Differences

This shows you the differences between two versions of the page.

faq:tcpip [2019/01/01 23:53] – Added WS & WSS, removed some unused UDP ports. Added SMTP-Submission/TLS and POP3 over TLS ports. digital man
faq:tcpip [2019/08/08 21:08] – [SSH Session Key] mention ssl.cert and system-password dependency digital man
Line 14: Line 14:
   * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]?    * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? 
   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?   * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]?
-  * [[#ssh_kex_algo|Why do some SSH clients fail to connect to my BBS]]?+  * [[#ssh_algo|Why do some SSH clients fail to connect to my BBS]]?
   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?   * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]?
  
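Review bot: the third list item now points at ''#ssh_algo'' to match the renamed ''===== SSH Algo ====='' heading in the later hunk; because DokuWiki derives anchors from heading text and that hunk keeps a ''==== SSH Kex Algo ===='' sub-heading, the old ''#ssh_kex_algo'' anchor still resolves, but only to the Kex sub-section, so any other page that linked to it for the general "clients fail to connect" answer should be re-pointed as well. Unrelated but visible in the context: the next item reads "How do resolve" and is missing "I".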
Line 207: Line 207:
 [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions.  [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions. 
  
-**Note**: Most web browsers (e.g. //Microsoft Internet Explorer//) use passive FTP transfer mode by default. +**Note**: Most web browsers use //passive// FTP transfer mode by default, though this may be configurable
  
-**Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe'') only support active mode transfers. +**Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe''//only// support //active// mode transfers. 
  
-Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Win32.  +Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Windows
- +
-If you're having problems with passive transfers and you're seeing +
-  !UNSUPPORTED COMMAND from username: 'P@SW' +
-in your FTP server log/window output, you're probably using an //SMC Barricade// router (see [[http://www.gbnetwork.co.uk/smcftpd/|this document]] for details). Upgrade to Synchronet v3.13a (FTP Server Revision 1.296) or later to work-around this problem with this device+
  
 If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later:  If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later: 
-If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to specify your [[#public IP]] address. +If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to specify your IPv4 [[#public IP]] address. 
  
 This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client).  This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client). 
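Review bot: the second Note in this hunk drops its closing parenthesis and a space; the new text reads ''ftp.exe''//only// support where the old read ''ftp.exe'') only support, so it should be ''ftp.exe'') //only// support //active// mode transfers. The first Note's new wording ("though this may be configurable") ends without a period. Removing the SMC Barricade paragraph also removes the only explanation of the !UNSUPPORTED COMMAND from username: 'P@SW' log line; if the FTP server still emits that message for a mangled PASV command, a one-line hint about its cause is worth keeping even though the device reference is dated. The added IPv4 qualifier on ''PasvIpAddress'' is a good catch, since the comma-separated PASV response described in the last paragraph can only carry an IPv4 address.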
Line 240: Line 236:
 If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new //Lookup Passive IP// feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in [[monitor:SBBSCTRL]]-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses.  If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new //Lookup Passive IP// feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in [[monitor:SBBSCTRL]]-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses. 
  
-If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specifiy a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server. +If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specify a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server. 
  
 ===== Bind ===== ===== Bind =====
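Review bot: style nit, PasvPortLow and PasvPortHigh are the only ini keys in this paragraph not set in ''...'' monospace, unlike ''PasvIpAddress'' and ''LOOKUP_PASV_IP'' in the paragraph above; suggest ''PasvPortLow'' and ''PasvPortHigh'' for consistency. The specifiy to specify fix is correct.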
Line 300: Line 296:
 Yes, see [[howto:Block-Hackers]] for detailed instructions. Yes, see [[howto:Block-Hackers]] for detailed instructions.
  
-===== SSH Kex Algo =====+===== SSH Algo =====
 :?: **Question:**\\ :?: **Question:**\\
 Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server? Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server?
 +
 +:!: **Answer:**\\
 +SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (mac) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor.
 +
 +
 +==== SSH Cipher Algo ====
  
 Example: Example:
   $ ssh vert.synchro.net   $ ssh vert.synchro.net
-  $ Received disconnect from 71.95.196.342Handshake failed+  Unable to negotiate with vert.synchro.net port 22no matching cipher found. Their offeraes128-cbc,3des-cbc
      
-or: +Workarounds for OpenSSH:
-  Unable to negotiate with legacyhost: no matching key exchange method found. +
-  Their offer: diffie-hellman-group1-sha1+
  
-:!: **Answer:**\\+  $ ssh -c aes128-cbc user@yourbbs.com 
 +   
 +or in the ''~/.ssh/config'' file (OpenSSH v6):
  
-//**NOTE: This has been fixed in CVS now.**//+  Host yourbbs.com 
 +  Ciphers aes128-cbc 
 +   
 +==== SSH Kex Algo ====
  
-Synchronet uses [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/|Cryptlib]], a cryptographic library, for SSH and TSL/SSL support in Synchronet. Cryptlib's v3.4.2 SSH support uses an older "Key Exchange Algorithm". OpenSSH has deprecated support for this older key exchange algorithm. Cryptlib v3.4.4, the currently latest version of Cryptlib now used by Synchronet, does not have this problem.+Example: 
 +  $ ssh vert.synchro.net 
 +  Received disconnect from 71.95.196.34: 2: Handshake failed 
 +   
 +or: 
 +  Unable to negotiate with legacyhost: no matching key exchange method found. 
 +  Their offer: diffie-hellman-group1-sha1
  
 From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]: From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]:
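Review bot: this hunk removes the paragraph explaining that Synchronet's SSH support comes from Cryptlib and that the deprecated key-exchange algorithm is fixed in Cryptlib v3.4.4 (along with the "fixed in CVS" note), so the rewritten answer now offers only client-side workarounds; the Kex sub-section should keep one sentence pointing the sysop at the server-side fix (upgrade Synchronet so it uses the newer Cryptlib), since that is the only change that spares every client from loosening its own configuration. In the Cipher sub-section, ''-c aes128-cbc'' and ''Ciphers aes128-cbc'' re-enable a CBC-mode cipher that newer OpenSSH deliberately left out of its defaults (the server offer shown is aes128-cbc,3des-cbc); the ''Host yourbbs.com'' block in the ''~/.ssh/config'' example is the right scoping and the text should say to prefer that per-host form over a global setting. The Answer paragraph's "authentication (key-exchange)" conflates two algorithm classes: key exchange derives the session keys, while the host is authenticated by the host-key algorithm; suggest "key exchange (kex)" and, if wanted, "host authentication (host key)". Minor: "(OpenSSH v6)" on the config example does not say whether that is a minimum version or the one tested.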
Line 340: Line 351:
 Note: Run ''ssh -V'' to see what version of OpenSSH you have. Note: Run ''ssh -V'' to see what version of OpenSSH you have.
  
-:!: **Answer:**\\+==== SSH MAC Algo ==== 
 Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm. Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm.
  
Line 356: Line 368:
 Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file. Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file.
  
 +If you're using TLS for your other [[server:|Synchronet servers (e.g. web, mail, ftp, etc.)]], you may also need to rename/move or delete your ''[[dir:ctrl]]/ssl.cert'' file.
 +
 +These files (''cryptlib.key'' and ''ssl.cert'') are encrypted with the Synchronet //system password//, so if the system password is changed then these files must also be regenerated. The files are automatically recreated by //sbbs// upon startup if they do not already exist.
 ===== See Also ===== ===== See Also =====
   * [[:server:|Servers]]   * [[:server:|Servers]]
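Review bot: the new paragraph says the files "must also be regenerated" after a system-password change but only implies how; state the procedure explicitly (stop //sbbs//, rename or remove ''cryptlib.key'' and ''ssl.cert'', restart so they are recreated) and spell out the consequence: regenerating them replaces the SSH host key (assuming ''cryptlib.key'' holds the private key named in the error this section addresses) and the TLS certificate, so existing SSH clients will see a changed-host-key warning and TLS clients a new certificate, which the sysop should announce so users are not trained to click through such warnings. Also, the inserted lines run straight into ''===== See Also =====''; the rest of this file separates a heading from the preceding paragraph with a blank line.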
faq/tcpip.txt · Last modified: 2020/06/01 21:33 by digital man
CC Attribution 4.0 International