• Re: can't connect to server from outside LAN

    From David Christensen@21:1/5 to Greg Marks on Thu Jun 13 01:40:01 2024
    On 6/12/24 15:54, Greg Marks wrote:
    I'm running a Debian server from my home with a static IP address, with ssh configured to use key-based authentication rather than password-based. As of a couple weeks ago, I have been unable to ssh to my server from external locations. When I ssh from a laptop connected to the wireless network on the same router as my home server, I do successfully connect to the server. But when I ssh from an external location, I get this error:

    OpenSSH_8.4p1 Debian-5+deb11u3, OpenSSL 1.1.1w 11 Sep 2023
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
    debug1: /etc/ssh/ssh_config line 21: Applying options for *
    debug2: resolve_canonicalize: hostname xxx.xxx.xxx.xxx is address
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/user/.ssh/known_hosts'
    debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/user/.ssh/known_hosts2'
    debug2: ssh_connect_direct
    debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: identity file /home/user/.ssh/id_rsa type -1
    debug1: identity file /home/user/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user/.ssh/id_dsa type -1
    debug1: identity file /home/user/.ssh/id_dsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa type -1
    debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/user/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/user/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519 type -1
    debug1: identity file /home/user/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/user/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/user/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/user/.ssh/id_xmss type -1
    debug1: identity file /home/user/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
    kex_exchange_identification: read: Connection timed out
    banner exchange: Connection to xxx.xxx.xxx.xxx port 22: Connection timed out

    When I ping the server from external locations, I get 100% packet loss; whereas when I ping the server from my local wireless network, there is 0% packet loss. (I do have nftables set to drop connections from numerous IP addresses that have attempted hacks in the past; however, the problem persists after flushing nftables, and at any rate, using check-host.net and www.site24x7.com to ping my server from various worldwide locations also results in 100% packet loss.) Port 22 is open. The package ufw is not installed on my server.

    The apache2 Web server running on my home server is correctly hosting my Web pages: from external locations, my Web page gmarks.org will open in a Web browser (even though "ping -c 10 gmarks.org" shows 100% packet loss). Running "traceroute xxx.xxx.xxx.xxx" from external locations reported four successful steps, not reaching my server IP, followed by a series of "* * *" lines.

    Running "sudo service sshd status" on my server shows ssh.service is active and running. Running "ip address show" on my server shows nothing unusual. I've restarted my router, and I've restarted my server; neither helped.

    The problem began a couple weeks ago; previously (and for many years) I had been able to ssh to my server without issue. The first time it failed, I was using free wireless at an airport; I was able to ssh to my server from the hotel that morning, and maybe, the first time I tried, from the airport, but then subsequent ssh attempts from the airport failed to connect. I mention this only because nothing had changed in my server's configuration when this problem began.

    This is a real problem for me, as a lot of my work involves sending files via scp between work and home. Any suggestions about how to troubleshoot and hopefully fix the problem will be greatly appreciated.

    Best regards,
    Greg Marks


    Ping:

    2024-06-12 16:19:25 dpchrist@laalaa ~
    $ ping -c 1 -v gmarks.org
    PING gmarks.org (76.235.90.201) 56(84) bytes of data.

    --- gmarks.org ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms


    HTTPS works:

    https://gmarks.org/

    Greg Marks
    Office: 313 Ritter Hall
    Phone: (314)977-7206
    E-mail address: local-part consists of surname, domain name identical
    to that of the present Web page
    PGP encryption public key ID: 0x53F269E8

    Postal Address:
    Department of Mathematics and Statistics
    St. Louis University
    221 N. Grand Blvd.
    St. Louis, MO 63103-2006
    U.S.A.

    Resources for students

    Resources for mathematicians

    Research papers


    It appears that someone who controls one or more of the routers between
    the Internet and your router has blocked ICMP echo requests, ICMP echo
    replies, and TCP port 22 (SSH).


    I suggest that you submit a support request with your university
    information technology people.


    David
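
    The trace Greg posted is worth reading closely. "debug1: Connection established." means the TCP three-way handshake to port 22 completed, and what failed afterwards was reading sshd's identification string ("kex_exchange_identification: read: Connection timed out"). A port whose SYNs are dropped on the path fails earlier and differently: ssh reports "connect to host ... port 22: Connection timed out" and never prints "Connection established". The script below is an added example, not code from this thread, that makes that distinction explicit for several ports at once, so that 22 can be compared with 80 and 443, which are known to work. The host name gmarks.org and the port list are the only things taken from the thread; the loopback listeners at the bottom are constructed fixtures so the classifier can be exercised without network access.

```python
"""Classify what happens on a TCP port after the handshake.

Added diagnostic for the thread above; it is not code from the original
post.  Host and ports are assumptions (gmarks.org is the host named in the
thread; 22, 80 and 443 are the ports being compared).
"""
import socket
import threading


def probe(host, port, timeout=5.0, expect=None):
    """Connect to host:port and report one of:

    connect-timeout   no SYN/ACK within `timeout` (SYN dropped on the path)
    refused           RST received: host reachable, nothing listening
    unreachable:...   other socket error (no route, DNS failure, ...)
    connected         handshake done; `expect` is None so we do not wait
                      for a server banner (HTTP/TLS clients speak first)
    no-banner         handshake done, but nothing arrived within `timeout`
                      (Greg's symptom: "Connection established" followed by
                      "kex_exchange_identification: ... timed out")
    closed-by-peer    handshake done, then the server closed without data
    banner:<line>     first line the server sent, starting with `expect`
    unexpected:<line> the server spoke first, but not the expected protocol
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "connect-timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"unreachable:{exc.strerror or exc}"
    with sock:
        if expect is None:
            return "connected"
        try:
            data = sock.recv(256)       # timeout from create_connection still applies
        except socket.timeout:
            return "no-banner"
        if not data:
            return "closed-by-peer"
        line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
        return ("banner:" if data.startswith(expect) else "unexpected:") + line


def probe_all(host, ports=(22, 80, 443), timeout=5.0):
    """Probe each port; only sshd is expected to send a banner first."""
    return {p: probe(host, p, timeout, expect=b"SSH-" if p == 22 else None)
            for p in ports}


# --- constructed loopback fixtures, so the classifier can be exercised offline ---

def local_listener(banner, hold=10.0):
    """Start a one-shot loopback server that sends `banner` (or nothing when
    None) and then waits for the client to hang up.  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(hold)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            srv.close()
            return
        with conn, srv:
            conn.settimeout(hold)
            if banner is not None:
                conn.sendall(banner)
            try:
                conn.recv(1)            # returns b"" once the client closes
            except socket.timeout:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Return a loopback port nothing listens on (connects are refused)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gmarks.org"
    for p, verdict in probe_all(target).items():
        print(f"{target}:{p}\t{verdict}")
```

    Run it once from the LAN and once from outside (saved as, say, probe.py: "python3 probe.py gmarks.org"). If the external run reports "no-banner" on 22 while 443 reports "connected", the path is completing the TCP handshake and then eating the SSH stream, which is a different problem from SYNs being dropped ("connect-timeout"); tcptraceroute, as suggested later in the thread, then tells you at which hop the two ports part ways.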

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tim Woodall@21:1/5 to Greg Marks on Thu Jun 13 02:30:01 2024
    On Wed, 12 Jun 2024, Greg Marks wrote:

    I'm running a Debian server from my home with a static IP address, with ssh configured to use key-based authentication rather than password-based. As of a couple weeks ago, I have been unable to ssh to my server from external locations. When I ssh from a laptop connected to the wireless network on the same router as my home server, I do successfully connect to the server. But when I ssh from an external location, I get this error:


    The problem began a couple weeks ago; previously (and for many years) I had been able to ssh to my server without issue. The first time it failed, I was using free wireless at an airport; I was able to ssh to my server from the hotel that morning, and maybe, the first time I tried, from the airport, but then subsequent ssh attempts from the airport failed to connect. I mention this only because nothing had changed in my server's configuration when this problem began.

    This is a real problem for me, as a lot of my work involves sending files via scp between work and home. Any suggestions about how to troubleshoot and hopefully fix the problem will be greatly appreciated.


    Run tcptraceroute to ports 22 and 80 to see where it's being blocked.

    (or 443)

    Depending on where it's blocked and why, possibly run sshd on a
    different port. (or fix the firewall if it's controlled by you)

    You can also run openvpn on 443 without breaking the webserver, which is another workaround.

  • From Monte Milanuk@21:1/5 to Darac Marjal on Fri Jun 14 04:10:01 2024
    On 6/13/2024 10:26, Darac Marjal wrote:

    On 12/06/2024 23:54, Greg Marks wrote:
    The problem began a couple weeks ago; previously (and for many years)
    I had been able to ssh to my server without issue.  The first time it
    failed, I was using free wireless at an airport; I was able to ssh to my
    server from the hotel that morning, and maybe, the first time I tried,
    from the airport, but then subsequent ssh attempts from the airport
    failed to connect.  I mention this only because nothing had changed in
    my server's configuration when this problem began.

    This is a real problem for me, as a lot of my work involves sending
    files via scp between work and home.  Any suggestions about how to
    troubleshoot and hopefully fix the problem will be greatly appreciated.

    Have you contacted your ISP? It's possible they're blocking SSH access
    on (questionable) security grounds.

    As a workaround, you could look at
    https://packages.debian.org/bookworm/sslh, which allows you to
    "multiplex" HTTPS, SSH and various other protocols all on the same
    port (the idea being that you can do "ssh -p 443 gmarks.org" as well
    as browsing to https://gmarks.org:443).


    It might be worth trying something like Tailscale... with a free personal account, you can set it up on your home server, and if your work allows, on there as well.  It'll establish essentially a private vpn between the devices, without having to mess with any kind of port forwarding on your router, and bypassing any shenanigans on the part of your ISP.  Tailscale also has some 'fancier' SSH options, if you need them, but just establishing a 'direct' connection between the hosts without any other crap in between helps simplify things a lot.
