New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
ISP Blocks SSH (port 22), workarounds?
My current ISP blocks SSH, so I'm looking for workarounds to get a shell into my vps box (OpenVZ, Ubuntu). One option is web based consoles, and there are a few of them (paid and free).
Other than that, I was wondering if:
(a) changing the SSH port from 22 to something else could help? Sorry I may sound technically retarded, but do ISP's block a port (e.g. 22) or a protocol (e.g. SSH)?
(b) Is it ever fine to share the VPS root password with tech-support if they ask for it?
Comments
I can answer part b for you, your root password is like your bank account. Anyone who is supposed to have access to it doesn't need to ask you for it, and anyone who isn't will ask you for it. In most support cases, they should have their own methods of accessing your VPS without needing to ask for your password.
Maybe I can answer part a. And this question is never technically retarded.
Yes, SSH can be detected as a protocol. But chances are they are not blocking the whole protocol - just the port for some damned reason.
Try to switch to another random port(maybe 21? 53? 443?) and give it a shot.
Also, complain to the ISP. Blocking 22 isn't doing anything good.(Unless you live in Mainland China, well, they are not the same animal...)
For the a :
To b)
If this is a OpenVZ container, host has access to all your files anyways.
Change it to something temporary (well, every password should be temporary anyway, but make sure that it's unique, not shared with other services you use and that you change it when it's not needed for host anymore).
It's still not good idea just give it because it stays in ticket system permanently - unless it's just for this specific occasion and then changed.
You can make a port redirection with iptables.
Also please do not call such an organization an Internet Service Provider.
Cancel your contract, don't support bad company behavior.
You can try Tor
Move SSH to port 443. It's the least likely to be blocked.
Even better, you can use sslh to run both SSH and HTTPS on the same port.
Thanks! I was looking for something like this a looong time!
True, but not in some cases where hosts contract their support via some agency.
http://lowendtalk.com/discussion/28727/why-would-host-ask-me-for-my-root-pass
Have you checked your router settings?
Try chaging to port 443 if it's not in use, I had done this before. My work place network blocked port 22 except for local network or certain whitelist through their proxy server
Why use port 22 in the first place? 1 & 1 on server security always recommend using another port then 22, as one of many security measures on your Linux server.
Who is this odious ISP?
Some people advise it, others advise against it. I personally change my port to something else, it seriously reduces brute force attempts.
I use
AllowUsers [email protected]Port xxxxxOnly root user has access, has to be from one of my IPs, and a non standard SSH port.
IMO you shouldn't use default port 22. I always change it after installing the OS.
Does this mean the vm was never provisioned in the first place? No root access if provider doesn't allow ssh.......interesting, unless there is cp. Wonder how you managed to access
@TobyG - Use tunnel or change SSH port ?
Century does have a point, what error does it show or what does it do when you do try connect to SSH, are you sure it's your ISP?
A workaround like stated above would be best to change the port, which is good security practice to avoid brute-force attempts anyway.
On Openvz your host should have direct access as-is and I would only provide a temporary password, to change it immediately after they've finished.
Wow, sounds great. But is it secure? I mean if that software gets comprimised can't it be like a permanent mitm? (did just read your post, didn't study the way that software works)
ISP blocks SSH, not VPS provider. VPS provider provisioned the box just fine. I've been managing the VPS through SSH over the years. It's only when I recently changed my ISP that I couldn't get into the box as usual.
Connection timed out. To ensure it's the ISP and not something else, I'm going to try from a totally different network.
I don't think that's possible. Your ISP will not know you're connecting to SSH. Would you mind if I tried? Just IP will do.
This normally happens if your vps is offline or you are connecting to the wrong port or blocked by firewall.
Appreciate the help, but I stated that I've been regularly logging into by box without issues until I switched ISPs. If the box went down, my website wouldn't be accessible either, which is not the case.
Turns out my suspicion is correct. I tried on a different network and logged into my box as usual, no issues.
These morons (current ISP) needs to sort things out. Support ticket opened at their end. Let's see how this plays out.
Good for you but I just wonder how that could happen. Please do update this thread when you get a reply from your ISP. Really curious.
There are a few ISPs who have firewalls that do block SSH and other services, but I've only seen it inbound. Like for instance in my ISP, Internode, where they block incoming SSH, FTP and other services by default to protect the customer.
Any downside to this, say, a possibility of some kind of conflict using same port (443) for both SSH and SSL?
@TobyG I once observed that port 22 was blocked in a Verizon router. In that case, the blocking was on the verizon dsl router at home rather than at the ISP. Logging in to the router and changing some settings unblocked port 22. ( search for your ISP / router mfg and look for ssh blocking) The final answer on this thread might be what I did.. but its too long to remember the exact steps. I do remember it was a router config to unblock 22
http://forums.verizon.com/t5/FiOS-Internet/Outbound-SSH-connection-seemingly-blocked/td-p/418745
There is an alternative to sslh which is stunnel4 using sni, which I've found here http://tyy.host-ed.me/pluxml/article4/port-443-for-https-ssh-and-ssh-over-ssl-and-more
The protocol should appear to be https, useful if the ssh protocol is being blocked.
Not useful if the webserver isn't nginx.