishek is very comfy with the thing :D

It's actually an easy test to see if your outbound traffic is blocked. Just try to ssh into a machine you know ought to be working, and if you can't reach it... you're doomed.

What I have shown here is outbound traffic blocking; inbound traffic is actually totally okay. Try sshing into your computer from department computers and don't be surprised at the results. ;)

Here's the proof. The machine I will be using is kept in the CSE department and I have access to it (somehow). All department machines have open outbound traffic, so if I got a filtered result when scanning my machine in the hall, that would mean the machine in the hall is refusing!

----------------------------------------------------------------------------------------------------------
mailinglist@maillist-cse:~$ nmap -p22 10.110.11.10

Starting Nmap 4.76 ( http://nmap.org ) at 2009-07-24 20:00 IST
Interesting ports on 10.110.11.10:
PORT STATE SERVICE
22/tcp open ssh

Nmap done: 1 IP address (1 host up) scanned in 5.69 seconds
----------------------------------------------------------------------------------------------------------

I am OPEN! If you realize the gravity of the results so far, I can go further and explain the network you're inside.
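The "easy test" above and the three nmap states it relies on, as an added example that is not part of the original post: a small TCP probe that reports open, closed or filtered the way nmap does, and explains why ssh printed "No route to host" for the Xeon server (an ICMP unreachable from the firewall, which nmap also counts as filtered). The function names and the localhost listener are constructed for this post.

```python
import errno
import socket

# Assumed helper names for this example: classify_error(), probe_port(),
# outbound_blocked(), start_local_listener() are not nmap's or the post's code.

def classify_error(err):
    """Map a connect() errno to an nmap-style port state."""
    # A RST (connection refused) means the host answered and nothing listens: "closed".
    if err == errno.ECONNREFUSED:
        return "closed"
    # ICMP unreachable/prohibited (what ssh showed as "No route to host") or a
    # silent drop both mean a filter sits in the path: "filtered".
    if err in (errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT):
        return "filtered"
    return "unknown"

def probe_port(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unknown' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"          # no SYN/ACK, no RST, no ICMP: dropped
        except OSError as e:
            return classify_error(e.errno)

def outbound_blocked(known_good_host, port=22, timeout=3.0):
    """The post's test: a host known to run sshd that probes as 'filtered'
    means the block is on our outbound path, not on that server."""
    return probe_port(known_good_host, port, timeout) == "filtered"

def start_local_listener():
    """Constructed stand-in for a reachable sshd: a listener on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # ephemeral port, no real sshd needed
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_local_listener()
    print("listener  :", probe_port("127.0.0.1", port))   # open
    srv.close()
    print("after close:", probe_port("127.0.0.1", port))  # closed (RST)
```

Run it from a hall machine against a department host instead of 127.0.0.1 to reproduce the filtered-versus-open split the nmap output above shows.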

At the basic layer is a hall, which is connected to a server (often called the Server Room, as you all know it). This server, rather a gateway, connects to the CIC network shells (at CIC), and that's where they put the port blocking etc.! But I don't know why they've put it in place only for some of the halls.
What I suspect is that, by redirecting the port 22 traffic to some open machine and then bouncing requests off that machine, you could be helped out of this port 22 menace. So if the people at the server room are intelligent enough, you're in God's hands I guess :).
