* [gentoo-user] Bizarre SSH connection reset
@ 2008-03-09 14:03 Collin Starkweather
2008-03-09 15:12 ` Mick
2008-04-04 2:43 ` [gentoo-user] " Hendrik Boom
0 siblings, 2 replies; 20+ messages in thread
From: Collin Starkweather @ 2008-03-09 14:03 UTC (permalink / raw
To: Gentoo User List
To preface the question, I should mention that I'm currently residing
in China, so communication with the networking guys on this end is a
bit difficult because the communication algorithm typically begins,
"Step 1: Learn Chinese."
I am having difficulties with getting bumped out of an SSH connection
from a server in the U.S. with "Connection reset by peer" maybe 5-10
seconds after logging in.
It *only* occurs in my apartment; i.e., when I go to a local wifi
hotspot, I have no difficulties whatsoever. So I don't think it's
coming from my end, and I don't think it's coming from the server I'm
logging in to.
Some details:
1) To ensure that I'm not having problems with keepalives, I
configured SSHD on the other end very liberally (with some
impressively fast typing, if I do say so myself). In sshd_config, I
have
    TCPKeepAlive no
    ClientAliveInterval 15
    ClientAliveCountMax 12
2) I then set ethereal running. Just as I got bumped, it indicated
    Source        Destination  Protocol  Info
    (the server)  (my laptop)  TCP       22 > 1259 [RST, ACK] Seq=5357 Ack=4037 Win=63856 Len=0
I'm not a networking guy, but I think that means a reset packet is
being sent, ostensibly from the server.
3) When I get bumped, ssh -vvv gives the following
    debug1: channel 0: free: client-session, nchannels 1
    debug3: channel 0: status: The following connections are open:
      #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)
    debug3: channel 0: close_fds r 4 w 5 e 6 c -1
    Read from remote host www.bogusdomain.com: Connection reset by peer
    Connection to www.bogusdomain.com closed.
    debug1: Transferred: stdin 0, stdout 0, stderr 126 bytes in 17.1 seconds
    debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 7.4
    debug1: Exit status -1
If the reset is not coming from the server or the client (I don't have
any problems when I'm at a hotspot), where could it be coming from?
Thanks in advance,
-Collin
--
Collin Starkweather, Ph.D.
http://www.linkedin.com/in/collinstarkweather
--
gentoo-user@lists.gentoo.org mailing list
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-09 14:03 [gentoo-user] Bizarre SSH connection reset Collin Starkweather
@ 2008-03-09 15:12 ` Mick
2008-03-09 15:32 ` Collin Starkweather
2008-04-04 2:43 ` [gentoo-user] " Hendrik Boom
1 sibling, 1 reply; 20+ messages in thread
From: Mick @ 2008-03-09 15:12 UTC (permalink / raw
To: gentoo-user
On Sunday 09 March 2008, Collin Starkweather wrote:
> To preface the question, I should mention that I'm currently residing
> in China, so communication with the networking guys on this end is a
> bit difficult because the communication algorithm typically begins,
> "Step 1: Learn Chinese."
I would argue that your Chinese domain is blacklisted due to exhaustive number
of owned MSWindows boxen and botnets that ping the rest of us without
respite, from China. I really wish their step 1 was "learn how to protect
your PC, even if it runs an illegitimate Mickey Mouse OS". </sarcasm>
> I am having difficulties with getting bumped out of an SSH connection
> from a server in the U.S. with "Connection reset by peer" maybe 5-10
> seconds after logging in.
>
> It *only* occurs in my apartment; i.e., when I go to a local wifi
> hotspot, I have no difficulties whatsoever. So I don't think it's
> coming from my end, and I don't think it's coming from the server I'm
> logging in to.
>
> Some details:
>
> 1) To ensure that I'm not having problems with keepalives, I
> configured SSHD on the other end very liberally (with some
> impressively fast typing, if I do say so myself). In sshd_config, I
> have
>
> TCPKeepAlive no
> ClientAliveInterval 15
> ClientAliveCountMax 12
Why don't you leave keepalive On? I would switch that flag to yes and perhaps
increase the Interval to 60 seconds or more?
> 2) I then set ethereal running. Just as I got bumped, it indicated
>
> Source Destination Protocol Info
> (the server) (my laptop) TCP 22 > 1259 [RST, ACK] Seq=5357
> Ack=4037 Win=63856 Len=0
The packet flag [RST, ACK] indicates that the port is closed.
> I'm not a networking guy, but I think that means a reset packet is
> being sent, ostensibly from the server.
Yep, to indicate that the port has closed.
> 3) When I get bumped, ssh -vvv gives the following
>
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
> #0 client-session (t4 r0 i0/0 o0/0 fd 4/5 cfd -1)
> debug3: channel 0: close_fds r 4 w 5 e 6 c -1
> Read from remote host www.bogusdomain.com: Connection reset by peer
> Connection to www.bogusdomain.com closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 126 bytes in 17.1 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 7.4
> debug1: Exit status -1
The server closes the connection.
> If the reset is not coming from the server or the client (I don't have
> any problems when I'm at a hotspot), where could it be coming from?
Are you using the same NIC on the laptop? If yes, then the issue could be
related to your router configuration, but my money is on your keepalive
settings. See if my suggestions above help.
--
Regards,
Mick
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-09 15:12 ` Mick
@ 2008-03-09 15:32 ` Collin Starkweather
2008-03-09 16:03 ` Andrey Falko
0 siblings, 1 reply; 20+ messages in thread
From: Collin Starkweather @ 2008-03-09 15:32 UTC (permalink / raw
To: gentoo-user
Quoting Mick <michaelkintzios@gmail.com>:
> I would argue that your Chinese domain is blacklisted due to
> exhaustive number
> of owned MSWindows boxen and botnets that ping the rest of us without
> respite, from China. I really wish their step 1 was "learn how to protect
> your PC, even if it runs an illegitimate Mickey Mouse OS". </sarcasm>
You're not whistlin' Dixie ... every USB stick I've ever been handed
in China has a virus on it.
> Are you using the same NIC on the laptop? If yes, then the issue could be
> related to your router configuration, but my money is on your keepalive
> settings. See if my suggestions above help.
Thanks. I'll give it a shot.
-Collin
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-09 15:32 ` Collin Starkweather
@ 2008-03-09 16:03 ` Andrey Falko
2008-03-10 0:16 ` Mark Shields
0 siblings, 1 reply; 20+ messages in thread
From: Andrey Falko @ 2008-03-09 16:03 UTC (permalink / raw
To: gentoo-user
> > Are you using the same NIC on the laptop? If yes, then the issue could be
> > related to your router configuration, but my money is on your keepalive
> > settings. See if my suggestions above help.
>
> Thanks. I'll give it a shot.
>
> -Collin
Something to try if the above does not work----a long shot if it
works, but you can try setting the server to listen on another port,
like 2222.
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-09 16:03 ` Andrey Falko
@ 2008-03-10 0:16 ` Mark Shields
2008-03-10 3:43 ` Dan Farrell
0 siblings, 1 reply; 20+ messages in thread
From: Mark Shields @ 2008-03-10 0:16 UTC (permalink / raw
To: gentoo-user
On Sun, Mar 9, 2008 at 12:03 PM, Andrey Falko <ma3oxuct@gmail.com> wrote:
> > > Are you using the same NIC on the laptop? If yes, then the issue could be
> > > related to your router configuration, but my money is on your keepalive
> > > settings. See if my suggestions above help.
> >
> > Thanks. I'll give it a shot.
> >
> > -Collin
>
> Something to try if the above does not work----a long shot if it
> works, but you can try setting the server to listen on another port,
> like 2222.
Are you thinking his ISP is doing port-based connection filtering?
--
- Mark Shields
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 0:16 ` Mark Shields
@ 2008-03-10 3:43 ` Dan Farrell
2008-03-10 4:42 ` Collin Starkweather
2008-03-10 19:43 ` Mike Edenfield
0 siblings, 2 replies; 20+ messages in thread
From: Dan Farrell @ 2008-03-10 3:43 UTC (permalink / raw
To: gentoo-user
On Sun, 9 Mar 2008 20:16:09 -0400
"Mark Shields" <laebshade@gmail.com> wrote:
> Are you thinking his ISP is doing port-based connection filtering?
What kind of connection filtering allows a connection to go through for
5 seconds, then resets it?
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 3:43 ` Dan Farrell
@ 2008-03-10 4:42 ` Collin Starkweather
2008-03-10 19:43 ` Mike Edenfield
1 sibling, 0 replies; 20+ messages in thread
From: Collin Starkweather @ 2008-03-10 4:42 UTC (permalink / raw
To: gentoo-user
Quoting Dan Farrell <dan@spore.ath.cx>:
> On Sun, 9 Mar 2008 20:16:09 -0400
> "Mark Shields" <laebshade@gmail.com> wrote:
>
>> Are you thinking his ISP is doing port-based connection filtering?
>
> What kind of connection filtering allows a connection to go through for
> 5 seconds, then resets it?
I've been wondering the same thing. Typically, one wouldn't even
expect to get through in the first place if there were filtering.
The Great Firewall of China works by immediately sending hangup
packets to both sides, spoofing they're coming from the appropriate
party. But typically that happens the instant you try to establish a
connection. Moreover, because I can get in from the local hotspot, I
wouldn't imagine it's a Great Firewall issue.
Some ISPs and the university campus (I believe I'm going through the
local university's ISP) do their own filtering, but I can't imagine
why a "5-second rule" would be implemented.
-Collin
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 3:43 ` Dan Farrell
2008-03-10 4:42 ` Collin Starkweather
@ 2008-03-10 19:43 ` Mike Edenfield
2008-03-10 20:06 ` Dan Farrell
1 sibling, 1 reply; 20+ messages in thread
From: Mike Edenfield @ 2008-03-10 19:43 UTC (permalink / raw
To: gentoo-user
Dan Farrell wrote:
> On Sun, 9 Mar 2008 20:16:09 -0400
> "Mark Shields" <laebshade@gmail.com> wrote:
>
>
>> Are you thinking his ISP is doing port-based connection filtering?
>>
>
> What kind of connection filtering allows a connection to go through for
> 5 seconds, then resets it?
>
Comcast?
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 19:43 ` Mike Edenfield
@ 2008-03-10 20:06 ` Dan Farrell
2008-03-10 22:51 ` Mick
0 siblings, 1 reply; 20+ messages in thread
From: Dan Farrell @ 2008-03-10 20:06 UTC (permalink / raw
To: gentoo-user
On Mon, 10 Mar 2008 15:43:55 -0400
Mike Edenfield <kutulu@kutulu.org> wrote:
> Comcast?
I was on comcast for a long time (2.5 yrs) and never had a problem like
this. They might have blocked port 25 and squelched my bittorrenting
at times, but never anything like this. Of course, ymmv.
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 20:06 ` Dan Farrell
@ 2008-03-10 22:51 ` Mick
2008-03-10 23:04 ` Brian Marshall
` (2 more replies)
0 siblings, 3 replies; 20+ messages in thread
From: Mick @ 2008-03-10 22:51 UTC (permalink / raw
To: gentoo-user
On Monday 10 March 2008, Dan Farrell wrote:
> On Mon, 10 Mar 2008 15:43:55 -0400
>
> Mike Edenfield <kutulu@kutulu.org> wrote:
> > Comcast?
>
> I was on comcast for a long time (2.5 yrs) and never had a problem like
> this. They might have blocked port 25 and squelched my bittorrenting
> at times, but never anything like this. Of course, ymmv.
IIRC they also block port 80 for sure on their retail accounts. They don't
want the average punter to run a webserver at home.
--
Regards,
Mick
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 22:51 ` Mick
@ 2008-03-10 23:04 ` Brian Marshall
2008-03-11 0:24 ` Dan Farrell
2008-03-13 16:15 ` Chris Brennan
2 siblings, 0 replies; 20+ messages in thread
From: Brian Marshall @ 2008-03-10 23:04 UTC (permalink / raw
To: gentoo-user
On Mon, 10 Mar 2008 22:51:42 +0000
Mick <michaelkintzios@gmail.com> wrote:
> On Monday 10 March 2008, Dan Farrell wrote:
> > On Mon, 10 Mar 2008 15:43:55 -0400
> >
> > Mike Edenfield <kutulu@kutulu.org> wrote:
> > > Comcast?
> >
> > I was on comcast for a long time (2.5 yrs) and never had a problem
> > like this. They might have blocked port 25 and squelched my
> > bittorrenting at times, but never anything like this. Of course,
> > ymmv.
>
> IIRC they also block port 80 for sure on their retail accounts. They
> don't want the average punter to run a webserver at home.
httpd has been on port 80 behind Comcast since forever with no problems.
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 22:51 ` Mick
2008-03-10 23:04 ` Brian Marshall
@ 2008-03-11 0:24 ` Dan Farrell
2008-03-11 6:49 ` Mick
2008-03-13 16:15 ` Chris Brennan
2 siblings, 1 reply; 20+ messages in thread
From: Dan Farrell @ 2008-03-11 0:24 UTC (permalink / raw
To: gentoo-user
On Mon, 10 Mar 2008 22:51:42 +0000
Mick <michaelkintzios@gmail.com> wrote:
> On Monday 10 March 2008, Dan Farrell wrote:
> > On Mon, 10 Mar 2008 15:43:55 -0400
> >
> > Mike Edenfield <kutulu@kutulu.org> wrote:
> > > Comcast?
> >
> > I was on comcast for a long time (2.5 yrs) and never had a problem
> > like this. They might have blocked port 25 and squelched my
> > bittorrenting at times, but never anything like this. Of course,
> > ymmv.
>
> IIRC they also block port 80 for sure on their retail accounts. They
> don't want the average punter to run a webserver at home.
Even when they blocked port 25 for me bidirectionally (evidently
sending 6 gigs through that port made me look like a spammer, even if
it was all to the same address ;) ), and I called security assurance
and they listed that among all the open ports I wasn't allowed on a
residential account, even then, they still didn't block port 80 (or 26,
22, 21, 110, 993, or any other port!).
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-11 0:24 ` Dan Farrell
@ 2008-03-11 6:49 ` Mick
2008-03-11 6:58 ` fire-eyes
2008-03-11 14:30 ` Mike Edenfield
0 siblings, 2 replies; 20+ messages in thread
From: Mick @ 2008-03-11 6:49 UTC (permalink / raw
To: gentoo-user
On Tuesday 11 March 2008, Dan Farrell wrote:
> On Mon, 10 Mar 2008 22:51:42 +0000
>
> Mick <michaelkintzios@gmail.com> wrote:
> > On Monday 10 March 2008, Dan Farrell wrote:
> > > On Mon, 10 Mar 2008 15:43:55 -0400
> > >
> > > Mike Edenfield <kutulu@kutulu.org> wrote:
> > > > Comcast?
> > >
> > > I was on comcast for a long time (2.5 yrs) and never had a problem
> > > like this. They might have blocked port 25 and squelched my
> > > bittorrenting at times, but never anything like this. Of course,
> > > ymmv.
> >
> > IIRC they also block port 80 for sure on their retail accounts. They
> > don't want the average punter to run a webserver at home.
>
> Even when they blocked port 25 for me bidirectionally (evidently
> sending 6 gigs through that port made me look like a spammer, even if
> it was all to the same address ;) ), and I called security assurance
> and they listed that among all the open ports I wasn't allowed on a
> residential account, even then, they still didn't block port 80 (or 26,
> 22, 21, 110, 993, or any other port!).
Hmm, I don't know . . . The particular address I was trying to connect was
definitely blocked. Other than not being able to connect with a browser,
nc, httping and tcptraceroute confirmed it). Could it be an area/account
specific block perhaps? When I questioned the owner he said that this was
common practice and that his ISP does not allow webservers to run.
--
Regards,
Mick
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-11 6:49 ` Mick
@ 2008-03-11 6:58 ` fire-eyes
2008-03-11 14:30 ` Mike Edenfield
1 sibling, 0 replies; 20+ messages in thread
From: fire-eyes @ 2008-03-11 6:58 UTC (permalink / raw
To: gentoo-user
> Hmm, I don't know . . . The particular address I was trying to connect was
> definitely blocked. Other than not being able to connect with a browser,
> nc, httping and tcptraceroute confirmed it). Could it be an area/account
> specific block perhaps? When I questioned the owner he said that this was
> common practice and that his ISP does not allow webservers to run.
Get me a full packet capture of the entire ssh session, and I'll have a
look at it.
Install tcpdump if you don't have it: emerge tcpdump
If you already have it or it's now installed, as root, just before you
start the session:
    tcpdump -i dev -s 0 -w ssh-session-1.pcap host IP and port PORT
where host is the IP you are connecting to, PORT is the port you're
connecting to, and dev is the network interface it's going through (such
as eth0).
Log in, do your thing, and after the ssh session craps, Ctrl-C the
tcpdump. Send the file directly to me, sgtphou@fire-eyes.org. The
information I'll be able to see is the client and server IP, port, ssh
client version, and user name, fyi.
I'll reply directly to you and if you agree, we'll post the findings to
the list.
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-11 6:49 ` Mick
2008-03-11 6:58 ` fire-eyes
@ 2008-03-11 14:30 ` Mike Edenfield
2008-03-11 16:43 ` Mark Shields
1 sibling, 1 reply; 20+ messages in thread
From: Mike Edenfield @ 2008-03-11 14:30 UTC (permalink / raw
To: gentoo-user
Mick wrote:
> On Tuesday 11 March 2008, Dan Farrell wrote:
>> On Mon, 10 Mar 2008 22:51:42 +0000
>>
>> Mick <michaelkintzios@gmail.com> wrote:
>>> On Monday 10 March 2008, Dan Farrell wrote:
>>>> On Mon, 10 Mar 2008 15:43:55 -0400
>>>>
>>>> Mike Edenfield <kutulu@kutulu.org> wrote:
>>>>> Comcast?
>>>> I was on comcast for a long time (2.5 yrs) and never had a problem
>>>> like this. They might have blocked port 25 and squelched my
>>>> bittorrenting at times, but never anything like this. Of course,
>>>> ymmv.
>>> IIRC they also block port 80 for sure on their retail accounts. They
>>> don't want the average punter to run a webserver at home.
>> Even when they blocked port 25 for me bidirectionally (evidently
>> sending 6 gigs through that port made me look like a spammer, even if
>> it was all to the same address ;) ), and I called security assurance
>> and they listed that among all the open ports I wasn't allowed on a
>> residential account, even then, they still didn't block port 80 (or 26,
>> 22, 21, 110, 993, or any other port!).
>
> Hmm, I don't know . . . The particular address I was trying to connect was
> definitely blocked. Other than not being able to connect with a browser,
> nc, httping and tcptraceroute confirmed it). Could it be an area/account
> specific block perhaps? When I questioned the owner he said that this was
> common practice and that his ISP does not allow webservers to run.
When I was on Comcast, the only ports they blocked outright,
that I found, were mail related. Presumably this was a spam
prevention measure more than anything else.
However, they did *monitor* other common ports for traffic.
Occasionally I'd put some local service or another on my
firewall during development, or for testing, or whatnot. If
it happened to be on port 80, 443, or 21, I'd usually get a
nasty-gram from them within a day reminding me of their AUP.
--Mike
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-11 14:30 ` Mike Edenfield
@ 2008-03-11 16:43 ` Mark Shields
2008-03-12 7:03 ` fire-eyes
0 siblings, 1 reply; 20+ messages in thread
From: Mark Shields @ 2008-03-11 16:43 UTC (permalink / raw
To: gentoo-user
On Tue, Mar 11, 2008 at 10:30 AM, Mike Edenfield <kutulu@kutulu.org> wrote:
> Mick wrote:
> > On Tuesday 11 March 2008, Dan Farrell wrote:
> >> On Mon, 10 Mar 2008 22:51:42 +0000
> >>
> >> Mick <michaelkintzios@gmail.com> wrote:
> >>> On Monday 10 March 2008, Dan Farrell wrote:
> >>>> On Mon, 10 Mar 2008 15:43:55 -0400
> >>>>
> >>>> Mike Edenfield <kutulu@kutulu.org> wrote:
> >>>>> Comcast?
> >>>> I was on comcast for a long time (2.5 yrs) and never had a problem
> >>>> like this. They might have blocked port 25 and squelched my
> >>>> bittorrenting at times, but never anything like this. Of course,
> >>>> ymmv.
> >>> IIRC they also block port 80 for sure on their retail accounts. They
> >>> don't want the average punter to run a webserver at home.
> >> Even when they blocked port 25 for me bidirectionally (evidently
> >> sending 6 gigs through that port made me look like a spammer, even if
> >> it was all to the same address ;) ), and I called security assurance
> >> and they listed that among all the open ports I wasn't allowed on a
> >> residential account, even then, they still didn't block port 80 (or 26,
> >> 22, 21, 110, 993, or any other port!).
> >
> > Hmm, I don't know . . . The particular address I was trying to connect was
> > definitely blocked. Other than not being able to connect with a browser,
> > nc, httping and tcptraceroute confirmed it). Could it be an area/account
> > specific block perhaps? When I questioned the owner he said that this was
> > common practice and that his ISP does not allow webservers to run.
>
> When I was on Comcast, the only ports they blocked outright,
> that I found, were mail related. Presumably this was a spam
> prevention measure more than anything else.
>
> However, they did *monitor* other common ports for traffic.
> Occasionally I'd put some local service or another on my
> firewall during development, or for testing, or whatnot. If
> it happened to be on port 80, 443, or 21, I'd usually get a
> nasty-gram from them within a day reminding me of their AUP.
>
> --Mike
>
Who knows their Sandvine equipment is horrendous. But let's not get off
topic.
Collin: it may not be a "5-second rule". It may just be cutting it off
after a certain amount of traffic has passed based on the protocol/port
used. But I'm just speculating. Let's hear what fire-eyes has to say.
--
- Mark Shields
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-11 16:43 ` Mark Shields
@ 2008-03-12 7:03 ` fire-eyes
0 siblings, 0 replies; 20+ messages in thread
From: fire-eyes @ 2008-03-12 7:03 UTC (permalink / raw
To: gentoo-user
> Collin: it may not be a "5-second rule". It may just be cutting it off
> after a certain amount of traffic has passed based on the protocol/port
> used. But I'm just speculating. Let's hear what fire-eyes has to say.
>
> --
> - Mark Shields
I don't have the pcap file yet ;) Not much I can do.
* Re: [gentoo-user] Bizarre SSH connection reset
@ 2008-03-13 8:20 Collin Starkweather
0 siblings, 0 replies; 20+ messages in thread
From: Collin Starkweather @ 2008-03-13 8:20 UTC (permalink / raw
To: gentoo-user
fire-eyes wrote:
>
> I don't have the pcap file yet ;) Not much I can do.
Pardon the delay in reply. I've been getting behind on my reading.
The capture has been forwarded.
Cheers,
-Collin
* Re: [gentoo-user] Bizarre SSH connection reset
2008-03-10 22:51 ` Mick
2008-03-10 23:04 ` Brian Marshall
2008-03-11 0:24 ` Dan Farrell
@ 2008-03-13 16:15 ` Chris Brennan
2 siblings, 0 replies; 20+ messages in thread
From: Chris Brennan @ 2008-03-13 16:15 UTC (permalink / raw
To: gentoo-user
Mick wrote:
| On Monday 10 March 2008, Dan Farrell wrote:
|> On Mon, 10 Mar 2008 15:43:55 -0400
|>
|> Mike Edenfield <kutulu@kutulu.org> wrote:
|>> Comcast?
|> I was on comcast for a long time (2.5 yrs) and never had a problem like
|> this. They might have blocked port 25 and squelched my bittorrenting
|> at times, but never anything like this. Of course, ymmv.
|
| IIRC they also block port 80 for sure on their retail accounts. They don't
| want the average punter to run a webserver at home.
This isn't exactly true, I'm a comcast subscriber and I successfully run
ssh/httpd and I bittorrent legal stuff on occasion and I've never been
squelched by the Upstream servers.
If anyone desires proof, contact me off-list and I shall provide this
aspect.
* [gentoo-user] Re: Bizarre SSH connection reset
2008-03-09 14:03 [gentoo-user] Bizarre SSH connection reset Collin Starkweather
2008-03-09 15:12 ` Mick
@ 2008-04-04 2:43 ` Hendrik Boom
1 sibling, 0 replies; 20+ messages in thread
From: Hendrik Boom @ 2008-04-04 2:43 UTC (permalink / raw
To: gentoo-user
On Sun, 09 Mar 2008 08:03:51 -0600, Collin Starkweather wrote:
> To preface the question, I should mention that I'm currently residing in
> China, so communication with the networking guys on this end is a bit
> difficult because the communication algorithm typically begins, "Step 1:
> Learn Chinese."
>
> I am having difficulties with getting bumped out of an SSH connection
> from a server in the U.S. with "Connection reset by peer" maybe 5-10
> seconds after logging in.
...
...
>
> If the reset is not coming from the server or the client (I don't have
> any problems when I'm at a hotspot), where could it be coming from?
It might be coming from China's own internet gateways. If you access
content they reject, I'm told the international gateway simulates a
disconnect, so it looks to both parties the other just disconnected.
- hendrik
--
gentoo-user@lists.gentoo.org mailing list
^ permalink raw reply [flat|nested] 20+ messages in thread
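Added example (not part of any message in this thread): one way to test the forged-reset theory raised above is to compare the IP TTL of the RST with the TTL of earlier packets from the same address, since a reset sent by a device in the path usually arrives with a different hop count. The pcap bytes, the addresses 192.0.2.10 and 198.51.100.20, and the TTL and IP ID values are constructed; ports 22 and 1259 and Seq=5357 echo the capture line quoted in the first message.

```python
import struct
from collections import Counter

RST = 0x04  # TCP RST flag bit


def _frame(src, dst, sport, dport, flags, ttl, ip_id, seq):
    """Build one Ethernet/IPv4/TCP frame (constructed data, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      63856, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl,
                     6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample_pcap(rst_ttl=112):
    """Constructed capture: a short SSH session that ends in an RST."""
    client, server = "192.0.2.10", "198.51.100.20"
    pkts = [
        (0, client, server, 1259, 22, 0x02, 64, 100, 4036),      # SYN
        (0, server, client, 22, 1259, 0x12, 49, 7001, 5000),     # SYN, ACK
        (1, server, client, 22, 1259, 0x18, 49, 7002, 5001),     # PSH, ACK
        (5, server, client, 22, 1259, 0x18, 49, 7003, 5231),     # PSH, ACK
        (17, server, client, 22, 1259, 0x14, rst_ttl, 0, 5357),  # RST, ACK
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, *fields in pkts:
        frame = _frame(*fields)
        out += struct.pack("<IIII", sec, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return the IPv4/TCP packets of a classic (non-pcapng) Ethernet pcap."""
    if len(data) < 24:
        raise ValueError("too short for a pcap file")
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue  # not TCP, or TCP header truncated
        sport, dport, seq = struct.unpack_from("!HHI", frame, 14 + ihl)
        packets.append({
            "ts": sec + usec / 1e6,
            "src": ".".join(map(str, frame[26:30])),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": frame[14 + ihl + 13],
            "ttl": frame[22],
            "ip_id": struct.unpack_from("!H", frame, 18)[0],
        })
    return packets


def suspicious_resets(packets, tolerance=1):
    """Flag RSTs whose TTL departs from the sender's usual TTL so far."""
    seen, findings = {}, []
    for p in packets:
        history = seen.setdefault(p["src"], Counter())
        if p["flags"] & RST:
            if history:
                usual = history.most_common(1)[0][0]
                if abs(p["ttl"] - usual) > tolerance:
                    findings.append((p["ts"], p["src"], p["ttl"], usual))
        else:
            history[p["ttl"]] += 1
    return findings


if __name__ == "__main__":
    for ts, src, ttl, usual in suspicious_resets(parse_pcap(build_sample_pcap())):
        print(f"{ts:.1f}s RST from {src}: TTL {ttl}, earlier packets had {usual}")
```

A matching TTL does not prove the server sent the reset, and a route change can shift the TTL on a genuine one; a capture taken on the server at the same time shows whether it ever emitted the RST.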