...making Linux just a little more fun!
raj [raj at technofina.com]
Wed, 29 Nov 2006 14:53:27 -0500
Hi James,

My name is Raj and I work as a technical recruiter at Technofina Inc.; we are a New York based software consulting firm. I work as a Unix admin too sometimes (I suck at it, though). Well, coming to the problem: I have a Red Hat Linux based system at our office which we use to train students on Java/J2EE. The problem is that students are able to access the Linux server (using ssh) from the office intranet, but not via the Internet from their homes. The students are able to ping the server (we have a static IP assigned to us by the ISP). I need your help in resolving the above problem.
Thanks in advance
Thanks,
-- Raj Technical Recruiter Technofina Inc. 45 West, 34 street. New York 10001, NY. E-Mail: raj@technofina.com Phone : 212-629-7483. Fax : 646-219-2466
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Wed, 29 Nov 2006 21:24:36 +0100 (MET)
On Wed, 29 Nov 2006 14:53:27 -0500 "raj" <raj@technofina.com> wrote:
> the problem, I have a Red Hat Linux based system at our office
> which we use to train students on Java/J2EE, the problem is that
> students are able to access the Linux server (using ssh) from the
> office intranet, but not via internet from their homes.
> The students are able to ping the server (we have a
> static IP assigned to us by the ISP).
I'm not familiar with Red Hat -- but have a look at the firewall configuration and check if there are any restrictions for port 22 (ssh) on your machine (or the router which keeps the line to the outside world). This could also be your ISP -- but ping getting through and ssh not would be weird. On the other hand there are still ISPs out there which never heard of anything newer than telnet -- so asking them anyway might not hurt.
K.-H.
Karl-Heinz Herrmann [kh1 at khherrmann.de]
Wed, 29 Nov 2006 21:29:54 +0100 (MET)
[I forgot Raj's CC anyway, so here with something more]
On Wed, 29 Nov 2006 14:53:27 -0500 "raj" <raj@technofina.com> wrote:
> the problem, I have a Red Hat Linux based system at our office
> which we use to train students on Java/J2EE, the problem is that
> students are able to access the Linux server (using ssh) from the
> office intranet, but not via internet from their homes.
> The students are able to ping the server (we have a
> static IP assigned to us by the ISP).
I'm not familiar with Red Hat -- but have a look at the firewall configuration and check if there are any restrictions for port 22 (ssh) on your machine (or the router which keeps the line to the outside world). This could also be your ISP -- but ping getting through and ssh not would be weird. On the other hand there are still ISPs out there which never heard of anything newer than telnet -- so asking them anyway might not hurt.
Just in case you are talking about technofina.com (70.86.149.8):
:~> ping technofina.com
PING technofina.com (70.86.149.8) 56(84) bytes of data.
64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=1 ttl=108 time=210 ms
64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=2 ttl=108 time=211 ms
64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=3 ttl=108 time=210 ms

--- technofina.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 210.325/210.683/211.379/0.492 ms

:~> telnet 70.86.149.8 22
Trying 70.86.149.8...
telnet: connect to address 70.86.149.8: Connection refused

and this was a very quick reply, so something was not just letting me run into a blocked firewall but the connection was actively refused, which means firewall or ssh config. Is sshd running on its own or started on demand via [x]inetd and a wrapper which checks permissions to connect?
K.-H.
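Added example (not part of Karl-Heinz's message or of the original thread): the difference between a quick "Connection refused" and a silent timeout, which the message above relies on, turned into a Python check that also reads the SSH banner when the port is open. The name probe_tcp and the 127.0.0.1 target are assumptions for illustration.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt.

    Returns (state, detail) where state is:
      "open"     - handshake completed; detail is the first banner line, if any
      "refused"  - a TCP reset came back: the host is reachable, but nothing
                   listens there (or a firewall rule rejects with a reset)
      "filtered" - no answer before the timeout: packets are being dropped
      "error"    - anything else (no route, name resolution failure, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return ("refused", "RST received")
    except socket.timeout:
        return ("filtered", "no reply within %.1fs" % timeout)
    except OSError as e:
        return ("error", errno.errorcode.get(e.errno, str(e)))
    else:
        # sshd speaks first, so an open SSH port yields "SSH-2.0-..." here.
        try:
            data = s.recv(256)
        except OSError:
            data = b""
        banner = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
        return ("open", banner)
    finally:
        s.close()


if __name__ == "__main__":
    # Assumed target: the sshd on the machine you are logged in to.
    print(probe_tcp("127.0.0.1", 22))
```

Run from inside the office network and again from an outside connection, "open" inside and "refused" or "filtered" outside narrows the problem to the router, the firewall or the ISP rather than sshd itself.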
Benjamin A. Okopnik [ben at linuxgazette.net]
Wed, 29 Nov 2006 23:21:34 -0500
On Wed, Nov 29, 2006 at 09:29:54PM +0100, Karl-Heinz Herrmann wrote:
> Just in case you are talking about technofina.com (70.86.149.8):
>
> :~> ping technofina.com
> PING technofina.com (70.86.149.8) 56(84) bytes of data.
> 64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=1 ttl=108 time=210 ms
> 64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=2 ttl=108 time=211 ms
> 64 bytes from 8.95.5646.static.theplanet.com (70.86.149.8): icmp_seq=3 ttl=108 time=210 ms
>
> --- technofina.com ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 1999ms
> rtt min/avg/max/mdev = 210.325/210.683/211.379/0.492 ms
>
> :~> telnet 70.86.149.8 22
> Trying 70.86.149.8...
> telnet: connect to address 70.86.149.8: Connection refused
>
> and this was a very quick reply, so something was not just letting me
> run into a blocked firewall but the connection was actively refused,
> which means firewall or ssh config. Is sshd running on its own or
> started on demand via [x]inetd and a wrapper which checks permissions to
> connect?
I doubt that there's a firewall there - or that it's the right box.
ben@Fenrir:~$ nmap -v -A technofina.com

Starting Nmap 4.11 ( https://www.insecure.org/nmap/ ) at 2006-11-29 23:00 EST
Machine 70.86.149.8 MIGHT actually be listening on probe port 80
DNS resolution of 1 IPs took 0.29s.
Initiating Connect() Scan against 8.95.5646.static.theplanet.com (70.86.149.8) [1680 ports] at 23:01
Discovered open port 21/tcp on 70.86.149.8
Discovered open port 3389/tcp on 70.86.149.8
Discovered open port 25/tcp on 70.86.149.8
Discovered open port 554/tcp on 70.86.149.8
Discovered open port 443/tcp on 70.86.149.8
Discovered open port 80/tcp on 70.86.149.8
Discovered open port 1234/tcp on 70.86.149.8
Discovered open port 808/tcp on 70.86.149.8
Discovered open port 1222/tcp on 70.86.149.8
Discovered open port 1755/tcp on 70.86.149.8
Discovered open port 3306/tcp on 70.86.149.8
Discovered open port 1248/tcp on 70.86.149.8
Discovered open port 2105/tcp on 70.86.149.8
The Connect() Scan took 423.03s to scan 1680 total ports.
Initiating service scan against 13 services on 8.95.5646.static.theplanet.com (70.86.149.8) at 23:08
Stats: 0:07:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 23:08 (0:00:15 remaining)
The service scan took 72.83s to scan 13 services on 1 host.
Host 8.95.5646.static.theplanet.com (70.86.149.8) appears to be up ... good.
Interesting ports on 8.95.5646.static.theplanet.com (70.86.149.8):
Not shown: 1662 closed ports
PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           Rhinosoft Serv-U FTP
25/tcp   open     smtp          Microsoft ESMTP 6.0.3790.1830
80/tcp   open     http          Microsoft IIS webserver 6.0
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https?
445/tcp  filtered microsoft-ds
554/tcp  open     rtsp          Microsoft Windows Media Server 9.0.0.3372
808/tcp  open     ccproxy-http?
1023/tcp filtered netvenuechat
1222/tcp open     msrpc         Microsoft Windows RPC
1234/tcp open     http          Microsoft IIS httpd
1248/tcp open     nsclient      Netsaint Windows Client
1755/tcp open     wms?
2105/tcp open     msrpc         Microsoft Windows RPC
3306/tcp open     mysql         MySQL 4.1.12-nt
3389/tcp open     microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
Service Info: Host: w3.hamarashehar.com; OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 503.064 seconds

That's a bunch of open ports - many of which (e.g., 139 and 1222) would be the first things hidden behind a firewall if one was available. It allows FTP, IIS/HTTP access... that's pretty much an unprotected system. Also note that it's a Windows box - i.e., presumably not the RedHat system that's being asked about.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *
Faber J. Fedor [faber at linuxnj.com]
Thu, 30 Nov 2006 00:02:32 -0500
On 29/11/06 23:21 -0500, Benjamin A. Okopnik wrote:
> ben@Fenrir:~$ nmap -v -A technofina.com

<snip>

> Not shown: 1662 closed ports
> PORT STATE SERVICE VERSION
> 21/tcp open ftp Rhinosoft Serv-U FTP
> 25/tcp open smtp Microsoft ESMTP 6.0.3790.1830
> 80/tcp open http Microsoft IIS webserver 6.0

<more snippage>
You know, I always assumed nmap looked up the service in /etc/services but the above output (particularly the VERSION column) leads me to believe otherwise.
After nmap-ing my machine, I found port 902 open. That makes sense because I'm running VMware server (virtualization rocks!). However, nmap stated the service for 902 is iss-realsecure-sensor whereas my /etc/services says 902 is for vmware-authd.
So where is nmap getting the data from? A quick scan of the docs showed nothing nor did strings. Is nmap phoning home? Is it accessing files I haven't determined?
Enquiring minds want to know.
-- Regards, Faber Fedor President Linux New Jersey, Inc. 908-320-0357 800-706-0701
Predrag Ivanovic [predivan at ptt.yu]
Thu, 30 Nov 2006 17:22:32 +0100
On Thu, 30 Nov 2006 00:02:32 -0500 Faber J. Fedor wrote:
> <more snippage>
>
> You know, I always assumed nmap looked up the service in /etc/services
> but the above output (particularly the VERSION column) leads me to
> believe otherwise.
>
> After nmap-ing my machine, I found port 902 open. That makes sense
> because I'm running VMware server (virtualization rocks!). However, nmap
> stated the service for 902 is iss-realsecure-sensor whereas my /etc/services
> says 902 is for vmware-authd.
>
> So where is nmap getting the data from? A quick scan of the docs showed
> nothing nor did strings. Is nmap phoning home? Is it accessing files I
> haven't determined?
>
> Enquiring minds want to know.
From nmap-services, which is part of the source and installed in /usr/share/nmap.
Pedja
-- "The Linux philosophy is to laugh in face of danger. Oops. Wrong one. 'Do it yourself' That's it." -- Linus Torvalds
Benjamin A. Okopnik [ben at linuxgazette.net]
Thu, 30 Nov 2006 12:20:58 -0500
On Thu, Nov 30, 2006 at 12:02:32AM -0500, Faber Fedor wrote:
> On 29/11/06 23:21 -0500, Benjamin A. Okopnik wrote:
> > ben@Fenrir:~$ nmap -v -A technofina.com
> <snip>
>
> > Not shown: 1662 closed ports
> > PORT STATE SERVICE VERSION
> > 21/tcp open ftp Rhinosoft Serv-U FTP
> > 25/tcp open smtp Microsoft ESMTP 6.0.3790.1830
> > 80/tcp open http Microsoft IIS webserver 6.0
>
> <more snippage>
>
> You know, I always assumed nmap looked up the service in /etc/services
> but the above output (particularly the VERSION column) leads me to
> believe otherwise.
>
> After nmap-ing my machine, I found port 902 open. That makes sense
> because I'm running VMware server (virtualization rocks!). However, nmap stated
> the service for 902 is iss-realsecure-sensor whereas my /etc/services
> says 902 is for vmware-authd.
>
> So where is nmap getting the data from? A quick scan of the docs showed
> nothing nor did strings. Is nmap phoning home? Is it accessing files I
> haven't determined?
>
> Enquiring minds want to know.
ben@Fenrir:/tmp$ strace -s 4096 -o nmap.strace nmap 127.0.0.1

Looking through the resulting file, I find the following:

stat64("/usr/share/nmap/nmap-services", {st_mode=S_IFREG|0644, st_size=108536, ...}) = 0
stat64("./nmap-services", 0xbfac1a10) = -1 ENOENT (No such file or directory)
open("/usr/share/nmap/nmap-services", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=108536, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f14000
read(3, "# Well known service port numbers -*- mode: fundamental; -*-\n# From the Nmap security scanner ( https://www.insecure.org/nmap/ )\n#\n# $Id: nmap-services 3515 2006-06-19 04:01:16Z fyodor $\n# For a HUGE list of services (including these and others), \n# see https://www.graffiti.com/services\ntcpmux 1/tcp # TCP Port Service Multiplexer [rfc-1078]\ntcpmux 1/udp # TCP Port Service Multiplexer\ncompressnet 2/tcp # Management Utility\ncompressnet 2/udp # Management Utility\ncompressnet 3/tcp # Compression Process\ncompressnet 3/udp # Compression Process\nrje [ ... ]

If you note the 'read' and the file handle it uses (3), then look above it and note the 'open' call that produces the '3', the answer is "/usr/share/nmap/nmap-services".
As has been said here often, 'strace' is your friend.
-- * Ben Okopnik * Editor-in-Chief, Linux Gazette * https://LinuxGazette.NET *
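Added example (not part of Ben's message or of the original thread): the same read-to-open bookkeeping that is done by eye above, automated in Python over a saved strace log. It goes a little beyond the single case in the post by handling failed opens and descriptor numbers that are reused after close(). The log lines are constructed, modelled on the excerpt above, and files_read is a hypothetical helper name.

```python
import re

# Optional leading PID covers logs written with "strace -f".
OPEN_RE = re.compile(r'^(?:\d+\s+)?open(?:at)?\((?:AT_FDCWD, )?"([^"]*)".*\)\s+= (-?\d+)')
READ_RE = re.compile(r'^(?:\d+\s+)?read\((\d+), .*\)\s+= (-?\d+)')
CLOSE_RE = re.compile(r'^(?:\d+\s+)?close\((\d+)\)\s+= 0')

# Constructed sample in strace's output format (not a real capture).
SAMPLE = r'''stat64("/usr/share/nmap/nmap-services", {st_mode=S_IFREG|0644, st_size=108536, ...}) = 0
stat64("./nmap-services", 0xbfac1a10) = -1 ENOENT (No such file or directory)
open("./nmap-services", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/nmap/nmap-services", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=108536, ...}) = 0
read(3, "# Well known service port numbers\ntcpmux 1/tcp"..., 4096) = 4096
read(3, "rje 5/tcp"..., 4096) = 4096
close(3) = 0
open("/etc/hosts", O_RDONLY) = 3
read(3, "127.0.0.1 localhost\n", 4096) = 20
close(3) = 0
read(0, "", 1024) = 0
'''


def files_read(strace_lines):
    """Map each file the traced program read to the number of bytes read."""
    fd_path = {}   # descriptor -> path of the most recent successful open
    totals = {}    # path -> bytes read
    for line in strace_lines:
        m = OPEN_RE.match(line)
        if m:
            fd = int(m.group(2))
            if fd >= 0:                      # failed opens return -1
                fd_path[fd] = m.group(1)
            continue
        m = READ_RE.match(line)
        if m:
            fd, n = int(m.group(1)), int(m.group(2))
            if n > 0:
                path = fd_path.get(fd, "<fd %d, opened before trace>" % fd)
                totals[path] = totals.get(path, 0) + n
            continue
        m = CLOSE_RE.match(line)
        if m:                                # the number may now be reused
            fd_path.pop(int(m.group(1)), None)
    return totals


if __name__ == "__main__":
    for path, nbytes in files_read(SAMPLE.splitlines()).items():
        print("%8d  %s" % (nbytes, path))
```

For a real log, pass the lines of the file written by strace -o instead of SAMPLE.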