Frontier: Blocking port 22 because of illegal files?
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
Wed, Mar 25, 2015 at 07:31:35PM -0700, Aaron C. de Bruyn wrote:
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
Can't help to add that there are
- port 21 that allows users to give commands to examine the existence and initiate transfers of illegal files;
- ports 1025 - 65535 that allow users to create data streams to actually transfer illegal files in an (oh my) passive mode.
;)
--
Eygene Ryabinkin, National Research Centre "Kurchatov Institute"
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
On Wed, 25 Mar 2015, Aaron C. de Bruyn wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
I wonder if their support is just confused, and Frontier is really blocking outbound tcp/22 to stop complaints generated by infected customers with sshd scanners. After all, most of their customers probably don't know what SSH is.
----------------------------------------------------------------------
Jon Lewis, MCP :) | I route | therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server. People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
Stephen Satchell schreef op 26-3-2015 om 12:24:
On 03/25/2015 07:31 PM, Aaron C. de Bruyn wrote:
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
It's been a while since I did this, but you can select an additional port to accept SSH connections. A Google search indicates you can specify multiple ports in OpenSSH. Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
People with sane ISPs can use the standard port. People on Frontier can use the alternate port, which shouldn't be firewalled by the provider. If Frontier is running a mostly-closed firewall configuration, then you have to be damn careful about the port you select.
Ahem, just to clarify, he is not talking about inbound on the Frontier connection, but outbound *from* the Frontier network. Akin to the "Let's block outbound port 25 (smtp)". This is just a really really bad idea m'kay. Cheers
Stephen Satchell <list@satchell.net> writes:
It's been a while since I did this, but you can select an additional port to accept SSH connections.
That's easy:
    jens@screen:~$ grep Port /etc/ssh/sshd_config
    Port 22
    Port 443
Picking the right port to use is an exercise, though, that will depend on what other services you are running on your server.
I always have at least one sshd listening on port 443. For all the hotel, coffee house, customer networks blocking ssh. You can even multiplex and run ssh and ssl on the same port: http://www.rutschle.net/tech/sslh.shtml
Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@jabber.quux.de | --------------- |
----------------------------------------------------------------------------
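
Added example, not part of any message in this thread: a small Python check for the situation discussed above, where clients see timeouts on port 22 and the server also listens on an alternate port such as 443. It tells a silent drop on the path (timeout) apart from a dead service (refused) by reading the SSH identification string; the function names and the loopback listener are constructed for illustration.

```python
import socket
import threading

def probe_ssh(host, port, timeout=3.0):
    """Classify one outbound TCP attempt: ssh / other / refused / filtered / error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(64)          # an SSH server sends "SSH-2.0-..." first
            except socket.timeout:
                return "other"               # connected, but the peer stayed silent
            return "ssh" if banner.startswith(b"SSH-") else "other"
    except ConnectionRefusedError:
        return "refused"                     # RST came back: path open, no listener
    except socket.timeout:
        return "filtered"                    # SYN unanswered: typical of a silent drop
    except OSError:
        return "error"                       # unreachable, reset, name failure, ...

def diagnose(host, ports=(22, 443), timeout=3.0):
    """Probe the standard port first, then the alternates, and summarise."""
    results = {p: probe_ssh(host, p, timeout) for p in ports}
    first, alternates = ports[0], ports[1:]
    if results[first] == "ssh":
        return results, "standard port reachable"
    if any(results[p] == "ssh" for p in alternates):
        return results, "standard port %s, but sshd answers on an alternate port" % results[first]
    return results, "no sshd reachable on any probed port"

def fake_sshd():
    """Constructed loopback listener that sends an SSH banner (sample data)."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(b"SSH-2.0-ExampleSSH_0.0\r\n")
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Loopback port with no listener (constructed stand-in for a dead service)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    up, down = fake_sshd(), closed_port()
    print(diagnose("127.0.0.1", ports=(down, up), timeout=1.0))
```

Run from the affected network against the real server with the default ports: `filtered` on 22 together with `ssh` on 443 points at a drop somewhere on the path rather than a fault on the server.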
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
All,
I have reached out to Aaron privately for details, but we do not block port 22 traffic unless it is in direct response to an attack or related item. Please let me know directly if you have any specific questions.
Thanks,
-Jeff
On Mar 26, 2015, at 7:09 AM, Livingood, Jason <Jason_Livingood@cable.comcast.com> wrote:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
Nothing helps promote a free and open Internet more than micromanaging your users' download activity. Not really sure how someone comes to the conclusion that nobody really *needs* ssh for anything.
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> writes:
ISPs are generally expected to disclose any port blocking. A quick Google search shows this is Frontier’s list: http://www.frontierhelp.com/faq.cfm?qstid=277
On 3/25/15, 10:31 PM, "Aaron C. de Bruyn" <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
Someone with Frontier contacted me off-list and assured me they don't block port 22, and that it could have been related to port scans, infected PCs, etc... They are looking into it.
Apologies for the noise and for being a prat. ;)
-A
On Wed, Mar 25, 2015 at 7:31 PM, Aaron C. de Bruyn <aaron@heyaaron.com> wrote:
I've had a handful of clients contact me over the last week with trouble using SCP (usually WinSCP) to manage their website content on my servers. Either they get timeout messages from WinSCP or a message saying they should switch to SFTP.
After getting a few helpful users on the phone to run some quick tests, we found port 22 was blocked.
When my customers contacted Frontier, they were told that port 22 was blocked because it is used to transfer illegal files.
I called them, and got the same ridiculous excuse.
Just a friendly heads-up to anyone from Frontier who might be listening, I have a few additional ports you may wish to block:
80 - Allows users to use Google to search for illegal files
443 - Allows users to use Google to search for illegal files in a secure manner
69 - Allows users to trivially transfer illegal files
3389 - Allows users to connect to unlicensed Windows machines
179 - Allows users to exchange routes to illegal file shares
53 - Allows people to look up illegal names
-A
participants (9)
- Aaron C. de Bruyn
- Daniel Corbe
- Eygene Ryabinkin
- Jeff Richmond
- Jens Link
- Jon Lewis
- Livingood, Jason
- Seth Mos
- Stephen Satchell