ISPs making home servers impossible (port blocking)

Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Post by Drew Sebastino »

So, I had finally got around to setting up an old desktop I have to be a web (LAMP) server, but I come to find that even though I can access my test website locally by forwarding port 80 on my router, I cannot access it elsewhere.

So I then set my server to operate on a different port and forward that port on my router (including the port in the url now when I enter the website), but the same thing happens. I then found out about various online port checking tools and about the DMZ option on my router and ultimately found that my ISP (Suddenlink) blocks every port except 22. However, port 22 is used by SSH, and I found that apache2 refuses to listen on port 22 when I set it to, as it generates some error about an address conflict and fails to restart.

Sure enough, I find that Suddenlink says, on their website, that they do not allow any sort of server operation for "residential" customers, and that you would need to become a "business" customer, which I come to find is a ridiculously expensive option.

So just for the heck of it, I look at what other ISPs are in the area, and see that the only real options are AT&T and the satellite internet providers. However, AT&T appears no better than Suddenlink (although I don't know exactly how many ports they block), and HughesNet doesn't either.


Is this a relatively new development with ISPs, or am I just unlucky? How are personal blogs, or anything else that isn't a corporate website, on the internet? That is, unless everyone pays for web hosting.

Edit: Wait, I'm an idiot, it will say every port other than 22 is blocked if only 22 is on; I just changed the port number of apache and forwarded it and now it seems to be working. It feels a bit crazy that they, under their acceptable use policy, "RESERVE THE RIGHT TO IMMEDIATELY TERMINATE YOUR ACCOUNT WITHOUT NOTICE", but I can't imagine they'd give a damn unless you end up generating a lot of traffic.

Actually, wait, no it's not working; I still had my WiFi on. :oops:
Last edited by Drew Sebastino on Wed Jun 19, 2019 11:12 pm, edited 1 time in total.
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: ISPs making home servers impossible (port blocking)

Post by tepples »

Is 443 blocked? If not, you can still host HTTPS on its standard port. You'll just need to include the Strict-Transport-Security header so that the browser will rewrite HTTP type-ins to HTTPS starting the second time the user visits the site.
Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Re: ISPs making home servers impossible (port blocking)

Post by Drew Sebastino »

Port 443 does not work either. Neither does port 8000, or 8080, or 8086, or 20000... I'm testing this via accessing my external IP address on my phone with WiFi, then without.
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: ISPs making home servers impossible (port blocking)

Post by koitsu »

You will not win this battle, and switching ISPs seems like a pretty knee-jerk reaction, especially if your ISP is already working well for you (for general Internet service), compounded with the fact that most US cities are still lucky to have more than 1 ISP choice. Don't change ISPs, and don't sign up for their exorbitant "business class" service either.

Even if your ISP wasn't filtering inbound TCP SYN to customer WAN IPs on their border routers -- which from your description it sounds like they are, and which is perfectly within their right -- if you ran a server, you'd still be violating their ToS and thus potentially subjecting yourself to service termination. If they have a FAQ/ToS entry about it, you should probably adhere to it else accept the risk. Hint: it is very, very common for ISPs to port scan customers.

So here's two pieces of advice, take them or leave them:

1. Don't run a server on your home connection. Buy yourself a cheap VPS (see: $7/month, sometimes less) and stop worrying about it. You now have something that's totally accessible via the Internet, and you can do nearly whatever you want however you want, all the way down to maintaining firewall rules yourself. Get something that has actual serial or VGA console access (i.e. not only SSH).

2. If your goal is to be able to access home resources from somewhere (i.e. you're using a laptop and wish you could access your home web server to view some web pages, or remote desktop in to a machine on your LAN, whatever), and the service you want to access is TCP-based, then use the fact that the ISP permits inbound TCP port 22 to your advantage: forward 22 to your "LAMP" server running OpenSSH. Now use SSH port forwarding/tunnelling, in your SSH client (on your phone, on your laptop, whatever) to forward, say, 127.0.0.1:1234 to 192.168.1.99:80 (where 192.168.1.99 is your "LAMP" server), then access the URL http://127.0.0.1:1234 in your browser on the machine running SSH. The advantages to this are several, but the two big ones are: i) the only way "in" to your network is through SSH thus you don't have to worry about Internet users finding Apache exploits etc. and destroying your box, ii) all traffic across the SSH tunnel is encrypted (read: cannot be sniffed or identified), e.g. your ISP would only see "a bunch of SSH traffic" and have no idea if you were using it to tunnel HTTP traffic or whatever else you might find useful, iii) a sub-set of (i): you can lock down what IPs have access to port 22 via firewall rules on the "LAMP" box, that way only places/networks you'd be accessing things from would even know that TCP port 22 was listening at all (read: ISP port scanning you would turn up nothing). However, this overall method only works with TCP; SSH does not support UDP port forwarding/tunnelling, so if you need UDP access, you're SOL. Be aware that even with this method, you're still violating their ToS on some level (but I will say that many ISPs with this ToS clause actually let SSH slide most of the time).

P.S. -- Apache will listen on TCP port 22 just fine. There is nothing "magic" about 22 vs. 80 vs. 443 vs. 1234 vs. 8080 vs. 6667 vs. 28549. You have some other daemon listening on that port, or a router-related nuance relating to that port that you haven't figured out, which is the root cause. However, I assure you, you do not want Apache listening on port 22 on the public Internet. I'm not going to explain why either, to force you to go digging to find out what sorts of crap flies across/at port 22 in this day and age. Likewise I suggest not leaving port 22 w/ OpenSSH open to the Internet either, instead lock it down to specific IPs or networks you wish to come in from. Go figure out/read about why, you'll thank me later.
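
The tunnel and port-22 lockdown described in the post above, as an added example that is not part of the original post: the client-side forward of 127.0.0.1:1234 to 192.168.1.99:80, and iptables rules on the LAMP box that accept SSH only from listed sources. `HOME_WAN`, `SSH_USER` and `ALLOWED_SRC` are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example. 192.168.1.99, local port 1234 and port 80 come from the post;
# HOME_WAN, SSH_USER and ALLOWED_SRC are constructed placeholders.
LAMP_IP="192.168.1.99"
LOCAL_PORT=1234
HOME_WAN="home.example.net"                  # placeholder: router's public name or IP
SSH_USER="user"                              # placeholder account on the LAMP box
ALLOWED_SRC="198.51.100.0/24 203.0.113.7"    # placeholder networks you connect from
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only dotted-quad IPv4 with an optional /0-32 prefix length.
valid_src() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Client side (laptop/phone): bind the forward to loopback only, so other
# hosts on the client's network cannot use the tunnel. -N runs no remote
# command; ExitOnForwardFailure aborts if the local port cannot be bound.
open_tunnel() {
  run ssh -N -o ExitOnForwardFailure=yes \
      -L "127.0.0.1:${LOCAL_PORT}:${LAMP_IP}:80" "${SSH_USER}@${HOME_WAN}"
}

# Server side (LAMP box, as root): allow TCP 22 from listed sources, drop the rest.
# All sources are validated first so a typo never leaves a half-applied rule set.
lock_down_ssh() {
  for src in $ALLOWED_SRC; do
    valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
  done
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for src in $ALLOWED_SRC; do
    run iptables -A INPUT -p tcp --dport 22 -s "$src" -j ACCEPT
  done
  run iptables -A INPUT -p tcp --dport 22 -j DROP
}

# Stand-alone run: show both command sets (dry run by default).
lock_down_ssh && open_tunnel
```

With the tunnel up, the site is reached at http://127.0.0.1:1234 on the client, and the router only needs TCP 22 forwarded to the LAMP box.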
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: ISPs making home servers impossible (port blocking)

Post by tepples »

This problem of blocking all inbound TCP connections would affect not only "running a server" in the traditional sense but also playing online multiplayer video games, and I doubt that most such games support SSH tunneling as a workaround.

In order to assess the practicality of various mitigation options, I would first need to understand your situation through answers to the following questions:
  1. How much does Suddenlink residential service cost per month?
  2. How much does Suddenlink business service cost per month? (The difference in price between the two helps to illustrate Suddenlink's attitude toward subscribers who work from home.)
  3. Is the AT&T service to which you refer wired or wireless? (Wireless Internet tends to have even stricter TOS, caps, and NAT than wired home Internet.)
  4. How much does AT&T residential service cost per month?
  5. How much does AT&T business service cost per month? (The difference in price between the two helps to illustrate AT&T's attitude toward subscribers who work from home.)
  6. Are you a single adult with no mortgage and no dependents? (This detail about your life situation affects the practicality of exercising the nuclear option.)
Some users on another forum are under the impression that it's a good idea for people stuck behind ISPs that ban servers or have an unacceptably low monthly cap to plan to move to a different city for its different selection of ISPs. See posts by sglewis100, anonymous, anonymous, anonymous, Zero__Kelvin, allquixotic, anonymous, Bengie, Bengie again, FlyHelicopters, Thanshin, DiSKiLLeR, and these:
In this post (https://slashdot.org/comments.pl?sid=9412543&cid=52549867), an anonymous poster wrote: Well, you can vote with your feet, you just need to use those feet to move to a location which has the ISP you want.
In this post (https://soylentnews.org/comments.pl?noupdate=1&sid=23437&page=1&cid=618605#commentwrap), bobthecimmerian wrote: if I was single, I could just move some place with cheaper internet. But with kids in school and a mortgage, I'm stuck with whatever Comcast feels like charging.
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: ISPs making home servers impossible (port blocking)

Post by koitsu »

tepples wrote: This problem of blocking all inbound TCP connections would affect not only "running a server" in the traditional sense but also playing online multiplayer video games ...
Not necessarily (read: it depends on the game, and many games in the past 10-15 years implement multiple models to alleviate this exact issue). I can clue you in to the variances in the latter some other time/somewhere else, as to not derail the thread. Furthermore, the subject being discussed has nothing to do with playing video games, it has to do with running an Apache HTTP server on a home connection. Re-read what the thread is about please and don't conflate.
Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Re: ISPs making home servers impossible (port blocking)

Post by Drew Sebastino »

Tepples, I couldn't find exactly what we're paying, but I looked up the business cost, and for the plan we have, it'd be $180 per month for business.

AT&T is also DSL, which is significantly slower than the cable internet we have. And I'm just a college student home for the summer, lol. It's 100% impossible that I would be able to do this in a dorm; I doubt I could even log onto the router.

I don't think it was bad of Tepples to bring up game servers, which, by the way, are also prohibited under the ToS... I think me running an Apache server is pretty much dead in the water at this point.
tepples
Posts: 22708
Joined: Sun Sep 19, 2004 11:12 pm
Location: NE Indiana, USA (NTSC)

Re: ISPs making home servers impossible (port blocking)

Post by tepples »

I meant that the existence of game servers would act as an incentive for an ISP not to block all servers because blocking a subscriber from acting as the server in a video game as collateral damage in an effort to block HTTP servers would drive up the cost of handling technical support telephone calls from subscribers who cannot get a game working.

Cheap, fast, servers: choose two.
Garth
Posts: 246
Joined: Wed Nov 30, 2016 4:45 pm
Location: Southern California

Re: ISPs making home servers impossible (port blocking)

Post by Garth »

I'm paying $60/year at Digital Ocean ($5 a month price for basic hosting service): https://www.digitalocean.com/pricing/ . Running our son's server (where my site was originally hosted) costs three times that much just for electricity (although our residential electric rates here in SoCal are high, anywhere from $.10 to .33 per kWh, depending on how much you use in a month). He does still run the server for other reasons, including automatic daily backups of our home computers. The Digital Ocean virtual server is a hundred times as fast as our home DSL connection.
http://WilsonMinesCo.com/ lots of 6502 resources
Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Re: ISPs making home servers impossible (port blocking)

Post by Drew Sebastino »

That's really cheap for what I've seen for hosting; I thought it typically ran around $15/month. I don't know the exact price per kilowatt hour, but electricity where I am in Nacogdoches, TX (I go to college in Richmond, VA) is very cheap; our bill is usually $100 flat for three people who aren't good about saving electricity (myself included). It's obviously more in the summer when the AC is cranking though.

I have no idea how much power the PC I was using requires; it's a Pentium 4 though... :lol:
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: ISPs making home servers impossible (port blocking)

Post by koitsu »

You still haven't explained why a VPS or hosted server somewhere on the Internet isn't a viable option for you, if all you're doing is a "LAMP" stack? You don't have to worry about kwh or whatever else with that. Hell, make a free AWS account and get a t2.micro (1 core, 1GB RAM) + 30GB EBS (disk) for free for a year, then start paying for it after.

If you want a dedicated server (i.e. bare metal that's purely just you, not a shared resource), expect it to be a lot more expensive (hint for that: look at dedicated boxes in Europe, they're substantially cheaper, and offer insane specs and bandwidth, some are even unlimited; you can usually find something like this for under US$75/month).
Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Re: ISPs making home servers impossible (port blocking)

Post by Drew Sebastino »

It is an option for me, but I didn't realize they could be that cheap.

I'm just interested in hosting some simple references. For example, felixcloutier.com is a fantastic x86-64 reference, except that the instructions are not listed in a particularly useful way (alphabetically, as opposed to by their function or when included, as I feel this makes more sense) so I thought I'd create a webpage that just provides links to the detailed descriptions given by this website. I'll probably also post some code that could be useful for any x86-64 assembly program (not that anyone but me is doing this, lol).

Also, a good Irem M92 reference, even if I'm also the only one who would ever use it, lol. The MAME driver is hard to read, and what few other references there are are either incomplete, inaccurate, or both.

I had also wanted to use my old desktop for something, because I hate just having it sit there. I tried downloading Lubuntu on it, but the ram is so puny (512MB) that one tab in Firefox caused it to use virtual memory and come to a grinding halt. DDR2 ram is very cheap at least, and a Pentium D 945 is $4...
gauauu
Posts: 779
Joined: Sat Jan 09, 2016 9:21 pm
Location: Central Illinois, USA

Re: ISPs making home servers impossible (port blocking)

Post by gauauu »

Drew Sebastino wrote: It is an option for me, but I didn't realize they could be that cheap.
Google cloud will give you a single micro vm (1 vCPU, 0.6 GB memory) for "free" (without the year limit that Amazon has).

I put free in quotes because:

1. Part of the cost of working with google is wondering how many different ways they're tracking you
2. Being google, you never know when they'll suddenly get bored of their cloud service and turn it off
3. They actually charge my credit card for 1 cent per month (probably to ensure that I have a working card attached to my account in case I add something that actually costs money)
Drew Sebastino
Formerly Espozo
Posts: 3496
Joined: Mon Sep 15, 2014 4:35 pm
Location: Richmond, Virginia

Re: ISPs making home servers impossible (port blocking)

Post by Drew Sebastino »

Wow; and yeah, if it's "free", there are definitely caveats, but I'm cheap. Hardware isn't an issue for me; the worst hardware any web host will provide will be just as good as the Pentium 4 PC I was using, and it's ample powerful for whatever little traffic I'll generate.

Edit: I already found a caveat; it has to be a "static website", so no php or anything. ...I think I'll just pay $5 a month with Amazon.
koitsu
Posts: 4201
Joined: Sun Sep 19, 2004 9:28 pm
Location: A world gone mad

Re: ISPs making home servers impossible (port blocking)

Post by koitsu »

You may find AWS to be... "complicated"... especially with billing. I have no interest in spending 4+ hours explaining the details of it, but AWS has a lot of small "gotchas" that make it not always the best choice for something as generic as "just a web hosting box". I mentioned AWS because of it being (mostly) free for 12 months. I say "mostly" because there are catches/caveats, bandwidth being one of them. When it comes to calculating costs in AWS, it takes me literally days of just crunching numbers and trying to figure out "worst case scenarios"; "flat rates" are not something AWS works well with, their billing model is extremely dynamic and a lot of things cannot be easily predicted / will catch you by surprise. (Hint: there are actual companies who specialise in nothing but helping you analyse and manage AWS billing.)

For general hosting where you understand what you're doing and want something "flat-rate" (read: a box with N CPU cores, N RAM, N disk space, N bandwidth, with a static IP, at $X/month), I strongly suggest a VPS. There are *tons* of VPS providers, many for very affordable prices (re: sub-$10). You get basically a pre-installed Linux distro on the box, can SSH in and do whatever you want as root. The rates are "flat" so you know what you're getting up front. I've used many over the years, but I currently use https://www.lunanode.com/pricing -- prices start at US$3.50/month. Other VPS providers often offer free trials and the like, such as Linode (who I do not particularly like. If you go with them, avoid their Fremont datacenter like the plague!). Others I've used in the past are ComfortVPS, DigitalOcean, RootBSD, vr.org, and Vultr. Spend a weekend trying things out. Only you know what's best for you.