mancalablog


No IP :( and port forwarding?

Paul (28 Sep 2004 17:30): So I have DSL now, but I have no IP; getting one costs an extra $15 per month.
Is there a recommendable way people might ssh to my computer despite this hangup? Like, ssh to somewhere else on some weird port...? Perhaps I could get a special ssh-daemon that supports such a thing (I suppose my daemon would have to log onto the port-forwarding server)...
Paul (28 Sep 2004 17:38): Wait, so, checking google and this site, it seems all I need is to type

ssh2 -R 1234:localhost:22 paul@digitalaudiorock.com

then tell people to ssh to digitalaudiorock.com:1234...
but it can't be that simple, can it? That would be too bizarre; I'd be hijacking their port 1234... Thoughts?
m (29 Sep 2004 0:13): huh. I was about to say that you're wrong, but it looks like you're not. Hijack away! Take a more oddly numbered port to decrease the chance that anyone will ever care.
m (29 Sep 2004 1:34): huh. trying this between two machines in the cs dept and I can't get it to work.
m (29 Sep 2004 1:35): what timezone are you in, paul? two hours later, or is that just digaudiorock?
m (29 Sep 2004 1:38): maybe you can run your own instance of sshd on digitalaudiorock, listening on port bajillion that forwards to your home machine? that seems plausible. then whenever you restart your computer, or renew your ip-lease, or whatever dhcp does, you can have something log into the server and restart the sshd?
m (29 Sep 2004 17:22): I'm desperate, paul - I need a machine to log into.
shaky and irritable, both.
Paul (30 Sep 2004 13:34): Well if you can't get it to work on two machines you know, I certainly can't get it to work on something weird like digitalaudiorock.com (which is only a limited mini-server running on a larger server anyway). Also, port forwarding could only work if I can initiate it; nobody can initiate a connection to me since I have no IP :( But why can't you log into your own machine, Mike?

Also, recommendations for how to get Carla a wireless card that works? The LinkSys one we tried required IE5.5, and when she tried to upgrade IE, we ended up having to reformat the whole hard drive :( This comes up because the DSL modem has only one ethernet jack, so I can't use internet on Linux until she gets a wireless card.
Paul (30 Sep 2004 13:58): And, by pure coincidence, I am now in the same time zone as digitalaudiorock
m (1 Oct 2004 15:34): Julian: DLINK, maybe?
Julian: tell him to get something that uses the PRISM chipset
Me: yeah?
Julian: the actual manufacturer isn't super-important
Julian: just make sure the chipset is supported
Paul (14 Nov 2004 13:24): I now believe that my port forwarding trouble is not on my end, but due to firewalls etc. on all the outside machines I have ssh access to. So I ask you, do you know of any plain linux box running sshd with no firewall, that I could have an account on? Once I find one, you can all ssh to my machine....
Paul (20 Feb 2005 18:26): have you heard of wifi connection-sharing with an ISP called speakeasy.net?
m (20 Feb 2005 19:33): speakeasy's my isp - what wifi connection sharing are you referring to?
Paul (20 Feb 2005 20:56): apparently they have a connection sharing plan. they bill your neighbors for sharing your line, and you pay less or nothing. the details don't look stellar, but it's a lot better than anti-sharing ISPs
m (21 Feb 2005 0:08): that seems all right. Except that on our 1.5Mb line, if either tatsu or I are d/l'ing at >= ~15K/sec, any web-browsing we might be doing is brought to an abrupt halt. stupid speakeasy dsl.
Paul (6 Mar 2005 21:23): Have you heard of entropy and other anonymous filesharing? Do they work? Can I use them to download and share music and movies without danger of prosecution? ...er...um...I mean, for research purposes only, of course...
Paul (12 Sep 2005 17:36): So once again I'm sitting here with sshd, with no IP address. But it looks like all I was missing last time was a way to open the remote port to listen for connections. This seems to be resolved with "simpleproxy". So, if you ask me for an account, you can now ssh -p 5730 digitalaudiorock.com.
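The "way to open the remote port to listen" that was missing is sshd's GatewayPorts rule: a plain `ssh -R 1234:localhost:22` makes sshd listen on the remote host's loopback only, so nobody outside that host can reach it, which is the gap simpleproxy filled. As an added example that is not part of the thread, the Python below applies the documented GatewayPorts semantics to a `-R` spec; the function names are mine.

```python
from typing import NamedTuple

class RemoteForward(NamedTuple):
    listen_host: str            # address sshd binds on the remote host
    listen_port: int
    target_host: str            # where the client delivers the tunnel
    target_port: int
    reachable_from_outside: bool

def parse_remote_spec(spec):
    """Parse the -R argument: [bind_address:]port:host:hostport."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = (None, *parts)
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"bad -R spec: {spec!r}")
    return bind, int(port), host, int(hostport)

LOOPBACK = ("localhost", "127.0.0.1", "::1")
ANY = ("", "*", "0.0.0.0")

def effective_remote_forward(spec, gateway_ports="no"):
    """Where the -R listener ends up, given sshd's GatewayPorts setting.
    Rules as documented in sshd_config(5) and ssh(1):
      no              - loopback only; a non-loopback bind_address is refused
      yes             - always the wildcard address, whatever the client asked
      clientspecified - the client's bind_address, loopback if none was given
    sshd's default is "no", which is why the listener is invisible from outside."""
    bind, port, host, hostport = parse_remote_spec(spec)
    setting = gateway_ports.lower()
    if setting == "yes":
        listen = "0.0.0.0"
    elif setting == "clientspecified":
        listen = "0.0.0.0" if bind in ANY else (bind or "127.0.0.1")
    elif setting == "no":
        if bind is not None and bind not in LOOPBACK:
            raise ValueError(f"bind_address {bind!r} needs GatewayPorts enabled")
        listen = "127.0.0.1"
    else:
        raise ValueError(f"unknown GatewayPorts value {gateway_ports!r}")
    return RemoteForward(listen, port, host, hostport, listen not in LOOPBACK)
```

Without control over the remote sshd_config, the only ways to expose the tunnel are a second hop on that host (simpleproxy, or `ssh -g -L` as mentioned later), which is exactly what a hosting provider's terms may object to.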
m (3 Jun 2006 3:14): So now that I've got a clean install and can do things again (i.e. connect to the internets) -- how do I ssh to cuax? digaud:5730 doesn't seem to be working right now, but maybe your connection is down.
Paul (4 Jun 2006 4:34): My connection just came back up following about 36h of downtime :/ It's digaud:5722 (you know, like "22" only with 57 first). You may notice that when it's my connection that's down, ping digaud works, whereas when I would be up but digaud is down, ping digaud fails.
Paul (15 Jun 2006 11:41): Cuax and I are back online(!), after >100h downtime, with a whole new setup under which I actually know where the packets go. As before, ssh -p 5722 digaud
Paul (22 Sep 2006 19:24): Apparently grza.net is not cool with me running 'simpleproxy' (which I used so I could connect from afar to my home machine):

paul@somewhere:~$ ssh -p 5722 www.grza.net
ssh: connect to host www.grza.net port 5722: Connection refused
paul@somewhere:~$ ssh grza.net
[lei]$ simpleproxy
-bash: simpleproxy: command not found
[lei]$ ls bin/simpleproxy
ls: bin/simpleproxy: no such file or directory
[lei]$ find -name simpleproxy
./disabled-NoProxies/simpleproxy
[lei]$ echo doh
doh


I can still twist it to work like before (by double-tunneling 'ssh -g'), but perhaps I risk angering root@lei? Do you think they're actually against what I was doing (minimal-bandwidth, authorized-connections-only)? or do they just have a kneejerk reaction to the substring "proxy"?
m (25 Sep 2006 4:08): it probably is a knee-jerk reaction, but circumventing the prohibition is contrary to the implicit request that you not run an ssh proxy on their machine. Maybe the best thing to do would be to drop root or admin an email?
Grant (25 Sep 2006 19:30): I'll have to check what their policies are. I've read some potentially pertinent things on the support board, but I'm sending a specific question and I'll let you know what I hear back.

What I read was that: They generally discourage things being left running all the time, and "CGI proxies are known to regularly cause problems and consume system resources. They're generally not allowed on our servers because of that but if they don't cause us problems we won't notice. If it does cause a problem we'll shut it down."
Grant (25 Sep 2006 21:29): Their response: "We specifically don't allow proxies because they can easily be abused, and they are considered a persistent service and CPU intensive which violates our TOS:

http://dreamhost.com/tos.html

I strongly advise you to request that your friend not use their account for this purpose, or you risk having your account disabled if it is causing problems on the server. Please let us know if you have any other questions."

Now, for what it's worth, the only thing the TOS mentions is the 'intensive tasks' part, which is oddly worded in a way that seems to imply that persistent tasks are considered 'bugs.' I don't know - are SSH proxies super intensive? It would be news to me. They probably don't want people to use them for security reasons, but can't actually go ahead and say that because it's too vague. I'll send back a message asking for some suggestions and maybe a bit of clarification, but that seems to be the gist of it.
Grant (25 Sep 2006 21:32): I suppose the other thing to mention is - why do you need a proxy for SSH? Seems kind of wonky to me.
Grant (25 Sep 2006 22:45): Although, yeah, ssh -g or -L might be the way to go.
Grant (25 Sep 2006 23:01): Or perhaps none of it's allowed. It's really hard to tell what their policies are, since you have people saying things like "we'll only disable it if it's a problem." Does that mean they admit that they're fallible, or are they essentially saying they'll turn a blind eye towards responsible use? Are all the administrators even on the same page?
(26 Sep 2006 18:24): RE: SSH processor usage, I doubt it would be huge, normally. SCP'ing a file at 78 KB/s only takes ~2% processor time on my laptop.

But yeah, for security and other hassle reasons, I doubt this would ever be entirely supported by any ISP. The internet is full of BAD DUDES, and allowing a customer to set up an encrypted proxy for an unknown number of users to a system or systems you don't control could be (which translates to a lawyer (or pessimistic(/experienced?) sysadmin) to "will be") problematic for obvious reasons. Almost analogous to running an open relay. I mean *I* know you aren't trying to do anything wrong, but try finding an ISP that will trust you that far.

TOS's anywhere are a little bit odd. >90% probably prohibit illegal file sharing, and yet enormous numbers of people do, and end users do not seem to ever be disconnected. People who run servers, well, yeah. That shit is obvious. Which seems to be the same principle at work here. I'm not saying it's logically consistent. Check John Gilmore's take on the subject of Terms and Conditions, particularly the T&Cs that were in effect for the ISP he co-founded.

The world can be an ugly place. (I think the prank described in the link is amusing, but sadly true, not that the prank is ugly)
R (26 Sep 2006 18:33): That last post is mine, BTW.
To do what you want, the easiest way would definitely be to get an actual IP address. I'm sure you have a pretty good reason for being with the ISP you are using (perhaps - "they are the only ISP available" or "Only ISP I can afford"), but living behind NAT is just messed up. I mean, I've never had an ISP do that to me, or even heard of such a thing before this thread. Maybe you can find a new ISP here?
Paul (3 Oct 2006 18:26): Hm...the point about living behind NAT is well taken. The original idea was to allow sshd to be accessed even when the sshd server (a laptop) moves to strange places, say, wifi hotspots (those often use NAT, ne?), corporate firewalled networks, etc. But maybe I should forget about that weirdness.
Paul (7 Oct 2006 18:36): So, provided my computer stays where it's at, you can now use
ssh krubo.info.tm
Paul (9 May 2009 10:40):
[lei]$ pwd
/home/dex
[lei]$ ls bin
ls: bin: No such file or directory

Wait, I think this directory used to exist...
Paul (23 Oct 2009 19:01): So I signed up my friend for a dreamhost site for his business, but now he changed his mind and wants to point the domain name to a wordpress blog. Reading about domain name transfers is very confusing, with 60-day rules and such! It's almost as bad as immigration, complete with horror stories. Do you all know how to do such a thing? Would dreamhost register the domain name cheap and point it elsewhere? Should he ask dreamhost somehow? Their contact info is intentionally obscure...

Also, I don't 100% get the difference between a domain registrar and a domain server. Help!
Paul (23 Oct 2009 19:03): Also: this and that
G (25 Oct 2009 13:17): It's not intentionally obscure, it's quite prominent once you're a subscriber.
But he probably won't need to contact them, because it seems pretty straightforward.
I mean, if that doesn't work, that's one thing. But he should try that first.
G (26 Oct 2009 1:32): Although, because this friend may not know entirely what he's doing, you should at least make him aware of these options:

1) Move hosting to wordpress.com. for details. Once he's got an account set up, that's when he could use the auth code from Dreamhost to move his domain hosting over to them.

2) Setup a wordpress blog on his existing dreamhost account. Dreamhost actually makes this ridiculously simple, and if you go with 'easy' mode (choose from pre-installed themes), will even auto-update wordpress. In 'advanced' mode, he can install his own themes, but will have to click a button in the DH control panel to have it updated.
G (26 Oct 2009 1:39): Hosting on wordpress.com, itself, has a few different options.

1) Set up a blog at plucktea.wordpress.com using the free tools. It's free!

2) Pay for stuff there. No ads on your blog costs $30/year. Custom domains cost $15/year ($5 for registration, $10 for mapping, so he should save at least an initial $5 on this). And a custom theme will cost $15 a year. So, maybe $45 a year - probably about half.

You want intentionally obscure? I had to make a wordpress account to get the pricing. :P
Paul (26 Oct 2009 5:11): From plucktea.wordpress.com: "I convinced Paul to drink it, and he said it tasted like strong tea. I should have known not to expect hyperbolic language from Paul."
Paul (26 Oct 2009 5:18): I think the source of angst is: "Domains may not be transferred within 60 days of their initial registration." This seems to be not Dreamhost's rule, but ICANN's. But it means the Dreamhost 14-day risk-free trial period is actually not risk-free, because you can't keep your domain if you cancel hosting during the trial period afaict. Maybe you can still take advantage of the 97-day money-back guarantee period...maybe.
G (26 Oct 2009 7:10): This appears to be the case.
If he no longer has access to the support system because his account has been deleted, I can submit a report for him. They could probably get him a transfer once the 60 days are up, account or no.
m (26 Oct 2009 16:44): Geocities is shutting down today! Boo!
But go to xkcd right now for that sweet nostalgia you crave.
G (28 Oct 2009 0:47): Then again, perhaps if they had to spend money to register the domain, they might not want to just hand it to him after refunding all his money.

He could always go with pluck-tea.com. I hear hyphens are pretty cool these days.
G (28 Oct 2009 0:48): Oh, I see that plucktea.com now forwards to his wordpress site.
Paul (20 Nov 2009 5:19): So I still had ssh access to my really old computer, even though its screen basically doesn't work anymore. But its wifi link went down. So I carefully (without a screen) backed up its /etc/network/interfaces, typed in a very simple /etc/network/interfaces myself, then packet-sniffed it as I ran 'ifup eth0'. Result:

08:04:57.842937 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:01:03:7d:25:cc (oui Unknown), length 300
08:04:57.845168 IP 192.168.1.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 548
08:05:10.645639 arp who-has cuaxilotl tell 192.168.1.1
08:05:10.645841 arp reply cuaxilotl is-at 00:01:03:7d:25:cc (oui Unknown)
08:05:10.646102 IP 212.57.104.168.50630 > cuaxilotl.ssh: S 3598103644:3598103644(0) win 5840 <mss 1460,sackOK,timestamp 470792406 0,nop,wscale 6>
08:05:10.646437 IP cuaxilotl.ssh > 212.57.104.168.50630: S 1046792842:1046792842(0) ack 3598103645 win 5792 <mss 1460,sackOK,timestamp 283434685 470792406,nop,wscale 0>
08:05:10.797568 IP 212.57.104.168.50630 > cuaxilotl.ssh: . ack 1 win 92 <nop,nop,timestamp 470792444 283434685>
08:05:10.801386 IP cuaxilotl.ssh > 212.57.104.168.50630: P 1:42(41) ack 1 win 5792 <nop,nop,timestamp 283434701 470792444>
08:05:10.950833 IP 212.57.104.168.50630 > cuaxilotl.ssh: . ack 42 win 92 <nop,nop,timestamp 470792482 283434701>
08:05:10.950948 IP 212.57.104.168.50630 > cuaxilotl.ssh: P 1:21(20) ack 42 win 92 <nop,nop,timestamp 470792482 283434701>
... etc ... down to ...
08:05:16.387883 IP cuaxilotl.ssh > 212.57.104.168.50630: F 1302:1302(0) ack 590 win 5792 <nop,nop,timestamp 283435260 470793377>
08:05:16.541800 IP 212.57.104.168.50630 > cuaxilotl.ssh: . ack 1303 win 130 <nop,nop,timestamp 470793880 283435260>


Whew...scared me for a minute. Next step: unplug cuaxilotl, unplug internet from hub, plug in cuaxilotl and log in from adjacent computer, inspect /var/log/auth.log. Just an unsuccessful hack-attempt as usual. Plugged everything back in.
G (21 Nov 2009 10:56): "Whew!" Paul, you are doing an excellent job of maintaining your reputation.
There's probably a koan in here about fonts in a computer with no screen.
m (21 Nov 2009 12:07): An ancient laptop
with no display
and broken ethernet
still has feelings.
R (23 Nov 2009 9:53): Skillz: Paul has them.
Paul (5 Dec 2009 13:14): you misinterpreted my intent. my intent was not 'look I have teh skillz'. my intent was 'dammit how can I tell if my headless machine was hacked?' and I think the answer is clear. it has been hacked. how else can I explain
16:00:58.276494 IP cuaxilotl.40038 > cd.48.1343.static.theplanet.com.www: S 498640721:498640721(0) win 5840 <mss 1460,sackOK,timestamp 415884952 0,nop,wscale 0>
occurring with no web browser open.
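Paul's question ("how can I tell if my headless machine was hacked?") comes down to pulling the new connections out of the capture and checking each against what the box is expected to do. As an added example that is not part of the thread, this Python sorts old-style tcpdump lines like the ones quoted above into inbound connection attempts and outbound ones that no allow-list explains; the sample capture is constructed from the lines in this thread and the function names are mine.

```python
import re
from typing import NamedTuple

# Constructed sample in the tcpdump text format quoted in the thread (same hosts/addresses).
SAMPLE_CAPTURE = """\
08:04:57.842937 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:01:03:7d:25:cc (oui Unknown), length 300
08:05:10.645639 arp who-has cuaxilotl tell 192.168.1.1
08:05:10.646102 IP 212.57.104.168.50630 > cuaxilotl.ssh: S 3598103644:3598103644(0) win 5840 <mss 1460,sackOK,timestamp 470792406 0,nop,wscale 6>
08:05:10.646437 IP cuaxilotl.ssh > 212.57.104.168.50630: S 1046792842:1046792842(0) ack 3598103645 win 5792 <mss 1460,sackOK,timestamp 283434685 470792406,nop,wscale 0>
08:05:10.797568 IP 212.57.104.168.50630 > cuaxilotl.ssh: . ack 1 win 92 <nop,nop,timestamp 470792444 283434685>
16:00:58.276494 IP cuaxilotl.40038 > cd.48.1343.static.theplanet.com.www: S 498640721:498640721(0) win 5840 <mss 1460,sackOK,timestamp 415884952 0,nop,wscale 0>
"""

class Syn(NamedTuple):
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str

TCP_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > "
                      r"(?P<dst>\S+): (?P<flags>[SFRP.]+) (?P<rest>.*)$")

def split_endpoint(endpoint):
    """tcpdump prints host.port; the host part may itself contain dots."""
    host, port = endpoint.rsplit(".", 1)
    return host, port

def connection_attempts(capture):
    """One record per bare SYN, i.e. per new TCP connection. SYN/ACK replies
    (they carry ' ack '), data, FIN and non-TCP lines (ARP, DHCP) are skipped."""
    found = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m or m["flags"] != "S" or " ack " in m["rest"]:
            continue
        found.append(Syn(m["ts"], *split_endpoint(m["src"]), *split_endpoint(m["dst"])))
    return found

def triage(capture, me, allowed_outbound=frozenset()):
    """Split new connections into inbound-to-me and outbound-from-me; outbound SYNs
    to ports not on the allow-list are the ones the owner has to account for."""
    inbound, unexplained = [], []
    for s in connection_attempts(capture):
        if s.dst_host == me:
            inbound.append(s)
        elif s.src_host == me and s.dst_port not in allowed_outbound:
            unexplained.append(s)
    return inbound, unexplained
```

Run over the real capture with the box's own hostname as `me`, the inbound list is what /var/log/auth.log should account for, and each unexplained outbound entry should map to something you configured, as the theplanet.com connection eventually did.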
Paul (5 Dec 2009 13:31): okay, okay, it could be explained because I set it to do that, and am now paranoid. I think we've confirmed by now that I do not have teh skillz.
R (5 Dec 2009 17:00): Well, one could argue that a less-skillzful user wouldn't have a headless machine to begin with, or be able to find potential signs of hacking. A low degree of paranoia is probably symptomatic of awareness that one is not the biggest fish in the sea, and that this "sea" contains predators.
R (8 Dec 2009 13:39): I have just realized that it is very unclear if I was mocking Paul or complimenting him in my initial comment. It was a compliment.