Can't Set SSH to Listen on Port 80

Discussion in 'Tomato Firmware' started by jbaker6953, Oct 25, 2007.

  1. jbaker6953

    jbaker6953 LI Guru Member

    When I set the SSH Daemon to listen on port 80 for remote connections, the connections fail. It has to be port 80 because my work blocks ALL ports except port 80 (they even block 443).

    After setting Administration -> Admin Access -> SSH Daemon Remote Port to 80, I can verify that Tomato does not begin listening on port 80. Netstat reveals the following:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 *:domain                *:*                     LISTEN      
    tcp        0      0 *:ssh                   *:*                     LISTEN      
    tcp        0      0 *:5431                  *:*                     LISTEN      
    tcp        0      0 *:https                 *:*                     LISTEN      
    tcp        0      0 router:ssh              router:16230 ESTABLISHED 
    tcp        0      0 router:1098             router:netbios-ssn ESTABLISHED 
    udp        0      0 *:1024                  *:*                                 
    udp        0      0 localhost:34954         *:*                                 
    udp        0      0 *:domain                *:*                                 
    udp        0      0 *:bootps                *:*                                 
    udp        0      0 *:upnp                  *:*                                 
    raw        0      0 *:255                   *:*                     0           
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  9      [ ]         DGRAM                    346    /dev/log
    unix  2      [ ACC ]     STREAM     LISTENING     1366887 /tmp/dropbear-f27067fc/auth-b597a41e-7
    unix  2      [ ]         DGRAM                    1365671 
    unix  2      [ ]         DGRAM                    1365669 
    unix  2      [ ]         DGRAM                    2068   
    unix  2      [ ]         DGRAM                    822    
    unix  2      [ ]         DGRAM                    555    
    unix  2      [ ]         DGRAM                    481    
    unix  2      [ ]         DGRAM                    383    
    unix  2      [ ]         DGRAM                    342    
    unix  3      [ ]         STREAM     CONNECTED     335    
    unix  3      [ ]         STREAM     CONNECTED     334    
    unix  2      [ ]         DGRAM                    331    
  2. azeari

    azeari LI Guru Member

    Set SSH to listen on another port, and configure port forwarding, as such:

    external port: 80
    internal port: <<port ssh is running on>>
    internal ip: <<router's ip (i.e.>>

    That should work, unless you want to explicitly run SSH on port 80, which might be a problem since the webif already uses that port.
  3. jbaker6953

    jbaker6953 LI Guru Member

    I want to access my router from the outside by logging into SSH on port 80. There is nothing running on port 80 on the WAN interface - nothing at all. I can try port forwarding WAN port 80 to LAN Something seems wrong with that, but I'll try it.
  4. jbaker6953

    jbaker6953 LI Guru Member

    I just tried forwarding WAN port 80 to the router's address on port 22, but it doesn't work. I cannot establish an SSH session. The TCP connection itself is initiated and the router ACKs that, but then it just hangs there.
  5. dvd-guy

    dvd-guy Guest

    Port 80 is used for the web interface. If it's running a web server, you can't run an SSH server on the same port. You have to disable the web interface and run all your commands through telnet to configure your SSH server. You can disable telnet again when SSH is up and running.
  6. LLigetfa

    LLigetfa LI Guru Member

    Have you tried accessing from other places than work or home? Home might not work because of loopback. At work, while they may allow port 80, they may also deploy stateful inspection meaning you cannot tunnel non http stuff through port 80.

    Even if you don't have remote admin for the WebGUI turned on in the router, it may still reserve that port. Try turning on remote admin using a different port like 8000. That may free up port 80.
  7. Macskeeball

    Macskeeball LI Guru Member

  8. LLigetfa

    LLigetfa LI Guru Member

    OK, I deserve that for being lazy. What I meant to say is turn it on, change the port and test to see if the remote admin is not what is hogging port 80. Turn it back off after you change the port.
  9. azeari

    azeari LI Guru Member

    Well, most restrictive firewalls employ stateful inspection. My school definitely does that and I couldn't establish an SSH connection through port 443. OpenVPN works though, because both use SSL-styled encryption (=
  10. LLigetfa

    LLigetfa LI Guru Member

    Unfortunately, the firewall admin is blocking 443.
  11. Toxic

    Toxic Administrator Staff Member

    Are you sure your admin is not also blocking all IP protocols except httpd (not just the port)? I know advanced firewalls can monitor ports to make sure the protocol that is transmitted on a certain port is the correct IP protocol.

    i.e. httpd = 80 and nothing else. SSH on port 80 is not httpd and is therefore blocked.
  12. u3gyxap

    u3gyxap Network Guru Member

    I can state that tomato sets SSH to listen on port 80 just fine. It worked from the first try.
  13. jbaker6953

    jbaker6953 LI Guru Member

    Let me try to address everyone's helpful suggestions.

    1) The firewall is not blocking non-HTTP traffic. I can forward port 80 to VNC on one of my machines and it works (and fast).

    2) It's not a matter of the router's admin interface binding to port 80 since I can forward port 80 to another machine on the LAN and it works fine. It is only in the case of trying to use port 80 for SSH on the router that it fails.

    EDIT: I lied. There is something on the router binding to port 80 on the WAN interface. Remote access is disabled for the Web interface, there are no forwardings, and nothing else is set to port 80. Still the router listens on port 80 and accepts incoming connections. What could be doing it? How can I netstat the WAN interface?
  14. jbaker6953

    jbaker6953 LI Guru Member

    It's not as easy as I thought. I set up an SSH server on a LAN machine to see if I could forward port 80 from the router to a machine on the LAN. No dice. In summary:

    router:80 ---> = FAIL
    router:81 ---> = SUCCEED
  15. u3gyxap

    u3gyxap Network Guru Member

    Perhaps, ask your Internet Provider?
  16. jbaker6953

    jbaker6953 LI Guru Member

    I'm not sure they could tell me what process on Tomato is binding to port 80 on the WAN interface.
  17. jbaker6953

    jbaker6953 LI Guru Member

    It turns out to be an interesting DNS thing. I use a dynamic DNS service which is configured properly and working well. Outside of my LAN, the host name resolves to the WAN interface's IP address, but for some reason inside the LAN it resolves to the IP of whatever machine on the LAN initiates the request. When I use the actual WAN IP address to make the connection it works out fine.
  18. jbaker6953

    jbaker6953 LI Guru Member

    Turns out dnsmasq is adding the LAN host:

    C:\Documents and Settings\user>nslookup host


    I think once a connection is established, the client gets very confused about what to do since has Apache listening on port 80 and is the Tomato router with dropbear listening on port 80.
  19. jbaker6953

    jbaker6953 LI Guru Member

    OK everyone, thanks for the help. Problem solved.

    NEVER name a host on your LAN (Basic -> Static DHCP) with the same name as a subdomain that resolves to your WAN IP. This will confuse the hell out of dnsmasq.

    I had named "host" and resolved to the from inside the LAN. The way dnsmasq worked, it thought they were both the same.

    There is a plus though. If you want to do load balancing with round robin DNS, dnsmasq will do it automatically if you give all of the hosts the same name under the static DHCP configuration. Each query returns a different one of the IPs.
  20. jbaker6953

    jbaker6953 LI Guru Member

    Problem only solved from inside LAN. Outside of LAN I still cannot connect to the router on port 80. Right now there is nothing set to forward port 80, and remote Web admin access is disabled. The only setting in Tomato's NVRAM variables containing anything referencing port 80 is the remote port for SSH to listen to. Still, it will not connect. Can anybody here test whether they can connect with an SSH client? The current IP is

    I can connect to it from inside the LAN using the WAN IP address, but not from the outside. When I set Tomato to port forward 80 to a LAN machine running Apache it works fine, so there is no filter blocking port 80 connections. If you connect to the above IP you will see that the connection is established to the router, but then the SSH session never starts.

    When I connect using Telnet instead of SSH, I am presented with the following string:

    That leads me to believe dropbear is answering on port 80, but that something is going awry after that. After I see that string, nothing responds to any commands. No amount of pressing enter or anything will cause a response. The connection just sits there in an open state.

    The PuTTY log reads as follows

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2007.10.30 08:21:38 =~=~=~=~=~=~=~=~=~=~=~=
    Event Log: Writing new session log (SSH raw data mode) to file: putty.log
    Event Log: Connecting to port 80
    Event Log: Server unexpectedly closed network connection
  21. u3gyxap

    u3gyxap Network Guru Member

    It's working:
  22. jbaker6953

    jbaker6953 LI Guru Member

    Are you also behind a router (so you have a private IP address)? I'm out of ideas. I tried using openssh instead of PuTTY with the same results. Perhaps my firewall admin even blocks stuff that isn't identifiable as HTTP traffic on port 80?
  23. u3gyxap

    u3gyxap Network Guru Member

    It works either way - when I am directly connected to the internet or behind a router.
    That is why I suggested you talk with the folks from your Internet Provider.
  24. azeari

    azeari LI Guru Member

    Yup, from your description it is definitely the firewall that's blocking the traffic. The reason why you're seeing the dropbear message is because that's probably the only unencrypted traffic dropbear sends out.

    Edit: if you really want to get around it, you could try setting up a form of HTTP proxy somewhere inside your network. No experience doing that though (= so can't help you there.
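    The three outcomes argued over in posts 11, 20 and 24 (the SSH banner arrives and then the peer closes, the banner arrives and the connection just sits there, or the handshake actually continues) can be told apart with a short probe instead of telnet and a PuTTY log. This is an added example written for this page, not code from the thread, from Tomato or from dropbear: it connects, classifies the first bytes, and if they look like an SSH banner it sends its own identification line and reports whether a KEXINIT comes back, the peer closes, or the read times out. The banner string and the stand-in server are constructed for offline testing; FAKE_KEXINIT is only the shape of a KEXINIT packet header, not a valid one.

```python
"""Probe host:port: SSH server, web server, or nothing? If an SSH banner comes
back, send a client identification line and see what the far end does next."""
import socket
import threading

CLIENT_ID = b"SSH-2.0-probe_0.1\r\n"       # our identification line (RFC 4253, 4.2)
SSH_MSG_KEXINIT = 20                        # first packet a real server sends afterwards


def classify_banner(data: bytes) -> str:
    """First bytes from the server: 'ssh', 'http', 'silent' (nothing) or 'other'."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(b"HTTP/"):
        return "http"
    return "silent" if not data else "other"


def _read(sock: socket.socket, timeout: float):
    """One recv turned into (state, data); state is data, eof, timeout or reset."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(4096)
    except socket.timeout:
        return "timeout", b""
    except OSError:                         # ECONNRESET and friends
        return "reset", b""
    return ("data" if data else "eof"), data


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    result = {"connected": False, "kind": "silent", "banner": "", "after_id": "n/a"}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result                       # refused, filtered or unreachable
    with sock:
        result["connected"] = True
        _, first = _read(sock, timeout)
        result["kind"] = classify_banner(first)
        result["banner"] = first.split(b"\n")[0].strip().decode("ascii", "replace")
        if result["kind"] != "ssh":
            return result
        try:
            sock.sendall(CLIENT_ID)
        except OSError:
            result["after_id"] = "reset"
            return result
        state, nxt = _read(sock, timeout)
        if state == "data":
            # SSH binary packet: uint32 length, byte padding_len, byte message type
            kex = len(nxt) > 5 and nxt[5] == SSH_MSG_KEXINIT
            result["after_id"] = "kexinit" if kex else "other"
        else:
            result["after_id"] = state      # eof, timeout or reset
    return result


# Constructed stand-in for the far end so the probe can be exercised offline.
FAKE_KEXINIT = b"\x00\x00\x00\x16\x04\x14" + b"\x00" * 20   # header shape only


def start_fake_server(banner: bytes, mode: str) -> int:
    """Send `banner`, then: 'continue' answers the client ID with FAKE_KEXINIT,
    'close' reads the client ID and drops the connection, 'hang' never replies.
    Returns the port the stand-in listens on (127.0.0.1)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(banner)
            if banner.startswith(b"SSH-"):
                conn.recv(256)              # the probe's identification line
                if mode == "continue":
                    conn.sendall(FAKE_KEXINIT)
                elif mode == "hang":
                    conn.recv(256)          # returns only once the probe gives up

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it once from inside the LAN against the WAN address and once from the restricted network: "kexinit" from inside but "eof" or "timeout" from outside, with the same banner in both runs, means the router is answering fine and something on the path is killing the session after the first non-HTTP bytes.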