#1
Psycho
Getting around company firewall
Hi, I was reading this thread: http://www.tfproject.org/tfp/showthr...threadid=57724
and I remembered: At work, there is a firewall which won't let me ssh to port 22. It lets me telnet, though, so I changed my ssh server to listen on 23. So everything's alright now, but I'm wondering if the IT guys can tell that I'm ssh-ing, and also vnc-ing through the ssh connection. I don't think there are any rules against it; I checked the rules again, and I don't think they said anything about that. But they must be disallowing ssh for some reason, right? Any ideas why?
#2
Fluxing wildly...
Location: Auckland, New Zealand
Probably because the firewall is set up on a Deny-all with exceptions basis. So they just never saw any reason to set up an exception for SSH or something.
On an interesting note, I had to use an external DNS server to be able to use SSH at school, which the tutor was kind enough to give me an IP for.
__________________
flux (n.) Medicine. The discharge of large quantities of fluid material from the body, especially the discharge of watery feces from the intestines.
#3
I am not permanent.
Location: Tennessee
Yes, the IT guys can tell exactly what program you're using on what port very simply by using netstat or any number of other commands.
As for why they aren't allowing ssh, what MrFlux said is probably the case.
__________________
If you're flammable and have legs, you are never blocking a fire exit. - Mitch Hedberg
#4
Quadrature Amplitude Modulator
Location: Denver
nash: Ethereal or any other decent traffic analyzer can figure out what kind of traffic is being passed on any arbitrary stream. However, they can't see past any encryption layers. I agree that MrFlux's got the right idea on the "deny all" philosophy.
MrFlux: You can use most DNS servers listed as primary/secondary for domains, unless they block unknown clients for queries on domains they don't serve (I've only seen a few of those).
glytch: You assume that nash's IT guys have access to the machine he's ssh'ing from. Plus, netstat is the wrong tool for this purpose. But lsof would work.
__________________
"There are finer fish in the sea than have ever been caught." -- Irish proverb
#5
Upright
Re: Getting around company firewall
#6
Psycho
#8
Upright
If you are running Windows XP at work and home, I'd suggest remote desktoping. This way, even if they see what you are doing, it's still being executed on your home computer and connection.
__________________
awwww man, i wish we could use "[img]" tags in sigs.... :-(
#9
Junkie
Location: RI
If you are using your home connection to hide your activities at work to justify whatever you do, be it look at porn or just not do work, I imagine you are breaking some rules for your company. They hire you to be productive, not to leech their bandwidth. I'm not one to speak, but if a company doesn't allow me to do something for a reason, generally a little flag goes off that says, "Hey, they don't want me to do this so I better not try it."
#10
I am Winter Born
Location: Alexandria, VA
I agree with Fallon. SSHing, Remote Desktoping, or whatever protocol you use to get to your home computer and use your internet connection from there while at work is still probably breaking rules.
If you want to, on your lunch break, check your e-mail at home, etc., I'm not gonna complain about that (unless your company has rules against even that), but while you're at work, you're there to work. That said, I'm an IT folk and tend to be pretty overzealous about tracking down people. We've got programs that will pick up on any outbound sessions and figure out what kind of traffic it is, flag it appropriately for review, and if really necessary (IM traffic), it'll send a pager alert so we can get a hold of the individual and shut it down immediately.
__________________
Eat antimatter, Posleen-boy!
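An added example (not code from the thread or from any of its posters) of the protocol-versus-port check that the traffic analyzers described in posts #4 and #10 perform: it recognises SSH, telnet, TLS and HTTP from the first bytes of a stream rather than from the port number, so an SSH banner on port 23 is flagged as a mismatch. The sample sessions and the software version string in the banner are constructed.

```python
# Added example (not from the thread): classify a TCP session by the first
# bytes the two ends exchange instead of by port number, and flag sessions
# whose protocol does not match the port they run on. This is the kind of
# check the traffic analyzers mentioned above perform, and it is why moving
# sshd from 22 to 23 does not hide the fact that the session is SSH.
import re

# Protocol fingerprints from the public specs: an SSH stream opens with an
# identification string "SSH-<ver>-<software>" (RFC 4253); telnet usually
# opens with IAC (0xFF) option negotiation (RFC 854).
SSH_BANNER = re.compile(rb"^SSH-(1\.99|2\.0|1\.5)-[^\r\n]+")
TELNET_IAC = b"\xff"

# Port -> protocol the firewall exception was written for.
EXPECTED = {22: "ssh", 23: "telnet", 80: "http", 443: "tls"}

def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a stream."""
    if SSH_BANNER.match(payload):
        return "ssh"
    if payload[:1] == TELNET_IAC:
        return "telnet"
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":  # TLS handshake record
        return "tls"
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    return "unknown"

def flag_session(dst_port: int, payload: bytes) -> dict:
    """Report a mismatch when recognised traffic is not what the port allows."""
    proto = classify(payload)
    expected = EXPECTED.get(dst_port, "unknown")
    return {"port": dst_port, "protocol": proto,
            "mismatch": proto != "unknown" and proto != expected}

# Constructed sample sessions: destination port and first bytes observed.
SAMPLES = [
    (22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),             # ssh where ssh is expected
    (23, b"\xff\xfd\x18\xff\xfd\x20"),              # genuine telnet negotiation
    (23, b"SSH-2.0-OpenSSH_3.8p1\r\n"),             # sshd moved to the telnet port
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

def find_mismatches(samples=SAMPLES):
    return [r for r in (flag_session(p, b) for p, b in samples) if r["mismatch"]]

if __name__ == "__main__":
    for r in find_mismatches():
        print(f"port {r['port']}: {r['protocol']} traffic on a {EXPECTED[r['port']]} port")
```

Only the session on port 23 carrying an SSH banner is reported; the ssh forwarding described later in the thread would show up the same way, since the tunnel's outer layer is still SSH.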
#11
Psycho
Well the main reason is to check my email. I have to ssh into the email server that I use (and use pine or mail or one of those programs). Since the ssh port is blocked, I figure I'll ssh to home and then ssh to the email server that way. Playing around with VNC is just for my own experimentation and education; I wasn't planning on using it for anything. So I have a "legit" reason, albeit unconventional. I could set up Outlook or something similar and IMAP it, but I really really hate email programs like those. Also, I would prefer to keep it on the server, not copy or move anything over to the work computer where people could snoop.
Regarding Remote Desktop, I bet that port is blocked as well. Port 2263 or something like that, I forget.
Edit again: People at my workplace use email very often, very much like instant messaging. Although people's offices (not cubicles) are next door, it's less disruptive than shouting. So that's why I would like to be able to access my email.
Last edited by nash; 06-06-2004 at 11:32 AM.
#13
Upright
Excuse me if I'm going over something you already know... but anyway...
Basically, with ssh you can forward ports over the ssh connection. So in my example I have a Squid running on my home Linux box listening on port 1080. I then, from work, ssh -p 23 -L 1080:127.0.0.1:1080 userid@home. This makes your ssh connection as usual, to the telnet port... and forwards any traffic heading to your 127.0.0.1 port 1080 to "home". I then point Mozilla to my proxy of http://127.0.0.1 port 1080. And then I can surf and view whatever I like. The SOCKS server is something I've added later... so I can run Trillian or just about whatever will accept a SOCKS server in its settings.
#14
Stop. Think. Question.
Location: Redondo Beach, CA
You can use different ports for VNC as well. You probably don't want to spend any $, but GoToMyPC works very well through anything because it uses port 80 while still providing an encrypted channel.
__________________
How you do anything is how you do everything.