Message-ID: <47D62DAB.2070007@fire-eyes.org>
Date: Mon, 10 Mar 2008 23:58:51 -0700
From: fire-eyes
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Bizarre SSH connection reset
In-Reply-To: <200803110649.24883.michaelkintzios@gmail.com>

> Hmm, I don't know . . . The particular address I was trying to connect was
> definitely blocked. Other than not being able to connect with a browser,
> nc, httping and tcptraceroute confirmed it). Could it be an area/account
> specific block perhaps? When I questioned the owner he said that this was
> common practice and that his ISP does not allow webservers to run.

Get me a full packet capture of the entire ssh session, and I'll have a look at it.

Install tcpdump if you don't have it:

    emerge tcpdump

If you already have it or it's now installed, as root, just before you start the session:

    tcpdump -i dev -s 0 host IP and port PORT -w ssh-session-1.pcap

where host is the IP you are connecting to, PORT is the port you're connecting to, and dev is the network interface it's going through (such as eth0).

Log in, do your thing, and after the ssh session craps, Ctrl-C the tcpdump.

Send the file directly to me, sgtphou@fire-eyes.org. The information I'll be able to see is the client and server IP, port, ssh client version, and user name, fyi.

I'll reply directly to you and if you agree, we'll post the findings to the list.

--
gentoo-user@lists.gentoo.org mailing list
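
Added example, not part of the original message or anyone's actual tooling: a minimal Python reader for a capture like ssh-session-1.pcap that lists the cleartext fields mentioned above (endpoint IPs, ports, SSH version string) and which side each TCP RST arrived from. The function names, the sample addresses and the embedded two-packet capture are constructed for illustration; only classic pcap files with Ethernet/IPv4 framing are handled.

```python
import struct

def build_sample_pcap():
    """Constructed capture: client SSH banner, then a RST sent from the server side."""
    def frame(src, dst, sport, dport, flags, payload=b""):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(src), bytes(dst))
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # checksums left at 0
    client, server = (192, 0, 2, 10), (198, 51, 100, 20)  # documentation addresses
    frames = [frame(client, server, 40000, 22, 0x18, b"SSH-2.0-OpenSSH_4.7\r\n"),
              frame(server, client, 22, 40000, 0x04)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1: Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def summarize(pcap):
    """Return the endpoints, SSH version banners and RST senders seen in a pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    seen = {"endpoints": set(), "banners": [], "resets": []}
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (pkt[14] & 0x0F) * 4
        total = struct.unpack("!H", pkt[16:18])[0]
        tcp = pkt[14 + ihl:14 + total]  # trims Ethernet padding
        if len(tcp) < 20:
            continue  # truncated by a short snaplen
        src, dst = (".".join(map(str, pkt[a:a + 4])) for a in (26, 30))
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        seen["endpoints"].update({(src, sport), (dst, dport)})
        if payload.startswith(b"SSH-"):  # identification string is sent in cleartext
            banner = payload.split(b"\n")[0].strip().decode("ascii", "replace")
            seen["banners"].append((src, banner))
        if tcp[13] & 0x04:  # RST flag
            seen["resets"].append((src, sport))
    return seen

if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

The source address on a RST only shows where the packet claims to come from; comparing it with a capture taken on the other end of the connection tells you whether that host really sent it.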