Netgate Discussion Forum
Not able to ssh to outside world (WAN)

Firewalling (firewall rules)
11 Posts 3 Posters 1.5k Views
Peter_APIIT, Jul 13, 2021, 9:21 AM

Dear All,
I had done nothing on my pfSense firewall and suddenly I cannot connect to my company jumphost using ssh. May I know how to diagnose it? Where do I see the log for the ssh connection? Thanks.
johnpoz, LAYER 8 Global Moderator, replying to Peter_APIIT, Jul 13, 2021, 10:17 AM

@peter_apiit said in Not able to ssh to outside world (WAN):

Where do I see the log for the ssh connection? Thanks.

In your ssh client would be the first place.. Does it show the connection even starting, ie able to even connect to the host?

As to logs on pfsense - out of the box it does not log allowed stuff, only blocked.

You can look in your state table to see if a state was created. You could sniff on your wan and validate the ssh tcp syn went out, and did you get an answer?

If you are having problems connecting to some ssh server, the best place to start looking is the ssh client itself - connect with -v and it will show you info related to the process..

Here is starting the connection for example:

    C:\>ssh -v 192.168.3.10
    OpenSSH_8.5p1, OpenSSL 1.1.1f  31 Mar 2020
    debug1: Connecting to 192.168.3.10 [192.168.3.10] port 22.
    debug1: Connection established.

then you will get lots of info about that connection starting..

    debug1: Local version string SSH-2.0-OpenSSH_8.5
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1
    debug1: compat_banner: match: OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1 pat OpenSSH* compat 0x04000000

    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: SSH2_MSG_KEX_ECDH_REPLY received

etc. etc..

But if you can not even get the first connection.. Say for example something like this:

    C:\>ssh -v 192.168.2.50
    OpenSSH_8.5p1, OpenSSL 1.1.1f  31 Mar 2020
    debug1: Connecting to 192.168.2.50 [192.168.2.50] port 22.
    debug1: connect to address 192.168.2.50 port 22: Connection refused
    ssh: connect to host 192.168.2.50 port 22: Connection refused

Then you would need to look to pfsense logs/states/sniff to see if traffic went where it was supposed to go, did you get back a syn,ack, etc..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
Gertjan, replying to Peter_APIIT, Jul 13, 2021, 10:27 AM

@peter_apiit

Connecting to some server using TCP, port 80, or port 443, or port 110, or 445, or port 143, etc. uses:
the IP address, and a port number.

You could use a host name in FQDN format, like sshaccess.myserver.tld. In that case, check if "sshaccess.myserver.tld" resolves to the correct IP.

(destination) IPs, hostnames (using DNSBL) can be - this is the outgoing traffic - blocked by pfSense.
But why would you block yourself?

The SSH access is, like the one pfSense uses, often protected. Misspell your password 10 x and you'll be locked out for some time - ask the admin for how long.
If you suspect this happens, use another WAN IP, and if you have access to the SSH account now, you know the "SSH server" blocked your initial WAN IP.

@peter_apiit said in Not able to ssh to outside world (WAN):

Where do I see the log

The firewall logs (of course) !?!
So did you put a firewall rule on the LAN interface and you don't know if it will block yourself, when you are using a legit connection?
I guess not.

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
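As an added example (not code from any poster in this thread), a small Python probe that does the client-side classification johnpoz describes (SYN answered with a banner, refused with a RST, or nothing coming back) together with the name-resolution check from Gertjan's reply, and parses the RFC 4253 identification line that the ssh -v transcript above shows as the remote version string. loopback_sshd is a constructed stand-in listener on 127.0.0.1 so the whole thing runs offline; the banner it sends is the Raspbian one from the transcript.

```python
import re
import socket
import threading

# RFC 4253 section 4.2 identification string: "SSH-protoversion-softwareversion SP comments"
_BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def parse_ssh_banner(line):
    """Fields of an SSH identification line, or None if the peer did not send one."""
    m = _BANNER_RE.match(line.strip())
    return m.groupdict() if m else None

def probe_ssh(host, port=22, timeout=3.0):
    """Outcome of a TCP connect, named the way the ssh -v transcripts in the thread show it:
    open -> banner arrived; refused -> RST came back, nothing listens on that port;
    timeout -> no SYN/ACK or RST, the SYN was dropped in the path; unresolved -> no lookup."""
    try:  # the FQDN check Gertjan suggests: does the name resolve at all?
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return {"result": "unresolved", "addrs": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            raw = s.recv(256)  # the server speaks first, with its identification string
    except ConnectionRefusedError:
        return {"result": "refused", "addrs": addrs}
    except (socket.timeout, TimeoutError):
        return {"result": "timeout", "addrs": addrs}
    except OSError as exc:
        return {"result": "error", "addrs": addrs, "detail": str(exc)}
    first = raw.decode("ascii", "replace").splitlines()[0] if raw else ""
    return {"result": "open", "addrs": addrs, "banner": parse_ssh_banner(first)}

def loopback_sshd(banner=b"SSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u2+rpt1\r\n", listen=True):
    """Constructed stand-in for the jumphost on 127.0.0.1; returns its port. With
    listen=False the port is bound and released, so a connect to it is refused."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if not listen:
        srv.close()
        return port
    srv.listen(1)
    def serve():  # serve a single client with nothing but the banner, then shut down
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run against the real jumphost (probe_ssh("sshaccess.myserver.tld")), "refused" means the host answered and the problem is on the server side, while "timeout" means the SYN never got an answer, which is where a WAN packet capture on pfSense or an upstream block, as Peter_APIIT eventually found, comes into the picture.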
Peter_APIIT, replying to johnpoz, Jul 14, 2021, 5:43 AM (edited Jul 14, 2021, 5:52 AM)

Still not able to diagnose the root cause. I tried with ssh -v but cannot find the IP being blocked by the firewall. I stopped Snort and pfBlocker but am still not able to find the root cause.
johnpoz, LAYER 8 Global Moderator, replying to Peter_APIIT, Jul 14, 2021, 8:33 AM

@peter_apiit said in Not able to ssh to outside world (WAN):

find the IP being blocked by the firewall.

Who says the firewall is blocking anything? Unless you disabled logging - anything blocked would be logged.
Peter_APIIT, replying to johnpoz, Jul 14, 2021, 10:43 AM

@johnpoz I tried the ssh -v command to find out the IP address of the ssh server, but I don't see anything logged for this IP. Any other thought?
johnpoz, LAYER 8 Global Moderator, replying to Peter_APIIT, Jul 14, 2021, 10:52 AM

@peter_apiit and what was the output of ssh? What did it tell you?? Did it say host not found?
Peter_APIIT, replying to johnpoz, Jul 14, 2021, 11:17 AM

@johnpoz I solved it by initiating a VPN connection, since my ISP blocks me.
Gertjan, replying to Peter_APIIT, Jul 14, 2021, 12:07 PM (edited Jul 14, 2021, 12:08 PM)

@peter_apiit

It blocks destination port 22 TCP?

👎

Instead of investing in a VPN, what about terminating your relationship with this ISP.

And just for my own curiosity: what country / ISP?
johnpoz, LAYER 8 Global Moderator, replying to Gertjan, Jul 14, 2021, 12:12 PM

@gertjan said in Not able to ssh to outside world (WAN):

what about terminating your relationship with this ISP.

I would agree with this.. While I get some ISPs should prob block some outbound access.. SMTP is one of those that comes to mind that many an ISP might block outbound on a residential connection. SMB also serves no real purpose being sent over the public internet, 137-139, 445 for example.

But ssh - yeah that could be problematic.. But I could see the logic behind maybe blocking that for your typical residential account.. I would be really pissed if my ISP did that.. that is for sure..
Gertjan, replying to Peter_APIIT, Jul 14, 2021, 2:20 PM

@peter_apiit said in Not able to ssh to outside world (WAN):

connect to my company jumphost using ssh

Can you change the settings of this ssh access?
Change the '22' port to '2222' and you'll be good.