[SATLUG] Blocked ports on college campus

Jon Mark Allen jm at allensonthe.net
Tue Oct 21 14:04:08 CDT 2008


On Tue, Oct 21, 2008 at 13:25, Borries Demeler
<demeler at biochem.uthscsa.edu> wrote:
>>
>> Just recently St. Phillips only allows outgoing connections to
>> destination ports 80 and 443 on their public wifi.  So that means no
>> irc, no instant messaging, no email, and no SSH.  This can't be!  To my
>> knowledge I only have 2 options, ssh or vpn.  I do have one remote
>> server that has a free port 80 open so I can get ssh listening on that
>> (to connect with ssh -D) or some kind of vpn software.  I am not sure
>> which would be easier.  If I use vpn I would like to use ipsec but I
>> don't have to.  I am also afraid that with vpn it would have to be tied
>> in with the ip address on my laptop which might change subnets depending
>> on which access point I am connected to at college.
>>
>> What do yall think?
>
> Argue with the administrators and tell them why you need these ports open
> and why it doesn't represent a threat to them to have them open. You
> can also ask them to open them on a case-by-case basis, let's say just
> to your computer or server. They cannot interfere with the mission of
> the school, which is what they are doing if they restrict your ability
> to do research. That would be my line of argument.
>
> -b.
> --

I would certainly discuss with the administrators your situation.

However, I would disagree that allowing outbound SSH does not present a
threat.

SSH is great.  I use it every day.  But it can certainly be used to
bypass security filters and allow access to services that are intended
to be blocked, via its incredibly powerful port forwarding features.

ssh -D9999 my.home.ip

will create a SOCKS proxy (not technically, of course) on my client
machine (localhost:9999) through which I can forward ALL internet
traffic.  Where IRC, IM, email, and certain websites were once blocked,
I now have full access -- without the additional protections of an IPSec
tunnel.  My machine can now be compromised via any of those services but
is still on the local network and can be used as a point of attack.

Alternatively,

ssh -R9999:my.company.server.ip:23 my.home.ip

will open an SSH tunnel to my house and forward connections made to port
9999 of my computer at home to port 23 at work.  I've now created a
remote access session back to work that is completely unmonitored and
relies solely on my personal home security.

Any good network administrator should be concerned about remote access
to their network that is outside his/her control.

I still recommend talking with the network admins about your situation,
but recognize they have a valid reason to deny access.  Perhaps they
will make an exception for your home IP if you have already established
their trust.

-- 
JM

/* If you haven't found something strange during the day, it hasn't
been much of a day.
-- John A. Wheeler */
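The admin-side concern raised in the reply above (SSH tunnels riding on ports 80 and 443 past a port-based filter) is something a network operator can actually look for, because the SSH identification string ("SSH-2.0-...") is exchanged in cleartext before key exchange on whatever port the session uses. The following is an added example written for this thread, not code from the list or from any of its posters. It assumes a flow sensor that records the destination port and the first payload bytes of each outbound session; the `Flow` records below are constructed sample data, not captures from any real network.

```python
"""Flag SSH sessions hidden on web ports from constructed flow records (added example)."""
import re
from collections import Counter
from typing import FrozenSet, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One outbound TCP session as a flow sensor might record it (hypothetical format)."""
    src: str            # client on the campus network
    dst: str            # remote server
    dst_port: int
    first_bytes: bytes  # first payload bytes sent in the session


# The SSH identification string is sent in the clear by both peers before any
# key exchange, so a passive sensor sees it regardless of the TCP port in use.
SSH_BANNER = re.compile(rb"^SSH-(?P<version>\d+\.\d+)-(?P<software>[^\r\n ]+)")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
WEB_PORTS: FrozenSet[int] = frozenset({80, 443})


def classify_payload(first_bytes: bytes) -> str:
    """Cheap protocol guess from the first bytes of a session: ssh, tls, http or unknown."""
    if SSH_BANNER.match(first_bytes):
        return "ssh"
    # TLS record header: content type 0x16 (handshake) followed by version major byte 0x03
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def find_ssh_on_web_ports(flows: Iterable[Flow], web_ports: FrozenSet[int] = WEB_PORTS) -> List[Flow]:
    """Return the flows that carry SSH although the destination port says 'web'."""
    return [f for f in flows
            if f.dst_port in web_ports and classify_payload(f.first_bytes) == "ssh"]


def ssh_software(flow: Flow) -> str:
    """Software string from the SSH banner (e.g. OpenSSH_7.4), or '' if not SSH."""
    m = SSH_BANNER.match(flow.first_bytes)
    return m.group("software").decode("ascii", "replace") if m else ""


def hosts_by_hit_count(flagged: Iterable[Flow]) -> Counter:
    """Which internal hosts are doing it, for the admin's follow-up list."""
    return Counter(f.src for f in flagged)


# Constructed sample flows: two ordinary web sessions, one SSH session on the
# normal port, and one client speaking SSH to the same server on both 80 and 443.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.5.23", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Flow("10.0.5.9", "192.0.2.5", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.5.42", "198.51.100.7", 80, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Flow("10.0.5.42", "198.51.100.7", 443, b"SSH-2.0-OpenSSH_7.4\r\n"),
]


if __name__ == "__main__":
    hits = find_ssh_on_web_ports(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f.src} -> {f.dst}:{f.dst_port} speaks SSH ({ssh_software(f)})")
    print("hosts:", dict(hosts_by_hit_count(hits)))
```

The classifier only looks at cleartext banners, so it is a complement to the port policy rather than a replacement for it: it tells the admin which internal hosts are tunnelling, which is exactly the information needed for the case-by-case exception the thread suggests asking for.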
